WordPress is ridiculously popular. It’s used to power over a quarter of the world’s websites. This popularity, coupled with its open-source nature, makes it a prime target for hackers. In fact, if you have a WordPress website, did you know that people are trying to break into your site all the time? It's critical to secure your WordPress site.
If it’s ever happened to you, you know being hacked isn’t nice. Hackers can infect your website with viruses, inject adverts, steal the computing power for spam, encrypt or delete your content. When that happens, sensitive data is stolen, Google blacklists you, visitors and customers lose faith in you, and your SEO rating plummets. And if you don't have a backup, you end up spending an inordinate amount of time and money cleaning up the mess.
So, how safe is your WordPress site?
Although it’s impossible to ensure 100-percent security, there are some simple steps you can take to secure your WordPress site and reduce your chance of becoming a victim. Most cyber attacks are automated, run by bots that constantly probe for specific exploits.
Hackers pick off the weakest: WordPress users who don’t keep up to date with installs, or those who fail to take basic security precautions.
With millions of WordPress users around the world, there will always be tens of thousands of potential victims out there. Don’t be one of them.
Here’s my checklist for staying safe:
1. Use the latest version of WordPress and WordPress themes and plugins
Making sure that you always install the latest versions of WordPress Core, themes and plugins as they’re released is by far the easiest and most important way to shore up your security and functionality whilst avoiding bugs.
Identify which version of WordPress you are using. If you’re not using the latest stable release of WordPress, install it now. It’s extremely quick and easy. Or, use a Managed WordPress provider that offers this service.
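As an added illustration (not code from the original post or from WordPress itself), here is a small Python audit that reads the version WordPress Core records in wp-includes/version.php and the Version: header of each plugin's main file, then compares them with a table of latest stable releases. The file contents and the 'latest' table are constructed samples; on a live site the latest versions come from the Dashboard > Updates screen or the wordpress.org update API.

```python
import re

# Constructed sample of wp-includes/version.php, the file in which WordPress Core
# records its own version, and of two plugins' main-file header blocks.
VERSION_PHP = "<?php\n$wp_version = '6.4.2';\n$wp_db_version = 56657;\n"
PLUGIN_FILES = {
    'example-gallery': "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 2.1.0\n */\n",
    'example-forms': "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.9.4-beta1\n*/\n",
}
# Constructed 'latest stable' table; on a live site this comes from the
# Dashboard > Updates screen or the wordpress.org update API.
LATEST = {'wordpress': '6.4.3', 'example-gallery': '2.1.0', 'example-forms': '1.9.4'}

def parse_core_version(version_php):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None

def parse_plugin_version(main_file):
    """Extract the 'Version:' header from a plugin's main PHP file."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", main_file, re.M)
    return m.group(1) if m else None

def version_key(v):
    """Sortable key: numeric parts as ints, padded to three places, with a
    pre-release suffix ('1.9.4-beta1') sorting before the final release."""
    core, _, pre = v.partition('-')
    nums = tuple(int(p) for p in core.split('.') if p.isdigit())
    return nums + (0,) * (3 - len(nums)), (0 if not pre else -1), pre

def is_outdated(installed, latest):
    return version_key(installed) < version_key(latest)

def audit(version_php, plugin_files, latest):
    """Return {component: (installed, latest)} for every component behind latest."""
    installed = {'wordpress': parse_core_version(version_php)}
    installed.update({slug: parse_plugin_version(src) for slug, src in plugin_files.items()})
    return {name: (v, latest[name]) for name, v in installed.items()
            if v and name in latest and is_outdated(v, latest[name])}
```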
2. Only install good WordPress themes and plugins
Be extremely cautious with the WordPress themes and plugins you install, as some plugins and themes may be insecure, hacked, bloated or out-of-date. There are more than 40,000 free plugins out there, and as you’d expect, not all of these are secure. So whatever you do, be extremely cautious with the plugins you install:
- Only install plugins from developers who have a solid and well-established reputation.
- If you’re using a premium plugin, look through the plugin’s history to see if past security vulnerabilities were dealt with quickly.
- If it’s a free plugin, ensure that it has a large number of downloads, high ratings and that it brings out regular updates.
3. Guard your logins
The WordPress login page is a prime target for brute force attacks. Using weak passwords and usernames is like leaving your front door unlocked, and once hackers are in, they can do virtually anything.
What’s more, if you use the same username or password for other accounts, the hacker can easily leverage their access, leaving you the victim of identity theft, account spamming or worse. Always use unique usernames and passwords for every account you own.
To keep your logins secure:
- Change your WordPress username from the default.
- Choose a strong password, either by using a Password Manager App or a passphrase (a random collection of words, such as happy long elephant go). If you do use a password, mix upper and lowercase letters with punctuation and special characters. It should be meaningless, and at least 10 characters long.
- Limit the number of attempted logins from a single IP address.
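To make the last item concrete, here is an added Python example (not code from the original post or from any WordPress plugin) of the per-IP limiting it describes: a sliding-window limiter that blocks an IP after five failed logins within ten minutes, fed by failed POSTs to wp-login.php parsed from constructed web-server access-log lines. The thresholds and the log lines are assumptions; a plugin applies the same logic inside WordPress through its login hooks.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Combined-format web server log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

class LoginAttemptLimiter:
    """Sliding window: block an IP for lockout_s after max_attempts failures in window_s."""
    def __init__(self, max_attempts=5, window_s=600, lockout_s=900):
        self.max_attempts, self.window_s, self.lockout_s = max_attempts, window_s, lockout_s
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> epoch second the block ends

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register one failed login at epoch time `now`; True if the IP is blocked."""
        if self.is_blocked(ip, now):
            return True
        q = self.attempts[ip]
        q.append(now)
        while now - q[0] > self.window_s:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.blocked_until[ip] = now + self.lockout_s
            q.clear()
            return True
        return False

def parse_failed_login(line):
    """(ip, epoch seconds) for a failed POST to wp-login.php, else None.
    WordPress re-renders the form with 200 on failure and redirects (302) on success."""
    m = LOG_RE.match(line)
    if not (m and m['method'] == 'POST' and m['path'].startswith('/wp-login.php')
            and m['status'] == '200'):
        return None
    return m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').timestamp()

def blocked_ips(lines, limiter=None):
    """Replay access-log lines through the limiter; return the IPs it blocked."""
    limiter, blocked = limiter or LoginAttemptLimiter(), set()
    for hit in filter(None, map(parse_failed_login, lines)):
        if limiter.record_failure(*hit):
            blocked.add(hit[0])
    return blocked

# Constructed sample: five failures from one IP in ten seconds, then one successful (302) login from another.
SAMPLE_LOG = [f'203.0.113.7 - - [10/Mar/2024:08:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321'
              for s in (1, 3, 4, 6, 9)]
SAMPLE_LOG.append('198.51.100.22 - - [10/Mar/2024:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
```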
4. Use a reputable web service provider
If you pick the wrong web host, your site is much more vulnerable to getting hacked. Poor web host providers run their systems on software that’s out-of-date or poorly maintained, so any past vulnerabilities are open for exploitation. They might have other bad security practices such as storing your passwords in a non-hashed format or a lack of access controls.
How to choose a good web hosting provider:
- Use a well-established company with a strong reputation and a good track record for security. They should have protocols separating their servers from unauthorised access, account isolation, 24-hour monitoring and a means of backing up sites daily.
- Managed WordPress hosts, like GoDaddy Managed WordPress, are a great option. If you can afford to use a managed option, you should.
5. Use two-factor authentication
Two-factor authentication is one of the strongest ways to keep your login safe, as it makes brute force attacks much more difficult to pull off.
There are a number of plugins that provide this service; I recommend this free plugin: https://wordpress.org/plugins/two-factor-authentication/.
6. Get an SSL certificate
SSL (Secure Sockets Layer) is an encrypting technology that keeps private correspondence between users and the web service provider secure. Without it, third parties can potentially listen in to communications between your website and the end user, leading to private data being stolen.
Having an SSL certificate prevents this kind of eavesdropping; the padlock icon at the top of the web page address not only assures users that their data is safe but also validates your website’s identity — assuring them that they are not visiting an imposter site.
You should be able to apply for and purchase an SSL certificate from your web host.
7. Use SFTP Instead of FTP to access the server
File Transfer Protocol (FTP) is a well-established way of using the Internet to transfer data between computers. When you open up an unencrypted FTP connection, the whole transmission between host and user can be snooped on by anyone who can see the network packets, and unauthorized users have the opportunity to compromise the system.
Using Secure File Transfer Protocol (SFTP) instead means that data is communicated over a single secure, efficient connection through the firewall.
SFTP encrypts the entire login session, making it much more difficult for an outsider to view and collect passwords.
An encrypted version of the traditional FTP protocol is also available, but this requires you to carefully set up your FTP program to use it, and might be more difficult to work with.
8. Use security plugins
It’s worth installing security plugins to further tighten your site’s security and reduce the chance of being hacked.
A great security plugin is your WordPress site’s bodyguard: it can detect malware, vulnerabilities, suspicious activity and bots. It can also offer features that help you stay on top of other security measures, such as tools to update WordPress automatically, change your admin username and test password strength.
There are a number of good WordPress security plugins out there, each with different features, so you might want to explore what each offers before you make a decision.
9. Always back up!
Making regular backups of your website plus all files and databases is vital. You might take every single security precaution going, but the reality is, being 100-percent safe is a journey, not a destination. You need to keep regular backups, so that if something terrible did happen, you could restore everything in a matter of minutes to a safe location away from your live site.
Backup plugins make it easy to keep your WordPress data safer. When choosing a provider, ensure that it’s secure, trusted, well-established, easy-to-use and comprehensive. Check out its features and capabilities, too.
Not all backup plugins are created equal. It’s best to get one that encrypts your databases, takes automatic pre-update backups, restores seamlessly, and is fully supported and kept up to date. Backup plugins like UpdraftPlus WordPress Backup are worth exploring.
So there we have it: nine things that will help you secure your WordPress site. Being aware of the risks and taking measures to protect yourself is a no-brainer. Like health and safety, practicing good cyber security isn’t something people get excited about, but it is incredibly important.