
How To Secure Your WordPress Site

Gary Stevens — Last Updated on April 28, 2021

WordPress often gets a bum rap as an insecure platform that invites any passing hacker to simply reach in and mess with stuff like taking candy from a baby.

This reputation is largely undeserved. The problem is rarely WordPress core itself. Most compromised sites were running outdated plugins or themes, weak or reused credentials, or a default configuration the owner never took the precautionary (you know, proactive!) steps to harden.

How To Secure Your WordPress Website

So, if you are a WordPress site owner and mad as heck that you got hacked, don’t let your first reaction be to swear off the most popular CMS (content management system) in the galaxy.

Instead, ask yourself what you have done to prevent being hacked. If your jaw has lodged open as your brain struggles for a thought, never fear. We’re here to show you…

#1. Repel Brute Force Attacks with a Lockdown Feature

Hackers love to point scripts at WordPress websites that sit at the front door and automatically try thousands of username and password combinations.

This is called a brute force attack, and a stock WordPress install does nothing to slow it down: wp-login.php will accept as many guesses as a bot cares to send, and xmlrpc.php accepts logins too (and can batch many guesses into a single request through system.multicall). By deploying a plugin like All In One WP Security & Firewall you can limit failed attempts per IP address, lock that address out for a while after too many failures, disable XML-RPC if nothing uses it, and much more. If you control the web server, rate limiting there stops the traffic before PHP ever runs.
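A lockout plugin makes its decision from the failed logins it sees inside WordPress. The same signal is visible in the web server's access log, and the following Python script, added here as an illustration rather than taken from the article or from any plugin, shows the detection logic: it counts POST requests to wp-login.php and xmlrpc.php per client IP inside a sliding five-minute window and reports the addresses that cross a threshold, which is what you would feed to a firewall rule or a fail2ban jail. The log lines are constructed samples in the Apache/nginx combined format; the addresses, threshold and window are assumptions for the demonstration.

```python
"""Brute force detection from a WordPress site's web server access log.

Added example, not the article's or any plugin's code. Counts POST requests
to the login endpoints per client IP within a sliding window and reports
the IPs that cross a threshold. Input lines are assumed to be in the
Apache/nginx "combined" log format and in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One combined-format request line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Both endpoints accept credentials; bots use xmlrpc.php to dodge login-page limits.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields we need, or None for lines that are not request lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?redirect_to=... etc.
        "status": int(m.group("status")),
    }


def is_login_attempt(rec):
    """A POST to a login endpoint is one credential guess (a GET just loads the form)."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> peak number of login POSTs seen inside any window-long span,
    for IPs that reached the threshold. These are the lockout candidates."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # evict guesses that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log (documentation-range IPs, not real traffic).
# 203.0.113.7 hammers both endpoints; 198.51.100.4 is a normal user whose
# POST returned the 302 a successful login produces; 192.0.2.9 spreads two
# guesses an hour apart, which a 5-minute window should not flag.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Apr/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Apr/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Apr/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Apr/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.25"',
    '198.51.100.4 - - [28/Apr/2021:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Apr/2021:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [28/Apr/2021:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "curl/7.68"',
    '192.0.2.9 - - [28/Apr/2021:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for ip, hits in find_brute_forcers(SAMPLE_LOG).items():
        print(f"lock out {ip}: {hits} login POSTs inside the window")
```

Run it against a real log with `find_brute_forcers(open("/var/log/nginx/access.log"))`; the threshold and window should match whatever the lockout plugin enforces so the two views agree.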


#2. Two-Factor Authentication (2FA)

Rather than a single password, 2FA (once again, not difficult to set up) requires the user to present a second factor: something they have, in addition to the password they know.

One popular method is a one-time code generated by an authenticator app on your phone, or sent to it by SMS, each time you log in. A stolen password alone is then not enough; the attacker would also need your phone, so 2FA makes it much harder to penetrate your site. App-generated codes (TOTP) are preferable to SMS codes, which can be intercepted through SIM swapping, and free 2FA plugins add either method to the WordPress login form.
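What a 2FA plugin does behind the login form is simple enough to show in full. The following Python code is an added example, not the article's and not any specific plugin's implementation: it generates the time-based one-time codes (RFC 6238 TOTP, built on RFC 4226 HOTP) that authenticator apps display, and verifies a submitted code with one 30-second step of tolerance for clock drift. The secret used at the bottom is the RFC test vector, included only so the output can be checked against the standard; a real deployment generates a random secret per user and shares it once by QR code.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.

Added example, not the article's code and not a particular WordPress
plugin's. hotp() is RFC 4226, totp() derives the counter from the clock,
verify_totp() is the server-side check with drift tolerance.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """The code an authenticator app shows at Unix time `at` (now by default)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, drift=1):
    """Accept the current step and `drift` steps either side, so a phone whose
    clock is a few seconds off still works. compare_digest avoids leaking
    how many leading digits matched through timing."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-drift, drift + 1))


def secret_from_base32(text):
    """Apps and plugins exchange the shared secret as unpadded base32."""
    cleaned = text.strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding base64.b32decode wants
    return base64.b32decode(cleaned)


# Reference secret from RFC 4226 / RFC 6238: ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET))
    print("RFC 6238 vector at t=59:", totp(RFC_SECRET, at=59, digits=8))
```

Because the server must hold the same secret as the phone, protect the usermeta where a plugin stores it as carefully as password hashes, and add backup codes so a lost phone does not lock the only administrator out.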

#3. Use Your Email to Login

You can choose to log in with your email address instead of a username. The idea is that a username is easier to guess than an email address, which puts you one step above the masses.

Two caveats. Since WordPress 4.5 the login form already accepts either a username or an email address, so to get any benefit a plugin has to disable the username path, and a free plugin can do that. More importantly, usernames are not really secret: author archive URLs (?author=1) and the REST API users endpoint expose them by default, so treat this as a small gain and rely on rate limiting and 2FA for the real protection.

#4. Change the Login URL

It is a short path for a hacker to find your WordPress login page. Out of the box it sits at wp-login.php (and wp-admin redirects there), and that is where brute force scripts are pointed. Moving it to something harder to guess cuts the automated noise and the server load it causes. It is obscurity rather than a real control, though: the same plugin should also cover xmlrpc.php, and the measures in #1 and #2 still need to be in place behind the new address.

#5. Improve Your Password Game

Without focused effort and discipline, most humans become far too predictable with their passwords. Current best practice (NIST SP 800-63B) favours length over composition rules: use a long passphrase or a randomly generated password of at least 12 to 16 characters, never reuse it on another site, and keep it in a password manager so length costs you nothing. Change it when there is reason to believe it has been exposed, rather than on a fixed 3-6 month schedule, which mostly produces predictable variations of the old one. WordPress includes a strength meter and a generator on the user profile page; use them, and insist on them for every account that can publish.


#6. Lockdown the wp-admin Directory

The wp-admin directory is the heart of it all. If bad guys get in, they can wreck your entire website in short order. A good idea is to put a second password in front of this directory at the web server level (HTTP basic authentication via .htaccess and .htpasswd on Apache, or auth_basic on nginx), one you have to enter before you ever reach the dashboard login. That keeps unauthenticated traffic, and any vulnerable admin-side plugin code, behind a gate that WordPress itself never has to handle. One exception is needed: wp-admin/admin-ajax.php is used by many themes and plugins for ordinary visitors, so exclude it from the challenge or parts of the public site will break.

#7. Get an SSL Certificate

Google has strongly pushed the idea of every website serving its traffic over HTTPS with a TLS certificate (still commonly called an SSL certificate, after the protocol TLS replaced).

HTTPS has been a search ranking signal since 2014, and Chrome has labelled every plain-HTTP page "Not secure" in the address bar since 2018. Beyond search results, it is what keeps your login password and session cookies from crossing the network in the clear.

Here's a good idea – get one! Let's Encrypt certificates are free and most hosts can issue one with a click. After installing it, set both the WordPress Address and Site Address to https://, redirect HTTP to HTTPS, and set FORCE_SSL_ADMIN to true in wp-config.php so the dashboard is never served over HTTP.

#8. Bad Ideas in User Naming

Older WordPress installers filled the username field with "admin", and many hosts' one-click installers still default to it. You'd be surprised how many people leave it like that. That's a gimme to a hacker: it is the first name every brute force script tries, so all that is left is guessing your password. Create a new administrator with a different name, log in as that user, then delete the old admin account and attribute its posts to the new one. Keep your display name different from your login name, since the display name is shown publicly on every post.

#9. Did You Change that File?

Wordfence is one of the most downloaded WordPress security plugins. In addition to being a fine overall security service, it has one feature we like: its scanner compares core, plugin and theme files against the known-good copies in the WordPress.org repository and tells you when a file has been changed by someone other than you, or when a file that does not belong has appeared. Modified files are how most backdoors persist, so treat every unexplained change as an incident rather than noise.
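For a picture of what a file change monitor does, here is an added Python example, not Wordfence's code and not from the article: it records a SHA-256 baseline of every file under a document root, compares a later snapshot against it, and reports what was added, modified or removed. The demo() function builds a throwaway tree in a temporary directory with a few constructed files and simulates the kind of changes a compromise leaves behind (a backdoor appended to a theme file, a new PHP file, a deleted file), so it runs without a WordPress install. The skipped directories are an assumption: uploads change legitimately all the time and need a different check.

```python
"""File integrity monitoring for a WordPress document root.

Added example, not the article's code and not Wordfence's. build_manifest()
hashes every file under a directory; compare_manifests() reports additions,
modifications and removals against a saved baseline. demo() exercises the
whole flow on a constructed directory tree in a temporary folder.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption for the demo: these trees change legitimately all the time and
# need a different check (file type allow-lists) rather than a hash baseline.
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def file_sha256(path, chunk_size=1 << 16):
    """Stream the file so large media or backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: sha256} for every file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if rel_dir in SKIP_DIRS:
            dirnames[:] = []  # prune: do not descend into a skipped tree
            continue
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = file_sha256(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify the differences; any non-empty list is worth an alert."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Keep the baseline off the web server: an intruder who can edit site
    files can just as easily edit a baseline stored next to them."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed mini site, take a baseline, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme setup\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")

        baseline_path = Path(store) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated compromise: backdoor appended, web shell dropped, file deleted,
        # plus a legitimate new upload that the monitor is meant to ignore.
        with open(theme / "functions.php", "a") as fh:
            fh.write("eval(base64_decode($_POST['c']));\n")
        (theme / "shell.php").write_text("<?php system($_GET['x']);\n")
        (root / "index.php").unlink()
        (root / "wp-content" / "uploads" / "new.jpg").write_bytes(b"\xff\xd8\xff")

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline immediately after a clean install or update, store it and the script somewhere the web server user cannot write, and re-run the comparison from cron; a change you did not make is the earliest sign of a compromise you are likely to get.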


We also recommend using Wordfence alongside other security tools, like a firewall and virtual private network (VPN). I recommend and review several of the best VPN services for Canadian small business, so have a look and pick one that works within your budget.

#10. Re-Name Your Database

SQL injection is a common attack on WordPress databases, and you will often read that leaving the default "wp_" table prefix in place makes it easier.

Be clear about what renaming the prefix does and does not buy you: it is obscurity. An attacker who has found a genuine injection flaw can read the real table names out of information_schema, and blind, automated attacks simply guess "wp_" first. The real fix for SQL injection is code that passes every query through $wpdb->prepare(), which is a plugin-quality issue and another reason to keep plugins few and updated. That said, a non-default prefix costs nothing and defeats lazy mass-exploitation scripts, so change it to something like "mywp_" or "wpsquirrels_" on a new install. On an existing site take a full backup first, then use a plugin like WP-DBManager to rename every table, update the $table_prefix line in wp-config.php, and update the option and usermeta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level), or the site will lock you out.

It's important to choose the best WordPress web host you can afford. A good hosting company takes care of server patching, account isolation and backups for you, and the cost of a serious compromise easily exceeds whatever you save on cheap hosting.

#11. Regular Backups – the Miracle Cure

Cure to what, you ask…?

Just about anything a bad guy can do to your website can be undone when you have a regular, comprehensive backup process in place: the database and the wp-content directory (uploads, themes, plugins) at minimum, stored somewhere other than the web server itself, kept long enough that a copy from before the compromise still exists, and restored to a test site now and then so you know the process works before you need it.

On the other hand, not backing up your website leaves you with the prospect of starting again from scratch if it gets infected. Remember too that a backup taken after the break-in contains the backdoor; restore from a clean copy, then apply the updates and password changes that should have kept the attacker out.

#12. Check Audit Logs

If you have a multi-user website, audit logs provide a record of what each person with login permissions has been doing: logins and failed logins, plugin and theme changes, role changes, content edits. Maybe you think you can trust everyone.

Regardless, make it a point to at least scan the audit logs regularly, and ship them off the server if you can, because the first thing an intruder with admin access does is cover their tracks. The logs are also the place to start your detective work if something goes awry on the site.


#13. Choose Your Web Hosting Company Wisely

Not all web hosts are created equal. Each tends to do one thing a little better than the others.

When it comes to WordPress web hosting, look for a company that specializes in that CMS. One-click installation is a convenience that any worthwhile WordPress host provides; the things that actually protect you are isolation between customer accounts, automatic core and PHP updates, a web application firewall, daily backups you can restore yourself, and support staff who know what a compromised WordPress site looks like.

#14. Stop File Editing

Wouldn't it be great if there was a way to stop a hacker from editing files even after they managed to log in?

For one common path, there is, and it's easy to implement. The dashboard's built-in theme and plugin editor lets any administrator write PHP into the site from a browser, which is exactly how a stolen admin password turns into a web shell. Find the wp-config.php file and add this line above the "That's all, stop editing!" comment: define('DISALLOW_FILE_EDIT', true);

Be clear about the scope: this removes the in-dashboard editor only. An attacker with FTP, SSH or a vulnerable upload plugin can still write files, so it complements rather than replaces tight file permissions and the file change monitoring in #9. The related DISALLOW_FILE_MODS constant goes further and also blocks installing and updating plugins and themes from the dashboard, which is appropriate only when you deploy those some other way.

#15. Stay Up To Date

Every time a theme, plugin, or the WordPress software itself issues a security update or new version, install it right away. An update normally means that bugs or security problems have been found and fixed, and the fix itself tells attackers exactly where the hole is.

If you forget to update or ignore the notification, you leave that known vulnerability open for hackers to walk through. WordPress applies minor core releases automatically by default, and since version 5.5 you can turn on automatic updates for individual plugins and themes from the dashboard. Delete any plugin or theme you are not using; deactivated code on disk can still be reached and exploited.

If this is too hard to remember you can opt to use a website builder software like Wix or Squarespace, which run automatic updates in the background so you don’t have to do it manually. Check out our reviews of the best website builders for Canada to learn more.

See also: How to Move Http to Https on WordPress

Final Thoughts

Don’t let yourself be overwhelmed by the sheer number of preventative measures covered here. Believe us, there are dozens more we could have included. The point is to get proactive about keeping hackers out of your WordPress website.

There are plenty of tools and strategies with which to do the job. Feeling overwhelmed? Call or chat up the tech support department at your web host – the one that specializes in WordPress – and ask for help.

The bottom line is that there is nothing inherently unsafe about WordPress that can’t be found in any other website development platform.

The success or failure of repelling hackers lies squarely with the website owner and how motivated he or she is to keep the bad stuff and people out.

Choosing the most secure web hosting provider you can is a great way to avoid a lot of these problems in the first place. But you can always find a way to switch web hosts for your WordPress site.