
Bulletproof WordPress: Surefire Tips to Secure Your Site

By Thom Harrison - October 13, 2023

WordPress dominates as the world’s go-to content management system — and there are many great reasons for that. Yet, the platform’s popularity alone can make it an obvious target for online attacks. Fear not: there are just a few easy steps you can take to keep that beautiful WordPress site of yours safe. You’ll want to protect all the hard work that’s gone in, after all. Your visitors also need and expect security. So with that, let’s dig into our surefire tips for keeping WordPress under lock and key.

Use strong, unique passwords

It’s sad but true: 48% of small businesses are targeted by cyberattacks each year. So, to start with the obvious: you really ought to use strong and unique passwords across all your WordPress accounts. Change your passwords often. This is true for your admin account, FTP and database access, and all other associated accounts. A password reused across accounts means that one breach exposes all of them.

Try your best to make your password over 10 characters long and to include uppercase and lowercase letters, numbers, and special characters. One great tip is to take the first letters of a memorable sentence and put that into a clever password (or a “mnemonic”). For example: “this little piggy went to market” might become “tlpWENT2m”. Password manager tools are also available — both for generating and storing passwords for each account.
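As an added example (not code from the 123 Reg post), here is a small POSIX shell script that checks a password against the rule given above (more than 10 characters, with uppercase and lowercase letters, numbers and special characters) and draws a random one from /dev/urandom until it meets that rule. The default length of 16 and the character set are my assumptions; the post only asks for more than 10 characters.

```shell
#!/bin/sh
# Added example: password policy checker and generator for the rule stated
# in the post. Not part of the 123 Reg post or of WordPress itself.
set -e

# check_password PASSWORD
# Returns 0 when the password meets the policy, 1 otherwise, and reports
# each failed rule on standard error so the reason is visible.
check_password() {
    pw=$1
    fail=0
    if [ "${#pw}" -le 10 ]; then
        echo "too short: ${#pw} characters, need more than 10" >&2
        fail=1
    fi
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "no uppercase letter" >&2; fail=1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "no lowercase letter" >&2; fail=1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "no digit" >&2; fail=1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "no special character" >&2; fail=1; }
    return $fail
}

# generate_password [LENGTH]
# Draws LENGTH characters (default 16, an assumption) from the kernel's
# random source and retries until the candidate passes check_password.
generate_password() {
    len=${1:-16}
    charset='A-Za-z0-9!@#$%^&*()_+=-'
    while :; do
        candidate=$(LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$len")
        if check_password "$candidate" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# Demo: the post's mnemonic example, then a freshly generated password.
check_password 'tlpWENT2m' || echo "'tlpWENT2m' does not meet the policy"
generate_password 16
```

Run as written, the checker reports that “tlpWENT2m” is 9 characters long and has no special character, so a mnemonic built that way needs padding with length and a symbol before it satisfies the rule above. For most people a password manager that generates and stores a random string per account is the simpler route.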

Change your login URL

By default, WordPress login URLs are easy to guess because they’re usually www.example.com/wp-admin or something similar. Hackers know this and will target your login page to attempt brute-force attacks. However, you can protect your website by using a plugin to change your login URL to something unique, making it harder for hackers to find.

One of the most popular plugins for changing your login URL is WPS Hide Login, which allows you to change your login URL to anything you want. It’s also easy to use and comes with a simple user interface. Just make sure you keep a record of your new login URL so you don’t lose it and only share it with people who need access to your website.

Use an SSL Certificate

SSL Certificates are sort of like digital passports, and they’re especially important when exchanging sensitive info. Have you ever noticed the padlock icon when shopping? SSL works to encrypt the data that transfers between a browser and a web server, making it practically impossible for hackers to intercept. This includes things like credit card details, login credentials, and other personal data. Fortunately, SSL certificates are easy to set up, and you can read more about them here. 123 Reg Managed WordPress actually comes with a free SSL certificate to help keep your website and your users’ data secure.

There are all sorts of very good reasons to get an SSL Certificate. In fact, they’re a must-have for any sort of website that deals with transactions or sensitive information. If you’re not using 123 Reg Managed WordPress, you may need to purchase an SSL certificate separately and install it on your server. Once you’ve installed the SSL certificate, you need to configure your WordPress website to use HTTPS instead of HTTP. This is easy to do using a plugin like Really Simple SSL, which automatically redirects all HTTP traffic to HTTPS.

Don’t use the default “Admin” username

WordPress sets the default username as “Admin,” which is easy for hackers to guess. When creating your WordPress account, always use a unique username.

If you’re already using the default “Admin” username, you can easily change it by creating a new user with administrator privileges and then deleting the “Admin” user. To do this, go to Users > Add New in your WordPress dashboard, create a new user with administrator privileges, and then log out. Log back in with the new user account and delete the “Admin” user.

Keep WordPress core up to date

WordPress regularly releases updates to improve performance, add new features, and patch security vulnerabilities. It’s essential to keep your WordPress core up to date by regularly checking for updates and installing them promptly. 123 Reg Managed WordPress automatically updates your WordPress core to help keep your website secure.

If you’re using a WordPress hosting package that doesn’t offer automatic updates, you need to regularly check for updates and install them manually. To check for updates, go to Dashboard > Updates in your WordPress dashboard. If there are any updates available, click on the “Update Now” button to install them. Make sure you backup your website before installing any updates.

Keep WordPress plugins and themes up to date, too

The average WordPress website has over 23 plugins and themes installed, and over 99% of security vulnerabilities are related to plugins and themes. Just like WordPress core, plugins and themes can have security vulnerabilities that need patching, and in fact they are the source of the majority of WordPress vulnerabilities. It’s essential to keep your plugins and themes up to date by regularly checking for updates and installing them promptly. Outdated plugins and themes can be a significant security risk, as they can be used to gain unauthorised access to your website.

It’s a good idea to test the effect of updating plugins and themes in a staging environment first. To install the updates, go to your WordPress Dashboard and look for the section named (you guessed it) “Updates”. If there are updates available, click on the “Update Now” button to install them. It’s also good practice to remove any unused plugins and themes, as they can pose a security risk.

Back up your website, and do it often

Backups are essential to recover your website if it gets hacked, corrupted, or accidentally deleted. It’s essential to have a recent backup of your website stored securely, so you can restore it quickly if something goes wrong.

123 Reg Managed WordPress automatically creates daily backups of your website, so you can easily restore your website to a previous version if necessary. If you’re using a self-hosted WordPress website, you need to set up backups manually using a plugin like UpdraftPlus, which stores your backups in a secure location like Dropbox or Google Drive. It may be a good idea to manually back up a website before making any significant updates/changes.
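For a self-hosted site where a plugin such as UpdraftPlus is not in use, the same job can be done from an SSH session. The script below is an added example, not from the 123 Reg post or any plugin: it reads the database settings out of wp-config.php, archives the site’s files with a timestamp, and checks that the archive really contains wp-config.php before you trust it. The directory layout and the sample wp-config.php are constructed for the demo; the database dump assumes mysqldump is installed and that DB_HOST is a plain hostname.

```shell
#!/bin/sh
# Added example: file and database backup for a self-hosted WordPress site.
# Not part of the 123 Reg post or of any backup plugin.
set -e

# wpconfig_value WP_CONFIG_PATH KEY
# Prints the value of a define( 'KEY', 'value' ); line from wp-config.php.
wpconfig_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$file"
}

# backup_files SITE_DIR DEST_DIR
# Archives the whole site directory into DEST_DIR and prints the archive path.
backup_files() {
    site=$1; dest=$2
    archive="$dest/wp-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C stores relative paths, so the archive restores anywhere.
    tar -czf "$archive" -C "$site" .
    printf '%s\n' "$archive"
}

# backup_db WP_CONFIG_PATH DEST_DIR
# Dumps the database named in wp-config.php. The password is passed through
# MYSQL_PWD rather than on the command line, where other users could read
# it from the process list. Assumes mysqldump is installed.
backup_db() {
    config=$1; dest=$2
    name=$(wpconfig_value "$config" DB_NAME)
    user=$(wpconfig_value "$config" DB_USER)
    host=$(wpconfig_value "$config" DB_HOST)
    pass=$(wpconfig_value "$config" DB_PASSWORD)
    out="$dest/wp-db-$(date +%Y%m%d-%H%M%S).sql.gz"
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$name" | gzip > "$out"
    printf '%s\n' "$out"
}

# verify_archive ARCHIVE
# Returns 0 only if the archive lists wp-config.php; a backup that lacks it
# cannot be restored without re-creating the configuration by hand.
verify_archive() {
    tar -tzf "$1" | grep -q '^\./wp-config\.php$'
}

# Demo on a constructed site tree (no real database is touched).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/uploads" "$demo/backups"
cat > "$demo/site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'constructed-example-only' );
define( 'DB_HOST', 'localhost' );
EOF
echo 'constructed placeholder upload' > "$demo/site/wp-content/uploads/photo.jpg"
archive=$(backup_files "$demo/site" "$demo/backups")
verify_archive "$archive" && echo "ok: $archive contains wp-config.php"
echo "database to dump: $(wpconfig_value "$demo/site/wp-config.php" DB_NAME)"
# backup_db "$demo/site/wp-config.php" "$demo/backups"   # run on a real host
```

The demo deliberately does not call backup_db, since that needs a live database; on a real host run both functions from cron and copy the resulting files off the server, as the post says, to somewhere like Dropbox or Google Drive. A backup that has never been restored is only a hope, so try a restore into a staging site at least once.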

Enable SSH

Secure Shell (SSH) is a network protocol that provides a secure way to access your WordPress files and folders. It’s an essential tool for high-level users who need to make advanced changes to their websites without compromising security.

123 Reg Managed WordPress offers SSH access on selected plans, allowing you to securely access your WordPress files and folders. You can learn more about using SSH with 123 Reg here. If you’re using another provider, contact them to see if they offer SSH and how to activate it.

Use Two-Factor Authentication (2FA)

Enabling Two-Factor Authentication adds an extra layer of security beyond just passwords. If your host offers it — and a good one should — use it! With 2FA, after entering your password, you’ll also need to verify your identity through a second method, often involving a code sent to your mobile device or email. Even if your password is cracked, access will be thwarted by the need for that secondary step. With 123 Reg, 2-step verification comes as part of our Domain Ownership Protection.

File permissions

Getting technical now. File permissions decide who can read, write, or execute the folders (directories) and files that make up your site. The usual settings are 755 for directories and 644 for files. You can change these permissions in your WordPress settings to enhance your site’s security. For max security, limit these permissions to the essentials. With 123 Reg, you can find out more about how to do this here.
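If you have SSH access (see the SSH section above), the 755/644 scheme can be applied and checked in one go. The script below is an added example, not from the 123 Reg post: it sets every directory to 755 and every file to 644, then counts anything that still deviates, so you can confirm the result instead of assuming it. The sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example: apply and verify the 755/644 permission scheme on a
# WordPress tree. Not part of the 123 Reg post or of WordPress itself.
set -e

# apply_wp_permissions SITE_DIR
# Directories get 755 (owner rwx, everyone else rx) and files get 644
# (owner rw, everyone else r). Nothing in a WordPress tree needs the
# execute bit on files; PHP is run by the web server, not executed directly.
apply_wp_permissions() {
    site=$1
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
}

# count_nonconforming SITE_DIR
# Prints how many entries deviate from the scheme; 0 means the tree is clean.
# "! -perm 755" is an exact-mode test, so 777 directories and 755 files
# both count as deviations.
count_nonconforming() {
    site=$1
    {
        find "$site" -type d ! -perm 755
        find "$site" -type f ! -perm 644
    } | wc -l | tr -d ' '
}

# Demo on a constructed tree with two deliberate mistakes: a world-writable
# uploads directory and an executable index.php.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
echo 'constructed placeholder' > "$demo/wp-content/uploads/photo.jpg"
echo '<?php // constructed placeholder' > "$demo/index.php"
chmod 777 "$demo/wp-content/uploads"
chmod 755 "$demo/index.php"
echo "before: $(count_nonconforming "$demo") entries off-scheme"
apply_wp_permissions "$demo"
echo "after:  $(count_nonconforming "$demo") entries off-scheme"
```

Run the count first on a live site to see how far it drifts from the scheme, then apply. wp-config.php holds the database credentials, so many hosts tighten that one file further (600 or 640); that is a hosting-dependent choice beyond what this post covers, and the script leaves it at 644 like every other file.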

WordPress Security Plugins

You can improve your website’s security by installing WordPress security plugins. These plugins can offer a range of features for protection, such as firewalls to block malicious traffic, malware scanning to find and eliminate potential threats, and login attempt monitoring to spot suspicious activities. Even if you’re not a tech expert, these plugins make it easy to boost your site’s security. You can learn more about installing WordPress plugins here.

Use a staging website

A staging website is a duplicate of your live website that allows you to test changes before deploying them to your live website. It reduces the risk of your live website going offline due to a broken plugin, theme, or code.

Using a staging website with WordPress can help make things easier for you whether you’re using the platform as an individual, or as part of a team. Here are some of the benefits offered by a staging website:

✓ Avoids downtime and errors: Making changes directly on a live website can lead to errors or downtime, which can be detrimental to a business’s reputation. A staging site allows developers to test new features, updates, or changes before making them live. This ensures that any errors or issues are resolved before the site goes live, reducing the risk of downtime and errors.

✓ Better performance: A staging site can be used to test new plugins, themes, or updates before implementing them on the live site. This allows you to check that the new changes will not negatively impact the website’s performance, speed, or functionality.

✓ Improved collaboration: A staging site also makes it easier for developers, designers, and content creators to collaborate on a website project. By having a testing environment, you or a team member can work on updates and changes without disrupting the live site. You can also preview new content before publishing it, ensuring that it is error-free and displays correctly.

✓ Saves time: Using a staging site can reduce the time and resources needed for testing, debugging, and implementing changes. This can result in faster development and fewer errors, saving time.

123 Reg Managed WordPress offers a free staging website on selected plans, allowing you to test changes safely before deploying them to your live website. To create a staging website, follow the instructions in this article.

Once you’ve created your staging website, whenever you want to make changes and updates, you should copy your live website to staging, make the changes, check everything works and then move the staging website to live.

A secure send-off

Keeping your WordPress secure may not be rocket science, but it’s so important for your digital presence — both for protecting your own data and that of your audience. Let’s recap:

Start with strong passwords and manage them well. Use SSL certificates and keep your WordPress core, plugins, and themes up to date. Back up regularly. These fundamentals will help to build up a resilient defense against the cyber threats out there. Staging-before-you-post is always a smart thing to do to prevent any accidents that might compromise sensitive data.

Following these basic principles will not only help protect your website — it will also bring peace of mind. For slightly more advanced users, you may wish to think about installing a malware scanner. Enabling SSH access can really help protect your data, especially when working on important projects from afar.

Stay secure and keep enjoying the experience that WordPress has to offer!

If you’d like some more help with understanding WordPress security or any other aspect of the CMS, get in contact with our support team on +44 (0)345 450 2310.