The growing popularity of WordPress has also created more interest among hackers. Statistics show that of the 80 million WordPress sites, a large proportion (70% +) are vulnerable to attack.

If you think your site is not 70%, you are wrong. If you also think that nobody cares about your small business website or blog, you are wrong again. Attacks can occur because your website is vulnerable to attack and not because a hacker decided to “hack” your business.

When your website is hacked, a lot of bad things can happen in addition to damaging your website’s reputation. You can lose customers, traffic, money, confidential information, not to mention the time, stress, and effort it will take to clean up your site and get back to normal.

Those who have been through this at least once know exactly what I mean. It is at those times that you wish you had taken preventative measures rather than trying to recover from the damage later, especially when your income and business depend on your website.

To tell the truth, I didn’t worry about security, I was thinking, like most people, that it would never happen with my sites. But it happened. And it was a terrible experience.

If you have a WordPress site but haven’t taken any steps to improve security, now is the right time to act. Don’t wait any longer, but make this your priority over SEO or whatever else you may be doing.

It won’t take long, but it can save you a lot of time, money, and frustration down the road.

How To Protect Your WordPress Site

Install Sucuri

I know it may seem too promotional to some, but those who follow my articles know that I do not recommend something (especially if it is a third-party service) unless it is very important and useful and Sucuri is one of them.

Simply put, Sucuri is a company that offers website security services (not just WordPress). They help you ‘clean up’ and recover your site if it is affected by malware, but at the same time, they offer a number of tools to protect and strengthen your site so you don’t have a problem in the first place.

I used Sucuri several times for my website and also for my clients. One of the things I really like is that if your site is compromised and affected by malware, all you have to do is register an account with them, submit a malware request, and they’ll take care of the rest in a reasonable amount of time.

Instead of wasting time wondering what happened and searching the internet to find ways to clean up your website and get your business back, leave it up to Sucuri and spend your time following the preventative measures outlined below to avoid dealing with the same situation again.

What package to use? They have 3 packages, but in most cases, you only need to sign up for the BASIC plan, which costs less than $ 18 per month.

This will give you access to the malware removal service, if you need it, as well as the site’s anti-virus prevention tools.

Follow the simple steps below to activate sucuri on your WordPress site:

The first step is to sign up for the basic plan and then “Add your site” to the dashboard.

Next you need to configure the “Server Side” scanner, giving them FTP access to the files and directories on your site. The server-side scanner is the one that monitors your website (several times a day), identifies the affected files, and also performs cleaning actions, if necessary.

You can enter your FTP credentials in the “Activate via FTP” option or use “Activate manually” by downloading the provided file and uploading it to your root folder.

The file method is better, if you decide to change your FTP credentials, it will not break the functionality.

Install and configure your WordPress plugin. Install the Sucuri plugin from here (as you do with a normal WordPress plugin) and then go to the control panel and connect it to your Sucuri account.

After successfully completing the above steps, Sucuri actively protects your site.

What you can do now is click on SETTINGS (in Sucuri Security) and configure your settings as shown in the image below.

This will ensure that you are notified by email of any changes to your site files or failed login attempts. Furthermore, it will also enable the web firewall feature which automatically blocks suspicious IP addresses from trying to log into WordPress.

Go to the Control Panel (in Sucuri Security) and you will be amazed at the number of bots trying to access your site.

There are many other settings you can review (in Sucuri Security), but the above, in combination with the steps outlined below, will dramatically improve the security of your WordPress site.

Use Strong Passwords

One of the things you should definitely check right now is your wordpress passwords and especially the password you use for admin.

Do not use simple passwords with letters, but create strong passwords that include letters, numbers and symbols.

You can change the password of any user by selecting USERS / ALL USERS from the menu on the left. In the list of users, select EDIT and scroll down to the password field.

Change The Default Admin User Names

The first thing hackers will try to do is figure out the admin username so the usernames like admin, admin, and host are very obvious and you need to change them to something more difficult to identify.

Also, review your user roles and make sure there is only one administrator for the site. Other users (guest authors, writers) can be defined as “Contributors”. Delete any other users that are not valid or set their role to “None”.

Protect Your Wp-login, Wp-config, .htaccess And Wp-admin Folder

This is perhaps the most important step of all the steps you can take to protect your wordpress site.

By protecting and restricting access to your wp-config, .htaccess, wp-login, and wp-admin folder, you’ve already taken a big step in the right direction.

It does not require any technical knowledge, just access the FTP and follow the steps below:

Step 1: Log in to your website with FTP and find the .htaccess file in the root folder (usually public_html or www). If you installed WordPress in a directory, you will find the .htaccess file there.

Step 2: download the file to your computer

Step 3: use any text editor (notepad, brackets, etc.) to open the file

Step 4: Add the following lines to the top of the file:

Important: You must add your public IP in the orange shaded area above, otherwise you will not be able to log into your own website.

Step 5: save your changes

Step 6: Upload the file to your server and replace the existing one.

The function of the above lines is to restrict access to ALL ips trying to access your .htaccess file, wp-config.php or your login page. If your public IP changes frequently, you should edit this file and enter the correct IP in the orange shaded area above. If you enter the wrong IP there, you will not be able to log into the WordPress dashboard. You can add more than one IP (one per line, preceded by the words ‘allow from’).

I know for some this is too much, but it is the best and most efficient way to prevent everyone (except allowed IPs) from accessing your website. This does not affect the functionality of your website or SEO, but it does strengthen security.

The next step is to protect unauthorized access to your wp-admin folder. You can do it by following the steps below:

Step 1: Log in to your website with FTP and locate the .htaccess file inside the wp-admin folder. If there is no .htaccess file, create one (using any text editor), add the lines shown below, and update it in your wp-admin folder.

Step 2: download the file to your computer

Step 3: use any text editor (notepad, brackets, etc.) to open the file

Step 4: Add the following lines to the top of the file:

Important: You must add your public IP in the orange shaded area above, otherwise you will not be able to log into your own website.

Step 5: save your changes

Step 6: Upload the file to your server and replace the existing one.

The same rules as explained above apply, that is, in order to log into your website, you need to add your public IP in the area shaded in orange.

Update WordPress And Plugins To The Latest Versions

Most of the time, hackers can gain unauthorized access to your site through plugins. Free and paid plugins have vulnerabilities and it is always good practice to update them to the latest versions.

Software companies (especially for paid plugins) have started to take security issues more seriously and are trying to close security holes to protect their customers and, of course, their reputation.

In addition to updating, review the list of installed plugins and if you find that some have not been updated for several months, consider disabling them, replacing them with other plugins that are updated more frequently, or removing them.

Bottom Line

You must take steps to protect your WordPress site from hackers. You don’t need to pay for a monthly service if you can’t afford it, but you should certainly review and properly configure the other settings suggested above.

Don’t underestimate the damage hackers can do to your website or business. When faced with this situation once, you will understand how important it is to take all possible measures before it happens.

If you have any questions or something is unclear, please let me know in the comments below.