Top Three Best Safeguards for Every WordPress Website

Getting a WordPress website up is one thing; keeping it safe from attackers and known vulnerabilities, and tuning it to get the most out of it, is another. Each of these requires its own actions and controls. In this post we examine three practices that protect your WordPress website and help you get the most out of it.

 

Further reading:

WordPress Security: The Complete Guide

WordPress Security: The SQL Injection

WordPress Security Plugins Compared to Find Which Works Best

WordPress Plugins You Can't Do Without

Useful Tips and Tricks for WordPress Search Engine Optimization

The Ultimate Guide to On-Page SEO

The Complete Guide to WordPress Speed Optimization

SEO Facts Revealed on Google Webmaster Central

 

Safeguarding your WordPress website and getting the best out of it requires the following actions:

  1. Update your WordPress installation to keep up with the latest version.
  2. Protect your website from security breaches and intrusion.
  3. Optimize the performance of your website for visitors and search engines.

 

1. Updating WordPress

 

Running updates on your WordPress website is a routine task for every website owner, but you need to do it safely so that an update does not break anything. In a related post on safe website updating we recommended the following procedure for WordPress.

Updating a WordPress Website

Step 1: Backup Your Site

No piece of technology is perfect, and there is never a 100% guarantee that an update will run smoothly. Take a full backup of both the files and the database before you start. If anything goes wrong you can roll back to the backup and investigate at leisure. Because this is WordPress, backups are easy with the right plugin or with WP-CLI; just make sure the backup is stored somewhere other than the web server itself, and that you have tried restoring one before you actually need to.

Step 2: Deactivate Your Caching Plugin and Clear the Cache

If you’re using a caching plugin such as WP Super Cache, W3 Total Cache or WP Rocket, deactivate it now and clear its cache. You want cached pages to reflect the updated site, not pages generated before or during the update. Remember to re-enable it once the update is complete.

Step 3: Update Plugins and Themes

Having updated plugins is every bit as important as keeping WordPress core updated. In the Sucuri hacked-website report that post cited, 25% of all hacked WordPress websites were compromised through one of the same three out-of-date plugins. Remove plugins you no longer use rather than leaving them deactivated: their files stay on disk and can still be requested directly.

When you update your theme, keep in mind that you will lose any custom changes unless you have saved those changes in a child theme.

Step 4: Update WordPress

You’re now ready to update WordPress core. In your WordPress dashboard go to Dashboard > Updates, check for updates and apply them. When the update has finished, re-enable your caching plugin and click through the site to confirm that nothing is broken.
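The four steps above as one script, added here as an example (it is not code from the original post or from the WP-CLI project). It assumes WP-CLI (wp) is installed, that the site root is the hypothetical /var/www/html and that backups go to the hypothetical /var/backups/wordpress. The order is: backup, deactivate and flush any caching plugin, update plugins and themes, update core and its database, then reactivate the cache plugin. It goes slightly beyond the text by verifying core and plugin files against the official checksums after the update, which catches files that were modified before or during it.

```shell
#!/bin/sh
# Safe WordPress update with WP-CLI. Added example; `wp` must be on PATH and the
# site root and backup directory below are hypothetical placeholders.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"                 # assumption: site root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"  # assumption: off-server mount
# Page-cache plugin slugs this script knows how to deactivate and reactivate.
CACHE_PLUGINS="wp-super-cache w3-total-cache wp-rocket litespeed-cache wp-fastest-cache"

wp_() { wp --path="$WP_PATH" "$@"; }

# backup_name <site_dir> <timestamp>: basename of the site plus timestamp.
backup_name() {
    printf '%s-%s' "$(basename "$1")" "$2"
}

# active_cache_plugins: read plugin slugs on stdin, print those that are
# page-cache plugins, in the order they appear.
active_cache_plugins() {
    while IFS= read -r slug; do
        for known in $CACHE_PLUGINS; do
            if [ "$slug" = "$known" ]; then
                printf '%s\n' "$slug"
            fi
        done
    done
}

# Step 1: database dump plus a tarball of the document root.
step_backup() {
    name=$(backup_name "$WP_PATH" "$(date +%Y%m%d-%H%M%S)")
    mkdir -p "$BACKUP_DIR"
    wp_ db export "$BACKUP_DIR/$name.sql"
    tar -czf "$BACKUP_DIR/$name.tar.gz" -C "$(dirname "$WP_PATH")" "$(basename "$WP_PATH")"
    echo "backup written: $BACKUP_DIR/$name.sql and $BACKUP_DIR/$name.tar.gz"
}

# Step 2: deactivate page caches and flush the object cache; remember what was turned off.
step_disable_cache() {
    CACHE_TO_RESTORE=$(wp_ plugin list --status=active --field=name | active_cache_plugins)
    for slug in $CACHE_TO_RESTORE; do
        wp_ plugin deactivate "$slug"
    done
    wp_ cache flush
}

# Step 3: plugins and themes first (customisations survive only in a child theme).
step_update_extensions() {
    wp_ plugin update --all
    wp_ theme update --all
}

# Step 4: core and the database schema, then integrity checks against wordpress.org
# checksums. A core mismatch is fatal (the cache stays off, which is the safe state);
# plugin mismatches are warnings because premium plugins are not on wordpress.org.
step_update_core() {
    wp_ core update
    wp_ core update-db
    wp_ core verify-checksums
    wp_ plugin verify-checksums --all || echo "warning: plugin checksum mismatch, inspect before trusting the site"
}

step_restore_cache() {
    for slug in $CACHE_TO_RESTORE; do
        wp_ plugin activate "$slug"
    done
}

safe_update() {
    CACHE_TO_RESTORE=""
    step_backup
    step_disable_cache
    step_update_extensions
    step_update_core
    step_restore_cache
    echo "update complete; click through the site and check the error log"
}

# Only runs when invoked explicitly:  sh safe-update.sh run
if [ "${1:-}" = "run" ]; then
    safe_update
fi
```

Run it from cron or by hand with the argument run; without it the script only defines the functions, so you can source it and call individual steps (for example step_backup on its own before a manual change).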

 

2. WordPress Security: Protecting Your Site From Breaches

Keeping everything updated removes known vulnerabilities, but it does not protect you from weak passwords, misconfiguration or a bug that has not been patched yet. You still need to take additional steps to firmly secure your WordPress website. Here is what we recommended in an earlier post on WordPress security:

The pointers discussed so far should get your WordPress site to a point where it is reasonably safe from attack, but if you are more technically minded you can go further. Some of the following steps require a little comfort with editing configuration files; others are simple to complete. Let’s take a look.

Stop PHP file execution where it’s not needed

Some WordPress directories are not intended to run code; they only store files. The obvious example is /wp-content/uploads/. If an attacker finds a way to place a PHP file there (through a vulnerable plugin’s upload handler, for instance), they can then request it in the browser and run it. Blocking PHP execution where WordPress doesn’t need it turns that uploaded web shell into an inert file.

It’s simple to do so, open a pure text editor such as Windows’ Notepad and paste this text:

<Files *.php>
deny from all
</Files>

Save the text to a file called .htaccess and upload it to the directory you want to block PHP code execution in, such as /wp-content/uploads/. Two caveats: "deny from all" is the Apache 2.2 syntax, which Apache 2.4 only honours through mod_access_compat (on 2.4 use "Require all denied"), and .htaccess files are ignored entirely by nginx, where the equivalent is a location rule in the server configuration. Also, don’t add this code to just any WordPress directory, as it can stop your site from working.

Alternatively, simply use a plugin like the Sucuri security plugin to help you, blocking PHP file execution in unnecessary directories is one of the hardening options included in the plug-in.

Disable the built-in file editor

WordPress comes with a code editor built in (under Appearance and Plugins) which lets any administrator edit the PHP files used by plugins and themes. We recommend turning it off. If an attacker obtains an administrator session, whether through a guessed password or a stolen cookie, the editor gives them a one-click way to write PHP to your server; disabling it forces them to find another route. Just add this line to your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

If you have the Sucuri plugin installed, it lets you change this setting from the plugin’s control panel, ideal if you’re not keen on editing configuration files. If you also want to stop plugins and themes being installed or updated through the dashboard (for example because you deploy from version control), define DISALLOW_FILE_MODS as true as well; note that this also removes the dashboard update buttons, so you must then update by other means.

Don’t use “admin” for the administrator account

Older WordPress installations started out with “admin” as the username for the main administrator account, so many website owners still log in as “admin”. This matters because a lot of automated attacks simply hammer the “admin” username with guessed passwords; if that account does not exist, most of that effort is wasted.

Recent versions of WordPress make you choose an administrator username during installation, so “admin” is no longer the default. That said, some one-click auto-installers still create it. If you see that your administrator username is “admin”, change it.

You have three options. First, create a new administrator account with a different name, log in as it and delete the old one, reassigning its posts to the new account when prompted. The “Username Changer” plugin can also do it for you. Finally, you can edit the user_login column of the users table directly in phpMyAdmin. Whichever you choose, remember that renaming does not hide the username: WordPress still reveals it through author archive URLs and the REST API users endpoint, so the account also needs a strong, unique password and, ideally, two-factor authentication.

Change the WordPress database table prefix

By default WordPress names all of its tables with the prefix wp_ (wp_users, wp_options and so on). Because the names are predictable, an attacker who finds a SQL injection flaw can write a working payload without any reconnaissance. Changing the prefix ($table_prefix in wp-config.php) and renaming the tables can trip up automated attacks, but it is a modest gain: once injection is possible, the real table names can still be read from information_schema. Be extremely careful if you make this change, as a half-done rename will break your WordPress site; the option and user-meta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level) must be renamed too.

Set a password for the WordPress login and admin pages

Make life harder for attackers by adding server-side HTTP authentication in front of the wp-admin directory and the login page inside it, so the web server asks for credentials before WordPress even runs.

Each hosting solution has its own way of setting this up (an .htaccess and .htpasswd pair on Apache, auth_basic on nginx). It does not stop a real DDoS, but it does mean that brute-force attempts against the login page are rejected by the web server with a 401 instead of each one executing PHP and hitting the database, which sharply cuts their cost to you. One caveat: some plugins call wp-admin/admin-ajax.php from the public site, so you will usually need to exempt that file from the password prompt.

Stop directory browsing and indexing

Attackers can learn which plugins, themes and versions you run, and spot backup files or configuration copies left behind, simply by browsing the contents of your site’s directories. Many hosting solutions leave directory browsing enabled by default, handing them that opportunity.

It’s not just hackers you need to be worried about. Directory browsing lets anyone who is curious hunt through the files on your website to find images and other documents or to copy down your directory structure. We strongly suggest that you disable the ability to browse directories as there is rarely any purpose for doing so.

To stop directory indexing you need to edit the .htaccess file for the root directory on your website. You can do so using the file manager on your website’s control panel. You need to add this line to the .htaccess file:

Options -Indexes

Do that and unwanted visitors can no longer list the contents of your site’s directories. If your host’s AllowOverride setting does not permit Options in .htaccess, Apache will answer every request with a 500 error, so check the site straight after the change. On nginx, which ignores .htaccess, the equivalent is "autoindex off;" in the server block.

Disable XML remote procedure calls

XML remote procedure calls, or XML-RPC, can magnify the impact of a brute-force attack on your WordPress website. It is a powerful protocol, and useful on the one hand (the WordPress mobile apps, Jetpack and some publishing tools connect through it), but it carries risks.

XML-RPC has been enabled by default since WordPress 3.5, and it gives attackers a cheaper way in. Instead of sending 500 separate password attempts to wp-login.php, an attacker can wrap hundreds of authenticated calls (wp.getUsersBlogs is the usual choice), each with a different password, into a single system.multicall request. Thousands of guesses can be tested with just twenty to fifty XML-RPC requests, and a rate limit that counts requests rather than credentials never notices.

If you are not using XML-RPC, the general recommendation is to disable it so that it does not open the door to attackers. The most direct and least resource-heavy way is to block xmlrpc.php in .htaccess, so the web server refuses the request before PHP runs. Alternatively, the Sucuri WAF can do it for you. If you need XML-RPC for a specific app, a middle ground is to keep it enabled but remove system.multicall from the methods WordPress accepts (via the xmlrpc_methods filter) and rate-limit the endpoint.
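The .htaccess pieces recommended in this section, collected into one generator script. This is an added example, not code from the original post: it assumes Apache with AllowOverride enabled for the site, a hypothetical site root of /var/www/html and a hypothetical password file at /etc/apache2/wp-admin.htpasswd (create it with htpasswd -c). It produces the uploads block in both Apache 2.2 and 2.4 syntax, the root-level rules that turn off directory listing and refuse xmlrpc.php, and the password prompt on wp-admin with admin-ajax.php exempted, and it can probe the uploads directory from outside to confirm the block works. Review the output before installing it.

```shell
#!/bin/sh
# Generate the .htaccess hardening rules from this section. Added example; the paths
# below are hypothetical placeholders. Requires Apache with AllowOverride for the site.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"                      # assumption: site root
HTPASSWD="${HTPASSWD:-/etc/apache2/wp-admin.htpasswd}"   # assumption: htpasswd file

# Block PHP execution in a storage-only directory. Both syntaxes are emitted so the
# same file works on Apache 2.2 (Deny from all) and 2.4 (Require all denied).
# FilesMatch also covers the alternate extensions a PHP handler may pick up.
uploads_htaccess() {
    cat <<'EOF'
# Added by hardening script: no PHP runs from this directory.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Rules for the site root: no directory listings, and refuse xmlrpc.php before PHP
# runs so system.multicall brute force never reaches WordPress.
root_htaccess_rules() {
    cat <<'EOF'
# Added by hardening script.
Options -Indexes
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# HTTP auth on wp-admin. admin-ajax.php is exempted because front-end plugins call it
# for anonymous visitors and would otherwise break behind the password prompt.
wpadmin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $HTPASSWD
Require valid-user
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
}

# Write the files (the root .htaccess is appended to, not replaced, to keep permalinks).
install_rules() {
    uploads_htaccess > "$WP_PATH/wp-content/uploads/.htaccess"
    root_htaccess_rules >> "$WP_PATH/.htaccess"
    wpadmin_htaccess > "$WP_PATH/wp-admin/.htaccess"
}

# Check from outside: drop a harmless probe in uploads and expect the server to refuse it.
verify_uploads_block() {  # verify_uploads_block https://example.com
    probe="$WP_PATH/wp-content/uploads/probe-$$.php"
    echo '<?php echo "probe"; ?>' > "$probe"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-content/uploads/probe-$$.php")
    rm -f "$probe"
    if [ "$code" = "403" ]; then
        echo "uploads PHP block OK (HTTP $code)"
    else
        echo "NOT BLOCKED (HTTP $code)"
        return 1
    fi
}

case "${1:-}" in
    install) install_rules ;;
    verify)  verify_uploads_block "${2:?site URL}" ;;
    *)       uploads_htaccess; echo; root_htaccess_rules; echo; wpadmin_htaccess ;;
esac
```

With no arguments the script only prints the rules so you can inspect them; install writes them into place, and verify https://your-site probes the uploads directory and reports whether the server answered 403.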

Put a cap on the number of login attempts

Attackers often use a technique called “brute force” to get into a website when they don’t know the password: they simply keep trying a username against a list of likely passwords. Out of the box, WordPress allows unlimited login attempts, but you can change this. First, a web application firewall can do it for you, as it will automatically block brute-force attempts. Be aware that any per-address limit is only a speed bump against an attacker with many IP addresses, so it should sit alongside strong passwords rather than replace them.

Alternatively, download a plugin called Login LockDown and install it. You have to set up the plugin once you’ve installed it, visit the Settings > Login LockDown page to do so.
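As an added example (not from the original post), here is a small detector you can run over an Apache or nginx combined-format access log to see whether you are being brute forced and whether your cap is biting: it counts POST requests to wp-login.php and xmlrpc.php per client address and flags addresses at or above a threshold. The xmlrpc.php threshold is deliberately lower, because each request there may carry hundreds of guesses via system.multicall. The log lines in the block are constructed, and the addresses come from documentation ranges, not real clients.

```shell
#!/bin/sh
# Flag login brute force in a combined-format access log. Added example; the sample
# log below is constructed and the addresses are from documentation ranges.
set -eu

# Combined log format: ip - user [date tz] "METHOD path proto" status bytes "ref" "ua"
# flag_login_bruteforce <login_limit> <xmlrpc_limit>   (log on stdin)
# Prints "ip path count" for every (ip, path) pair at or above its limit.
flag_login_bruteforce() {
    awk -v login_limit="$1" -v xmlrpc_limit="$2" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
            hits[$1 " " $7]++
        }
        END {
            for (key in hits) {
                split(key, parts, " ")
                limit = (parts[2] == "/xmlrpc.php") ? xmlrpc_limit + 0 : login_limit + 0
                if (hits[key] >= limit) print key, hits[key]
            }
        }' | sort
}

# Constructed sample: 203.0.113.7 hammers xmlrpc.php, 198.51.100.23 tries the login
# form a few times, and 192.0.2.10 is an ordinary visitor.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2024:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jan/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2024:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'

# Typical thresholds: 20 form posts (a human rarely fails that often) and 5 XML-RPC posts.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 20 5
}

# Real use:  flag_login_bruteforce 20 5 < /var/log/apache2/access.log
demo
```

On the sample, only 203.0.113.7 is reported (five XML-RPC posts); the three form posts from 198.51.100.23 stay under the form threshold. Feed the flagged addresses to your firewall or fail2ban, and remember that a GET of wp-login.php is just someone loading the page, which is why only POSTs are counted.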

Put a time limit on idle users

Hackers don’t always work from faraway corners in the world. When your administrator walks away from their PC while logged into WordPress they can open your site to security risks. Just as a lot of important sites like financial services force a log out after a period of inactivity you should also consider forcing a log out when a user is idle.

One way to do so is using the “Idle User logout” plugin. Once you’ve installed it go to the Settings > Idle User Logout page and set up the plugin. Here you can set the time duration that you prefer. Make sure to uncheck the “Disable in wp admin” option for maximum security.

Mix up the WP login screen with a security question

Again, you can make it harder to get past your WordPress login screen by adding a separate security question that automated attacks won’t expect.

Thwart unauthorised access by installing a plugin. We recommend “WP Security Questions”, again easy to install if you follow our simple instructions. Once activated, go to Settings and then to the Security Questions page, where you can customise the question. Treat this as a speed bump rather than a real second factor: answers to typical questions are often guessable or findable, so if you can, use proper two-factor authentication (a TOTP app or a hardware key) instead or in addition.

 

Additional Measures Recommended for WordPress Security

Install a WordPress Security Plugin

We recommend you use a WordPress security plugin. Here are five that we reviewed in an earlier post on WordPress security:

 

1. Security Ninja

This is not one of the most popular products out there, but it is certainly worth a try. It is a well-rated scanner that focuses on prevention, finding weaknesses before someone exploits them, rather than reacting after an attack.

Essentially, Security Ninja looks for potential problems: known vulnerabilities, outdated software, including the software actually running on your server (PHP, MySQL and Apache versions), and common misconfigurations.

The difference from other products is that Security Ninja does not change anything on your installation. It reports and lets you make the fixes yourself, so you decide which actions to take for the problems it has identified.

This makes a lot of sense - essentially, you might know about specific things and have valid reasons why they are in place. Moreover, it might be that if you actually have a 3rd party tool making changes to your site, things can break without your knowledge.

Let's have a look at few of the excellent features:

  1.     50+ checks to find issues with your install
  2.     Runs a brute-force login test against your own site so you can see how it holds up
  3.     WordPress core and external software tests
  4.     Checks for known and common behaviours which can result in getting hacked

This is a tool for those who are serious about protecting their website.

PROS: Does not actually change or tweak files on your installation so that you are in full-control.

CONS: If you are not actually familiar or technical with some of the more serious problems and how to fix them, you might be left with question marks on whether your WP is protected or not, since SecurityNinja does not perform changes.

There is a free version of the tool which you can download from here.

Price: Free for the standard versions, starts from $29 for the PRO version

Download Security Ninja

 
2. iThemes Security Pro


iThemes Security is one of the best WordPress hardening plugins in the WP official directory, (formerly known as Better WP Security). With 30+ ways to protect your website, it ensures that your website is not an easy target for hackers.

If you would like to try their free version before switching to a premium user, you can download it from here but of course, the Pro version offers much better protection for a very good price.  

Some of the pro features include but are not limited to

  1.     Two-factor authentication
  2.     WordPress user check
  3.     Enforce strong passwords for all users
  4.     Regular malware scan with Sucuri Sitecheck
  5.     iThemes Sync Integration for up to 10 websites for free

You can easily review and take action if you find any potential threats. Once you logged in to WordPress admin navigate to Security>> Settings to assess the current state of your site and enable only those protection features you need.

 Pros: One of the best WordPress security plugins for any kind of WordPress website, with all the advanced features you’ll ever need.

Cons: Like any other advanced products to secure your installation, it also has the potential to cause problems because it could make significant changes to database and files. This is not the right tool if you’re on a shared hosting platform because it could consume lots of resources during the scan.

Pricing

The pricing starts from just $48, so it is worth every penny. Indeed, it is one of the most advanced WP security plugins in the market and quite possibly, the only one you’ll ever need.

    Personal- $48 for 2 sites

    Freelancer- $60 for 10 sites

    Developer- $90 for unlimited sites

    Plugin suite- $149 for developer license for all of the iThemes plugins

Download iThemes Security Pro

 
3. Malcare

Essentially, this is a security service for your website, which does things slightly differently than the rest of the services which we've discussed. Malcare has a full dashboard of all of the sites which you manage. So besides the standard hardening functionality (such as firewall, core file changes scanning, theme and plugin updates etc.), you will be able to manage all of your sites directly from one place.

In terms of features, it will give you an overview of any problems which you have on your site. The beauty is that thanks to the helper plugin which gets installed on your site, you can perform any security changes and updates directly from this dashboard. This is an essential feature for those who manage websites for other companies (or their clients) - because you can just log in to this dashboard and perform all security updates from the same place.

Pros: One single dashboard to monitor and manage all sites under your care.

Cons: none that we are aware of right now

We find the dashboard to be an excellent feature of this plugin. It also has the ability to install the helper plugin directly through the dashboard, making literally the only place you need to log on to. We do believe it's one of the best options out there for those who manage and secure multiple WP websites.

Price: $59/month for up to 20 sites which works out at about $3/site/month for developers. If you are looking for a personal plan, it starts at $99/year, which is very fair.

Visit Malcare now

 
4. Sucuri


When you enable Sucuri’s cloud firewall (CloudProxy), all of your traffic goes through Sucuri’s proxy before reaching your web host, so the firewall blocks most attacks before they reach your site. Sucuri’s products are not typical WordPress plugins: the protection runs on their infrastructure, not yours.

CloudProxy comes with the website security bundles and needs a DNS change to activate, so it is not a plugin in the strict sense, yet it provides as much protection (if not more).

Because only filtered traffic reaches your server, it consumes less bandwidth and can improve performance. Sucuri is billed annually.

As of now, the pricing starts from $199.99/year.

If you’re looking for a free version, you may download it from here. The free version offers seven key features including activity audit logging, file integrity monitoring and blacklist monitoring, etc.

By installing the premium version, you can take an in-depth scanning which helps you to figure out if there are any server-side or theme/plugin issues.

Pros: Sucuri is a company that creates tools and plugins for securing websites on different platforms including WordPress. No other option here can secure your installation with a DNS level firewall. Best of all, it improves the performance of your WP.

Cons: The price is significant comparing to other WP plugins.

Sucuri plugin is the best bet if you’re looking for the most comprehensive protection. If the price is OK with you, I’ll strongly recommend you to start using their service. For more information, visit our review Sucuri vs Wordfence.

Price: $199/year

Get Sucuri premium

 
5. All in One WP Security & Firewall


Looking for a complete and convenient protection that enforces a lot of good practices on your WP? Then, all in One WP Security & Firewall plugin is one of your first stops and definitely worth trying.

This is one of the highest rated plugins for securing your installation in the official WordPress directory.

Incidentally, if you want to implement WordPress security to prevent hacking, we've got you covered, if your WordPress has been hacked, we've got you sorted too.

All in One Security and Firewall is a comprehensive security tool that takes proper care of your site’s safety. It monitors your website and checks it for vulnerabilities, malware, brute-force login attacks, and other issues or problems on your server.

The settings for malware scanning are fully customizable.

The plugin uses an outstanding points grading system to measure how well your website is protected based on the features activated.

It also comes with firewall functionality, implemented as .htaccess rules and PHP-level checks, that blocks known-bad request patterns before they reach your theme and plugin code. Unlike a DNS-level proxy such as Sucuri’s, it can only act once the request has already reached your server.

 

It is a fully featured product despite being a free one. It comprises almost every WordPress hardening features you'll ever need.

    User account protection
    User log in protection
    Database hardening
    File system hardening
    Blacklist and firewall functionality

Pros: This is the only option in the list that doesn’t have a paid version, and it is one of the best free WordPress security plugins.

Cons: It may conflict with other functionality if the advanced features are enabled. Test it on a staging copy before enabling them on your live installation.

As the name suggests, the plugin is an all-in-one solution that covers most of what a beginner blogger will ever need. Since it is free, there is little to complain about. It works as described.

Price: Free

Download the All in one WP security and firewall

 

Activate an automatic backup solution

Here are some WordPress backup plugins recommended:

 

BlogVault

This is an excellent backup plugin for WordPress.

Features:

  • Automatic daily backups.
  • WordPress multisite support.
  • Complete backups of your database and WordPress files.
  • Unlimited on-demand backups.
  • Incremental backups to reduce server load.
  • Offsite storage and independent access so you can restore from your BlogVault dashboard.
  • Backups are stored securely on Amazon S3 servers.
  • Staging environment is included (great for testing website changes).
  • Restore your website in a few clicks.
  • Migrate to a new domain, host, or server easily.
  • Website management functionality.
  • White-label option (great if you have clients).
  • Email notifications for backups, migrations, etc.

Price: Starts from $7.49/month (billed annually) for backups, or $12.40/month (billed annually) with the addition of security powered by their sister company, MalCare.

There is also a specialist plan for WooCommerce backups starting from $20.75/month (billed annually). This includes order syncing, 365 day backup history and additional security from MalCare.

 

VaultPress

Features:

  • Automatic daily backups (real-time is available on higher plans)
  • Storage is included so you don’t need to connect to a third party platform like Dropbox.
  • Restore your site with the click of a button from your dashboard.
  • Customer support is available to help you if you need it.
  • Daily scans for malware.
  • 30-day money back guarantee.

Price: Starts from $39/year (includes other Jetpack subscription perks)

 

Sucuri

 

Features:

  • Automatic daily backups.
  • On-demand backups.
  • Backups stored securely in Sucuri’s cloud infrastructure.
  • Support team available to help you if you need it.
  • Reporting that shows you what files have changed since your last backup.
  • Backups retained for 90 days.
  • Automatically restore your files, and/or, your database right from your dashboard.
  • Backup notifications so you know your site has been successfully backed up.
  • Works with other content management platforms too, not just WordPress (e.g. Joomla, Drupal, Magento etc).

Price: $5/site/month but you’ll need to sign up for their Website Security platform first (It’s $299/year for the SSL ready plan).

 

Optimizing the Performance of Your Website

 

Website optimization is good not just for users but for search engines as well. Website speed, for instance, is a known ranking signal and should be taken seriously.

To optimize your website, there are certain practices we recommend and here they are:

 

  1. Optimize Page Titles & Descriptions
  2.  Fix Duplicate Blog Content
  3. De-index Tag & Archive Pages
  4.  Optimize Site Images
  5. Optimize for Mobile Traffic
  6. Don’t over-optimize
  7. Build Your Content Around Keywords

 

Summary

 

Running an online business or blog is serious business. You must do everything to safeguard your site from intruders and cyber criminals. This post provides the basic steps you should take to keep your website safe and optimally performing. Keep in mind that you must do the following:

  1. Update your WordPress installation to keep up with the latest version.
  2. Protect your website from security breaches and intrusion.
  3. Optimize the performance of your website for visitors and search engines.

Best of luck. If you have further comments or suggestions, let us have them in the comment box.
