Smart, Not Standard: 3 Little-Known Ways to Harden WordPress Security
There are many websites owned by Sri Lankans that are WordPress-driven. WordCamp Sri Lanka, held in 2017, saw 183 local users come together to share ideas and grow the community—proof that WordPress has a strong presence here. However, with popularity comes risk. When it comes to WordPress security, most blog posts echo the same advice—use strong passwords, install a security plugin, use 2FA, and keep everything updated. While these are essential, they barely scratch the surface. In a world where attackers are evolving rapidly, your security strategy needs to go deeper. This post introduces three often overlooked but highly effective techniques that can make your WordPress site significantly harder to compromise. These aren’t your run-of-the-mill tips—they’re drawn from real-world scenarios and add protection where it counts. If you’re ready to move beyond the basics, these smart but non-standard strategies might be exactly what you’ve been missing. Let’s dive in.
Secure cPanel with 2 Factor Authentication
If you’ve installed WordPress on a Linux shared hosting environment, there’s a good chance you’re using cPanel to manage your websites, domains, email accounts, databases, files, and more. (cPanel is also available with VPS and Dedicated hosting plans.) Let’s say you’ve already taken all the right steps to secure your WordPress installation—including enabling two-factor authentication (2FA). But what if someone gains access to your cPanel login? As you may know, WordPress login credentials and even the admin password can be reset through phpMyAdmin—accessible via cPanel. And disabling 2FA on WordPress can be as simple as deleting the plugin or renaming its folder using the File Manager in cPanel. That’s why it’s crucial to secure your cPanel account with two-factor authentication as well. Without it, your other security measures could easily be bypassed.
Enable 2FA on the Customer Services Portal
By customer portal, I’m referring to the central dashboard where users manage all their products and services—such as domain management, hosting, email services, billing and subscriptions, security settings, SSL certificates, and apps or add-ons. Now, let’s assume you have a well-secured WordPress installation, and access to your cPanel is protected by two-factor authentication (2FA) in addition to a strong username and password. Even so, there’s a critical risk: many hosting providers allow cPanel access directly through the customer portal, bypassing cPanel’s own login and 2FA. This means that if someone gains access to your customer portal login, they could enter your cPanel without needing the 2FA token. From there, they could disable WordPress 2FA, reset usernames and passwords, change admin email addresses, install backdoors—or worse, delete your entire site and database. That’s why enabling 2FA for your customer portal is essential.
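The two scenarios above (a password reset straight in the database through phpMyAdmin, and a 2FA plugin switched off by deleting or renaming its folder) both leave WordPress's own login and 2FA untouched, so WordPress will not warn you. The script below is an added example, not code from the original post: it keeps a baseline of the wp_users table and checks that the 2FA plugin is still active and present on disk. The plugin path and the in-memory SQLite copy of the tables are assumptions standing in for the real plugin and the live MySQL database.

```python
import hashlib
import os
import sqlite3

TWOFA_PLUGIN = "two-factor/two-factor.php"  # assumed plugin path under wp-content/plugins


def snapshot_users(conn):
    """Map user ID -> (login, fingerprint of stored password hash, email)."""
    rows = conn.execute("SELECT ID, user_login, user_pass, user_email FROM wp_users").fetchall()
    # Fingerprint the phpass hash so the saved baseline contains no password hashes.
    return {str(uid): (login, hashlib.sha256(pw.encode()).hexdigest(), email)
            for uid, login, pw, email in rows}


def twofa_active(conn):
    """True if the plugin path appears in the PHP-serialized active_plugins option."""
    row = conn.execute("SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'").fetchone()
    return bool(row) and TWOFA_PLUGIN in row[0]


def audit(conn, baseline, plugins_dir):
    """Report changes someone with database or file access could have made behind WordPress's back."""
    findings = []
    current = snapshot_users(conn)
    for uid, (login, pw_fp, email) in baseline.items():
        if uid not in current:
            findings.append(f"user {login} (ID {uid}) removed")
            continue
        _, cur_fp, cur_email = current[uid]
        if cur_fp != pw_fp:
            findings.append(f"password hash changed for {login}")
        if cur_email != email:
            findings.append(f"email changed for {login}: {email} -> {cur_email}")
    for uid, (login, _, _) in current.items():
        if uid not in baseline:
            findings.append(f"new user {login} (ID {uid}) created")
    if not twofa_active(conn):
        findings.append("2FA plugin no longer in active_plugins")
    if not os.path.isfile(os.path.join(plugins_dir, TWOFA_PLUGIN)):
        findings.append("2FA plugin file missing (folder deleted or renamed?)")
    return findings


def demo_db():
    # Constructed in-memory stand-in for the live wp_users / wp_options tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHash', 'owner@example.com');
        INSERT INTO wp_options VALUES ('active_plugins', 'a:1:{i:0;s:25:"two-factor/two-factor.php";}');
    """)
    return conn
```

Run `snapshot_users` once on a known-good site and store the result; a cron job that calls `audit` and mails any findings will catch the resets and plugin removals described above.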
Switch to Secure File Transfer Protocols
There are at least four secure file transfer protocols available today: SFTP (SSH File Transfer Protocol), FTPS (FTP Secure), SCP (Secure Copy Protocol), and HTTPS (for web-based file transfer). However, I’ve seen many people ignorantly using plain old FTP for transferring files between their server and local devices. Regular FTP sends login information and other data in plain text, making it vulnerable to Man-in-the-Middle (MITM) attacks, where attackers can intercept data while it’s in transit. In contrast, the secure protocols encrypt the connection between your device and the server, so anything intercepted in transit is unreadable to the attacker, and SFTP and FTPS also let the client verify that it is talking to the genuine server rather than an impostor. I don’t need to elaborate on the damage an attacker could cause if they gain access to your server via unencrypted FTP—especially for critical applications like WordPress or your website. If you aren’t already using a secure file transfer protocol, make sure to switch to one as soon as possible. Check the saved connection profiles in your FTP client and any scripts that upload to the server as well, since a single forgotten profile still set to plain FTP undoes the switch.
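As an added illustration of the switch (not code from the original post), here is a plain-FTP upload beside its FTPS replacement using Python's standard `ftplib`. The hostname, credentials and file names are placeholders; the point is the three things the secure version does that the plain one cannot: upgrade the control channel with AUTH TLS before sending the password, encrypt the data channel too, and verify the server's certificate.

```python
import ssl
from ftplib import FTP, FTP_TLS


def hardened_context():
    """TLS settings for FTPS: verify the server certificate and refuse old TLS versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True only if the context would reject a server presenting someone else's certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def plain_ftp_upload(host, user, password, local_path, remote_name):
    """The weak version: username, password and file content cross the wire unencrypted."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        with open(local_path, "rb") as fh:
            ftp.storbinary(f"STOR {remote_name}", fh)


def ftps_upload(host, user, password, local_path, remote_name):
    """The replacement: explicit FTP over TLS on the usual port 21."""
    with FTP_TLS(host, context=hardened_context()) as ftps:
        ftps.login(user, password)  # ftplib sends AUTH TLS first, so the password is never in the clear
        ftps.prot_p()               # encrypt the data channel as well, not just the control channel
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)
```

Most cPanel hosts expose FTPS on port 21 and SFTP on port 22; if your host offers SFTP, prefer it, since it needs no separate certificate setup.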
Wrap Up
I’d like to conclude with two bonus points. First, there are many apps for iOS and Android designed to generate Two-Factor Authentication (2FA) tokens. In the past, I’ve used apps like Google Authenticator, Authy, and other popular ones. However, as of this writing, I’m using Microsoft Authenticator. Available for both iOS and Android, it’s easy to install and offers a great feature: the ability to back up your accounts to a Microsoft account of your choice. Google Authenticator didn’t offer this feature initially, but it does now. Second, not all web hosting services allow you to secure your cPanel and Customer Portal with 2FA, especially if you’re on a Shared Server. I chose Namecheap many years ago after using two local resellers and BigRock Hosting, and I haven’t looked back. You may have your own preferences regarding Microsoft Authenticator and Namecheap, but they are my personal favorites, and I encourage you to give them a try.
If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.