By powering approximately 40% of all content management systems (CMS) worldwide, WordPress has emerged as one of the top CMS platforms in the market. WordPress is versatile, easy to use, and open source which means that it’s completely free. While WordPress offers a wide range of benefits, it has some areas for improvement. One of them is website security. WordPress, amongst other popular CMS platforms, has some innate vulnerabilities that create opportunities for hackers to maliciously enter a website. To strengthen a WordPress site’s website security, you can use the following approaches:

1. Create a custom login URL

   The default login URL for WordPress websites is www.yoursite.ca/wp-admin. Using the default login URL makes your website vulnerable and easier to hack because hackers know the specific page path to enter your website. To strengthen your website security, create a custom URL that only internal staff would know. For example, you can change your WordPress login URL to www.yoursite.ca/staff-member-login. To create a custom login URL, use the WPS Hide Login.

2. Limit login attempts

   You can limit the number of times a user can attempt to login to a WordPress site. If a user fails to login a website after a certain number of times (i.e. 3 times), your WordPress site can lock the user out for a specific timeframe (e.g. 30 minutes). If the same user continues to try to enter the website but fails to do so, the WordPress site can lock the user out permanently. Alternatively, the WordPress site can prevent WordPress users in a specific IP address from attempting to log in your website. There are several WordPress plugins to help you protect your login from hostile IP addresses.

3. Stay updated

   Update your theme and all your plugins when new updates are available. When a development team of a theme or plugin releases a new update, it generally means that the team has fixed some vulnerabilities that can help to strengthen your website.

4. Use two-factor authentication

   Two-factor authentication is a tool which authorizes a user to access an account(e.g. WordPress website or an application) after the user successfully presents two or more pieces of evidence to an authentication mechanism. A common two-factor authentication method for WordPress is requiring a user to download an app such as Authy or Google Authenticator on their phone and integrating the user’s app with their WordPress user account. Once the integration is complete, the user would be required to generate a code using the two-factor authentication app and to enter both the code and their password into their WordPress before being granted accessd. This additional layer of security is a strong deterrent to would-be hackers.

5. Don’t use ‘admin’ as a username

   “Admin” is oftentimes the default username for a WordPress website. While this username is simple to remember, it creates an opportunity for hackers to use “admin” as the username, and then continually guess the password until they find a match. To deter potential hackers, always choose a unique username.

6. Use credible plugins

   There are approximately 54,000 WordPress plugins available and some of them aren’t as secure as others. To avoid using plugins that are less secure, only activate plugins from credible or established developers.

   There are two indicators of a plugin’s credibility:

   • The date of the plugin’s latest update
   • The plugin’s rating and its number of reviews

   
   Yoast is a well-known WordPress SEO plugin and it has excellent ratings and it updates regularly.

   If a plugin’s last update was over 12 months ago, it’s likely that the plugins’ developers aren’t actively implementing security practices to strengthen its security. If a plugin has very few reviews or low rating score, it means that the plugin hasn’t satisfied enough customers and enticed them to write positive reviews. Both kinds of plug-ins should be avoided.