We know it can be very difficult for people to protect their websites from a threat they don’t understand. Cyber security is a complex topic, but every WordPress owner can take immediate steps to ensure greater protection.
Here are some of the easiest ways for WordPress owners to protect their site from cyber attacks:
1) Use Two-Factor Authentication
Two-factor authentication drops your vulnerability from cyber attacks to almost zero. With two-factor authentication, a numerical code is sent to your smartphone before you can log in to the WordPress dashboard. You use this code along with your username and password to access the dashboard. Without the code, you can’t access it — and neither can an attacker.
Unfortunately, WordPress doesn’t have this feature coded into the underlying software. Instead, you need a plugin to enable it. You can use plugins such as Google Authenticator or Duo to allow two-factor on your site.
2) Update Your Plugins Regularly
Good plugin developers continually update their code to fix bugs and cyber security issues. If a plugin developer doesn’t keep their code updated, then you shouldn’t use it. Even if you don’t have any problems with the plugin, you could have them in the future.
Newer versions of WordPress display an alert when a plugin update is available. You can also install third-party plugins to help you manage code changes. For instance, WordFence shows an alert as well when an update for a plugin is available.
3) Check for SQL Injection Vulnerabilities
You don’t have to know how SQL injection works to protect your site or to find weaknesses. You can use third-party scanners available from cyber security experts. Sucuri, for example, has a free scanner that you can use to see if any of your plugins are leaving you open to SQL injection. Again WordFence is a plugin that you can install to protect from this attack.
SQL injection is one of the most common vulnerabilities with plugins, so you should always scan your site regularly. Each time you install, you add some form of risk to your site.
4) Limit Login Attempts
Hackers use an attack called “brute force” to gain access to your WordPress dashboard. Brute force works by feeding a script a bunch of dictionary terms and running those words against the login page. You can limit the login attempts to stop a brute force attack, which also means you only get a certain number of attempts before you are locked out, but you can use the “Forgot Password” form to regain access should you forget it.
5) Use HTTPS on Your Domain
HTTPS encrypts the data sent between your server and the reader’s browser. It’s a great way to protect data from being eavesdropped by attackers who have access to sniffers. A sniffer is a software that runs on a machine and intercepts messages between two parties on a network. If the data isn’t encrypted, then the attacker can read anything from account details to passwords.
HTTPS wasn’t required for all pages a decade ago, but now users expect the protocol on the entire site to protect their data. Current browsers and search engines warn users if a website hasn’t enabled HTTPS.
6) Always Update WordPress as Soon as It’s Available
WordPress makes frequent releases available, sometimes several throughout the year. The updates fix bugs and security issues found in the core software. Many WordPress site owners make the critical mistake of ignoring these updates and leaving old code running on the domain. Outdated WordPress sites are a huge target for hackers!
You can set up alerts for WordPress updates and you also get notice at the top of your dashboard when a new version is available. It’s a good idea, of course, to back up your site (both database and the site code) before you perform any updates.
7) Delete Unused Plugins
If you no longer need a plugin, it’s recommended that you delete it. With each plugin you add to your site, you add higher cyber security risks. Plugin code that isn’t maintained is a huge issue for cyber security. Even maintained plugins could pose cyber security risks if the developer accidentally includes vulnerable code. Some plugin developers even purposely leave back doors to your site.
You can avoid these issues by removing unused plugins, but keep in mind that disabling them isn’t always enough. Instead, it’s best to remove them entirely.
For more information about WordPress hosting and security, please visit or website or send an email to askus [at] tier.net.