10 Simple Security Tricks to Keep Your Website Safe in 2020.
I’ve heard many website owners complain about WordPress security. The thought is that an open source script is vulnerable to all sorts of attacks. Is that a fact? And if so, how do you secure your WordPress website?
Luckily, the lack of built-in WordPress security is a myth. In fact, sometimes it’s the other way around – WordPress websites are much more secure than their online brothers and sisters.
Today, I plan to discuss quite a few simple tricks that can help you secure your WordPress website even more.
After implementing these tactics and following up with continual WordPress security checks, you’ll be well on your way to secure your WordPress website for good.
Note down 10 tricks to get your website safe from hackers.
1. Work only with good hosts
You should only work with reliable, high-quality and safe hosting. This piece of advice seems obvious, right?
More or less, everyone thinks their hosting is great until something breaks for the first time. In the real world, not all hosting companies and hosting offerings are created equal.
If you take a look into one of our hosting surveys, you’ll see how different people’s experiences are in terms of overall hosting quality and also individual aspects of their hosting setups, like security, reliability, speed, etc.
2. Protect the wp-config.php file
The wp-config.php file holds crucial information about your WordPress installation, and it’s the most important file in your site’s root directory. Protecting it means securing the core of your WordPress blog.
This tactic makes things difficult for hackers to breach the security of your site, since the wp-config.php file becomes inaccessible to them.
As a bonus, the protection process is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.
3. Disallow file editing
If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.
If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.
To make this work, add the following to the wp-config.php file (at the very end):
4. Set directory permissions carefully
Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.
In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole file system – directories, subdirectories, and individual files.
This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.
5. Disable directory listing with .htaccess
If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.
For example, if you create a directory called “data”, you can see everything in that directory simply by typing http://www.example.com/data/ in your browser. No password or anything is needed.
6. Block all hotlinking
Let’s say you locate an image online and would like to share it on your website. First of all, you need permission or to pay for that image, otherwise there’s a good chance it’s illegal to do so. But if you do get permission, you might directly pull the image’s URL and use that to place the photo in your post. The main problem here is that the image is shown on your site, but being hosted on another site’s server.
From this perspective, you don’t have any control over whether or not the photo remains on the server. But it’s also important to realize that people might do this to your website.
If you’re trying to secure your WordPress website, hotlinking is basically another person taking your photo and stealing your server bandwidth to show the image on their own website. In the end, you’ll see slower loading speeds and the potential for high server costs.
7. Understand, and protect, against DDoS attacks
A DDoS attack is a common type of strike against your server bandwidth, where the attacker uses multiple programs and systems to overload your server. Although an attack like this does not jeopardize your site files, it’s meant to crash your site for a long period of time if not resolved. Usually, you only hear about DDoS attacks when it happens to large companies like GitHub or Target. They’re conducted by what many refer to as cyber-terrorists, so the motive might simply be to wreak havoc.
That said, you don’t need to be a Fortune 500 company to be at risk.
If this worries you, we recommend signing up for the Sucuri or Cloudflare premium plans. These solutions have web application firewalls to analyze the bandwidth being used and block out DDoS attacks entirely.
8. Set up a website lockdown feature and ban users
A lockdown feature for failed login attempts can solve the huge problem of continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. Along with over 30 other awesome WordPress security measures, you can specify a certain number of failed login attempts before the plugin bans the attacker’s IP address.
9. Use two-factor authentication for WordPress security
Introducing a two-factor authentication (2FA) module on the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, or more popular, the Google Authenticator app, which sends a secret code to your phone. This way, only the person with your phone (you) can log in to your site.
10. Rename your login URL to secure your WordPress website
Changing the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via
wp-admin added to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username:
admin and password:
p@ssword … with millions of such combinations).
At this point, we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.
This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it.
The easiest way to change your login URL is to use the aptly named plugin WPS Hide Login. It’s very simple to use; just input your new login page URL and save the changes. You can set the URL to anything you want.