5 Simple ways to improve your WordPress Security

WordPress is known from the most popular and most exposed CMS system in the world! 

Based on the above a lot of large and famous organisations are represented online based on WordPress CMS. For example Microsoft, with their blog, Walt Disney, 007.com and many, many more.

Question is: “If WP is so vulnerable why are these big brants putting their names at risk? ” 

The answer is simple: “Because they do things properly! Considering all security risks and optimising system for business needs!”

Hold on… so if the WordPress so excellent and 99% free why all websites in the world are not built using this CMS?

Because not all online business needs can or should be served using WordPress. It is your developer’s responsibility to advise customers about all pros and cons. It’s their job to advise about the best technology for your project! That is why we would never advise banking website to be build using WP or in that matter, any other CMS!

OK, that’s it, this intro is too long anyway. Let’s get to the business…

To come up with these we have to go through 5 most popular processes to secure the WP website. 

1. Hide login/admin Page
2. Create Custom login URL
3. Block “Brute Force” IP addresses
4. Security plugin Firewall and Spam
5. Hide WP version

To achieve this above we’ve been testing most popular security plugins 

1. WordFence
2. Cerber Security
3. iTheme Security 
4. WPS Hide Login
5. WP Security Question

Starting from the WordFence. In our opinion, this plugin is in the top 3 best security plugins available. The biggest downside of it is its size. With a ton of security features, the WordFence will slow your website. Despite this, its still impressive and reliable free protection.

In a free version, you will have spam and firewall protection with IP blacklisting and tons of other features. Unfortunate for this plugin (in our opinion) is lack of options for hiding the login page option. In fact, is their policy there are strongly going against hiding the admin login page. 

Our opinion on to this is different. As another layer of protection, you should hide your login page from the default URLs. “If you can’t see me, you can’t catch me”! To have login page hidden you have to use WPS hide login as well. This will still increase the plugin folder size. And if you wish to minimize plugin numbers, not the ultimate solution.

The second one on our list is Cerber Security. Much smaller in size and quite good in all features. Tested for spam & firewall protection and custom login page, this plugin also allows for an admin to hide wp-login.php & /admin or /login.php which is VERY handy. Unfortunately, we’ve encountered a few problems with this function. For example, when activating these options the first redirect away from our hidden URL was successful! But then hitting it the second time the plugin redirected to the hidden URL exposing our hidden URL! Not very good if we’ve crucified our development time to have this page hidden. To make it work you would have to add WPS hide login separately, which mean, yet another plugin.

So what is the best free protection for small and medium-size websites?

This leads us o the last plugin which in our opinion with WP Security Question is one of the best solutions out of all 3.

iTheme Security has in the free version the IP blacklisting, spam and firewall, database backups, hide back end, and brute force protection.

What you need to do first, is to download this plugin and follow these steps:

1. Download and install the plugin

2. Go to the plugin Settings and run “Security Check“

3. In the Settings turn on: 

– brute force protection & database backups

– hide backend (in the search bar type “hide to see” this setting)

– test wp-login.php and wp-admin.php typing just /login / dashboard /admin – to see if it will trigger 404 or 403 to block users.

To get your Security Question on top of the Security plugin please go to your plugins and install “WP Security Question“. After installation, navigate to the plugin and choose your security question + answer.

Please DO NOT logout but first note the question and answer and test your login page in separate browser!!!

If you need a CMS website but you’re concerned about users data or any other security issues, please feel free to contact us for consultation.