No matter what premium Security Plugins you use, if you have not followed these basic security steps, you may be compromising your security. I also suggest you first understand how WordPress security works by reading this article on Do you really need WordPress Security Plugins?
Below are the steps you can follow to secure your WordPress without any plugins.
- Secure Trusted Hosting
- Trusted Plugins and Themes
- Email Alerts
- htaccess Rules
- Regular Updates
- External Backups
- Offline Security
- Personal Security
Secure Trusted Hosting
The most important factor as explained in this article is to purchase trusted hosting. Always remember that Hosting Companies have full access to your files and database. Hence, purchase only those hosting which you can trust for years. More than trust, the hosting itself must be secure against hacking. There was a large breach on one of the hosting providers in December 2021 where managed WordPress sites were compromised.
If you want to make Search Engines happy, install SSL. This is the basic security step that needs to be followed since 2014. SSL adds an extra layer of protection between the visitor’s computer and the server. In simple terms, Unauthorised access to your site is not allowed if a valid SSL is installed.
Always purchase hostings that provide SSL by default. Manually installing SSL is a tedious job since you have to renew it every 3 months. You can also utilize SSL from Cloudflare for Free!
Trusted Plugins and Themes
Have you installed any Premium Plugins or Themes from sites that provide you those for free or at a lower price? I mean Nulled/ Pirated? If Yes, you are risking your site since you, yourself has NO idea what’s inside your WP installation. It doesn’t matter how many times the Plugin/Theme has been scanned through VirusTotal.
Pirated/ Nulled Themes/ Plugins may contain malicious code within which when activated, will create a new user with admin rights. OR, they run some dirty codes in the background which can be only be detected after they are indexed by Search Engines with Chinese texts in search results.
Always install Plugins and Themes from WordPress Repo, Themeforest, and Plugin Author Websites.
Most developers of Premium Themes and Plugins are kind enough to provide a ‘Money Back Guarantee’ on their products where you can ask for a refund if you are not happy and No Questions will be asked.
When you have installed Themes/ Plugins from Trusted Sites if in case there is any Vulnerability found within them, the only way to notify you for ‘Urgent Update’ is through E-mail. Hence provide an Email address which you frequently operate.
Patching up the vulnerability is very important. Most WordPress websites have their Plugins/ Themes they use and their version numbers viewable to the public in the Source Code. Any delays may cost hefty.
The .htaccess file is present inside the WordPress Home Directory i.e. inside the public_html folder. Inspite of being a very small file, it can control the whole site configuration. It is the connecting file between the web-server and the website.
Any requests to the website have to be passed through the htaccess file. If any rule is written against the request, that request will never be executed.
Only web servers with Apache have this File. NGINX doesn’t support htaccess. It has its own directive for that. Considering the amount of freedom, rewriting rules in htaccess is superior. Hence all the web hostings that use NGINX and Litespeed always run Apache along with their servers.
Hence you can utilize .htaccess to secure your site by adding these htaccess Rules to Keep WordPress Secure
Updates are released for a reason. For features and bug fixes that increase stability and security. Hence it is always a better idea to update regularly.
Always take a backup before updating. We always suggest keeping auto-updates disabled. Some updates break your site, particularly WordPress Feature Updates.
Some updates are Security Patches for Vulnerabilities found in any of the Plugins/ Themes which must be acted upon quickly.
You already know how important backups are. More important is to keep the Backup Files away from the Hosting Account. All your backups must be Secure and Encrypted. What if someone got those Backup Files? They have a copy of your website running on their domain. All your personal data, site data and customer data is exposed. If it is possible, ‘Password Lock’ backup files.
It is very important to know, when you reinstall backup on the same domain, you will upload those backup files to the ‘public_html’ folder and run some commands. In the meantime, if someone visits your site, they can directly download those files themselves.
To avoid this you can use htaccess rewrite rule to disable direct files access to viewers, which I have explained in the article, How to Restore WordPress Backup with Duplicator Plugin.
This security has nothing to do with your WordPress or Hosting. It is all about keeping your Computer safe. We, developers, can’t remember huge ultrasecure passwords. Hence what we do is either save them in the browser or have a text document on our PC with all the credentials. If you do so, you need to be worried.
What if someone purposefully stole your computer? You are messed up. You may assume, your computer is safe with login password. That’s utter BS!!.
If you use Windows, it takes less than a minute to remove the login password. Linux and Macintosh may or may not be breached. Now don’t be happy that you use Mac. Here is the reason. You generally save passwords in your browser. Your browser saves that password in a file inside its installation directory. If the Hard Disk of the computer is accessed externally, no matter what kind of operating system you use, you are not secure.
For any reason, your computer has been stolen, using any other computer, revoke all the existing browser logins, later change all the passwords which have been previously saved in the browser memory.
Also, don’t use any pirated Softwares and Games for your Computer. Use good Internet Security Software. Either use Open Source Softwares or Purchase Premium. Pirated Softwares may run codes like keyloggers which memorize everything that is typed on the PC Keyboard as is shared with its developers.
This security is all related to your Mobile Phone. When you save your Website Credentials in Chrome Browser on your computer, in order to access it from another browser, you will have to log in to your account. You require your Email address and password.
What if someone knows your Email ID and got access to your phone sim card? There is a chance they can reset the password for your google account with OTP verification. Your Google Account is compromised.
It is always a good idea to use ‘Two-Step Verification’ for your Google Account by ‘answering security questions’ where the password cannot be reset inspite of having OTP.
These were the core basics of Keeping your WordPress Secure. If you have learned something useful, please let us know in the comments. We would love to answer.