Note: Modifying server config files via an SSH console is a complicated process and may break your site if not done perfectly. If you are not an SSH expert, we highly recommend upgrading to the PRO version and letting our premium support handle or help with this server setup.

Since WordPress is widely used by newbie bloggers and non-technical users, it’s very important to identify several easy ways to secure a WordPress site without any technical knowledge. Luckily, there are plenty of steps you can take to safeguard a WordPress site. Below are the 10 most important yet easy methods to follow:

Implement an SSL Certificate

Secure Sockets Layer (SSL) certificates are an industry standard used by millions of websites to protect their customers’ sensitive data. Securing your site with an SSL certificate and enabling HTTPS encrypts the data exchanged between your server and the end user, keeping the transmission private and secure.

Generating and installing an SSL certificate for your site should be the very first task every new website owner completes. Several hosting companies provide an easy and convenient way to implement an SSL certificate. If your hosting company is not one of them, you can easily generate a free SSL certificate and install it on your hosting server using the WP Encryption WordPress plugin.

Don’t Use “admin” Username

Default WordPress installations, such as one-click installers, usually create your administrator account with the username “admin”, which is the favorite username of hackers performing brute-force attacks. Always check the advanced options of one-click installers and set a custom, secure username. If you already have a WordPress site running, double-check the Users list to make sure the “admin” username is not in use. Otherwise, replace the “admin” username immediately.

Use a reCAPTCHA Plugin for the Admin Side

Adding Google reCAPTCHA verification to wp-admin further strengthens protection against brute-force attacks. Various reCAPTCHA plugins let you easily set up a reCAPTCHA challenge for the wp-admin login form; one of our favorites is the Login No Captcha reCAPTCHA plugin.

Set Up and Use a Vulnerability Scanner

Vulnerabilities are commonly found in open source platforms. Every WordPress site requires multiple plugins to meet certain requirements, and hackers are largely focused on exploiting vulnerabilities within those plugins to gain access to the site and its data. You can easily run a frequent vulnerability scan with the WP Encryption WordPress plugin to detect the latest vulnerabilities found in plugins, themes and WordPress core. If your site is using a vulnerable plugin, theme or core version, make sure to update it as soon as an update or patch is released.

Install a Security Plugin

WordPress security plugins come bundled with plenty of security features and real-time monitoring to fight common WordPress weaknesses and safeguard the site. It is essential to install and configure a good security plugin to add some extra layers of protection. Some of the well-known WordPress security plugins are listed below:

  • Sucuri Security
  • Wordfence Security
  • iThemes Security

Keep WordPress Updated

As the WordPress ecosystem is completely open source, attackers are always searching for loopholes in WordPress core, plugins and themes. Vulnerabilities are found and patched almost every day in WordPress plugins, themes and core, so it’s very important to update your WordPress core, themes and plugins frequently to stay secure. Outdated plugins are a prime target for attackers looking to exploit the site.

Run Frequent Backups

Taking frequent backups can save you time when things go wrong, and you can easily restore a backup if your WordPress site is compromised. Use an easy backup plugin such as Backup Bolt to take a current backup of your site and store it locally.

Hide Your WP-Admin login page

Hiding your wp-admin login page from the public frontend adds another layer of security against attackers trying to guess passwords or brute-force the site. WPS Hide Login is a well-known plugin made specifically for this purpose. You can easily replace wp-admin with a custom phrase you can remember to access the login form.

Disable XML-RPC

WordPress uses an implementation of the XML-RPC protocol to extend its functionality to software clients. This remote procedure call protocol allows commands to be executed remotely.

As most users don’t need XML-RPC functionality, it’s good to disable it completely to avoid security exploits. Various security plugins such as Wordfence let you easily disable XML-RPC with a simple option.
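As an added example that is not part of the original post or of any plugin named here, the same result can be achieved without a security plugin by dropping a small must-use plugin into wp-content/mu-plugins/. It relies only on WordPress core's own xmlrpc_enabled, xmlrpc_methods and wp_headers filters and the rsd_link action; the file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example; file name is an assumption)
 * Description: Turns off the XML-RPC endpoint and removes the hints that advertise it.
 * Place this file in wp-content/mu-plugins/ so it loads on every request without activation.
 */

// Refuse every XML-RPC request: xmlrpc.php then answers with a
// "XML-RPC services are disabled on this site." fault instead of
// processing logins, posts or pingbacks.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Defence in depth: should something else re-enable the endpoint, still
// remove the pingback methods (commonly abused to make the site send
// requests elsewhere) and system.multicall (batches many calls, such as
// login attempts, into a single request).
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Drop the X-Pingback response header that advertises xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Remove the RSD <link> tag from the page head, which also points at xmlrpc.php.
// default-filters.php registers this action before mu-plugins load, so the removal works here.
remove_action( 'wp_head', 'rsd_link' );
```

You can confirm the change on your own site: a request to /xmlrpc.php should now return an XML fault stating that XML-RPC services are disabled, and the X-Pingback header should no longer appear in responses.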

Use a Web Application Firewall

Triggering a Distributed Denial-of-Service (DDoS) attack on your site can simply take it down without exploiting any vulnerability on your site. DDoS attacks are malicious attempts to disrupt the normal traffic of a targeted server by overwhelming it with a flood of internet traffic. Even simple DDoS attacks can easily cause downtime if you are on a shared hosting platform with limited resources. To block DDoS attacks, you can set up and route your domain’s DNS to a good Web Application Firewall such as Sucuri, which in turn routes the traffic to your original hosting server after blocking suspicious requests.