Securing a WordPress Site

1/1/2025 · 2 min read

In this blog post, I will share my thoughts on the steps that you need to take to secure a website. These steps are tailored towards WordPress sites hosted on Hostinger, but can generally be used for any type of website.

Strong Unique Password

A strong password is the first step for any security hardening process. Hackers will often try attacking the password as the first attack avenue. If you re-used a password that was compromised, or used a simple password that is easy to guess or crack, then there really is no need to worry about securing any other part of your website. If attackers can get in via password, they have the keys to the kingdom, unless you have a separate power user with differing credentials.

Two Factor Authentication (2FA)

This security method adds another layer to your username and password. This is something that I have been trying to utilize for any website that I use. If your password is ever cracked or compromised, having 2FA will save the day.

Normally, when accessing a website, entering your username/password is all that is needed to get in. Having 2FA set up will necessitate one last (usually revolving) piece of information. Once a correct username/password is entered, the website requests that third piece of information (which only you should have). 2FA can usually be set up with an authentication app on your phone, or with a phone number. If using a phone number, the site will send you a text message with the 2FA code to enter. If using an authentication app, you can simply open the app and enter the numbers shown.

It should be noted that using a phone number is generally not considered best practice, as it can be subject to a SIM swap attack. A SIM swap attack can be mitigated by using a VoIP number instead.

Updating Your Website

WordPress is notorious for getting hacked. Many of the hacks are due to outdated plugins used by WordPress users. You need to verify that the WordPress core, plugins, and themes are up to date for security and stability reasons.

WordPress Backups

While backups aren't always the first thing considered when thinking about security, they are vital to bringing your website back up if disaster strikes. Backups are also necessary for ensuring that you can mitigate an issue when non-security problems arise, such as when performing updates. If your website is experiencing issues after an update, you can roll back to your backup, which has the older version of whatever you recently updated, to verify whether the issue persists. This will help with troubleshooting and testing any website issues.

Install a WordPress Security Plugin

There are several reputable WordPress security plugins. Some of these are free, and some of them are paid (or offer a mix of the two). These plugins offer hardening services and will perform malware scanning and monitoring.

These are what I consider to be the most important steps of securing a WordPress site, but I recommend taking a look at the WPBeginner website, which goes incredibly in depth.
