Let this guide get you started with 9 ways to secure your authority site, complete with simple and advanced tips you can follow depending on your skill level.
Simple security measures
Don’t fret, you don’t need mad coding skills to beat hackers in real time like in the movies. Check out these simple security measures, which you can even try out as you go through this article.
1. Keep your WordPress site and plugins up to date
WordPress has never been complacent despite being the ultimate big boss among Content Management Systems (CMS). New features. Constant bug fixes. Never-ending optimization. However, every release that closes a security hole also leaves older versions exposed to a vulnerability that is now public knowledge. Developers usually resolve these issues quickly, so update your authority site as soon as a new version is out.
The same goes for WordPress plugins. Stay skeptical! Only install themes and tools from reliable sources. That enticing upgrade might be malicious code in disguise, with bogus developers building a backdoor for easy malware penetration.
Before clicking that Install Now button, do a full background check on the provider on Google or in the WordPress theme and plugin directory. Subscriptions to premium developers often cost more, but the peace of mind you get is definitely priceless.
2. Create complex passwords and enable login authentication
You could be the most forgetful person in the world, but I still won’t tolerate your classic “123456” or “asdfghjkl” passwords. They are inadvisable even for social networking accounts, so why would you entrust your money-making authority sites to such predictable keys?
Draft long, cryptic passwords, complete with upper- and lower-case letters, numbers, and special characters. You can play around with your favorite quote (e.g. “blur the line between work and play” = “13lurTheL!n3b/nW0rk&Pl@y”), but I prefer to create random gibberish strings like “dU$2154z1x7wWwf” (nope, this is not my password).
If you’re wondering how I remember my passwords – I actually don’t! But there are services like LastPass which can help you store and manage them easily.
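The quote-mangling trick above still starts from something guessable. As an added example (not from the article), the following POSIX shell script draws a password from the kernel's random source and checks that it contains all four character classes the article asks for; the function names and the symbol set are my own choices.

```shell
# Added example (not the article's own code): random password from
# /dev/urandom plus a check for upper, lower, digit and symbol.
# Assumptions: POSIX sh with tr and head; /dev/urandom available.
LC_ALL=C; export LC_ALL          # make character ranges byte-based

# Character set: letters, digits and a fixed list of symbols.
# The '-' is last so tr does not read it as a range.
PW_CHARS='A-Za-z0-9!@#$%&*+=?_-'

# gen_password LEN: LEN random characters drawn from PW_CHARS.
gen_password() {
  len="${1:-20}"
  tr -dc "$PW_CHARS" </dev/urandom | head -c "$len"
}

# has_all_classes PW: succeeds only if PW contains an upper-case letter,
# a lower-case letter, a digit and at least one non-alphanumeric symbol.
has_all_classes() {
  case "$1" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$1" in *[a-z]*) ;; *) return 1 ;; esac
  case "$1" in *[0-9]*) ;; *) return 1 ;; esac
  case "$1" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  return 0
}

# gen_strong_password LEN: redraw until every class is present.
# At 20+ characters this almost always succeeds on the first try.
gen_strong_password() {
  len="${1:-20}"
  while :; do
    pw=$(gen_password "$len")
    if has_all_classes "$pw"; then
      printf '%s\n' "$pw"
      return 0
    fi
  done
}

# Usage: one 20-character password, to be pasted straight into a
# password manager such as the LastPass the article mentions.
gen_strong_password 20
```

The class check is deliberately strict: the article's own weak examples (“123456”, “asdfghjkl”) fail it, while its quote-derived example passes.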
3. Customize your WordPress user settings
There are two things on WordPress that you should never set in default: your username, and your user rights.
Did you know that the first thing hackers do is try a standard username? These brute force attackers love WordPress accounts that still use “admin” or “wp_admin.” Unless you want to do them a favor, replace it by creating a new user with admin rights: go to Users > Add New, log in with the new account, then delete the old admin.
Add a layer of protection by managing your user rights. Your team doesn’t need access to everything on your site. Use the admin user you created for administrative tasks only; an extra user with editor rights is enough to handle content publishing.
Even if you’re running a one-man company, having multiple user accounts is still smart. When you’re working away from home and have to use unsecured WLAN networks, never log into your admin user. That way, even if thieves get hold of your editor account, they can’t cause any major damage.
4. Install WordPress Security Plugins
While WordPress only offers the bare minimum in protecting your account, handy plugins can get the job done for you. Here are a few options you can consider installing:
WordFence
This simple but powerful plugin can ward off brute force attackers from your authority site. With the firewall setting activated, hackers are blocked from accessing the site from fraudulent IP addresses and after wrong login attempts. For every subsequent failed attempt, the ban time is increased to 24 hours. The plugin then records the attacker’s IP address and informs you about the attempt via email (if you set it up correctly).
This plugin has not been updated for several years, but it works just fine for my sites. Other alternatives you could explore are Login Ninja and Jetpack.
AntiVirus Plugin
Want a dependable plugin that checks your theme files for malware infections, either manually or automatically once a day? Try out AntiVirus. It also checks the Google Safe Browsing database for you, to see whether your authority site has been classified as unsafe. Whenever it finds something suspicious, the plugin sends you an e-mail notification. As an alternative, you can also give the Google Search Console a try.
5. Prevent spam
Comment sections are great for engaging your readers, but they also make your authority site vulnerable to spam. As you gain popularity, you become a tempting target for spammers who will try to flood you with negative or random feedback. To protect your website from this kind of attack, install the free plugin Antispam Bee. I’ve been using it for all my pages. It’s easy to set up but powerful enough to protect me 99.9% of the time.
Though using captchas for the comment section seems tempting, steer clear of this tactic. Apart from spammers, it may also turn off your readers! A few seconds of hassle can be enough to lose a potential viewer engagement.
6. Create regular backups
No matter how many plugins you install or how complex your password is, it can all be in vain if you don’t make regular backups. If all your other security measures fail, your backup will save you a lot of tears, and getting your authority site back up will be a breeze.
How often you create a backup depends on how often you publish new articles. If you publish something on your finished niche site only once a month, you don’t need to create a backup every day. But I would recommend backing up everything once a week.
I personally back up all of my websites every week with the help of the BackWPup plugin, which I have been using for years. Its free version lets you save your backup directly to Dropbox or to your hard disk, while the Pro version adds cloud storage and more advanced features. Similar plugins available on the market are UpdraftPlus, BlogVault, and BackUpWordPress.
Advanced security measures
The basic security tactics we’ve discussed are often enough, but it doesn’t hurt to go further if you have advanced technical skills. Don’t try these by trial and error! If you have no idea what you’re doing, you might end up with a big chaotic mush where your perfectly running website used to be.
7. Protect your website with the .htaccess file
If your host provider supports .htaccess files, you have abundant opportunities to protect your authority site:
- Creation of an additional login area for WordPress
- Change your default WordPress login URL
- Prohibit outsiders from accessing important folders and files
- Prohibit image hotlinking
- Protect the XML-RPC interface from DDoS attacks
- Suppress PHP error messages so that an attacker cannot read information from them
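As an added example (not the article's own code), the shell function below writes a .htaccess that covers the list above except the login-URL change, which is usually done by a plugin rather than by rewrite rules. It assumes Apache 2.4 with mod_rewrite and mod_authn_file, and that the htpasswd file for the extra login area lives outside the document root; the function name and its three parameters are my own.

```shell
# Added example (not from the article): generate a hardening .htaccess.
# Assumptions: Apache 2.4 ("Require" syntax), mod_rewrite, mod_authn_file.
# The php_flag lines are only honoured when PHP runs as mod_php; under
# php-fpm they cause a 500 error, so set display_errors=Off in php.ini or
# the pool config instead and drop them here.
#
# write_wp_htaccess DOCROOT DOMAIN HTPASSWD
#   DOCROOT  WordPress directory that receives the .htaccess
#   DOMAIN   your own host name, so your pages may still embed your images
#   HTPASSWD absolute path to an htpasswd file kept OUTSIDE the document root
write_wp_htaccess() {
  docroot="$1"; domain="$2"; htpasswd="$3"
  # escape dots so the domain is a literal inside the referer regex
  dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
  cat > "$docroot/.htaccess" <<EOF
# --- additional login area: HTTP Basic auth in front of wp-login.php ---
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $htpasswd
    Require valid-user
</Files>

# --- no directory listings, no direct access to sensitive files ---
Options -Indexes
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)\$">
    Require all denied
</FilesMatch>

# --- hotlink protection: images only for your own pages (empty referer allowed) ---
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^\$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?$dom_re/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)\$ - [NC,F]

# --- XML-RPC: the pingback interface abused for DDoS and login floods ---
# Note: Jetpack and the WordPress mobile apps need xmlrpc.php; remove this
# block if you rely on them.
<Files xmlrpc.php>
    Require all denied
</Files>

# --- PHP errors: log them, never show them to visitors ---
php_flag display_errors Off
php_flag log_errors On
EOF
}

# Usage (paths are placeholders for your own server):
# write_wp_htaccess /var/www/html example.com /etc/apache2/.htpasswd
```

After writing the file, request an image with a foreign Referer header and the login page without credentials to confirm both are refused, and check the Apache error log once, since a typo in .htaccess takes the whole site down with a 500.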
8. Set write and read rights correctly
The golden rule is to give write permissions to as few files as possible – just enough to make your authority site functional:
- /wp-content/uploads/ for media uploads
- /wp-content/cache/ for enabling your caching plugin
If a new plugin or theme requires too many rights to work, take that as a red flag! Find another alternative instead.
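As an added example (not from the article), the script below applies the rule above to a WordPress tree and then counts anything left world-writable, which is also a quick way to see whether a freshly installed plugin or theme loosened permissions behind your back. It assumes the common layout where files belong to your deploy user, are group-owned by the web server's group, and PHP runs under that group; the function names are my own.

```shell
# Added example (not the article's own code): least-privilege file modes
# for a WordPress tree, plus an audit for world-writable entries.
# Assumption: files owned by the deploy/SFTP user, group = web server group
# (e.g. www-data), PHP running under that group. Then 644/755 lets
# WordPress read everything, only uploads/ and cache/ get group writes,
# and nothing is ever world-writable.

# mode_of PATH: octal mode (GNU stat first, BSD stat as fallback)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_wp_perms ROOT: make the tree read-only for the web server, then
# reopen the two directories the article lists as the only writable ones.
harden_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds database credentials and salts: owner read/write,
  # web-server group read-only, nothing for others
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
  for sub in wp-content/uploads wp-content/cache; do
    if [ -d "$root/$sub" ]; then
      find "$root/$sub" -type d -exec chmod 775 {} +
      find "$root/$sub" -type f -exec chmod 664 {} +
    fi
  done
}

# count_world_writable ROOT: number of entries with the o+w bit set.
# Expect 0 after hardening; rerun after installing a plugin or theme to
# spot the "too many rights" red flag.
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Usage on a real server (placeholder path), after taking a backup:
# harden_wp_perms /var/www/html && count_world_writable /var/www/html
```

If PHP runs as the same user that owns the files (a common shared-hosting setup), the group bits do not matter and 755/644 already gives PHP full write access everywhere; in that case the audit function is the useful part, and write restrictions have to come from the host's own tooling.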
9. Change database prefix
After installation, you will be given the default database prefix of “wp_”. To prevent your authority site from brute force attacks, change it pronto through the phpMyAdmin interface or use the plugin Change Database Prefix. If you choose the latter, you’ll have to temporarily give the wp-config.php write permissions. Remove it after you make the necessary changes and uninstall the plugin.