Approximately 31.9% of all websites around the globe use WordPress as their content management system (CMS), and another 50,000 new sites appear every day on the Internet which also use WordPress. If that isn’t enough to convince you that WordPress is the dominant player in the CMS market, consider also that of the top 10,000 websites on the Internet, 3,845 of them are powered by WordPress. Obviously, all that is great for WordPress, but there’s a slight downside to having that kind of popularity – the CMS giant is also the most popular target for hackers who are trying to penetrate the security system of websites and networks.
Because of its worldwide popularity and overwhelming dominance as a content management system, it’s the one CMS which is constantly targeted by criminal-minded individuals seeking to hijack website data and hold it for ransom or to carry out other kinds of security threats. That doesn’t mean that WordPress has an inherently weak security system – just the opposite, in fact. But regardless of how robust its present security system is, prior versions of WordPress remain installed to a large extent, and those are the ones most vulnerable to attack. According to these updated WordPress stats, of all WordPress sites which are hacked, 39.3% are running versions prior to the most current one, simply because they don’t include the latest protections.
If you have a WordPress site, here are some things you should be optimizing to protect it:
1. Make sure that you are using the current version because that’s the one which will include all the most current security features
2. Keep all plugins current, because they are also subject to attack, especially to the newest cyber threats on the Internet
3. Follow some of the recommendations listed below, because these are proven techniques for discouraging cyber attacks.
Discourage brute force attacks
While it’s almost impossible for any human to guess a correct password and username to gain entry into your WordPress system, it’s much easier for a computer to guess it. This is particularly true of WordPress sites, because the system will allow you to keep guessing a password or username, even if you continue to enter wrong entries.
This is, of course, a default situation which you do have the capability to change, but many people are not aware that it can be changed, and they leave the default behavior in effect. That makes your WordPress site vulnerable to a brute force attack.
In order to prevent this from happening, you can use a simple plugin which blocks the IP address of any user attempting to gain access to your site after a specified number of incorrect entries. Once you’ve installed the Login Lockdown plugin, this vulnerability will be closed up, and brute force attacks will no longer be possible.
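The lockout rule described above can also be checked against your own access log. The following is an added example, not the Login Lockdown plugin's code: the log lines, the threshold of 3 failures and the 5-minute window are constructed, and it assumes a failed WordPress login is answered with status 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
192.0.2.55 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
198.51.100.20 - - [12/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
198.51.100.20 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
198.51.100.20 - - [12/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.55 - - [12/Mar/2024:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
192.0.2.55 - - [12/Mar/2024:10:18:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (ip, time) for each login POST that did not end in a redirect."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        # Assumption: 200 on a POST to wp-login.php means the form was re-shown.
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_lock_out(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Map each IP to the time it reached max_failures inside the window.

    Expects the log in chronological order, as a server writes it.
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in ips_to_lock_out(SAMPLE_LOG).items():
        print(f"{ip} reached the failure limit at {when.isoformat()}")
```

In the sample, only the address with three failures inside five minutes is reported; the user who mistyped once and the address whose failures are nine minutes apart are not.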
Rename your WP login URL
WordPress allows everyone by default to login simply by navigating to the wp-admin or the wp-login.php URL which is available on your website. Everyone, including
However, if hackers don’t know where your login page is, they won’t be able to target your site with any of their attacks. The most effective way of hiding your login page and preventing cyber criminals from locating it is to simply rename the URL. You can use Login Lockdown (as suggested above) to rename your login page URL so that it has a custom string of your choosing. Once this plugin is activated, it will redirect all attempts to reach wp-admin back to your homepage.
There is a crude, yet effective way to change the name of your wp-login.php file. All you need is access to your site’s files so that you can manually create a new login file. Here are the steps:
Create a new file
1. Copy the code from your wp-login.php, then paste it into your new file.
2. Replace each instance of wp-login.php with the new file name. You can use the shortcut
3. Delete the old wp-login.php file.
Login through your new URL.
Use SSL protocol for your website
One of the lines of defense you should be using for your WordPress website is to have a secure sockets layer (SSL) protocol installed because it guarantees that any connection between two websites is secure. Whenever two websites are connected, tons of information is exchanged, and much of that information would be considered sensitive.
There are various types of SSL you can get for your WordPress site. AltusHost offers you 3 types of SSL certificates that you can use for your WordPress site. You can easily install an SSL certificate from the cPanel by following the steps below:
1. Login to your cPanel.
2. Under ‘Security’ options, click on ‘SSL/TLS Manager’
3. Under ‘Install and manage SSL’, select ‘Manage SSL Sites’
4. Copy your certificate code including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into the ‘Certificate: (CRT)’ field
5. Click ‘Autofill by Certificate’
6. Copy and paste the chain of intermediate certificates (CA Bundle) into the box under
7. Click ‘Install Certificate’
Without the SSL protocol installed, most of the information is sent back and forth in ordinary text. That means if it were to be intercepted by a hacker, it could easily be stolen. This can’t happen with the SSL protocol installed, because it uses an encryption algorithm which makes the data unreadable without having a key.
Implement two-factor authentication
Ordinarily, you can log onto a website simply by supplying a username and password, and this is known as single-factor authentication. To increase the difficulty of having anyone hack into your system, you can implement two-factor authentication, by requiring a secondary means of user identification.
Once a user correctly supplies username and password, you can then ask them for their mobile phone number so you can send a single-usage pin number to that phone. The pin number would then have to be entered on the screen in order to gain access. Alternatively, after entering a username and password correctly, you could ask the user to answer a secret security question, which they have previously provided the answer for. Two-factor authentication can be installed by using a free plugin already available.
Only allow logins by email
It’s much easier to guess someone’s username than it is to guess their email address, especially since email addresses tend to be much longer. You can improve your website’s security by forcing users to login with their email address rather than a username.
Any hacker who is trying to guess an email address would have to know the characters needed for the local portion of the address as well as the domain name, and the top level domain. This makes it much harder to guess, even when using a computer to stage a brute force attack. To prevent users from logging in with their username and to force the use of an email login instead, you can install the WP Email Login plugin.
Password protect your admin directory
You can add an additional security layer to your system by requiring a username and password before allowing anyone to access the wp-admin directory. This would force any criminal-minded person to guess two sets of usernames and passwords in order to gain entry to your system. The easiest way to implement this is if your system is hosted on an Apache web server, because Apache makes it easy for you to password protect any directory whatsoever on your system. If your system is not supported by Apache servers, you can still do it manually by interacting with your operating system, or by installing the free plugin called AskApache Password Protect.
Disallow file editing
WordPress permits administrators to edit any plugin file and any theme within the system. Since this is true, if any of your admin accounts are hacked successfully by a cyber criminal, he/she would then be able to insert harmful or malicious code into your existing code. Worse than this, when such a penetration occurs, it’s virtually undetectable, so harmful activities can be carried out in the background without you ever being aware of it.
The only way to prevent this is to disallow file editing, and this can be accomplished by simply adding a line of code into your wp-config.php file. Here’s the line of code that you should add:
define('DISALLOW_FILE_EDIT', true);
Once you’ve inserted this simple line of code, it will have the effect of disallowing any kind of file editing from your WordPress dashboard, and you will have an extra layer of security in effect.
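A line pasted from a web page can arrive with typographic quotes, be left commented out, or be set to false, and in each case the dashboard editor stays available. The following added example (not WordPress code; the function name and the sample configurations are constructed for illustration) audits the text of a wp-config.php file for those cases.

```python
import re

QUOTES = "'\"\u2018\u2019\u201c\u201d"  # ASCII quotes plus typographic ones
DEFINE_RE = re.compile(
    r"define\s*\(\s*([%s])DISALLOW_FILE_EDIT([%s])\s*,\s*([^)]*?)\s*\)\s*;"
    % (QUOTES, QUOTES))

def audit_file_edit(config_text):
    """Classify the DISALLOW_FILE_EDIT setting found in wp-config.php text.

    Returns 'enabled', 'disabled', 'bad-quotes', 'commented-out' or 'missing'.
    """
    # Drop /* ... */ blocks so a define inside one is not treated as active.
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)
    saw_commented = False
    for line in text.splitlines():
        m = DEFINE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start()]
        if "//" in prefix or "#" in prefix:  # the define sits in a line comment
            saw_commented = True
            continue
        open_q, close_q, value = m.groups()
        # PHP only accepts ' or " as string delimiters, and they must match.
        if open_q not in "'\"" or close_q != open_q:
            return "bad-quotes"
        # The first active define decides: PHP ignores a later redefinition.
        return "enabled" if value.lower() in ("true", "1") else "disabled"
    return "commented-out" if saw_commented else "missing"

# Constructed wp-config.php fragments, one per outcome.
GOOD = "<?php\ndefine('DB_NAME', 'wp');\ndefine('DISALLOW_FILE_EDIT', true);\n"
PASTED = "<?php\ndefine(\u2018DISALLOW_FILE_EDIT\u2019, true);\n"
COMMENTED = "<?php\n// define('DISALLOW_FILE_EDIT', true);\n"
OFF = "<?php\ndefine( \"DISALLOW_FILE_EDIT\", false );\n"
MISSING = "<?php\ndefine('DB_NAME', 'wp');\n"

if __name__ == "__main__":
    for name, cfg in [("GOOD", GOOD), ("PASTED", PASTED),
                      ("COMMENTED", COMMENTED), ("OFF", OFF), ("MISSING", MISSING)]:
        print(name, "->", audit_file_edit(cfg))
```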
The tips above are simple yet useful ways to boost the security of a WordPress website, especially when it’s a new one. If you want a customized environment for your WordPress site, it’s recommended to host it with a WordPress hosting provider. You will get optimized performance, security and ease of use for your WordPress site.
About the author: Jason Chow is a fan of technology, WordPress, and entrepreneurship. He is an outreach manager for WHSR and WebRevenue.io. Jason is also a marketer – he likes to read news related to startups and Internet marketing