WordPress is the world’s most used CMS (Content Management System) with millions of websites using it to update content every day. However, due to its mass popularity WordPress is also a prime target for hackers with thousands of “Brute Force” and “DDoS” attacks (just to name a couple) occurring every day. So how do you know if your WordPress site is secure? In this article, we run through 7 security factors you can implement to harden your WordPress website from incoming attacks.

2 Factor Authentication

Also known as “2FA”, is an extra security layer that not only needs a username & password to login but also requires access to a device or physical object that only that user has access to e.g mobile phone or application.

One of the most used 2FA plugins for WordPress is Clef in which a user needs access to their mobile app and match an on-screen code to be granted access to the WordPress admin panel.

Even if a hacker has stolen your password, 2-factor authentication stops them from accessing your website.

WAF (Web Application Firewall)

A Web Application Firewall filters, monitors and blocks malicious HTTP traffic to your website. This basically puts a “filter layer” in between users and your website, letting legitimate users onto the site while blocking malicious requests.

One of the most common occurring cyber-attacks is “Distributed Denial of Service” or “DDoS”, in which an attempt is made to overwhelm a website with traffic to the point that it is made unavailable. A firewall such as CloudFlare blocks these attacks while allowing normal users access to your site.

Bespoke “wp-admin” Login URL

For the vast majority of WordPress websites, the administrator panel is accessed using the /wp-admin extension (e.g “www.example.com/wp-admin”). Meaning anyone can access the login page of a WordPress website by using this extension. Hackers use this to attempt “Brute Force” attacks in which they use a program to guess huge numbers of login credentials until they finally gain access.

What many people don’t know is that the “/wp-admin” extension can actually be changed to something only the administers know. For example, you could use “/secretword” instead. If hackers can’t access the login page, they can’t perform a “Brute Force” attack.

The login URL to your admin panel can be changed using a plugin such as WP Hide Login or manually in the .htaccess file – click here for instructions.

Don’t Use “Admin” as a username

By default, WordPress sets up usernames as “Admin”. If a hacker has access to your login URL (mentioned above) and your username is set to the WordPress default then they’re already halfway to gaining access to your website. Change this to something unique. This can be changed in the user section of the WordPress Admin Panel.

Long Complex Passwords

Probably the most well-known security measure but still overlooked by many is the use of complex and long passwords. Your admin password should contain capitals, lowercase, numbers and symbols to be as secure as possible. The longer the better. If you use the generate password button in WordPress > Users, it generates one for you. Copy, paste and save this new complex password somewhere only you know where it’s stored. The best passwords are the ones even you can’t remember!

WordPress & Plugin Updates

As WordPress is an open source CMS, anyone can study the source code to improve it. However, this also allows hackers to study it and find loopholes that gain access to sites. Keeping WordPress up to date is crucial if you want your website to be secure. With WordPress being a target for Hackers it’s always recommended that you’re running the latest version of WordPress.

Similarly, plugins are updated for your benefit and often the updates are for code fixes and security purposes. It’s also important to keep the number of plugins you’re running to a minimum and only downloading plugins with good review ratings and large numbers of user downloads are highly recommended.

Monitoring, Malware Scanning & Alerts

It’s often the case that WordPress users find out they’ve been hacked days if not weeks after a security breach. There are a number of plugins available to download that offer continuous monitoring, malware scanning to identify current security issues and email alerts that allow you to log your website’s user activity.

The most popular plugin for monitoring and scanning WordPress files as well as receiving updates is Wordfence Security, which offers a wide range of security features including, scheduled scans, login attempt recording, IP blocking and password audits.

The above factors will harden your WordPress website and greatly increase security if you have not taken these steps already. Full documentation on securing WordPress can be found here – WordPress Codex – Hardening WordPress