At WPhost, we take care of general site security for you and work hard to keep on top of the latest WordPress security vulnerabilities.
All our plans include built-in global Content Delivery Network, powered by Fastly. While most WordPress sites don’t need to worry about DDOS mitigation, Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. We proactively block threats when we can.
There are certain added pieces of optional security that are simply not needed by all sites. We’ve compiled a list of some of those extra ways to enhance your WordPress site’s security, starting with the most basic (and essential), working up to the more advanced options that may not be necessary or practical for everyone.
Always use strong passwords
Many WordPress users overlook this vital security measure. If your WordPress password is short, if it’s something readable, if you use it on multiple sites, or if somebody who knows you well could potentially guess it, then chances are it should be stronger.
Keep your themes and plugins updated
Keeping themes and plugins up-to-date is one of the best ways to ensure your site is secure. Themes and plugins can occasionally have security vulnerabilities, which are patched by the developer as soon as they’re discovered. It’s important to update regularly because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities.
We take care of WordPress core updates for you, but if you’re not also updating your themes and plugins regularly, you risk leaving your site exposed. However, we know that managing plugin updates is time consuming and distracts from other valuable work that can grow your business. With WPhost Managed Plugin Updates you can get back to work and trust that your site will always be up-to-date and online.
Uninstall inactive plugins and themes
Even deactivated plugins and themes can have vulnerabilities, and can still take up your server’s resources. It’s best to simply uninstall any plugins or themes that aren’t consistently active. You can always reinstall them later if you need to.
Secure your site with a free SSL certificate
SSL is essential for any WordPress site collecting sensitive user information. Even if that’s not the case, an SSL certificate still helps to secure your site’s transmissions. Plus, Google ranks secure sites higher in search engine results, so you’ll get a little SEO boost as well!
WPhost offers free SSL certificates on all plans.
Add Captcha to your WordPress Login
Captcha forces users who attempt to submit a form to first prove they’re human. It’s easy for people and hard for robots.
The reCaptcha plugin is an effective security solution that protects your WordPress website forms from spam entries while letting real people pass through with ease. Captcha can protect all kinds of forms on your site, including login, registration, password recovery, comments, contact forms and more.
Move your WordPress login screen
Many WordPress hacks come from malicious bots that are programmed to crawl the web looking for WordPress sites. Once they find one, they’ll add “/wp-admin” to the end of the site’s URL to get to the login screen and try to force their way in.
WPhost already protects against this kind of behavior, but you can add an extra layer of security by making your login screen harder to find in the first place.
The WPS Hide Login plugin allows you to change the location of your login screen from “/wp-admin” to whatever you want.
- Once you move the login page, let us know what the new path is so that we can add it to your server’s cache exclusions.
Add Two Factor Authentication (2FA)
More targeted and secure on login screens than Captcha, two-factor authentication allows you to verify your identity through any number of methods including QR codes, email messages and push notifications.
Whatever the method, two-factor authentication is generally much harder to fake than traditional login credentials – and doing so while also logging in with a password is virtually impossible for a hacker, so this is an extremely powerful security solution.
Popular two-factor authentication plugins include miniOrange’s Google Authenticator and Duo Two-Factor Authentication.
Install Wordfence – a comprehensive security solution for WordPress
Wordfence is the best-rated Web Application Firewall (WAF) and anti-malware service to fight against malicious activity on WordPress-based sites.
Wordfence can help patch known vulnerabilities in real-time with their Premium version. Their free version is also very effective and includes an endpoint firewall and malware scanner built from the ground up to protect WordPress. The free version of Wordfence receives firewall rules and malware signatures created by the industry-leading Wordfence Threat Intelligence team after a 30 day delay.
Switching to the Wordfence MySQLi storage engine
Wordfence makes frequent use of the flock() function. When a plugin uses the PHP function “flock”, it puts a request to the file system to “lock” a specific file and restricts any other process from changing a specific file. This is also called “File Locking”. This causes a wait time while the plugin completes the operation.
Our cloud-based file system uses a multi-threading mechanism in order to deliver efficient input/output processing. Using the flock function is not compatible with many file systems and can result in site errors with the file system and possible downtime. When there are multiple file locks, the amount of latency begins to increase.
For most sites, writing attack data to the file system is the most efficient method of doing so. However, if your site is unable to read and write to the firewall files consistently, we can switch you to use Wordfence’s MySQLi storage engine for better performance. This new feature uses a MySQL storage engine for firewall attack data to protect WordPress sites in complex hosting environments.
To switch to Wordfence’s MySQLi storage engine, simply open a support ticket and we’ll check your site’s logs to see if the flock function is a factor contributing to any downtime/performance issues. If necessary, we can make some adjustments to help with the file-locking issue.
Move your DNS to Cloudflare
Cloudflare is a third-party service that acts as a go-between from your site’s server to your users. Cloudflare adds various features related to speed, security, and performance along the way. Free and paid plans are available, but some features are restricted to paid tiers.
To use Cloudflare, you enable your domain to use their nameservers, making Cloudflare the source for your domain’s DNS records and details. This means traffic will pass through Cloudflare on its way to your site’s server. You’ll set up your DNS records in Cloudflare’s dashboard rather than through your registrar to take advantage of an increased level of caching and security.
Cloudflare is fully compatible with all WPhost sites. WPhost is a CloudFlare Certified Partner.