Securing Your Real Estate WordPress Site


We know selling real estate properties anywhere in the world is no slice of cake. You know the time, effort, and investment that goes into closing a sale. The challenge has become bigger with the impact of the Coronavirus on the real estate market. Digital avenues remain the only way to engage with prospective customers. Real estate websites are now the real dealmakers in property buying and selling. The last thing you want is to see hackers gain control of your website!


What happens when your site is hacked? Well, plenty. Here are just some of the things that could go wrong.

  • Your online customers may not be able to view listed properties on your site
  • Your traffic may be redirected to phishing sites lowering your customers’ trust
  • You may be denied access to your property or customer records
  • You may face a significant data breach, forcing you to build your customer leads from scratch


To avoid all of this, ensuring complete security for your WP website should be your priority. Based on recommendations from cybersecurity experts, we have compiled the top ten WordPress security tips for you. These measures are simple to execute and do not require any assistance from a WordPress expert. Let’s get started.


1. Invest in a Reliable WordPress Security Tool

Hackers look for security vulnerabilities in WordPress sites, irrespective of the size of the website. While you can manually keep your site clean and free from online threats, the process is usually complex and time-consuming.


In real estate, lead generation and relationship building can leave you with very little time for much else. And predictably, website maintenance might take a backseat. An effective investment then is a WordPress security plugin like Sucuri or  MalCare.


Apart from being fast and effective, these tools are user-friendly and can be used by novice users with even basic computer skills. For busy agents like you, we recommend MalCare for its 1-click WordPress malware scanning and clean-up. Apart from this, the plugin also sends email notifications if it detects any suspicious activity on your site.


2. Back Up Your Website Data

In these extreme times, you cannot afford to lose your business data even for a few hours. The only feasible guard against this is to take regular backups of your website and database. In the event of your website crashing, you can quickly restore your site to the latest backup version.


How do you do this? Periodically create a copy of your website files and database records and store them at a safe and independent location. Manually taking a backup every time can be exhausting. This is where a WP plugin like BlogVault can come to your rescue. The plugin is easy to install and can perform automated backups, saving you time and effort.


3. Keep Your Website Updated

Hackers often exploit known vulnerabilities in outdated WordPress sites to hack and damage them. Now is the right time to inspect your website. Is your website operating on the latest version of WordPress? What about plugins and themes – are they updated to the latest version?


If the answer to either of the above was a no, you must update your website. Like any other software product, WordPress and plugin/theme developers fix security bugs through patches and release updates. For all WordPress users, these latest updates are free to download and install.

You can apply all your updates from the WordPress account dashboard. If you are operating multiple sites, most WordPress management plugins enable you to update all your sites from a centralized dashboard.


4. Use Stronger Usernames and Passwords

The login page is among the most targeted pages in any WordPress site. Why?  Simply because it allows hackers to access your server and backend files and infect them with harmful code or entries.

Hackers deploy automated bots (or programs) that try to guess your username and password to your WordPress account page. Using weak usernames like “agent1” and passwords like “password123” makes the hackers’ job much easier.


You can prevent this by using:

  • Unique usernames that are difficult to guess.
  • Strong passwords with at least 8 to 10 characters in length, and having a combination of uppercase and lowercase alphabets, numbers, and special characters. Example, “[email protected]


5. Use Two Factor Authentication

While creating strong passwords can keep hackers at bay, you should consider two-factor authentication or 2FA for an added layer of security. 2FA comprises of a two-step process where any WordPress user has to:


  1. First, enter their login credentials to access their account.
  2. Second, enter a special 2FA code that is sent only to the user’s device like a smartphone/email account.


This step makes it hard for hackers to break in and access any account. You can implement WordPress 2FA for your site using plugins like MiniOrange or Google Authenticator.


6. Use SSL Certification

One of the key steps in ensuring the protection of your website is ensuring that it is SSL-encrypted. SSL certification is a leading safety standard for websites. In fact, search engines like Google also rank SSL-certified websites higher in their search results.

If you have a non-SSL-certified website, here’s what could happen – hackers can intercept confidential data (such as your customer’s info, credit card numbers, or any property purchase) transmitted from your user’s browser. This can result in data loss and as a result, denting your brand reputation.


You can obtain an SSL certificate from hosting companies like SiteGround and Kinsta, which offer free SSL certificates for their customers. Alternatively, you can install plugins like Really Simple SSL or WordPress HTTPS to get an SSL certificate for your website.


7. Protect Your Website with a Firewall

Just like your office security guard prevents robbers from coming in; similarly, a firewall prevents hackers from accessing your website and injecting malware.


Typically, here’s how firewalls work: anyone trying to access your website does so through a connected device – example, a smartphone, desktop, tablet, or laptop. Each of these connected devices has a unique IP address. Your firewall monitors every incoming IP request and blocks suspicious addresses that could belong to hackers or cybercriminals. This prevents them from accessing and compromising your site.


Your web hosting company can help you install firewalls for your website. If you have a security plugin like MalCare installed, you could make use of the in-built website firewall.


8. Implement Website Hardening

Website hardening is a set of 12 recommended actions from WordPress to safeguard your site from hackers. Some of these measures include disabling any file editor on your installation and blocking any plugin or theme installation.


As you may have guessed, implementing each of these 12 hardening measures can be complicated without adequate knowledge of WordPress. Thankfully, security plugins like MalCare make this much easier by integrating these steps into their security features.


9. Assign Admin Rights Only to Trusted Users

Hackers often try to gain access to admin user accounts as they have the highest user privileges among WordPress users. By gaining control over these accounts, they can create or edit file content, change plugin/theme code, or even install malicious plugins.


As a rule, limit the number of admin users for your WordPress site or assign admin privileges only to a few or trusted users. For other users, assign roles with lesser privileges such as editor, author, or contributor. Even if hackers manage to break into their accounts, they cannot inflict much damage because of their limited privileges.


10. Block Selected Countries

Remember, we talked about website firewalls in point 7? Well, apart from blocking IP addresses, firewalls can also be used to block users from various countries where your services may not be applicable. This geo-blocking feature is an effective method to rule out potential hackers from other countries.


If you have activated the MalCare firewall, you can log into the dashboard and view the list of IP requests along with the country of origin. After identifying the countries that need to be blocked, you can easily use the GeoBlocking tab to block users in select countries from accessing your website.

(Source: MalCare)


The current viral pandemic has created a lull in several industries, including the real estate market. In these times, online platforms are the only way forward to keep businesses alive. It goes without saying that your website is now your biggest asset. To ensure that your business runs smoothly, you must keep your site functioning at all times.


These simple yet effective security tips can go a long way in securing your website.  Have you already implemented any of these on your sites? Are there any tips we’ve missed? Let us know in the comments below.