
Hardening your WordPress site’s security

VentraIP is not affiliated with the creators of the plugins recommended in this article. The intended use of this article is as general advice only.

Keep your website updated

When a WordPress website gets compromised, it’s almost always due to an insecure plugin or theme being installed on the website. Most plugin/theme updates are security updates, so when new versions of your plugins/themes are released, you should update them as soon as you can.

Using Auto Update

To simplify this process, you can set WordPress to automatically update. However, keep in mind that sometimes updates can break your website, due to incompatibilities between plugins. To resolve any problems caused by updates quickly, you should ensure that you have a backup of your website ready to go.

If you’re not sure how to restore a backup, you can follow this guide.

Protect against brute-force attacks

A brute-force attack is when a hacker uses a bot to throw thousands and thousands of login attempts at your website, in an attempt to guess the correct password and gain access. Here are a couple of ways to stop that from happening:

Hide the login URL

It’s a widely known fact that your WordPress website will use https://your-domain-here.com/wp-admin as the login URL by default. You can use a plugin to adjust the login URL for your website, to hide the login page.

Change the admin user’s username

Using “admin” as the site administrator’s username makes it easy for a malicious person to guess. From there, all they have to do is guess the password. You can make it harder for them by changing the administrator’s username to something harder to guess.

You can change your website’s username inside the Users section of the WordPress admin dashboard.

Using complex passwords

Using a short or easy to guess password will only make it easier for a malicious person to gain access to your website via a brute-force attack. It’s best to use a password that is at least 8 characters long and includes upper/lower case letters, numbers, and special characters.

Enabling Two Factor Authentication

Setting up Two Factor Authentication on your website is a great way to add an extra layer of security. This will help stop someone malicious from gaining unauthorized access to your website, even if they manage to obtain username and password information.

There are a number of plugins available that you can use to enable Two Factor Authentication on your website.

Monitoring

To help you keep an eye on things, you should use a monitoring plugin that logs all of the changes that occur on your website.

Security plugins

Securing your website doesn’t need to be difficult; you can use a security plugin to help you along your way.

Setting up SSL

To ensure that your website loads securely and any data transferred between your website and the web browser is secure, you can install an SSL Certificate.

Here are the steps you need to take to ensure that your website loads securely (HTTPS):

  1. Install an SSL Certificate. You can do this by using AutoSSL.
  2. To ensure that your website always loads securely (https://) you can install the Really Simple SSL plugin.

Disable directory listing

By default, it is possible to publicly view your website’s file and directory structure via a web browser. To stop this from happening, you can add the following code to your website’s .htaccess file:

Options All -Indexes

You can add the code by following these steps:

  1. Log in to cPanel.
  2. Click on File Manager under Files.
  3. Navigate to the folder your website is in (this is normally public_html).
  4. Ensure that the Show Hidden Files (dotfiles) setting is enabled.
    1. Click on the Settings button at the top right of the page.
    2. If it isn’t already enabled, check the Show Hidden Files (dotfiles) setting.
    3. Click Save.
  5. If the .htaccess file already exists, right-click on it and click Edit.
    1. If your .htaccess file doesn’t exist yet, then:
      1. Click on the +File button to the top left of the file manager interface.
      2. In the New File Name Field, input .htaccess.
      3. Click Create New File.
      4. Right-click on the file, then click Edit.
  6. Add the following line of code to disable Directory Listing: Options All -Indexes
  7. Click Save Changes.
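
The same change made from a shell instead of File Manager, as an added example that is not part of the original article: it creates .htaccess if it is missing, backs up an existing file, and adds the line only once. Shell (SSH) access to the hosting account and the function names are assumptions.

```shell
#!/bin/sh
# Added example: apply the article's directory-listing directive from a shell.
# Function names are hypothetical; the directive is the line given in the article.
DIRECTIVE='Options All -Indexes'

# Return 0 if the file has an active (uncommented) Options line with -Indexes.
listing_disabled() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Usage: disable_listing /path/to/docroot   (normally public_html, per step 3)
disable_listing() {
    docroot=$1
    htaccess="$docroot/.htaccess"
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 2; }

    # Idempotent: do nothing if the directive is already active.
    if listing_disabled "$htaccess"; then
        echo "already disabled in $htaccess"
        return 0
    fi

    if [ -f "$htaccess" ]; then
        # Keep a restorable copy before editing an existing file.
        cp -p "$htaccess" "$htaccess.bak.$(date +%Y%m%d%H%M%S)" || return 1
        # Make sure the file ends with a newline so the directive
        # starts on its own line instead of being glued to the last rule.
        [ -z "$(tail -c 1 "$htaccess")" ] || printf '\n' >> "$htaccess"
    fi

    # Creates the file if it does not exist yet (steps 5.1 and 6).
    printf '%s\n' "$DIRECTIVE" >> "$htaccess" || return 1
    echo "added '$DIRECTIVE' to $htaccess"
}

# Example call (path is an assumption):
#   disable_listing "$HOME/public_html"
```

After running it, browse to a folder on the site that has no index file; the server should return an error page rather than a file list.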

 
