Is Your WordPress Website Really Protected?
Before revealing our recommendations on how to properly protect your WordPress website, let’s start with a little quiz to test your WordPress security smarts.
Whatever your score, keeping your WordPress website protected is paramount. And given how remote work is skyrocketing these days, it’s no wonder why so many of you are turning to WordPress to get that passion project blog or e-commerce business of yours up and running.
Although WordPress currently powers over one-third of the Internet’s top 10 million websites, it also accounts for 90% of all hacked CMS websites.
But don’t let this figure deter you. In fact, it should empower you.
The beauty of WordPress is that you’re ultimately responsible for everything, which includes its security. And although you’re most likely familiar with the basic security measures (ahem a strong username and password, anyone?), there’s still plenty more to learn.
That’s why we’re breaking down everything that was touched upon in the quiz, all in a handy format for you to easily refer back to.
1. Ensure You Have the Latest Version of Themes & Plugins
Perhaps you’re old-fashioned and still prefer using Internet Explorer as your browser. That’s all well and good, but here’s a helpful word of advice: don’t let your WordPress website suffer because you forgot to update it to the latest version.
Given that outdated themes and plugins are the leading causes of hacked WordPress sites, it’s crucial that you set up automatic updates so that the known holes in old code get closed as soon as a fix is released. Our plugin pick? Easy Updates Manager.
Whatever you do, don’t skip this one. If you do, your website is basically asking to be hacked.
2. Hide Your URLs Away
Every successful hacker knows they can find your WordPress dashboard just by adding /wp-admin to your domain name. Instead of making it easy for them to launch a brute-force attack, simply hide your login URL. (We recommend this free plugin to do so.) Keep in mind that a hidden login URL only adds obscurity, so pair it with the login limits described next. If you’re an EasyWP Managed WordPress Hosting customer, don’t forget to check out this handy guide on changing your WordPress Admin URL.
Another easy way to keep your WordPress account safe? Limit the number of failed login attempts. We particularly like the Login Lockdown plugin, which counts failed login attempts coming from the same IP address range and, once a set threshold is reached, temporarily blocks further login attempts from that range. This stops a brute-force attack dead in its tracks.
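To show what such a lockout does under the hood, here is an added illustration (not the Login Lockdown plugin’s own code): it keys on the exact client IP rather than a range, counts failures in a WordPress transient, and refuses further logins once the threshold is hit. The `nc_example_` names and the 5-attempt / 15-minute values are assumptions.

```php
<?php
// Added example (not the Login Lockdown plugin's code): throttle repeated
// failed logins per client IP using WordPress transients.
define('NC_EXAMPLE_MAX_FAILS', 5);                        // assumed threshold
define('NC_EXAMPLE_LOCK_SECONDS', 15 * MINUTE_IN_SECONDS); // assumed lock window

function nc_example_client_ip() {
    // REMOTE_ADDR is only right when PHP sees the visitor directly. Behind a
    // CDN or reverse proxy, read the proxy's forwarded header here instead,
    // and trust it only when the request really came from that proxy.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function nc_example_fail_key() {
    return 'nc_fails_' . md5(nc_example_client_ip());
}

// Count every failed attempt. The transient expires on its own, so the
// counter (and therefore the lock) resets after NC_EXAMPLE_LOCK_SECONDS.
add_action('wp_login_failed', 'nc_example_record_failed_login');
function nc_example_record_failed_login($username) {
    $fails = (int) get_transient(nc_example_fail_key());
    set_transient(nc_example_fail_key(), $fails + 1, NC_EXAMPLE_LOCK_SECONDS);
}

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked IP is refused even when it finally guesses the right password.
add_filter('authenticate', 'nc_example_block_locked_ip', 30, 3);
function nc_example_block_locked_ip($user, $username, $password) {
    if ((int) get_transient(nc_example_fail_key()) >= NC_EXAMPLE_MAX_FAILS) {
        return new WP_Error(
            'nc_too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}

// A successful login clears the counter for that IP.
add_action('wp_login', 'nc_example_clear_failed_logins');
function nc_example_clear_failed_logins($user_login) {
    delete_transient(nc_example_fail_key());
}
```

Because the block itself is reported as a failed login, each refused attempt during the lock window also refreshes the counter, which keeps a persistent attacker locked out longer.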
You should also consider using reCAPTCHA, Google’s free service that helps protect websites from spam and abuse.
3. Keep Your Version Hidden
While on the subject of hiding, don’t forget to hide your current WordPress version. Hackers often target sites that unwittingly advertise the exact version they run, because a known version can be matched against the vulnerabilities published for it.
The solution? Add this simple code to the functions.php file of your WordPress theme, which makes it that much harder for a hacker to, well, crack your website.
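As an added example (not the article’s own snippet), here is what such a functions.php addition looks like. It strips the version from the three places WordPress prints it by default: the generator meta tag, the feed generator tag, and the `?ver=` query string on core scripts and stylesheets. The `nc_example_` function name is an assumption.

```php
<?php
// Added example: hide the WordPress version number. Put this in the active
// theme's functions.php, or better in a small custom plugin so a theme
// update cannot overwrite it.

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head>.
remove_action('wp_head', 'wp_generator');

// 2. The generator tag in RSS/Atom feeds and other output of the_generator().
add_filter('the_generator', '__return_empty_string');

// 3. The ?ver=x.y query string WordPress appends to core CSS and JS URLs,
//    which reveals the same number. Only strip it when it matches the core
//    version, so plugin/theme asset versions keep working for cache busting.
function nc_example_strip_core_version($src) {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'nc_example_strip_core_version', 9999);
add_filter('script_loader_src', 'nc_example_strip_core_version', 9999);
```

This only removes the obvious hints; the readme.html file shipped in the WordPress root still states the version, so delete or block it as well, and keep updating regardless.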
4. Be Wary of Certain Plugins & Themes
Treat your WordPress website the same as you’d treat your trusted smartphone. You wouldn’t install an untrustworthy application on there, would you?
The same goes for any WordPress theme or plugin that seems too good to be true. Although you might not know off-hand which ones are safe to use, you can easily cross-reference them with our handy list of untrustworthy plugins. A brief side note about caching plugins: while EasyWP has built-in caching, Shared Hosting supports caching plugins.
Another helpful rule of thumb? If you’re reading a WordPress plugin review, check to see how many people are actually using it. You might just find yourself reconsidering that installation, after all.
As for WordPress themes, the same rule applies. Many of the custom “free” themes contain base64-encoded blocks, which are often used to hide malicious code. This is yet another avenue for hackers to gain access to your website files and upload malware.
Now is also a good time to do a quick inventory of those plugins or themes that you never use. Our advice? Remove them immediately from your WordPress account. Many forget to update plugins or themes they don’t use, which can lead to gaps in security.
5. Consider Manual or Automatic Backups
If you’re new to WordPress and still learning the ins and outs of editing your website, you might very well find yourself having forgotten to back up the latest version of your site before making changes.
Whatever you do, don’t panic. As a Namecheap Hosting customer, it’s super easy to back up.
For EasyWP customers, create your backups in just one click.
For Shared Hosting customers, take advantage of the AutoBackup tool via the Softaculous app located in your cPanel.
6. Always Use Protection
As the saying goes, it’s far better to be safe than sorry.
When it comes to your WordPress website, solid protection, in the form of security plugins, is your first line of defense.
In no particular order, here are our top three plugin suggestions to keep your website protected:
- Wordfence Security. Actively scans your website for all activity/changes made.
- Acunetix WP Security. Monitors your website for any WordPress security weaknesses.
- All In One WordPress Security. Checks for vulnerabilities as well as implements and enforces the latest recommended WordPress security practices and techniques.
If you already follow more than half of our recommendations, give yourself a pat on the back! Your WordPress website is well on its way to keeping those cyberattacks at bay.
Wew! Thanks Namecheap 🙂
Nice article, but I feel one shouldn’t use Google reCAPTCHA on their blog, because Google reCAPTCHA collects data and a lot more. Here, read this first: https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side
Instead, use another reCAPTCHA service.
Thanks for your input! We’ve recommended this Google plugin since it’s one of the safest and most popular. We did some research on a few other non-Google captchas, e.g. Sweet Captcha and Confident Captcha, and it appears as though their WP plugins haven’t been updated for three or more years. At Namecheap, we’re all about security and unfortunately, these other plugins don’t seem safe enough for us to recommend. If you have any personal recommendations, we’d love to hear them!
How can I get a security key for my site?
Thanks for reading! You can copy your security keys in the wp-config.php file in the root folder of your domain (make sure to look for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY). If you didn’t set them up during installation or if you’d like to re-generate those keys, you can do it through this generator: https://api.wordpress.org/secret-key/1.1/salt/. Hope this helps!
Do you feel Google Captcha can do a better job in terms of blocking spammers?
Hi! Google Captcha should definitely help to filter most of the bots and spammers, but it’s still not the ideal option. It works best together with other protective measures.
For example, if you want to protect your contact form from spammers, you can try the honeypot method. Basically, it adds a hidden field to your contact form. Real users won’t complete it because the field is invisible. However, bots won’t know this and will fill it in. This allows the plugin to recognize them as bots and block their submission.
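For readers who want to see the honeypot method in code, here is an added example (not any plugin’s own code) applied to the built-in WordPress comment form, which has stable hooks where contact-form plugins differ. The field name `nc_website_url` and the `nc_example_` function names are assumptions.

```php
<?php
// Added example: a honeypot field on the WordPress comment form. The field
// is moved off-screen so people never see or fill it, but form-filling bots
// typically complete every input they find; a non-empty value rejects the
// submission before the comment is stored.
function nc_example_honeypot_field() {
    // Name is an assumption; pick one that is NOT a real field on your form.
    echo '<p class="nc-hp" style="position:absolute;left:-9999px" aria-hidden="true">'
       . '<label for="nc_website_url">Leave this field empty</label>'
       . '<input type="text" id="nc_website_url" name="nc_website_url" value=""'
       . ' tabindex="-1" autocomplete="off">'
       . '</p>';
}
// Logged-out and logged-in visitors get different form hooks; cover both.
add_action('comment_form_after_fields', 'nc_example_honeypot_field');
add_action('comment_form_logged_in_after', 'nc_example_honeypot_field');

// Runs before wp_new_comment() inserts anything into the database.
add_filter('preprocess_comment', 'nc_example_honeypot_check');
function nc_example_honeypot_check($commentdata) {
    if (!empty($_POST['nc_website_url'])) {
        // Generic message on purpose: no hint about which field tripped it.
        wp_die(esc_html__('Your comment could not be submitted.'), 403);
    }
    return $commentdata;
}
```

A bot that leaves every optional field blank will still get through, which is why the reply above recommends combining the honeypot with a CAPTCHA or other checks rather than relying on it alone.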