If you’d like to protect your WordPress site but aren’t an IT security expert, then this article is for you. To create a website, you need to invest time, energy and resources. No-one wants to have to start from scratch due to a cyber attack or malware.

Infomaniak implements important security measures that are located far upstream to proactively eliminate threats even before they reach the hosted websites. To complete this system, each website Infomaniak hosts is protected free of charge by Patchman Security Scanner, a professional anti-malware and automated vulnerability correction solution. What’s more, Infomaniak’s web hosting is automatically backed up every 24 hours.

Do you need to secure your WordPress site?

Even when choosing the best web hosting, it is advisable to take a minimum number of precautions to protect the part you manage: the website itself. With a 60% share of the market, WordPress is the most widely used content management system (CMS) in the world. So it goes without saying that there is a high and constant number of threats. Thankfully, all you need to do is take a few simple steps to significantly increase your WordPress site’s security.

1. Updates take priority when it comes to protecting your WordPress site

Updating WordPress

Like all software, WordPress evolves. Its code is regularly reviewed to provide not only new features, but also – and above all else – security patches. As is the case with your computer or smartphone, regular WordPress updates are vital when it comes to plugging security gaps and ensuring your site’s software integrity.

Here’s how to update your WordPress site:

  1. Log into the WordPress console (Need help?)
  2. Click on Updates from the Dashboard section of the main menu on the left
  3. Install the latest version of WordPress if necessary

Updating WordPress plugins and themes

Themes and plugins are code added to WordPress. All too often, unused plugins or themes are left lying around without being updated: this is a security error you might not expect. This obsolete code is very often exploited to inject malicious files and open a breach in a site’s security. So it’s important to update your plugins and themes, even if you don’t use them. Don’t hesitate to remove the ones you don’t need: this reduces risks and avoids unnecessary maintenance.

Here’s how to update your WordPress plugins and themes:

  1. Log into the WordPress console (Need help?)
  2. Click on Updates from the Dashboard section of the main menu on the left
  3. Select the plugins and themes to be updated
  4. Click on Update Plugins

Using an updated version of PHP

WordPress uses the language PHP to create the web pages that are displayed to your visitors. As with WordPress, the risks increase if you are using an obsolete version of PHP. Your Infomaniak hosting allows you to test and install the latest version of PHP with just a single click and no need for any prior knowledge.

If needed, this guide shows you how to install a recent version of PHP on your site. If your themes or plugins don’t support the latest version of PHP yet, you will be able to revert to an older version and keep it up-to-date in a few clicks.

2. Securing access and logging into WordPress

The gateway to your site is protected by the WordPress login page. While this page is important, it is also vulnerable. It regularly falls victim to attacks, so here’s how to protect it:

Using a strong password and a customised username

In WordPress, the default administrator account is called “admin”. This name is the same for everyone, and is probably the one you type to log in too. If a hacker already knows your site’s username, it’s even easier for them to get into it. So it’s wise to change this account’s name.

When creating your site with My WordPress Site, you can define a username other than “admin” and, of course, a customised password. We recommend that you use a password manager to generate a password that is at least eight characters long and contains uppercase and lowercase letters as well as special characters (e.g.: !?’:_,+§°, etc.) and numbers. The longer your password, the more secure the access to the WordPress console will be.

Here’s how to change your WordPress password:

  1. Log into the WordPress console (Need help?)
  2. Click on Users from the main menu on the left
  3. Click on your user
  4. At the bottom of the page, click on the Generate Password button
  5. Save this password in your password manager
  6. Click on Update Profile at the very bottom of the page

Here’s how to change a WordPress username:

  1. Log into the WordPress console (Need help?)
  2. Click on Users from the main menu on the left
  3. Click on the Add New button at the very top of the page
  4. Choose a username other than “admin” and a strong password
  5. Click on Add New User at the very bottom of the page
  6. Then log into the WordPress console with the new username to delete the old one. You will be able to assign all your content to the new user upon deletion.

Changing the URL of the WordPress login page

The login address for your WordPress administration interface always follows the same default syntax: www.mywebsite.com/wp-login or www.mywebsite.com/wp-admin. Again, it’s easy for someone with bad intentions to work out the URL of the login page to your WordPress site from your domain.

To make things tougher for potential hackers, it is advisable to change your site’s login address. You can install and use the WPS Hide Login plugin so you don’t have to make modifications manually. Once the plugin has been installed and activated, navigate to your console’s Settings section and to the WPS Hide Login heading. Simply fill in the Login URL field and save the changes. Then remember to update your favorites and make a note of the new address for accessing your WordPress console.

Limiting WordPress login attempts

Hackers try to guess the username / password combination by making many login attempts with different values. Given enough time, it is indeed possible to gain access to a site this way: this method is known as “brute force”. Since these attacks are very frequent, it is advisable that you limit the number of login attempts that WordPress allows. The easiest way of doing so is to install the WP Cerber plugin directly from WordPress. This plugin will automatically block repeated attempts coming from the same IP address, which counters brute force attacks.

3. Securing exchanges between your WordPress site and its visitors

Enabling HTTPS with an SSL certificate

When they visit your site, users exchange data with it. Such data might be navigation data, personal data (name, email address, phone number, etc.), or even banking data. Protecting these exchanges is vital if you don’t want a third party to be able to intercept them. Similarly, search engines and browsers penalise unsecured sites. To secure traffic to and from your site, you need to enable an SSL certificate, which is indicated by the small padlock next to your domain name (HTTPS). In this article, you will find all the information you need to choose and enable an SSL certificate.

For e-Commerce sites or those using WooCommerce, you can strengthen your users’ security with a paid certificate from Sectigo, which includes a warranty. This additional protection is activated in one click and is installed automatically if your site is already managed by Infomaniak.

Looking for the best hosting for your WordPress site?

Creation, security, customer service: good hosting must be efficient, secure and easy to use. Whatever your project, at Infomaniak you will find hosting optimised for WordPress and many exclusive services to make your life easier and save you precious time.