Beyond producing regular content for your website, you also must be mindful of regular maintenance. This includes paying attention to your site’s security. And if you have a WordPress site, this means undergoing a variety of hardening tasks.
Today, we’ll be discussing how to harden WordPress for maximum security, including the steps you can take from the outset as well as what you must continue to do to ensure your site’s ongoing security.
UNLIMITED DOWNLOADS: 500,000+ WordPress & Design Assets
Sign up for Envato Elements and get unlimited downloads starting at only $16.50 per month!
Thoroughly Vet Themes and Plugins
Before you install anything onto your WordPress site, you need to do your research. This means, examining which plugins and themes you might want to use on your site and looking into them. Read reviews. Take a look at their support channels or forums. Visit the developer’s website. Google the developer to find out more about them and to see if anyone has complained.
While a star-rating can give you a good first impression of a plugin or theme, you must dig deeper than a cursory look. Installing a shoddily put together theme or plugin can result in disaster for the overall health of your website.
Minimize Number of Installed Themes and Plugins
On a similar note as the above, you also need to make sure every plugin or theme installed on your site is carrying its weight. If you decide to switch themes, don’t leave old themes installed for months and months. If you want to try out a bunch of similar plugins, don’t leave all of them installed once you’ve settled on your pick.
Extra themes and plugins provide unnecessary access points to your site. Each could be its own security risk if they’re no longer updated or stop being supported. And you’re less likely to realize when this is the case if you’re not actively using them. Not to mention, having a bunch of extra plugins and themes installed can actually slow your site down. Get rid of the bulk, immediately.
Keep Themes and Plugins Updated
Another thing you need to do is update your plugins and themes regularly. While there are arguments for and against automatic updates, one thing is for certain: updating plugins and themes soon after updates are released is imperative for maintaining your site’s security and is an essential hardening step. Outdated themes and plugins are entry points to your site for brute force attacks and malware. So, when you see a notification at the top of the WordPress dashboard (usually an orange-backed number), click it, check than the update is compatible with your WordPress version, and if it is update immediately.
Pick a High-Quality Security Plugin
While we’re talking about plugins, it’s also important to note that the security plugin you select will have a great impact on how you harden WordPress. After all, many of the top security plugins automate a lot of these efforts and encompass a wide swathe of features. You’ll only need to select one security plugin as they typically have comparable feature sets. But a few you might wish to consider include:
- Sucuri Security
- All-in-One WordPress Security and Firewall
- iThemes Security
- Bulletproof Security
There are more plugins than these available, but we’ve picked out a few top choices to mull over.
Take Care in Password Selection and Use 2FA
One of the most tried and true tips for improving site security is as simple as selecting a good password. While it’s tempting to pick a password that you can easily remember it’s much more important to select one that’s quite complicated. Using a password generator is your best bet here as it’ll ensure your password is unique and maximizes security.
Another thing you need to enact on your site immediately is two-factor authentication. 2FA makes logging into your site more difficult, which means it’s an extra layer of security and insurance against brute force attacks. There are several plugins that make this possible, one of the most popular being Google Authenticator.
Perform Regular Backups
Another strong line of defense in protecting your WordPress site is to perform regular backups. This ensures that if something goes wrong, you can revert back to an earlier version of your site without losing all of your content. This is your fail safe. If even after all of your WordPress hardening efforts your site is hacked, you will be able to secure the breach and revert your site back to an earlier version.
Limit Login Attempts/Prevent Brute Force Attacks
Along with creating a strong password and implementing 2FA, you also need to limit login attempts. This can greatly help reduce the instance of brute force attacks. Since hackers use automated software to repeatedly try to login to websites, you can eliminate the risk of their efforts by limiting the number of times someone can try to login. This is achievable through the use of a plugin like the aptly named Limit Login Attempts Reloaded. This takes the string out of potential brute force attacks.
Disable the File Editor
Reducing backend access to your website is another way to harden WordPress. While you can do this manually, it’s best to use a plugin to achieve this end. Some larger WordPress security plugins include the ability to just check a box and disable the file editor. This is a preferable way to deal with the issue, especially if you’ve opted for an “all-in-one” style security option.
Change Security Keys
Every time you login to your website, the credentials you used to do so are saved in an encrypted format. This format is called security keys and salts. Unfortunately, this format is sometimes hackable, and if a hacker gets a hold of it, they can unencrypt your login information. The solution? Changing your site’s security keys and salts with regularity. Again, many all-encompassing security plugins include this feature.
Hide PHP Errors
Last thing we’re going to discuss here today is how to hide PHP errors. While using built-in debugging tools within PHP is smart, displaying these errors to the broader public is not. Hackers that view PHP errors can use that information to locate weaknesses in your site to exploit. Instead, hide them. To do this, you just need to set WP-DEBUG to false within the wp-config.php file in your WordPress installation. Plugins can complete this job for you as well.
Protect Your Website and Harden WordPress Now
Hopefully you now have a better understanding of how to harden WordPress to improve site security for the haul. There’s definitely more to site security than just these elements, but the ten tasks listed here are more than enough to get you started. Best of luck!
This post may contain affiliate links. See our disclosure about affiliate links here.