When a WordPress website gets compromised, it’s almost always due to an insecure plugin or theme being installed on the website. Most plugin/theme updates are security updates, so when new versions of your plugins/themes are released, you should update them as soon as you can.
To simplify this process, you can set WordPress to automatically update. However, keep in mind that sometimes updates can break your website due to incompatibilities between plugins. To resolve any problems caused by updates quickly, you should ensure that you have a backup of your website ready to go. If you’re not sure how to restore a backup, you can follow this guide.
A brute-force attack is when a hacker uses a bot to throw thousands and thousands of login attempts at your website in an attempt to guess the correct password and gain access. Here are a couple of ways to stop that from happening:
It’s a widely known fact that your WordPress website will use https://your-domain-here.com/wp-admin as the login URL by default. You can use a plugin to adjust the login URL for your website, to hide the login page.
Setting the site administrator’s username to “admin” makes it trivially easy for a malicious person to guess. From there, all they have to do is guess the password. You can make it harder for them by changing the administrator’s username to something harder to guess. You can change your website’s username inside the Users section of the WordPress admin dashboard.
Using a short or easy-to-guess password will only make it easier for a malicious person to gain access to your website via a brute-force attack. It’s best to use a password that is at least 8 characters long and includes upper/lower case letters, numbers, and special characters.
Setting up Two Factor Authentication on your website is a great way to add an extra layer of security. This will help stop someone malicious from gaining unauthorized access to your website, even if they manage to obtain username and password information. There are a number of plugins available that you can use to enable Two Factor Authentication on your website.
To ensure that your website loads securely and any data transferred between your website and the web browser is secure, you can install an SSL Certificate. Here are the steps you need to take to ensure that your website loads securely (HTTPS):
Install an SSL Certificate. You can do this by using AutoSSL.
To ensure that your website always loads securely (https://), you can install the Really Simple SSL plugin.
By default, it is possible to publicly view your website’s file and directory structure via a web browser. To stop this from happening, you can add the following code to your website’s .htaccess file: Options -Indexes. You can add the code by following these steps: