How to Secure WordPress Easily and Quickly: 5 Steps

WordPress is the most targeted CMS by cyberattacks. Discover 5 simple and effective steps to secure your WordPress site — from plugin updates to hosting, login URL and two-factor authentication.

WordPress is the content management system (CMS) most targeted by cyberattacks, and for good reason: nearly 2/3 of sites worldwide are created with WordPress, making it the most profitable target. Unfortunately, that is not the only reason. WordPress is generally not complicated to hack: once a vulnerability is discovered, word of it spreads quickly and everyone takes advantage of it.

Is WordPress Really So Insecure?

WordPress itself is very secure — the White House website uses it, for example (yes, really). In fact, its vulnerabilities do not come from WordPress itself but from installed plugins. If a flaw is present in a plugin, developers will patch it quickly. However, if you never update your plugins, that is where you expose yourself to very significant risks.

5 Steps to Secure Your WordPress Site

Discover our 5 fairly simple and quick steps to transform your WordPress site into something more secure than Fort Knox. Be careful — just because you cannot see anything does not mean your site has not already been hacked. In fact, that is most often how it works.

1. Update Your Plugins

Since vulnerabilities come overwhelmingly from flaws in installed WordPress plugins, the most important thing is to update your plugins regularly. It is also possible to easily set up automatic plugin updates. In general, also avoid downloading plugins that nobody knows, or cracked plugins, and remember to delete extensions you do not use or no longer use — it will be more manageable.
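As an added example (not from the original article), here is one way to check step 1 on a site. The Python script reads the JSON printed by WP-CLI's `wp plugin list --format=json` and lists plugins with a pending update, inactive plugins that are candidates for deletion, and active plugins without automatic updates. It assumes WP-CLI is installed on the server; the plugin names and versions in the sample are constructed.

```python
import json
import sys

# Constructed sample of the JSON printed by (plugin names and versions are made up):
#   wp plugin list --format=json --fields=name,status,update,version,update_version,auto_update
SAMPLE = """[
 {"name":"contact-form-x","status":"active","update":"available","version":"5.1.0","update_version":"5.3.2","auto_update":"off"},
 {"name":"old-slider","status":"inactive","update":"available","version":"2.0.1","update_version":"2.4.0","auto_update":"off"},
 {"name":"seo-helper","status":"active","update":"none","version":"21.0","update_version":"","auto_update":"on"},
 {"name":"cache-boost","status":"active","update":"none","version":"1.9.4","update_version":"","auto_update":"off"}
]"""


def audit_plugins(plugins):
    """Sort plugins into the three problems step 1 describes."""
    findings = {"outdated": [], "unused": [], "no_auto_update": []}
    for p in plugins:
        name, status = p["name"], p.get("status", "")
        if status in ("must-use", "dropin"):
            continue  # not handled by the normal plugin updater
        if p.get("update") == "available":
            findings["outdated"].append((name, p.get("version"), p.get("update_version")))
        if status == "inactive":
            findings["unused"].append(name)
        elif p.get("auto_update") != "on":
            findings["no_auto_update"].append(name)
    return findings


def audit_json(raw):
    """Parse WP-CLI JSON text and audit it."""
    return audit_plugins(json.loads(raw))


def report(findings):
    """Render findings as one line per action to take."""
    lines = [f"UPDATE  {n}: {cur} -> {new}" for n, cur, new in findings["outdated"]]
    lines += [f"DELETE? {n}: inactive, but its code is still on the server" for n in findings["unused"]]
    lines += [f"AUTO    {n}: automatic updates are off" for n in findings["no_auto_update"]]
    return lines


if __name__ == "__main__":
    # Pipe real WP-CLI output in; with no piped input the constructed sample is used.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    result = audit_json(raw.strip() or SAMPLE)
    print("\n".join(report(result)))
    sys.exit(1 if result["outdated"] else 0)  # non-zero exit suits a cron or CI check
```
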

2. Back Up Your Database

If you regularly back up your site’s database, you will always be able to restore it after an attack without leaving a trace, and then apply the advice in this article so it does not happen again. You can either download a plugin to back up your entire site, or switch directly to a hosting provider that handles automatic and/or manual backup creation.

3. Choose a Secure Hosting Provider

Your choice of hosting plays a decisive role in your site’s security. It is possible that your hosting provider does not even bother about DDoS attacks against your site, which is rather standard, along with many other things. By choosing a good hosting provider like Kinsta, you can have peace of mind.

Kinsta in a few words on security:

  • An SSL certificate that ensures everything your visitors do on your site is encrypted.
  • Full automatic daily backups by default EVERY DAY; you can even make your own on-demand backups whenever you want. A feature that SHOULD be included by default with all hosting providers, but is not.
  • XML-RPC brute force attack blocking
  • Full isolation and the latest security updates
  • The PHP version is automatically removed from your WordPress site’s HTTP headers
  • IP address protection (immediately blocks a spammer attacking your site)
  • DDoS attack protection
  • Your resources are 100% private and not shared with anyone else, not even between your own sites.
  • […]

Interested? If you want the complete list, simply visit their .

I can give you all the advice in the world. It is the best choice for peace of mind. In fact, Kinsta 100% guarantees that your site will be fixed following an attack:

“We have hardware firewalls, active and passive security, and other advanced features to prevent access to your data. But if your site is compromised, we will fix it for free.”

Aware that zero risk does not exist, Kinsta nonetheless gives a 100% guarantee that a hacked site will be repaired.

4. Change the Login URL and Do Not Call Yourself Admin

WordPress by default is configured the same way for everyone. Your site’s login URL is therefore probably yoursite.com/wp-admin. By changing the login URL, you will avoid being spammed with login attempts (as a bonus, your site might even become faster). And then… change the default username.

For the login URL, I recommend this plugin: perfmatters

To change your username, either delete the account and create a new admin account with a username that is not called admin, or simply change the admin name. In the second case, you will need to use a plugin such as UsernameChanger.

5. Install a Security Plugin

A plugin to secure plugins? While a plugin… Anyway, there are many extensions to secure your WordPress site. Here are the best-known ones:

  • WordFence Security
  • iThemes Security

In general they do not add much of interest, especially if you have a good hosting provider.

We can however note two-factor authentication, which is a big plus. For this there is the plugin or .

No need for anything more!