WordPress has long been the world’s most popular website-building platform and as of May 2024, is used on a staggering 43.4% of all websites . Being free, easy to use and with tens of thousands of plugins to add additional functionality, its popularity is no surprise. It’s also one of the few platforms to have web hosting solutions specially designed for it and there are no end of websites offering users help with every aspect of building, customising and managing their sites. However, WordPress is also popular with cybercriminals. With hundreds of millions of sites, many not secured effectively, it is a major target. To ensure your site isn’t one of those vulnerable to cyberattacks, here we look at some of the most important tips to keep your WordPress site secure.
Contents
Security-focused hosting
The starting point for securing your WordPress website is to choose a hosting provider that takes security seriously. According to the UK government, half of UK businesses experienced a cyberattack in the last 12 months , while security firm Astra says 30,000 websites are hacked every day, 43% of which belong to small companies . A good web host will put effective measures in place to prevent their customers from such attacks. At Webhosting UK, for instance, we defend our WordPress Hosting customers with a WordPress application firewall that keeps hacks and bots away from your site all day, every day. In addition, we offer free daily backups, spam filtering and email encryption. Moreover, you can use our excellent WordPress Toolkit to enhance security even more. Putting these measures in place by yourself would be technically challenging, costly and require ongoing monitoring; with a secure web host, however, this important work is done for you.
Use 2FA
The next step in protecting your site is with the logins for your WordPress dashboard, control panel and hosting account. If a hacker gets access to any of these they can cause havoc. They can change passwords and lock you out of your own account and then have the freedom to take control of your hosting services, domains, email accounts and, of course, your website.
The first step to making these secure is to use strong passwords of at least 16 characters made up of a random string of capital and lowercase letters, numbers and special characters. These will be really difficult for hackers to crack. Secondly, each of the logins should have a different password and none of the passwords should be ones you have used for any other online account.
While this can help with security, it is not enough given the sophisticated tools that hackers use today. Ideally, you need to double up with two-factor authentication. This will require you to type in an extra six-figure code during the login – one that is generated on your phone. As you have your phone with you, and the codes change every 30 seconds, hackers will not have access to them and so cannot log in even if they have your username and password. While this does make logging in less user-friendly, it is worth the effort for the additional layer of security it provides.
For more information, read Two-Factor Authentication: Why You Need It for Your Web Hosting
Get a security plugin
You can enhance the security provided by your web host by installing a security plugin. Plugins like Shield Security, Wordfence and Solid Security also include a firewall that detects and blocks suspicious traffic. You can configure these firewalls to block users or bots from specific locations and IPs, and anything that attempts to log in continuously and might be a brute-force hacking tool.
These plugins also scan your site for malware, vulnerabilities and dangerous links, and let you know if your IP address has been blacklisted – something that can happen on shared hosting accounts if you have unscrupulous neighbours.
Implement auto-updates
If you find new updates available nearly every time you log in to your website, it’s often the case that a vulnerability has been discovered in the previous version and the developer has created an update to remove it. Cybercriminals are very swift at taking advantage here. They will send out bots searching the internet for websites still using vulnerable plugins and when they find them, they will attempt to exploit that vulnerability. The sooner you update, the sooner that vulnerability is eradicated.
One reason so many WordPress sites become victims of a cyberattack is some owners are too slow in updating and the hackers get there before them. While manually updating can be a burden, in practice, there is no need to manually update at all. Today, it can be automated from within the plugin dashboard of WordPress and once implemented, you can let the automation do the work for you. You can do the same for the WordPress core and themes too.
SSL certificate
An SSL certificate is vital for websites today as it encrypts information sent from your users’ browsers to your website, preventing personal and financial data from being intercepted in transit. Having one installed also means browsers will label your website as secure which can be helpful for SEO and give visitors greater confidence to shop with you. At Webhosting UK, our WordPress Hosting lets you install free SSLs, such as Let’s Encrypt, for each of your sites, which ensures protection and saves you money on paid versions. However, for larger companies that need enhanced verification and warranty, paid versions are available.
Learn more about SSLs, read SSL Certificates – What They Are and Why Your Website Needs One
Password-protect your directories
Did you know that you can password-protect individual directories in your website file manager? This ensures that should anyone ever get access to your control panel; they would not be able to gain entry to your admin and other directories without having to input another password. You can put this in place via the Directory Privacy feature in cPanel or for more advanced users, by making changes to your .htaccess file.
Uninstall old plugins
While you may be diligent in setting up auto-updates for active plugins and themes, sometimes you can overlook this for those which have been deactivated, leaving them vulnerable. The easy way to
ensure this doesn’t happen is simply to delete them. You can always reinstall them if you decide you want to use them later.
Ensure regular backups
According to the University of Salford, 60% of small and medium-sized companies that become victims of cyberattacks go bust within 6 months . The primary reason for this is the loss of income through downtime and the financial costs of getting a website back online.
The ultimate insurance policy for website owners is a recent backup. With this, you can restore your website quickly and inexpensively. This applies not just to recovering from cyberattacks but hardware failure, software corruption, human error or other types of disaster. Webhosting UK WordPress plans come with free daily backups included. However, if your business needs more frequent backups, we also offer remote, cloud-based backup solutions that come with auto-scheduling, encryption and integrity checks.
Get up-to-date with backups, read Website and Data Backups – A Practical Guide
Conclusion
Website-building software doesn’t get much better than WordPress in terms of cost, ease of use and the vast range of functions you can build into your site. However, as a common target for hackers, it is essential that you put security measures into place and regularly review them. Hopefully, the tips provided here will help you to protect your website and keep it safe.
Looking for highly secure hosting created specifically for WordPress? With optimised performance, 24/7 support, free daily backups, WordPress Toolkit and a wide range of other features, check out our WordPress Hosting plans today.
