7 Simple Tricks to Make Your WordPress Website Secure

Every day thousands of websites get hacked and blacklisted by Google. A compromised website can seriously damage your personal or business reputation, cause downtime and inconveniences for your visitors, and ultimately affect your revenue.


If you’re serious about your website or blog, you have to take extra precautions to make hackers’ lives difficult. You’re probably nodding your head at this point, but you aren’t sure how to tackle this. Well, I’ve got good news for you. It’s not that complicated. These seven simple steps will improve your website security significantly and help you sleep better at night 🙂

1. Keep your software up-to-date

This is by far the most important security tip anyone can give you. Outdated themes, plugins, and an outdated WordPress core are the easiest targets for hackers, because the flaws in old versions are publicly known. So just by doing regular software updates, you’re greatly reducing the chances of your website being hijacked by the bad guys.

2. Improve your password strength

Weak passwords and guessable usernames are vulnerable to “brute force attacks”, where hackers use automated software to try passwords until one works. To protect against such attacks, passwords should be made of a combination of uppercase and lowercase letters, numbers, and special characters. They should be at least 10 characters long and should be changed on a regular basis.

How to change your WordPress admin password?

In the admin area, go to Users and select the user you’d like to edit. Scroll down to the New Password section and click on Generate Password. A password will be generated automatically, but you can change it to anything you like. WordPress will indicate the strength of your password so make sure it’s strong enough! Click the Update User button on the bottom of the page to save it.


3. Change the admin login page URL

Most of the time, hackers will try to gain access to a WordPress website by targeting the default admin area login page (www.yoursite.com/wp-admin/). If you change this default URL, you will effectively protect your site against all such threats.

This can be a very technical task, but luckily there are many plugins that help us achieve that without any programming knowledge. We have been using All In One WP Security & Firewall which is a free, comprehensive security plugin that’s super easy to use.

Install and activate the plugin, go to WP Security > Brute Force and change the login page URL to anything you like. Now your default login URL won’t work anymore, so next time you log in you will have to use your new URL instead.


4. Add a security question to the admin login page

Adding a security question to your WordPress login page makes it much harder for automated scripts to get unauthorized access. All In One WP Security plugin helps us achieve that with just a few clicks.

Go to WP Security > Brute Force and select the Login Captcha tab. Now you can activate the login page security question by checking Enable Captcha On Login Page, or, alternatively, install Google reCAPTCHA.

5. Limit login attempts

By default, WordPress allows users to try to log in as many times as they want. Hackers may exploit that to crack passwords by trying to log in with different combinations. By setting the maximum number of login attempts to a small number, you make their job almost impossible. This additional layer of security, combined with steps 2, 3 and 4, will make your website almost bulletproof against brute force and some other common cyber attacks.

Go to WP Security > User Login and select the Login Lockdown tab. You can activate the feature by checking Enable Login Lockdown Feature. Once checked, you can configure the maximum number of login attempts (we recommend between 3 and 10), the length of the lockout (we recommend between 30 and 60 minutes) and other settings to ensure this feature is doing its job. Make sure to check the Notify By Email option and enter your preferred email. This way, whenever a login attempt fails, you will be notified by email.
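As an added illustration (not the plugin’s code), here is the rule the Login Lockdown feature enforces, run over a few constructed login events with limits in the range the article recommends: five failures from one IP inside the lockout window block that IP for 30 minutes, even if it then supplies the correct password.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # the article recommends 3 to 10
LOCKOUT = timedelta(minutes=30)  # the article recommends 30 to 60 minutes

# Constructed sample login events: (timestamp, client IP, username, password correct?)
EVENTS = [
    ("2024-05-01 10:00:01", "203.0.113.7", "admin", False),
    ("2024-05-01 10:00:03", "203.0.113.7", "admin", False),
    ("2024-05-01 10:00:05", "203.0.113.7", "administrator", False),
    ("2024-05-01 10:00:07", "203.0.113.7", "editor", False),
    ("2024-05-01 10:00:09", "203.0.113.7", "admin", False),   # 5th failure: lockout starts
    ("2024-05-01 10:00:11", "203.0.113.7", "admin", True),    # right password, still blocked
    ("2024-05-01 10:02:00", "198.51.100.4", "alice", False),
    ("2024-05-01 10:02:30", "198.51.100.4", "alice", True),   # one typo, then success
    ("2024-05-01 10:31:00", "203.0.113.7", "admin", True),    # lockout has expired
]

def evaluate(events, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
    """Return (ip, username, outcome) per event; outcome is 'allowed',
    'failed' or 'locked'. Failures are counted per IP inside a sliding
    window as long as the lockout; a successful login clears the count."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}               # ip -> when its lockout ends
    results = []
    for ts, ip, user, ok in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ip in locked_until and now < locked_until[ip]:
            results.append((ip, user, "locked"))   # password not even checked
            continue
        window = failures[ip]
        while window and now - window[0] > lockout:
            window.popleft()        # forget failures older than the window
        if ok:
            window.clear()
            results.append((ip, user, "allowed"))
            continue
        window.append(now)
        results.append((ip, user, "failed"))
        if len(window) >= max_attempts:
            locked_until[ip] = now + lockout   # the Notify By Email hook would fire here
            window.clear()
    return results

if __name__ == "__main__":
    for ip, user, outcome in evaluate(EVENTS):
        print(f"{ip:14} {user:14} {outcome}")
```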


6. Enable firewall

A firewall will stop malicious requests before they get a chance to reach the code on your WordPress website. All In One WP Security comes with a basic firewall that’s very easy to use and will be enough for most websites. However, if your site contains sensitive data, we recommend that you explore other premium firewalls, such as CloudFlare WAF, Jetpack or others.

Go to WP Security > Firewall and select the Basic Firewall Rules tab. All you need to do to activate the firewall is to check Enable Basic Firewall Protection.


7. Change WordPress Database Prefix

The database is the most valuable part of your website because all of your content, users and settings are stored there. It’s also one of hackers’ favourite targets. They use a variety of automated scripts to gain unauthorized access, steal sensitive data and inject malicious code into the database. The smartest and easiest way you can protect your database is by changing the database prefix.

The database prefix is a string of characters placed before every database table name. The default prefix in WordPress is wp_. Every hacker worth a grain of salt knows this. That’s why it is absolutely crucial to change the database prefix for all tables!

How to change the database prefix?

The default database prefix can be easily changed during installation, on the page where you configure your username, password, and email. But since you’re reading this section, I am assuming you did not do it during installation. Not to worry. Our All In One WP Security plugin is here to the rescue once again 🙂

Go to WP Security > Database Security and select the DB Prefix tab. Navigate to Generate New DB Table Prefix and either change the database prefix to your own (we recommend at least 3 to 6 characters) or check the option for the plugin to generate a random 6-character string of letters. Hit the Change DB Prefix button and that’s it! Your database is now much safer.

Important note: In some rare cases, changing the database prefix can break your website. Before making the change, it is recommended to perform a full backup of your files and database.
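As an added example, not the plugin’s own code, here are the statements a prefix change actually involves, using a constructed new prefix k7q2x_ and a constructed table list. It shows why the note above applies: the prefix also lives inside option and usermeta key names, and wp-config.php’s $table_prefix has to be changed to match, so a rename that touches only the tables leaves the site broken.

```python
OLD, NEW = "wp_", "k7q2x_"   # constructed new prefix; use your own random one

# Constructed table list, as SHOW TABLES might return it. The last entry belongs
# to a plugin that uses its own prefix and must be left untouched.
TABLES = ["wp_options", "wp_posts", "wp_users", "wp_usermeta",
          "wp_postmeta", "wp_terms", "other_plugin_log"]

def rename_statements(tables, old=OLD, new=NEW):
    """One RENAME TABLE statement per table that carries the old prefix."""
    return [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
            for t in tables if t.startswith(old)]

def like_pattern(prefix):
    """In LIKE, '_' matches any single character, so it must be escaped:
    an unescaped 'wp_%' would also match keys such as 'wpx...'."""
    return prefix.replace("_", r"\_") + "%"

def key_fixup_statements(old=OLD, new=NEW):
    """Some row *keys* embed the prefix too: the option wp_user_roles and the
    usermeta keys wp_capabilities / wp_user_level. Renaming the tables but
    leaving these keys alone is what locks every user out of the admin area."""
    n = len(old)
    return [
        f"UPDATE `{new}options` SET option_name = "
        f"CONCAT('{new}', SUBSTRING(option_name, {n + 1})) "
        f"WHERE option_name LIKE '{like_pattern(old)}';",
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {n + 1})) "
        f"WHERE meta_key LIKE '{like_pattern(old)}';",
    ]

def wp_config_line(new=NEW):
    """wp-config.php must be updated to match, or WordPress keeps querying
    the old table names."""
    return f"$table_prefix = '{new}';"

if __name__ == "__main__":
    # Review the generated script against a fresh backup before running any of it.
    for stmt in rename_statements(TABLES) + key_fixup_statements():
        print(stmt)
    print("# and in wp-config.php:", wp_config_line())
```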

How do you keep your website secure? Share your tips and experiences with all of us in the comments below.
