Things You Can Do to Secure WordPress and Divi
Keep the WordPress core, themes, and plugins updated. WordPress and third-party developers release security patches to fix vulnerabilities in the code. Often, hackers find these holes and gain access to your website or files. Also, make sure plugins and themes have recent updates and good support from the developers. Check all updates on a test site before applying them to your live site.
There’s also DNS caching which takes place on DNS servers. Servers can store recent DNS lookups in their cache; they then don’t need to query nameservers and can instantly reply with the IP address of a domain.
Use secure passwords that someone won’t figure out easily. Never use the word Password, or letters or numbers in sequential order. Password123 is the equivalence of not having a password when it comes to hackers trying to gain access to your website.
3. Password Manager
A password manager can help keep your passwords secure and even restrict them to authorized devices.
4. Admin Username
Change the admin username from the default “admin”. This is the most common username and it’s easy for hackers to use this name to gain access to your website because they already have part of the information they need.
5. Login URL
Move the login URL from the most common location “wp-login.php” to a new location. Bots and hackers have automatic access to the login screen if you keep the default location. This can be done with a plugin or manually by editing the wp-config.php and .htaccess files.
6. Limit Login Attempts
By default, anyone can attempt to log in as many times as they want. This means they can guess at your password until they guess it correctly. This allows hackers to use brute force attacks, where they use bots to attempt to log in thousands of times per second. Use a plugin that blocks the users after a certain number of failed attempts.
7. User Roles and Permissions
Set roles and permissions for each user based on what they actually need and restrict access to everything else. You’ll find roles in the Users dashboard menu. Set Divi permissions based on user roles in the Divi Role Editor (in the Divi dashboard menu) where you can select which users have access to which Divi features.
Keep recent backups of your website in a secure location. This includes your theme customizations, plugin settings, and content. Regardless of what goes wrong, you’ll be able to get your website back to its most recent good condition with a backup.
Web Application Firewalls (WAF) are firewalls that are designed specifically for WordPress. They create a wall between networks to filter incoming and outgoing traffic on the network. You can add them with a plugin.
10. SSL Certificate
Secure Sockets Layer (SSL) is a method of encrypting links between the server and the browser. You can add this certificate to your hosting and change HTTP to HTTPS in your WordPress settings. Certificates can be purchased through your host or a third-party supplier.
11. Two Factor Authentication
2FA requires two steps in order to login to your website. Rather than gaining access automatically, authentication is needed. This can be a code that’s sent to your phone or email, or it can be a fingerprint, voice authorization, retina scan, keychain fob, or some other type of authentication. Some require this authentication before you have access to login with your username and password. Others require the authentication after your initial login.
Add CAPTCHA to comments and login areas. This will help keep bots out and reduce spam, plus it will help keep bots from uploading files with malware in forms that allow file uploads.
Security plugins give you the tools to scan for malware, block users and IPs, and perform the things on this list. It’s always a good idea to have a security plugin installed. You’ll see a list of our favorite security plugins near the end of this article to help you choose the best option for your Divi website.
13. Delete Unused Installations
having multiple installations of WordPress with Divi is great for testing and developing new creations, but they can be easy to forget which can leave old versions of WordPress, themes, and plugins on your server with security issues. It’s always best to delete any WordPress installations that you’re not using.
The Role of Hosting in Keeping your WordPress Website Secure
Hosts can use security packages such as ModSecurity to monitor and log suspicious activity, and other services and configurations such as suEXEC, Cloudflare, and more. Some store your files in high-security data centers, especially those that host eCommerce sites.
Some include features such as malware scanning and hack and DDoS protection. If hosts determine that your site is a target of a brute force attack, they might move your login in order to keep people or bots from further attempts. Some hosts keep backups, so if your site is attacked and your data is corrupted you can restore it easily.
Many hosts include security features with your hosting plan and offer premium features as add-ons such as the premium version of Jetpack. Lots of hosts offer a free or paid SSL certificate with HTTPS encryption that you can add to any domain on your hosting plan.
Hosts should also follow good security practices such as keeping PHP up to date. Hosts can keep your WordPress up to date by installing security patches as soon as they’re released. Those that provide updates should audit and apply security patches as soon as possible.
Make sure your hosting plan has good support and are easy to contact. The amount of support they can offer will depend on your hosting plan, but you’ll need to get in contact with them quickly for the support they do provide.
For more information about hosting, see the Divi Space hosting page.
Plugins to Improve WordPress Security
1. All-in-One WP Security and Firewall
All In One WP Security uses a grading system to measure how well your site is protected. It has both a free and a pro version. Features include a firewall, security for user accounts, login, database, file system, .htaccess, wp-config, blacklisting, brute force prevention, spam filtering, security scanning, text copy protection, and more.
2. Divi Client Safe
Divi Client Safe lets you hide key elements from your client’s WordPress dashboard including Divi theme options, themes, plugins, widgets, settings, the editor tab, and more. You can also remove update notifications for the WordPress core, themes, and plugins so users don’t try to perform updates that you haven’t tested yet.
3. iThemes Security
iThemes Security provides over 30 ways to secure your website. The pro version includes 2FA, security keys, malware scanning, password security and expiration, reCAPTCHA, user logging, and more. It also includes protection from brute force attacks, makes backups, moves URLs, forces SSL, monitors your site and reports changes, etc.
Jetpack’s premium version has lots of security features including activity reporting, real-time backups, backup and security scanning, spam filtering, plugin update monitoring, blocking malicious login attempts, monitoring downtime, brute force protection, and login authentication using WordPress.com to match accounts with emails and adding Two Factor Authentication. Each of these areas provides detailed information.
Sucuri has both a free and pro version that adds lots of security features including site hardening, activity auditing, file integrity monitoring, remote malware scanning, blacklisting and monitoring, and email notifications. It also includes post-hack security actions to help solve problems after an attack. The pro version adds a firewall.
Wordfence is the most popular security plugin for WordPress. It’s available in both a free and pro version and includes a firewall, security scanner, login security with 2FA and reCAPTCHA, IP, user, and country blocking, live traffic monitoring, file scanning, and lots more.
How to you secure your Divi WordPress website? Let us know about your favorite tools and practices in the comments.