Elsewhere in this course, we covered making logins more secure and adding two-factor authentication. But there are a few more things that we can do as an administrator to protect our site.
The first thing you want to do is make sure that your WordPress site is always up to date. If you look at the dashboard, you’ll see if there’s an update for WordPress available.
WordPress notifies you and makes it easy to update by clicking the link.
Updating WordPress is so simple; there’s no reason that you shouldn’t keep your site up to date.
Back Up WordPress
Beyond keeping your site up to date, you should also run backups of your WordPress site. That way, if someone breaks in, you can restore it to the way it was before the site was compromised.
Again, there are many different options, and most web hosts have some sort of built-in utility to perform backups.
If there is no solution for backups on your host, you can always use a plugin. A plugin that I like for this is UpdraftPlus.
This plugin offers the ability to back up your WordPress site to Dropbox or Google Drive. This plugin is not limited in any way, and with over a million installs, it certainly is very popular.
Control User Permissions
Another thing an administrator can do is be very careful when assigning permissions to users.
Do not assign anyone as an administrator if they don’t need to be. When creating a new user, give only the minimum permissions needed.
User management is essential to protecting your site. Also, make sure that any inactive accounts are deleted.
Change Your User Name
As an alternative, we can change our site to use an email address as the login name. Presently, WordPress will not accept special characters such as the @ symbol in our username, so we can’t use an email address as the username itself. But obscuring the username as much as possible helps, and logging in with an email address is a bit more secure because an email address is harder to guess.
When we create an account, we have to use a valid email address. This has to be unique, so it works as an identifier for an account. Then, if we add the Email Login plugin, we can now use the email address that we signed up with as the account name.
After that, we will no longer use the user name as the login.
Obscure the Login Page
The best defense for your site is to conceal anything that can be used to break in. One thing everyone knows is the URL of the WordPress login page. Brute-force attacks to break into your site are performed against this login page.
As another layer of security, we can obscure the login page so that it’s not easy to find. A really nice plugin I found to change the login page URL is called WPS Hide Login.
Once we add this plugin, we can change the URL of the login page on the settings page.
Once we’ve changed it and saved the settings, we can log in with the new URL.
Restrict Login Attempts
Although we’ve obscured the login, attackers can still figure out what you changed it to. For better protection, we should also limit the number of login attempts allowed. Remember, a brute force attack is just running random passwords against the login.
Since restricting login attempts is not built in to WordPress, a good plugin for this is Loginizer.
This plugin will actually block an IP from logging in after a certain number of retries, and it can also blacklist or whitelist an IP address. This determines which IPs are allowed to log in to the WordPress site.
Of course, this is just one plugin, and there are many more that provide this same functionality.
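To see which addresses a retry limit like this would block on your own site, the rule can be replayed over the web server's access log. This is an added example, not code from the course or from Loginizer; it assumes combined log format and that a failed login returns HTTP 200 while a successful one redirects with 302, and the function name, thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.20 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.20 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
192.0.2.10 - - [12/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2024:10:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4312
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def locked_out_ips(log_text, login_path="/wp-login.php", max_retries=3,
                   window=timedelta(minutes=15), allowlist=frozenset()):
    """Return IPs that reach max_retries failed logins inside the window."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != login_path:
            continue                # only login form submissions count as attempts
        if ip in allowlist:
            continue                # allowlisted addresses are never locked out
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if status != "200":         # assumption: a 302 redirect means the login succeeded
            failures[ip].clear()    # a successful login resets the retry counter
            continue
        recent = failures[ip]
        recent.append(when)
        while when - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= max_retries:
            locked.add(ip)
    return locked
```

If the login URL has been changed as described in the previous section, pass the new path as `login_path`.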
Watch the Full Course
In the full course, WordPress Security Top Tips, you’ll learn some of the most important things you can do to secure your WordPress site from attackers. I’ll show you some of the top plugins and key configurations that will help keep hackers out of your site.