According to WPBeginner, each week Google blacklists around 20,000 websites for malware and around 50,000 for phishing. That is a scary statistic and one that should not be taken lightly.
WordPress is so popular that it has become a prime target of security attacks. A Content Management System (CMS) that powers an estimated 43% of the internet will no doubt attract the attention of anyone wanting to insert malicious code, take sites down or steal data.
So what can you do to prevent your website from being attacked?
Backup, Backup, Backup
What use is having a website if you do not have a backup? What happens if your website is hacked and you do not have a backup? What happens if something breaks? Make sure you make regular backups or one day you could very well regret it. Most web hosts offer free backups. If your web host does not offer free backups then you should consider using a service like CodeGuard or VaultPress, which not only back up your website but also constantly monitor and scan it for security breaches.
Install WordFence Security Plugin
WordFence has a host of WordPress security features that will protect your website without any setup or complications. Best of all, it is free and used by over a million users worldwide.
Keep WordPress, Themes & Plugins Updated
This is one of the most important rules and one that you should never ignore. Hackers target vulnerable code, and the only way to stay ahead is to make sure that your plugins and themes are always kept updated. This also applies to WordPress itself. As soon as you see a notification that a plugin or theme needs updating, do so straight away.
Another good tip is to also remove/delete plugins and themes that you no longer use as these forgotten bad boys can also be targeted.
Password Protect Your Login Directory & Limit Login Attempts
*Avoid using admin as a username on your website; a lot of hackers and bots will attempt to use admin to log in, as this was WordPress’ default username once upon a time.
Password Protect Your WP-Admin Folder and Login File
Password protect your WordPress admin login folder (wp-admin) and the wp-login.php file, as by default there are no restrictions in place to stop hackers from reaching these areas.
Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, in which hackers try to crack passwords by attempting to log in with many different combinations. To limit the number of login attempts made on your website, install the Login LockDown plugin. WordFence will also lock out users after too many login failures.
Disable XML-RPC
XML-RPC on WordPress is actually an API, or “application program interface”. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments
However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks: a single XML-RPC request can carry many authentication attempts, so an attacker gets far more password guesses per request than through the normal login form.
To disable XML-RPC, there are several plugins to choose from in the official WordPress repository.
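If you would rather not add another plugin, the two measures above (limiting login attempts and disabling XML-RPC) can be done in a small must-use plugin. The following is an added example written for this post, not code from WordFence, Login LockDown or WordPress itself; the plugin name, the hx_ prefix and the limit of 5 failures in 15 minutes are assumptions you can change. Save it as wp-content/mu-plugins/hx-login-hardening.php.

```php
<?php
/*
 * Plugin Name: HX Login Hardening (constructed example)
 * Description: Disables authenticated XML-RPC methods and locks an address
 *              out after repeated failed logins. Lives in wp-content/mu-plugins/.
 */

// Turn off the XML-RPC methods that require a login, which are the ones used
// for password guessing. Caveat: the pingback method needs no login and is not
// covered by this filter; block xmlrpc.php at the web server if you need that too.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Assumed policy: 5 failures within 15 minutes locks the client address out.
define( 'HX_MAX_FAILURES', 5 );
define( 'HX_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

// Per-address counter key. REMOTE_ADDR is the immediate peer; behind a reverse
// proxy or CDN that is the proxy, so derive the address from its trusted header instead.
function hx_lockout_key() {
    return 'hx_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login. Re-setting the transient on each failure keeps the
// window sliding, so an address that keeps hammering stays locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = hx_lockout_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, HX_WINDOW_SECONDS );
} );

// Refuse authentication once the counter reaches the limit. Priority 30 runs
// after WordPress' own username/password check (priority 20); an earlier error
// would be overwritten by that check, so the lockout must come last.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( hx_lockout_key() ) >= HX_MAX_FAILURES ) {
        return new WP_Error(
            'hx_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( hx_lockout_key() );
} );
```

Because the counter lives in a transient, it is shared across all PHP workers and survives between requests without extra tables; a persistent object cache keeps it out of the database entirely.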
For a comprehensive security guide with an in-depth look at improving your WordPress security, check out WPBeginner's Ultimate WordPress Security Guide. It is fantastic.