Things You Can Do to Secure WordPress and Divi
1. Updates
Keep the WordPress core, themes, and plugins updated. WordPress and third-party developers release security patches to fix vulnerabilities in the code. Often, hackers find these holes and gain access to your website or files. Also, make sure plugins and themes have recent updates and good support from the developers. Check all updates on a test site before applying them to your live site.
There’s also DNS caching which takes place on DNS servers. Servers can store recent DNS lookups in their cache; they then don’t need to query nameservers and can instantly reply with the IP address of a domain.
2. Passwords
Use secure passwords that someone won’t figure out easily. Never use the word Password, or letters or numbers in sequential order. Password123 is the equivalence of not having a password when it comes to hackers trying to gain access to your website.
3. Password Manager
A password manager can help keep your passwords secure and even restrict them to authorized devices.
4. Admin Username
Change the admin username from the default “admin”. This is the most common username and it’s easy for hackers to use this name to gain access to your website because they already have part of the information they need.
5. Login URL
Move the login URL from the most common location “wp-login.php” to a new location. Bots and hackers have automatic access to the login screen if you keep the default location. This can be done with a plugin or manually by editing the wp-config.php and .htaccess files.
6. Limit Login Attempts
By default, anyone can attempt to log in as many times as they want. This means they can guess at your password until they guess it correctly. This allows hackers to use brute force attacks, where they use bots to attempt to log in thousands of times per second. Use a plugin that blocks the users after a certain number of failed attempts.
7. User Roles and Permissions
Set roles and permissions for each user based on what they actually need and restrict access to everything else. You’ll find roles in the Users dashboard menu. Set Divi permissions based on user roles in the Divi Role Editor (in the Divi dashboard menu) where you can select which users have access to which Divi features.
8. Backups
Keep recent backups of your website in a secure location. This includes your theme customizations, plugin settings, and content. Regardless of what goes wrong, you’ll be able to get your website back to its most recent good condition with a backup.
9. Firewall
Web Application Firewalls (WAF) are firewalls that are designed specifically for WordPress. They create a wall between networks to filter incoming and outgoing traffic on the network. You can add them with a plugin.
10. SSL Certificate
Secure Sockets Layer (SSL) is a method of encrypting links between the server and the browser. You can add this certificate to your hosting and change HTTP to HTTPS in your WordPress settings. Certificates can be purchased through your host or a third-party supplier.
11. Two Factor Authentication
2FA requires two steps in order to login to your website. Rather than gaining access automatically, authentication is needed. This can be a code that’s sent to your phone or email, or it can be a fingerprint, voice authorization, retina scan, keychain fob, or some other type of authentication. Some require this authentication before you have access to login with your username and password. Others require the authentication after your initial login.
12. CAPTCHA
Add CAPTCHA to comments and login areas. This will help keep bots out and reduce spam, plus it will help keep bots from uploading files with malware in forms that allow file uploads.
Security Plugins
Security plugins give you the tools to scan for malware, block users and IPs, and perform the things on this list. It’s always a good idea to have a security plugin installed. You’ll see a list of our favorite security plugins near the end of this article to help you choose the best option for your Divi website.
13. Delete Unused Installations
having multiple installations of WordPress with Divi is great for testing and developing new creations, but they can be easy to forget which can leave old versions of WordPress, themes, and plugins on your server with security issues. It’s always best to delete any WordPress installations that you’re not using.
The Role of Hosting in Keeping your WordPress Website Secure
Server Security
Hosts can use security packages such as ModSecurity to monitor and log suspicious activity, and other services and configurations such as suEXEC, Cloudflare, and more. Some store your files in high-security data centers, especially those that host eCommerce sites.
Some include features such as malware scanning and hack and DDoS protection. If hosts determine that your site is a target of a brute force attack, they might move your login in order to keep people or bots from further attempts. Some hosts keep backups, so if your site is attacked and your data is corrupted you can restore it easily.
Extra Features
Many hosts include security features with your hosting plan and offer premium features as add-ons such as the premium version of Jetpack. Lots of hosts offer a free or paid SSL certificate with HTTPS encryption that you can add to any domain on your hosting plan.
Hosts should also follow good security practices such as keeping PHP up to date. Hosts can keep your WordPress up to date by installing security patches as soon as they’re released. Those that provide updates should audit and apply security patches as soon as possible.
Support
Make sure your hosting plan has good support and are easy to contact. The amount of support they can offer will depend on your hosting plan, but you’ll need to get in contact with them quickly for the support they do provide.
For more information about hosting, see the Divi Space hosting page.
Plugins to Improve WordPress Security
1. All-in-One WP Security and Firewall
All In One WP Security uses a grading system to measure how well your site is protected. It has both a free and a pro version. Features include a firewall, security for user accounts, login, database, file system, .htaccess, wp-config, blacklisting, brute force prevention, spam filtering, security scanning, text copy protection, and more.
2. Divi Client Safe
Divi Client Safe lets you hide key elements from your client’s WordPress dashboard including Divi theme options, themes, plugins, widgets, settings, the editor tab, and more. You can also remove update notifications for the WordPress core, themes, and plugins so users don’t try to perform updates that you haven’t tested yet.
3. iThemes Security
iThemes Security provides over 30 ways to secure your website. The pro version includes 2FA, security keys, malware scanning, password security and expiration, reCAPTCHA, user logging, and more. It also includes protection from brute force attacks, makes backups, moves URLs, forces SSL, monitors your site and reports changes, etc.
4. Jetpack
Jetpack’s premium version has lots of security features including activity reporting, real-time backups, backup and security scanning, spam filtering, plugin update monitoring, blocking malicious login attempts, monitoring downtime, brute force protection, and login authentication using WordPress.com to match accounts with emails and adding Two Factor Authentication. Each of these areas provides detailed information.
5. Sucuri
Sucuri has both a free and pro version that adds lots of security features including site hardening, activity auditing, file integrity monitoring, remote malware scanning, blacklisting and monitoring, and email notifications. It also includes post-hack security actions to help solve problems after an attack. The pro version adds a firewall.
6. Wordfence
Wordfence is the most popular security plugin for WordPress. It’s available in both a free and pro version and includes a firewall, security scanner, login security with 2FA and reCAPTCHA, IP, user, and country blocking, live traffic monitoring, file scanning, and lots more.
Ending Thoughts
How to you secure your Divi WordPress website? Let us know about your favorite tools and practices in the comments.
Thanks for your great post. Can you share some tips or tools to protect WordPress media files as well?
Great recommendations for securing Divi WordPress website to keep it safe from hackers. I use Wordfence and have not had any problems. It has given me satisfactory results.
how can you put wordfence on ur list but not WPMUDefenderPro? In my personal opinion wordfence shouldnt be on the list to begin with as its not secure and very problematic.
Ever since I switched to Defender not a single one of my client website have been hacked or compromised in any way. I have tried every plugin mentioned in this article and every one of them and my sites got hacked while using them. The WMPU launched defender after all these came out already and since then 100s bro 😀
WPMUDefenderPro is legit in everyway and they are the only people who offer super support if anything doesnt work. Just login and they investigate for you. #likeaboss.
Defender is another good option you failed to include
Hi Chuck, although Randy has not included Defender in his list, we have written about Defender here https://aspengrovestudios.com/wpmu-defender-pro/
We at Aspen Grove do love and often recommend WPMU products.
Personally I recommend Secupress that I use on all my sites