Tips for Securing Your WordPress Site

WordPress is one of the most powerful tools available to anyone wanting to run their own website. The free, open source software comes with many powerful tools right out of the box, but can be augmented to fulfil almost any purpose with a massive library of plugins.

WordPress is used by individuals, small businesses and large enterprises alike to run blogs, advertise their services, and sell products through an ecommerce store.

With this power and popularity, WordPress has attracted many ill-intentioned people who wish to exploit this prominent software. Its widespread use and open source nature make it easy both to find exploits and to find websites to use them against.

Therefore it is vital that you protect your WordPress installation from as many of these attacks as possible.

Protect Yourself from Brute Force Attacks

Brute force login attacks for WordPress are common; popular sites may even experience thousands of this type of attack each day. They work by simply guessing lots of different username and password combinations in the hopes of finding one that works. There are several ways to stop these attacks, and the best solution is to use a combination.

Firstly, you can add an extra layer of security to your login process by enabling two-factor authentication. While there are several ways to do this with WordPress, they all achieve the same thing: they require users to enter a third piece of information when they sign in. In addition to their username and password they must enter a unique, short-lived code, typically generated by an app like Google Authenticator. This type of security is used by many organisations, including banks, social media sites, and gaming companies, all of which use security tokens or SMS validation in addition to passwords.

Secondly, you can install security plugins such as Wordfence which will lock a user out if they try to sign in too many times. You can choose to lock them out for anywhere between a couple of minutes and a few days.

Another solution is to turn off or block access to WordPress's XML-RPC interface (the xmlrpc.php file) if you are not using it, since it accepts login credentials just like the normal login page. There are several ways to do this, including blocking access to the file with an .htaccess rule or through DNS providers like Cloudflare. Alternatively, you can disable the function in WordPress itself.
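The two measures above (locking out an address after repeated failures, and switching off XML-RPC) can also be done without a third-party plugin. The following must-use plugin is an added example written for this article, not code from WordPress, Wordfence or any other project: it turns XML-RPC off through WordPress's `xmlrpc_enabled` filter and counts failed logins per client address in transients, refusing further attempts for an hour once five have failed within fifteen minutes. The thresholds, the `hlh_` prefix and the file name are assumptions; the hooks and helper functions it calls (`wp_login_failed`, `authenticate`, `wp_login`, `get_transient`, `set_transient`, `WP_Error`) are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Hypothetical Login Hardening (mu-plugin)
 * Description: Added example. Disables XML-RPC and locks an address out after
 *              repeated failed logins. Save as wp-content/mu-plugins/hlh-login-hardening.php
 */

// Refuse to run if this file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Disable XML-RPC. Remote publishing clients and pingbacks stop working;
//    remove this line if a mobile app or Jetpack genuinely needs the interface.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Lockout thresholds (assumed values; adjust to taste).
define( 'HLH_MAX_ATTEMPTS', 5 );                      // failures allowed per window
define( 'HLH_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS ); // how long failures are counted
define( 'HLH_LOCKOUT_SECONDS', HOUR_IN_SECONDS );      // how long a locked address waits

/**
 * Build a transient key for the current client address.
 * REMOTE_ADDR is the only address the web server itself vouches for. Behind a
 * reverse proxy or CDN, configure the server's real-IP module instead of
 * reading X-Forwarded-For here, otherwise a client could choose its own key.
 */
function hlh_client_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

// Count each failed login; once the threshold is reached, start a lockout.
add_action( 'wp_login_failed', 'hlh_record_failure' );
function hlh_record_failure( $username ) {
    $key      = hlh_client_key( 'hlh_fail_' );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, HLH_WINDOW_SECONDS );

    if ( $attempts >= HLH_MAX_ATTEMPTS ) {
        set_transient( hlh_client_key( 'hlh_lock_' ), time(), HLH_LOCKOUT_SECONDS );
        delete_transient( $key );
        // Leaves a trace in the PHP error log so the lockouts can be reviewed.
        error_log( sprintf( 'hlh: locked out %s after %d failed logins',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown', $attempts ) );
    }
}

// Reject logins from a locked address. Priority 30 runs after WordPress's own
// credential checks (priority 20), so returning WP_Error overrides their result.
add_filter( 'authenticate', 'hlh_block_if_locked', 30, 3 );
function hlh_block_if_locked( $user, $username, $password ) {
    if ( get_transient( hlh_client_key( 'hlh_lock_' ) ) ) {
        return new WP_Error( 'hlh_locked', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}

// A successful login clears the failure counter for that address.
add_action( 'wp_login', 'hlh_clear_failures', 10, 2 );
function hlh_clear_failures( $user_login, $user ) {
    delete_transient( hlh_client_key( 'hlh_fail_' ) );
}
```

Two caveats worth knowing. The `xmlrpc_enabled` filter makes WordPress answer every XML-RPC call with an error, but xmlrpc.php is still served; if you want those requests to never reach PHP at all, deny the file at the web server or at Cloudflare as described above. And transients live in the database unless the site has an object cache, so on a large site with heavy login traffic a dedicated plugin that stores its counters more efficiently is the better choice.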

You can also make it harder for hackers to find your WordPress login page. By default, the WordPress login page is wp-login.php, so people wanting to brute force it can find it easily. By changing the URL, with one of the many plugins available, you can make it a little harder for people trying to brute force your website.

Keep Everything Up to Date

Like with all software, there is a constant battle taking place between bad actors who try to find bugs that they can exploit, and developers who try to fix the bugs before (or quickly after) they’re found.

You don’t need to be a security expert to make sure your WordPress site is free of these bugs. You just need to let it run any updates that have been released. This is really easy to do: simply log in and you’ll see a little icon of two arrows in a circle in the black bar at the top of the screen. This icon alerts you to new updates being available, and often has a number next to it which tells you how many need to be installed.

Simply click the button and follow the instructions on the screen. WordPress will do all of the heavy lifting for you.
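Clicking the button still depends on someone remembering to log in. As an added example, not code from WordPress or from any plugin mentioned here, the following must-use plugin opts every plugin and theme into WordPress's background updater, allows minor (security) core releases while holding back major version jumps, and writes the outcome of each run to the PHP error log so a failed update does not go unnoticed. The plugin slug in the hold-back list and the file name are assumptions; the filters and the `automatic_updates_complete` action are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Hypothetical Auto-Update Policy (mu-plugin)
 * Description: Added example. Turns on background updates and logs their results.
 *              Save as wp-content/mu-plugins/hypothetical-auto-updates.php
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Plugins: update in the background as soon as a release appears, except for
// anything you must test by hand first (assumed slug, replace with your own).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array( 'example-payment-gateway' );
    if ( isset( $item->slug ) && in_array( $item->slug, $hold_back, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes: always update.
add_filter( 'auto_update_theme', '__return_true' );

// Core: minor and security releases automatically, major versions after testing.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// After each background run, record what succeeded and what failed.
// $results is keyed by type (core, plugin, theme, translation); each entry
// carries the item's name and a result that is a WP_Error on failure.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $status = is_wp_error( $update->result ) ? 'FAILED' : 'ok';
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $update->name, $status ) );
        }
    }
} );
```

Background updates only run if WP-Cron is firing, so on a low-traffic site it is worth triggering wp-cron.php from a real system cron job; and they do not replace a backup, since an update can still break a site.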

Use a Firewall

Your web hosting package should be set up with some security by default; however, it’s unlikely this will be enough on its own.

There are many third-party security plugins available, most with free versions. However, one you should definitely consider is Wordfence. This plugin comes with a scanning feature that can check for any malicious software that has been installed in your WordPress directory.

It also monitors the traffic coming to your site to spot any unsavory activity. This can include people accessing many pages in quick succession, failed login attempts, or attempting to upload files. You can set Wordfence so that it automatically blocks attacks of this kind, removing that person’s access to your website.

Keep a Regular Backup

Sometimes, all the security in the world is not enough to protect you; occasionally, hackers can get lucky and an attack on your website can succeed. So you need a way to protect your site should this happen.

The best way to do this is to keep a regular backup. Backups allow you to quickly restore your site to the state it was in before the attack happened, removing any malicious files and keeping everything else. There are many options available, but the easiest way is to use a backup plugin.

Many of these will run the backup automatically and store it remotely on cloud services like Dropbox or Amazon Web Services. Having automatic backups is important as it prevents you from forgetting, and being left with no way of recovering your site.

There are many other ways that you can protect your WordPress site, but these are some of the most important and provide a solid foundation for later security improvements.
