While it is basically impossible to stop hackers from trying to get into your site, there are quite a few things you can do to improve your website's security and make sure that at least it is really hard for them to be able to take control of your site.
In a nutshell, these are:
- Get an SSL certificate
- Do not use the default admin username
- Enforce strong passwords
- Install a firewall on your site
- Limit login attempts
- Make backups
- Bonus: TBD
1. Get an SSL certificate
There is basically no excuse not to have an SSL certificate on your website on the 21st Century.
They help you encrypt your information (and your users' information as well) and it's a must if there's any type of login or password feature on your website (which every WordPress website has). Also, Google ranks websites with an SSL certificate higher than those who don't.
And the thing is, nowadays you don't even have to pay for one, thanks to Let's Encrypt.
Most hosting and domain providers allow you to add your own Let's Encrypt certificate to your website, and some of them even renew the certificates for you automatically.
However, some providers do not support Let's Encrypt out of the box. One of these companies is GoDaddy, but I would never use them to host my websites or domains anyway because of their involvement in animal rights controversies.
Another one is Namecheap, which is the one I currently use to host my websites and manage my domains.
While these companies don't actively support Let's Encrypt, you are free to install them on your own. The downside is you have to renew them yourself every three months but, they do provide an excellent alternative for those who host with them, giving 50 SSL certificates that are valid for one year and which they install automatically. You can also auto-renew them if you're comfortable with SSH, you just have to activate SSH on your cPanel and then follow this tutorial to enable automatic renewals of Let's Encrypt SSL certificates.
The other option is to purchase an SSL Certificate and add it to your website, the advantage of this is that purchased certificates actually come with a money guarantee or protection in case your data gets leaked, but until now I've found the Let's Encrypt certificates to be more than enough.
For your reference, this is a list that contains a lot of hosting providers that support Let's Encrypt.
My advice for this section: Use a hosting provider that supports Let's Encrypt or that provides you with their own SSL certificates for free, alternatively, install the certificate on your own.
2. Do not use the default admin username
This is one of the most common mistakes people make when building and managing their own WordPress sites. Upon installing, WordPress asks you to create an administrator account and most people choose to just write admin.
This is a huge security problem because you're basically giving away free information to hackers and you just made their lives a bit easier, because they don't have to spend time guessing what your most powerful user's username is.
Of course, it's as bad if you just use your website's or business' name as the administrator username (maybe only slightly better).
To illustrate my point, here are some screenshots from some of the sites I'm managing:
So, imagine the results above were from your site. How difficult would it be for them to guess your password?
My advice for this section: create a new administrator with a random username (I use LastPass to help me generate random usernames and passwords) AND create another user with no administration capabilities (so an editor, an author, or a subscriber) to create posts and manage comments. This is especially important if you have several people working on your site. Do not share your credentials and do not make everyone an administrator.
Ideally, your subscriber user would manage public comments, and your author or editor users would create posts. Your administrator user should only be used for backend stuff (updating plugins, changing colors, themes and whatever) and its name should never be shown on the frontend.
Also, make sure that you're not displaying your plain username, display your name or nickname instead or something else.
2. Enforce strong passwords
I already talked about this at length in my post about tips on keeping your passwords safe, but I'll make a small recap here.
Make sure that you only allow strong passwords on your site. While this option is not enabled by default on WordPress, you can use a plugin like No Weak Passwords or a more complex security system (I'll talk about this in my next tip).
In any case, using a password manager (such as LastPass) will allow you to generate secure passwords without going crazy by trying to remember all those numbers, uppercase and lowercase letters and symbols.
It should go without saying that using passwords like 12345678 should be a big no-no. Unfortunately, these passwords are still widely used and, if you use one of them, you could lose all your hard work.
Another thing is to never use the same passwords for every account you have. Again, a password manager, could help you improve the security of not only your WordPress website but also all your other accounts.
My advice for this section: Read my other blog post on password security and start using a password manager ASAP.
3. Install a firewall on your site
Sure, your hosting company might provide some security and protect your website from some attacks. But why take the risk?
It's better if you take control of your website's security (or hire someone with knowledge about it) and use a firewall to block hacker attacks, malware installation, etc.
A firewall program, such as Wordfence or Sucuri, can help keep intruders out and defend your website against scripts that could destroy your site, redirect your users to unwanted third-party sites, steal your users' information, etc.
You'll usually have to go through the whole installation and configuration options to see which ones make most sense for your site.
These firewalls also come with options to force strong passwords (so that users can't register on your site using passwords such as "password"), limit login attempts, block IPs, block non-existant or specificusernames, and more.
4. Limit login attempts
WordPress usually doesn't limit the number of times a user can try logging in to an account, which makes it an easy target for Brute Force Attacks (basically, trying out passwords until you get it right).
To avoid this, the best thing to do is to limit the number of times a user can try logging in to an account by using a firewall (see tip above) or a plugin such as Loginizer.
In my experience, someone who is a legitimate user of your site will use the "Forgot Password" option after a couple of tries. So, if someone tries 27 times they're mostly just trying to log in to someone else's account. I usually set my sites to 3 loggin attempts.
6. Make backups
Now, there's always a chance that something goes wrong and your website gets hacked anyway. What can you do in such cases?
The simple answer is to make continuous backups of your site. If you installed your website through Softaculous, they have a nice backup option that you can use, which is useful as long as your server/host doesn't go down.
Another option is to use (yet) another plugin to take care of this for you. I currently use UpdraftPlus and make backups of my websites to my Google Drive. You can set it up to make backups as frequently as you want (on my most active sites I backup daily, while on others I might backup every week or every month) and you can also set it up to keep a set number of backups, I usually choose from 2-4 depending on how often I make changes to the site.
7. Bonus: Disallow user scanning
By default, WordPress allows user scanning through /?author=N scans and APIs, and the first user (the administrator) is always number 1. So, if someone adds this string at the end of your domain, they could easily figure out your administrator username even if it's not "admin".
To prevent this, firewall plugins such as Wordfence usually come with a nice checkbox that disallows user scanning. If someone adds the above string to your domain and you have this option enabled, they'll get a "Page Not Found" error instead.
Just make sure this option is enabled in your Wordfence security settings and you're good to go!