Use a Strong Password
Passwords are a very important part of website security and are unfortunately often overlooked. If you are using a plain password such as '123456', 'abc123' or 'password', you need to change it immediately. While such a password may be easy to remember, it is also extremely easy to guess: an attacker can crack it and get in without much hassle.
Change the admin username
During your WordPress installation, you should never choose "admin" as the username for your main administrator account. Such an easy-to-guess username hands attackers half of the credential for free: all they need to figure out is the password, and then your entire site is in the wrong hands.
Monitor your files
If you want some added WordPress security, monitor changes to your website's files with plugins such as Wordfence or iThemes Security.
Make backups regularly to secure your WordPress website
No matter how secure your WordPress website is, there is always room for improvement. At the end of the day, keeping an off-site backup somewhere is perhaps the best antidote, no matter what happens.
Disable File Editing
When you set up your WordPress site, there is a code editor in your dashboard that allows you to edit your theme and plugin files. It can be accessed by going to Appearance > Editor. The plugin editor can also be found under Plugins > Editor.
Once your site is live, we recommend that you disable this feature. If an attacker gains access to your WordPress admin panel, they can inject subtle, malicious code into your theme and plugin files. Often the code will be so subtle that you may not notice anything is amiss until it is too late. To disable editing of plugin and theme files, simply paste the following code into your wp-config.php file.
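The wp-config.php setting that turns the editors off, as an added example (not code from the original page); it uses the standard WordPress DISALLOW_FILE_EDIT constant:

```php
<?php
// wp-config.php fragment (added example). Place it above the
// "That's all, stop editing! Happy publishing." comment so it is
// defined before WordPress finishes loading its settings.

// Removes the Appearance > Editor and Plugins > Editor screens and
// rejects direct requests to those editor pages, even for administrators.
define( 'DISALLOW_FILE_EDIT', true );
```

After saving, confirm that both editor entries have disappeared from the dashboard menu.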
Install an SSL Certificate (or activate AutoSSL)
Nowadays Secure Sockets Layer (SSL) is beneficial for all kinds of websites. Initially SSL was needed to make a site secure for specific transactions, such as processing payments. Today, however, Google has recognized its importance and gives sites with an SSL certificate a higher weighting in its search results. On your cPanel server AutoSSL is available; once the certificate is issued, you can redirect your website to it.
Change your WP-login URL
By default, the address to log in to WordPress is "yoursite.com/wp-admin". By leaving it at the default you may be targeted by a brute force attack to crack your username/password combination. If you allow users to register for subscription accounts, you may also get a lot of spam registrations. To prevent this, you can change the admin login URL or add a security question to the registration and login pages.
Pro Tip: You can further protect your login page by adding a two-factor authentication plugin to your WordPress site. When you log in, you will need to provide an additional factor in order to gain access to your site, for example your password plus a code sent by email (or text). This is an enhanced security feature that stops an attacker who has only your password from accessing your site.
Pro Tip 2: You can also check which IPs have the most failed login attempts and then block those IP addresses.
Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. While this may help if you frequently forget which letters are capitals, it also opens you up to brute force attacks. By limiting the number of login attempts, users can try a limited number of times before they are temporarily blocked. This limits the chance of a successful brute force attempt, as the attacker gets locked out before they can finish. (You can activate this through Softaculous in cPanel.)
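A minimal login limiter as an added example serving both "Pro Tip 2" above (recording which IPs fail most) and this section; it is not code from the page, from Softaculous or from any plugin named here. It assumes the site is reached directly (REMOTE_ADDR is the real client IP) and a constructed policy of 5 failures per IP followed by a 15-minute lockout:

```php
<?php
/*
 * Plugin Name: Simple Login Limiter (added example)
 * Save as wp-content/mu-plugins/login-limiter.php; mu-plugins load on every request.
 * Assumed policy (not from the page): 5 failures per IP, then a 15-minute lockout.
 */

define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

// Client address. REMOTE_ADDR is only correct when PHP is reached directly;
// behind a proxy or CDN resolve the real client IP first, otherwise every
// visitor shares the proxy's address and one attacker can lock everyone out.
function sll_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One expiring counter (transient) per IP; the key is hashed so any IP format fits.
function sll_key( $ip ) {
	return 'sll_fail_' . md5( $ip );
}

// Count each failed attempt and write it to the PHP error log, so the IPs with
// the most failures can be listed later (grep "wp-login failed" | sort | uniq -c).
// Attempts made during a lockout also fail, so they count and extend the lockout.
add_action( 'wp_login_failed', function ( $username ) {
	$ip    = sll_client_ip();
	$count = (int) get_transient( sll_key( $ip ) ) + 1;
	set_transient( sll_key( $ip ), $count, SLL_LOCKOUT_SECS );
	error_log( sprintf( 'wp-login failed: ip=%s user=%s count=%d', $ip, $username, $count ) );
} );

// Once the threshold is reached, reject the login regardless of the password.
// Priority 30 runs after core's username/password check (priority 20), so the
// lockout result replaces whatever that check returned.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$count = (int) get_transient( sll_key( sll_client_ip() ) );
	if ( $count >= SLL_MAX_ATTEMPTS ) {
		return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
	}
	return $user;
}, 30, 3 );
```

Transients are stored in the database (or the object cache if one is configured), so the counter is shared across PHP workers on the same site.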
Hide wp-config.php and .htaccess files
While this is an advanced process for improving your site's security, if you are serious about security it is good practice to hide your site's .htaccess and wp-config.php files to prevent attackers from accessing them.
We strongly recommend that this option be implemented by experienced developers, as it is imperative to first take a backup of your site and then proceed with caution. Any mistake might make your site inaccessible.
To hide the files, after your backup, there are two things you need to do. First, go to your wp-config.php file and add the following code:
# Apache directive: deny all web requests for wp-config.php
# ("order"/"deny" is Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Similarly, add the following code to your .htaccess file:
# Apache directive: deny all web requests for .htaccess itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
Although the process itself is very easy, it is important to ensure you have the backup before beginning, in case anything goes wrong.
Update your WordPress version
Keeping WordPress up to date is good practice for keeping your website secure. With every update, developers make a number of changes, often including updates to security features. By staying on the latest version you help protect yourself against known vulnerabilities and exploits that attackers can use to gain access to your site.
It is also important to update your plugins and themes for the same reasons.