WordPress Security Checklist: 17 Valid Points
Protecting your website is as important as securing your house, which is why we have created this WordPress security checklist. Cybercrime is more common than ever: personal information is stolen and later sold or used for blackmail, website data is stolen for extortion, and much more. You certainly do not want that to happen to your website, so you need to keep a constant eye on its security.
WordPress Security Checklist
Below we describe several ways to protect your website. They are not mutually exclusive: combine as many of them as you can to make the site harder to compromise.
1. Good hosting
The first step in securing your website is hosting, which is the most important item in this WordPress security checklist. Shared hosting is more exposed, because your website can be compromised even when the attack was aimed at another website on the same server. Dedicated or managed servers are better in this respect: they host only your website and apply a high level of security measures. This does not mean you can skip your own protection, though. A hardened server is hard to break into; your website still has to be secured separately. We have handpicked the best WordPress managed hosting companies.
2. WordPress core, plugin, and theme updates
WordPress is a constantly developing platform, and so are its themes and plugins, so new versions are released regularly. These versions bring new features, bug fixes and security patches. Obviously it is impossible to find and fix every weak spot in one go, but developers around the world are working to reduce them, which is why newer versions keep appearing. Each new version closes loopholes that attackers could otherwise use to get in. We have prepared our own guides: how to update WordPress plugins, how to update WordPress core and how to update a WordPress theme.
3. Multiple security levels
A single password is not the best protection you can have; it is in fact the most basic level there is. Several kinds of multi-layered protection can be set up, and it is up to you which one you choose. The most popular is two-factor authentication: various apps provide you with a code that changes every minute or two, and if you do not enter it within that time span you will not be logged in. Check out our beginners' guide on WordPress security.
4. WP security plugin
WordPress security plugins are useful add-ons. They give you valuable information in the form of a report showing whether your website is in good shape. The report is produced by scanning: the plugin scans your website to detect malware or viruses. If the website has been hacked or malware is detected, it alerts the company that maintains your website. There is a huge choice of these plugins, and it is up to you which one to buy. We recommend iThemes Security or Wordfence.
5. Strong password and over time span password change
It is highly recommended to set a strong password from the very first time you create one. This lowers the chance that someone logs in as an administrator, deletes all your data, or plants malware that steals the information being entered. It is also a good idea to enforce periodic password changes with a plugin such as iThemes Security, which will ask you to change your password after a set period of time.
6. SSL certificate
This certificate is required if your website is an online store. Having it means that your website meets the set requirements, and it proves to your customers that the site is protected and their data is safe. No one wants someone else to get access to their credit card or bank account.
7. Login attempt limit
To prevent your website's admin and visitor accounts from being hacked, it is advised to limit login attempts. This sets a limit after which the account is suspended for some time and cannot log in. It is also a good idea to set up an automatic e-mail notification that is sent whenever there are failed login attempts.
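As an added example (not code from the original post or from any plugin it names), here is a small must-use plugin for wp-content/mu-plugins/ that does what this item describes using only WordPress's own hooks and transients: it counts failed logins per client IP, rejects further attempts once the limit is reached, and e-mails the site admin when a lockout starts. The policy of five failures in 15 minutes and the assumption that the site is not behind a reverse proxy are ours.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example mu-plugin)
Description: Locks out a client IP after repeated failed logins and e-mails the admin.
*/

// Assumed policy (not from the post): 5 failures within 15 minutes => lockout.
const LAL_MAX_ATTEMPTS = 5;
const LAL_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

function lal_client_key(): string {
    // Key the counter on the client IP. Assumption: no reverse proxy in front
    // of the site; behind one you would have to use the proxy's forwarded header.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_fail_' . md5($ip);
}

// Count each failed login per IP in a transient that expires with the window.
// Every new failure refreshes the expiry, so a persistent attacker stays locked out.
add_action('wp_login_failed', function ($username) {
    $key   = lal_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_WINDOW_SECS);

    if ($count === LAL_MAX_ATTEMPTS) {
        // Notify the site owner once, at the moment the lockout begins.
        wp_mail(
            get_option('admin_email'),
            'WordPress lockout: too many failed logins',
            sprintf("IP %s was locked out after %d failed logins (last username tried: %s).",
                $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, $username)
        );
    }
});

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so the lockout overrides the result even when the password happens to be right.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_client_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(lal_client_key());
});
```

Transients live in the options table (or the object cache), so the counter is shared across all PHP workers of the site without any extra storage.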
8. Two-factor verification
This method is a very common way to protect your website. It uses a verification app that usually generates codes changing every 1-3 minutes, depending on the app and the kind of verification you use. After you type in your login and password, you are asked to enter the code currently shown in your authentication app. If you do not manage to log in before the code changes, you will need to enter the new code that has appeared.
9. Do not use nulled themes or plugins
Nulled themes and plugins are usually premium products that have had their copyright and licensing checks removed. They receive no support from their developer, so when an update is released you will not get it. That means you will not get any bug or security fixes, which makes it highly likely that your website will be hacked. Also, you will not be able to update your WordPress core.
Let’s continue with our WP security checklist:
10. Enable a Web Application Firewall
A WAF (Web Application Firewall) is one of the quickest ways to protect your website. It adds several layers of security against various known and unknown threats. There are two types of WAF:
- Hosted: a plugin installed directly in WordPress. Requests are examined, and malicious ones blocked, only after they have already reached the web server.
- Cloud-based: a cloud-based security provider protects the site. It sits outside your hosting infrastructure, at the network edge, so malicious requests are stopped before they reach your server.
11. Switch your site to HTTPS
HTTP is the method by which data is transferred on the internet; you can see it at the beginning of every website address. Data sent over plain HTTP is also very easy to intercept, which really matters if you are sending sensitive data, does it not? To remove that possibility, it is recommended to switch from http to https. To do so you need to obtain an SSL certificate, which encrypts the data being transmitted.
12. Magic link password
This method of protection is mostly used at registration, but it can also be used for logging in. After registration, you are asked to enter a specific key (a password) that has been sent to your e-mail, to validate that you are not a bot. Some sites also use it when visitors log in: they are asked to provide the key that was sent to their registered e-mail. This ensures that it is the account owner who is logging in.
13. WP-login URL change
If you do not change your WP-login URL, it is like an open door whenever someone tries to hack into your website. This is the first thing you should do whenever you set up a website: a straightforward change of the WordPress login URL.
14. Change core folder names wp-content, wp-includes, wp-admin
To change the names of the most crucial folders you will need to install a plugin that allows you to do so. The purpose is to make it harder to tell which folder is an important part of the website; these folders contain all the themes, plugins and media files. After renaming, the folders must stay in the same directory: if you move them elsewhere, your website will crash, so keep this in mind.
15. Protect wp-config.php via .htaccess file
This file contains the most crucial information about your website: it stores the security keys and the database connection details. You definitely do not want it to fall into someone else's hands. This is the easiest way to protect it:
- Connect to your website using an FTP client.
- Download the .htaccess file from the root of your website.
- Open it using Notepad or another text editor.
- Copy the text below into it (the directives must be wrapped in a <Files> block; a bare "deny from all" in the root .htaccess would lock every visitor out of the whole site):
<Files wp-config.php>
# protect wp-config.php; on Apache 2.4 without mod_access_compat use: Require all denied
deny from all
</Files>
- Save it with the "Save as" function so that it does not get a .txt extension.
- Upload .htaccess back to the root of your website.
16. Disable file editing
If you are not the only one with administrator rights and the other party is not supposed to do any coding, it is better to disable theme and plugin editing to preempt any unexpected changes made by them. Such changes can crash the entire website or be used to install malware. One way to do this is with a plugin; iThemes Security is one of the plugins that provide this. After installing it, go to Security -> Settings, then to WordPress Tweaks. There you will find the Disable File Editor tickbox: tick it and press the Save Settings button. That is all; you have secured your website from unwelcome file editing.
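The same result without a plugin, as an added example that is not from the original post: WordPress reads two constants from wp-config.php, and the plugin's tickbox sets the first of them for you. The placement instruction and the comment about when the second constant is appropriate are ours.

```php
<?php
// Added example for wp-config.php (not from the post): put these lines above the
// "That's all, stop editing!" comment, so they are defined before WordPress loads.

// Removes Appearance > Theme File Editor and Plugins > Plugin File Editor for
// every user, administrators included. Updates from the dashboard still work.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also blocks installing and updating themes, plugins and core
// from the dashboard. Enable it only if you deploy updates another way (e.g. from
// version control), otherwise item 2 of this checklist becomes impossible to follow.
// define( 'DISALLOW_FILE_MODS', true );
```

After saving, the two editor entries disappear from the admin menu; if they are still there, the defines were placed too late in the file or the file was not uploaded.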
17. Back up your site regularly
The last and most logical way to secure your website is to create backups regularly. It is advised to make multiple backups at once and store them in different places. A backup is your best friend if something ever happens to your website.
To sum it up
There are many ways to secure your website, and the most important ones are in this WordPress security checklist. The more of them you apply, the better for you and your business in the future. Remember too that not having been hacked today does not mean you never will be. Spending some money on your website's security will save you more and let you sleep well at night. We hope the ways we described will encourage you to improve the protection of your website.