How to Secure a WordPress Site in 2019
There are many things you can do to improve website security and keep hackers and vulnerabilities from affecting your WordPress website or blog.
In this post we share some tips, strategies, and techniques you can use to make your website secure and keep it protected.
Is WordPress Secure?
In general the answer is yes and no. As a site owner, you need to follow the steps below to keep your site secure.
Keep WordPress Core Up to date
For WordPress to be secure, you must keep your WP core up to date. A WordPress version consists of three numbers separated by dots. The leftmost number is the major update release and the rightmost is the minor update release.
The security updates are released in the minor version. WordPress is configured to update the core automatically. If you have disabled the automatic updates, you need to make sure your core application is up to date.
Themes and Plugins
Themes and plugins are not updated automatically, so you need to update them when a new update is released. Don’t use nulled themes and nulled plugins. If possible, avoid free plugins which are not updated frequently.
Some hackers find a security flaw in a plugin and then randomly request WordPress sites using the hacked URL in the plugin. So if you are using a hacked plugin, the chances of your site getting hacked are high. For example, if you monitor your error log, you may see this kind of request path.
This is a backdoor to enter your website. So avoid bad themes and bad plugins.
Protect yourself with Security Plugin
The Wordfence plugin is one of the best WordPress security plugins. It secures your website from malicious attacks and reduces your attack surface.
These are some features provided by the Sucuri plugin.
- Block malicious traffic.
- Malware scanner that blocks requests which inject malicious code.
- Limit login attempts.
- Enforce strong passwords.
- Protection from brute force attacks.
- Scans your WordPress files for file changes or dangerous code and deletes them effectively.
- Email you on admin login and many more.
Secure your server
Choosing a good host is one of the most important parts of website security. We recommend choosing Google Cloud Platform or Kinsta, a managed WordPress hosting provider built on Google Cloud Platform.
Set up Firewall (UFW)
Uncomplicated Firewall is a server-level firewall that should be in place before installing WordPress on the server to keep it well-protected even during the WordPress installation and website construction phases.
You can also block a set of specific IP addresses using UFW.
Set up Fail2ban
Fail2ban is a tool that works alongside your firewall. It monitors intrusion attempts against your server and blocks the offending host for a set period of time. It does this by adding any IP addresses that show malicious activity to your firewall rules.
You can set up fail2ban easily with the following commands.
sudo apt install fail2ban
sudo service fail2ban start
Here you can see the server setup guide to secure your server.
Web server Security Tips
You can also enable the following security options in your web server, such as Nginx.
- Prevent XSS attacks.
- Content Security Policy.
- MIME Sniffing.
- Referrer Policy.
- Protect wp-admin and wp-login.php.
Secure your website using Nginx and PHP.
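The options listed above, written out as an Nginx configuration. This is an added example, not configuration from the original post; the IP address 203.0.113.10, the PHP-FPM socket path, the snippets/fastcgi-php.conf include and the CSP source list are assumptions to adapt to your own site.

```nginx
# Added example, not from the original post. Goes inside the site's server { } block.
# Assumptions: 203.0.113.10 stands in for your own IP address; the include file
# and PHP-FPM socket path are Debian/Ubuntu-style placeholders.

# Prevent XSS attacks / Content Security Policy.
# X-XSS-Protection is only honoured by older browsers; the CSP is the control
# that matters. WordPress and many plugins emit inline scripts and styles,
# hence 'unsafe-inline'. To see what a stricter policy would break, send it
# first as Content-Security-Policy-Report-Only.
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'" always;

# MIME sniffing: make browsers use the declared Content-Type.
add_header X-Content-Type-Options "nosniff" always;

# Referrer Policy: other sites receive only the origin, not the full URL.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# A location that declares its own add_header stops inheriting every header
# set above, so the locations below deliberately set none.

# Protect wp-login.php: an exact-match location wins over a generic \.php$ one.
location = /wp-login.php {
    allow 203.0.113.10;
    deny all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Front-end plugins call admin-ajax.php, so it stays reachable for visitors.
location = /wp-admin/admin-ajax.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Protect wp-admin: ^~ keeps regex locations from taking over these requests,
# and the nested PHP location inherits the allow/deny rules.
location ^~ /wp-admin/ {
    allow 203.0.113.10;
    deny all;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the syntax with `sudo nginx -t` before reloading Nginx.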
WordPress security Tips
- Don’t use admin as your username, instead use something which is hard to guess.
- Change your WordPress db prefix while installing.
- If you can, hide your admin or allow access to wp-admin only from your IP address.
- Monitor your error log and fix all errors and warnings.
These are some of the security tips for 2019 to secure your WordPress site.