Website security is a crucial factor when running a self-hosted website. It is especially important if you have moved, or are planning to move, to a self-hosted site on WordPress or any other platform. You mustn't take security lightly.
You do not want your hard work to be destroyed by malicious attackers or hackers who are determined to break your site. It would be a nightmare to find your data completely erased or your site redirecting somewhere else. The hackers usually either install malware or try to get important confidential information.
There are simple ways to secure your site for free using plugins and some other simple options that are listed below. Hope you find them useful.
GOOD HOSTING PROVIDER
A good web hosting provider will take care of almost all your security concerns. They will have multiple layers of security, take regular backups, and keep your content secure. I have been using Siteground and they are one of the top contenders due to their dedication to excellent customer support, security, uptime, and speed. They are the number one hosting favorites in many surveys and polls on Facebook as well.
Recently, on the occasion of completing 15 successful years, they added some cool features to some of their plans. The basic startup plan has been upgraded to have free backups, so we will now be able to use the restore tool for free. They keep 30 automatic backup copies, which are very useful in case your website becomes inaccessible due to any issues. In terms of security, they have a web application firewall that protects clients from security breaches, runs virus and malware scans, uses HTTP/2 technology, and sends proactive patches when there are threats. I would highly recommend Siteground as one of the best hosting providers.
UPDATE PLUGINS, THEMES AND WORDPRESS VERSIONS TO LATEST:
A good web hosting provider may solve most security concerns, but this does not mean that you need not do your part to keep your hosted site secure. Always ensure that you are updated to the latest versions of plugins and themes. Patches with minor bug fixes or security fixes are released often and should not be ignored. Delete any unused plugins or themes. Just deactivating is not enough; it is best to completely remove what you are not using, as the inactive files can be used to hack into your hosting account. It is also suggested to use as few plugins as possible. Always update WordPress to the latest version to stay secure.
AVOID NULLED THEMES:
Some premium themes may be illegally available cheaper or for free. They are called nulled or cracked themes. They are dangerous for your site and may contain malware code that could cause many problems, so it is best to avoid them.
USE SECURITY PLUGINS:
The importance of using security plugins cannot be stressed enough. They help minimize brute-force attacks, provide malware scans to minimize vulnerabilities, send emails and alerts if any threats are observed, and block certain IPs based on their activity. Some of the top-rated security plugins are Wordfence, iThemes Security, All in one WP Security, and Sucuri Security.
I use the free version of Wordfence and am pretty happy with it. You can view your live traffic, filter the traffic by human/bot or blocked users, etc. You can set up malware scans to scan your site along with WordPress files, plugins, themes, and alerts of issues. The file repair feature can even help clean by replacing the hacked file with the original file. The paid version provides many more cool features and helps make your site hard and unbreakable. They are also simple to set up and use.
SECURE YOUR LOGIN PAGE URL BY RENAMING:
We all know the login page to WordPress can be accessed by adding wp-login.php or wp-admin to the website's URL. This URL can be used to brute force and hack into your site. One way to protect yourself is to rename the URL. There are plugins to do this. One such plugin is WPS Hide Login. It lets you rename wp-admin or wp-login.php to whatever you want. So then your login page URL for example could become > and this will redirect to your admin page. Renaming the login page URL makes it difficult for the hacker to get access.
CHANGE DEFAULT ADMIN USERNAME:
When you install WordPress, remember not to choose “admin” (which is the default) as the username for your main administrator account. This username can be easily guessed. Using this name and a combination of passwords will make it easy for hackers to get into your site.
DISABLE FILE EDITING:
To disable editing of your plugin and theme files, add the following code to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
This will ensure that if the hacker gets access to your admin panel, they cannot access the code editor under Appearance > Editor or Plugins > Editor, from where they could add malicious code to the themes and plugins. If for any reason you want to re-enable it, just delete that line from the wp-config.php file.
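A check that the define line above actually landed in wp-config.php in a working form, as an added example that is not part of the original post. The function name, status strings and sample files are constructed for illustration; the placement check follows the note in WordPress's wp-config-sample.php that custom values belong above the "stop editing" line.

```python
import re

QUOTE = "['\"‘’“”]"   # straight quotes plus the curly ones a blog paste can carry
DEFINE_RE = re.compile(
    r"(?i:define)\s*\(\s*(?P<name>" + QUOTE + "DISALLOW_FILE_EDIT" + QUOTE + r")"
    r"\s*,\s*(?P<val>[^)]+?)\s*\)\s*;"
)
# wp-config.php hands control to WordPress core on this line.
SETTINGS_RE = re.compile(
    r"require(_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]"
)

def check_file_edit_lock(config_text):
    """Return 'ok' or the reason the file-editor lock is not reliably in place."""
    # Drop block comments and whole-line comments so a commented-out define is ignored.
    code = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    code = re.sub(r"^\s*(//|#).*$", "", code, flags=re.MULTILINE)
    match = DEFINE_RE.search(code)
    if match is None:
        return "missing"
    if any(ch in "‘’“”" for ch in match.group("name")):
        return "curly-quotes"      # PHP does not read these as string delimiters
    if match.group("val").lower() != "true":
        return "not-true"
    settings = SETTINGS_RE.search(code)
    if settings and match.start() > settings.start():
        return "after-bootstrap"   # runs only after wp-settings.php has loaded core
    return "ok"

# Constructed sample files, not taken from any real site.
TAIL = "/* That's all, stop editing! */\nrequire_once ABSPATH . 'wp-settings.php';\n"
SAMPLES = {
    "good": "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" + TAIL,
    "pasted": "<?php\ndefine(‘DISALLOW_FILE_EDIT’, true);\n" + TAIL,
    "commented": "<?php\n// define('DISALLOW_FILE_EDIT', true);\n" + TAIL,
    "late": "<?php\n" + TAIL + "define('DISALLOW_FILE_EDIT', true);\n",
    "off": "<?php\ndefine('DISALLOW_FILE_EDIT', false);\n" + TAIL,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} {check_file_edit_lock(text)}")
```

The "pasted" case is the one to watch when copying the line from a web page: curly quotes leave the real constant undefined, so the editor stays available.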
INSTALL SSL CERTIFICATE:
This is usually mandatory for sites that process sensitive information like payments but is helpful for all sites. Google favors sites with SSL certificates, giving them better traffic and ranking in its search results. So having an SSL certificate is worth it. It ensures secure data transfer between user browsers and the server, and hackers will find it difficult to breach. Good hosting companies sometimes even provide free SSL certificates.
MODIFY FUNCTIONS.PHP FILE
By adding the following three lines of code to the functions.php file, the WordPress platform version becomes unreadable from the XML-RPC file. This is useful because it keeps the current version of WordPress hidden from hackers who are looking out for it.
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'rsd_link' );
By adding the following two lines of code to the functions.php file, you protect yourself from giving out your wrongly spelled passwords while logging in. As these errors are saved in a log file, hackers could use them to gain access by trying various combinations to log in.
function no_errors_here()
{
    return 'nothing';
}
add_filter( 'login_errors', 'no_errors_here' );
STRONG PASSWORDS:
Last but not least, use strong passwords that cannot be easily guessed. It is good to use a complex password, or even better an auto-generated one with a variety of numbers, nonsensical letter combinations, and special characters like % or @, which make it difficult to guess.
There are many simpler tricks and advanced techniques to make your website hardened and unbreakable. These are, however, some of the basics that every beginner can easily follow. Website security gives you peace of mind, and the more you take care of the simple stuff mentioned above, the harder it is for your site to be hacked into.
Disclaimer: Please note this post contains affiliate links. I recommend the products here only because I find them useful. The opinions in this post are all my own and based on my blogging experiences.
Megala
It is a wonderful article that every self hosted website builder must read.
InspiresNish
Thank you Megala for the feedback, appreciate it!
Richa
These are some excellent tips Nisha! Sadly, I'm stuck with the "admin" username - I wish I knew this before!
InspiresNish
Hi Richa, thank you for the feedback. There are workarounds to achieve it. You can create a new user, grant admin privileges to the new user, log out of the admin user, log back in as the new user and delete the admin account. I have not tried this but it seems like a great solution. Here is a link with details. Hope this helps.
Richa
Thank you so much for this Nisha.. I will surely look into it! 🙂
InspiresNish
You are very welcome 👍🏻
Caz / InvisiblyMe
Security when you're self-hosted is so important! Some providers are quite good at keeping on top of things, but it's a good idea to do what you can with keeping plug-ins updated, passwords changed regularly etc. You've made some excellent suggestions, and thanks for the security plug-in tip, I'll have to check out the free version of Wordfence as I'd not come across that before.
Very helpful post!
Have a lovely weekend, Nisha xx
InspiresNish
Glad to hear this post is useful, Caz. Sure, please do check it out. The free version of Wordfence has been very useful in blocking some bad IPs and in generating warnings and errors in case of issues with every malware scan. This helps us check proactively. Hope you had a nice weekend as well!
Smitha
Amazing Tips Nisha ! Thanks for sharing
InspiresNish
Thank you so much Smitha, glad it is helpful!
Diane
Awesome tips thank you!
InspiresNish
Thank you Diane for stopping by and glad to hear it is useful, appreciate it!
Neetha
Very informative article. Thanks for sharing
InspiresNish
Thank you so much Neetha, glad that it is useful to you!
Ngobesing Romanus
I am really impressed with this post. You have generously provided information that will help many. Thanks indeed.
InspiresNish
Thank you so much for the kind words, truly appreciate it!
Jacqui Murray
Good suggestions. I have several self-hosted websites and a few through others. Each has pros and cons, don't they?
InspiresNish
Thank you. Yes, I agree there are pros and cons to using self-hosted and free sites. On self-hosted, you need to take care of a lot of stuff, whereas the majority of the stuff is taken care of on the free sites, so you can just concentrate on posts and content. On the contrary, self-hosted sites have many advantages, such as being in control of your site. It all depends on what works for each of us.
Louis Dallara
Thanks for the great info, btw I'm self hosted WP on Siteground also.
InspiresNish
You are very welcome! Wonderful to hear that you use Siteground as well.