Top 5 WordPress Security Best Practices

WordPress is one of the most widely used CMSes in the world, but also one of the most attacked. We see more and more cases of hacked websites, with their code completely damaged and serious security flaws left behind.

We just wrote an article on the most important WordPress security plugins on the market. These plugins are essential to maintaining a secure website, but they are not enough on their own. There is also a series of practices that we recommend carrying out to keep your website safe and free from hacks and attacks.

1. Always use the Latest Version of WordPress, Plugins and Themes

Hackers know how to access your website through vulnerabilities or flaws that can occur in WordPress and in the different plugins. They take advantage of these flaws to inject code or attack the site in some other way, with the aim of stealing information and compromising its proper functioning. In fact, most websites are compromised because of bugs in old versions of WordPress.

As soon as the WordPress project learns of these vulnerabilities, it patches them and releases a new version. This is why it is so important to keep WordPress up to date.

The same applies to plugins: through a vulnerable plugin, attackers can reach your database and ruin your website. That is why it is important to keep plugins updated to their latest version, and also to stay informed about plugins that have been compromised, so that you can update them or replace them with similar ones.

There are many resources to help you stay on top of the latest WordPress security updates and vulnerabilities. Check out some of them below:

  • WP Security Bloggers: An impressive aggregate resource of over 20 security sources.
  • WPScan Vulnerability Database: A catalog of over 10,000 vulnerabilities in WordPress core, plugins, and themes.
  • ThreatPress: A database of WordPress plugin, theme and core vulnerabilities, updated daily.
  • Official WordPress security archive
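Keeping an inventory of what is outdated is the first step of this practice. The following Python script is an added example, not code from the original article: it reads the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp theme list --format=json` and turns it into an update report, listing active components first because their code is reachable by every visitor. The inventory embedded below is constructed, and the field names (`name`, `status`, `version`, `update`, `update_version`) are assumed from WP-CLI's default columns.

```python
import json

# Constructed sample of what `wp plugin list --format=json` and
# `wp theme list --format=json` print. Field names are assumed from WP-CLI's
# default columns; the plugin names and versions are made up for this example.
SAMPLE_PLUGINS_JSON = """[
  {"name": "akismet", "status": "active", "update": "available", "version": "4.1.0", "update_version": "5.0.1"},
  {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2", "update_version": null},
  {"name": "example-forms", "status": "active", "update": "available", "version": "2.3.9", "update_version": "2.3.10"}
]"""
SAMPLE_THEMES_JSON = """[
  {"name": "twentytwentytwo", "status": "active", "update": "none", "version": "1.2", "update_version": null},
  {"name": "oldtheme", "status": "inactive", "update": "available", "version": "0.9", "update_version": "1.1"}
]"""


def parse_version(v):
    """Split '2.3.10' into (2, 3, 10) so comparisons are numeric, not lexical ('2.3.9' < '2.3.10')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def needs_update(item):
    """True if WP-CLI flags an update, or if update_version is newer than the installed version."""
    if item.get("update") == "available":
        return True
    newer = item.get("update_version")
    return bool(newer) and parse_version(newer) > parse_version(item.get("version", "0"))


def update_report(plugins_json, themes_json):
    """Return the outdated components as dicts, active ones first, then by kind and name."""
    rows = []
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            if needs_update(item):
                rows.append({
                    "kind": kind,
                    "name": item["name"],
                    "installed": item.get("version"),
                    "available": item.get("update_version"),
                    "status": item.get("status"),
                })
    # Active components expose their code to every visitor, so they are listed first.
    rows.sort(key=lambda r: (r["status"] != "active", r["kind"], r["name"]))
    return rows


if __name__ == "__main__":
    for row in update_report(SAMPLE_PLUGINS_JSON, SAMPLE_THEMES_JSON):
        print(f"{row['kind']:6} {row['name']:16} {row['installed']:>8} -> {row['available']:<8} ({row['status']})")
```

On a real site you would pipe the output of the two WP-CLI commands into this script instead of the embedded sample; the version comparison matters because a plain string comparison would wrongly consider "2.3.9" newer than "2.3.10".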

2. Strong passwords and do not use “Admin” as the Login Name

Strong Passwords:

Something fundamental to protecting anything on the Internet is to always use passwords that are strong and complex. Ideally, a password should be totally random, long enough, and contain letters (uppercase and lowercase), numbers, and other symbols. If we do not pay attention to this point, we could have problems with unauthorized access to our WordPress site.

Do not Use Admin:

When installing WordPress and creating the username for accessing the administration area, we must avoid the typical Admin. This is because, when hackers make an attack attempt, it is the first thing they will try.

Therefore, we do not recommend using names like Admin, Root, and the like. Better to pick something else, to make it harder for possible intruders to access the management of your website.
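The two rules in this section can be enforced mechanically when accounts are created. The Python module below is an added example, not code from the original article or from WordPress: it rejects the predictable login names, reports which of the password requirements above a candidate violates, and generates a random password from the operating system's CSPRNG that satisfies all of them. The forbidden-name list, the 16-character minimum and the symbol set are choices made for this example.

```python
import secrets
import string

# Login names attackers try first. Constructed denylist for this example,
# compared case-insensitively; extend it with names specific to your site.
FORBIDDEN_USERNAMES = {"admin", "administrator", "root", "wpadmin", "user", "test"}

MIN_PASSWORD_LENGTH = 16          # policy value chosen for this example
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def username_ok(username):
    """Return False for empty names and for the predictable names on the denylist."""
    name = username.strip().lower()
    return bool(name) and name not in FORBIDDEN_USERNAMES


def password_problems(password, username=""):
    """Return the list of policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def generate_password(length=24):
    """Build a random password with the OS CSPRNG and retry until it meets the policy."""
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError(f"length must be at least {MIN_PASSWORD_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for name in ("Admin", "root", "site-editor-7"):
        print(f"{name!r}: {'ok' if username_ok(name) else 'rejected'}")
    print("problems with 'password': ", password_problems("password"))
    print("generated:", generate_password())
```

`secrets` rather than `random` is the point of the generator: the `random` module is a deterministic PRNG and must not be used for credentials.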

3. Block Access to WordPress

By default, the login URL for your WordPress site is domain.com/wp-admin. One of the problems with this is that all the bots, hackers, and scripts out there.

By changing the URL you make yourself less visible and better protected against brute-force attacks. This is not a one-size-fits-all solution; it is just a small trick that can help protect you.

To change the WordPress login URL, we recommend using the free WPS Hide Login plugin.

4. Limit Access Attempts

How do you limit access attempts? Although the previous solution of changing the admin login URL can help reduce most malicious login attempts, setting a limit on them can also be very effective.

The free Cerber Limit Login Attempts plugin is an easy way to configure the lockout duration, the number of allowed attempts, and IP black and white lists.
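To show what such a plugin does internally, here is an added Python example of a login-attempt limiter; it is not the Cerber plugin's code nor part of the original article. It keeps a failure counter per client IP and per username, so both a single noisy source and a distributed attack on one account trip the lockout, and it honours an IP allowlist and denylist. The thresholds, the CIDR ranges and the injectable clock are assumptions made for this example so that it can be exercised offline.

```python
import ipaddress
import time
from collections import defaultdict


class LoginLimiter:
    """Lock out a source after too many failed logins inside a time window.

    Counters are kept per client IP and per username. Allowlisted networks are
    never locked; denylisted ones are refused before any attempt is counted.
    The clock is injectable so the lockout expiry can be tested without sleeping.
    """

    def __init__(self, max_attempts=5, window_seconds=600, lockout_seconds=1800,
                 allowlist=(), denylist=(), clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.deny = [ipaddress.ip_network(n) for n in denylist]
        self.clock = clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout expires

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def _in(self, ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def _locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # lockout expired: forget it
            del self.locked_until[key]
            return False
        return True

    def check(self, ip, username):
        """Return (allowed, reason). Call this before verifying the password."""
        now = self.clock()
        if self._in(ip, self.deny):
            return False, "ip denylisted"
        if self._in(ip, self.allow):
            return True, "ip allowlisted"
        for key in self._keys(ip, username):
            if self._locked(key, now):
                return False, f"{key[0]} locked out"
        return True, "ok"

    def record_failure(self, ip, username):
        """Count a failed login; start a lockout once the threshold is reached in the window."""
        now = self.clock()
        if self._in(ip, self.allow):
            return
        for key in self._keys(ip, username):
            recent = [t for t in self.failures[key] if now - t < self.window]
            recent.append(now)
            if len(recent) >= self.max_attempts:
                self.locked_until[key] = now + self.lockout
                recent = []
            self.failures[key] = recent

    def record_success(self, ip, username):
        """A correct login clears the failure counters for that IP and username."""
        for key in self._keys(ip, username):
            self.failures.pop(key, None)


if __name__ == "__main__":
    # Constructed walk-through with a fake clock: three failures, lockout, expiry.
    fake_now = [1000.0]
    limiter = LoginLimiter(max_attempts=3, window_seconds=60, lockout_seconds=300,
                           allowlist=["10.0.0.0/8"], denylist=["203.0.113.0/24"],
                           clock=lambda: fake_now[0])
    for _ in range(3):
        limiter.record_failure("198.51.100.7", "editor")
    print(limiter.check("198.51.100.7", "editor"))   # (False, 'ip locked out')
    print(limiter.check("198.51.100.8", "editor"))   # (False, 'user locked out')
    fake_now[0] += 301
    print(limiter.check("198.51.100.7", "editor"))   # (True, 'ok')
```

A real deployment would keep the counters in shared storage (the database or a cache) rather than in process memory, and would take the client IP from the connection or a trusted proxy header, never from something the client can set freely.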