Secure Your WordPress Website

Top Tips To Secure Your WordPress Website

Martin Starkie Online Security, Server Side & Web Technical, Web Specialists Blog

If you are a WordPress website owner you should be very concerned about your website security.

Your website security should be as “locked down” as possible. During your quest for better WordPress security you also need to think about the usability of your website and make sure you have got the balance right.

The balance can be easily tipped, on one side of the equation you can have a really usable website that has no security, and on the other side you can have a website that is completely locked down but is unusable to the end user, i.e your customers.

We all know that a good strong password and having the right permissions on your WordPress website is the first step you need to take when creating a WordPress website, but there are some extra steps you can take to increase your website security even further without affecting the usability.

  • Out of hours lock down

    If your website admin works office hours and you know nobody needs to access your website outside of those hours, it is a good idea to create a schedule that automatically locks down access to you WordPress website outside of office hours.

  • Use available resources

    The professionals in the internet security industry have made available a list of “bad actors”. The list is continually curated of bots/IP addresses that have earned themselves a reputation of being blocked. You can add this list to your website and block anyone on this list from accessing your website.

  • Don’t make it easy for any user or bot attempting to do harm to your website

    If your web team initially setup your WordPress website and gave you your admin login details with the username “admin” then you should be questioning, how concerned they are about your website security? Many years ago when creating a WordPress website, by default, WordPress would generate a main administrator and give them the username as “admin” and ever since humans and bots will use that username when attempting to hack into your website. A basic rule is to create the main administrator with a username that is completely unrelated to the business or website.

  • Close Security holes

    The most recent security hole that was discovered was a major security vulnerability which existed in the XML-RPC protocol in WordPress. Plugins like JetPack use this protocol to function with outside sources and even allows Desktop and mobile apps to access your WordPress site. If the XML-RPC protocol is enabled on your website it creates a vulnerability which could allow someone to attempt an infinite number of login attempts that could brute-force your passwords. Our advice would be if you don’t really need these plugins that use the XML-RPC protocol that remove them from your website. If you do rely on these plugins there is a fix available which will eliminate the ability for outsiders to use multiple attempts to login at the same time.

By enabling the above suggestions, this will give you good WordPress website security but this needs to be coupled with regular security updates of your WordPress core files and good management and maintenance of the server that your website is hosted on. This lies in the hands of your Web Team and/or Web hosting company.


Need a Web Technical Support Team?

Drop us a line for a friendly chat about your website on 01282 618210 or...

Share this Post