Being the world’s most popular content management system, it is hardly any surprise that websites built using WordPress are constantly under attack. Hackers constantly attempt to log in to the backend using common username/password combinations (such as admin, test, administrator, etc.). Out of the box, WordPress is secure. But, there are some extra steps you can take to harden your WordPress website.
Implement a security policy
The first step to harden your WordPress website is using a strong username/password combination for all your login accounts. Don’t permit easily to guess usernames such as first names, last names, and email addresses. Also avoid the most common usernames (123456, abc123, account, admin, administrator, etc.). Force all users to use a secure password. Use a password generator such as LastPass to generate a secure password. Using the LastPass password generator, you can select the length of the password and the types of characters. The default LastPass password generated is 12 characters long and includes the character types of uppercase and lowercase letters, the numbers 0 to 9, and special characters (!, $, %, @, #).
Restrict the number of files
Second, limit the number of themes and plugins installed. With the tens of thousands of themes and plugins available, it is the responsibility of the website owner to check the security of themes and plugins. Although WordPress has a team of volunteers who check each theme and plugin, most times the team only becomes aware of a security threat when someone reports the issue. Ensure that you check the WordPress News blog to stay on top of security issues.
Keep files updated
Third, update the core WordPress files, themes, and any plugins on a regular basis. Security patches are one of the first items fixed whenever WordPress publishes an update. Soon afterwards, plugin authors will confirm the compatibility of their plugin with the new release version or issue an update. Install all updates as soon as possible to close any security holes. Enable the automatic core update feature and your website will automatically install minor version updates as they are released.
Create regular backups
Finally, make regular backups of your website. As WordPress is simply a combination of PHP files and a database, you can copy the files to another location and export the data from your database. This effort requires some technical knowledge, especially SQL commands. Luckily, there are numerous backup plugins available. I use several different backup plugins for different purposes. For my regular backups, I use BackupBuddy Premium version. Once installed, it is easy to create regular backups of the websites I manage. I set the schedule and the location of the backups and start the process. The plugin does the rest. I use an offsite storage location for my backups (popular options include Amazon S3, Google Drive, DropBox, and Stash). As with any backup solution, ensure that you test reinstalling from a backup. It is too late when something happens, and you realize that the backup cannot restore your website.
It is not overly difficult to harden WordPress. You must enforce high-security policies and processes, use strong usernames and passwords, limit the number of themes and plugins, keep files updated, and make regular backups. It is up to you to harden your WordPress website.