Your WordPress security is critical when it comes to protecting your website investment. Welcome to our simple guide on WordPress security that you can perform yourself with very little assistance.
With over 100,000 websites being hacked everyday it is more important than ever to make sure your website security is a priority. The following steps and tips will help you to move forward with some best practice security for your WordPress website.
Secure WordPress Hosting
Making sure you choose a good quality and secure hosting provider is the first most important step in securing your website. Security starts at the server level and by using good quality reliable hosting (yes it won’t be the cheap kind) your business website will have the best head start to being secure. Good quality hosting will help you to be protected from things such as Malware, Phishing and DDoS style attacks.
It is important to choose hosts based on functionality, features and support and ignore the overwhelming need to go with something cheap just to save a dollar or two. In a previous article this month we covered in more detail how to choose the right website hosting for your business.
Use The Latest PHP Version
WordPress is a platform built using PHP as its core. Each new version of PHP comes complete with improved security and patches and fixes. By updating your hosting server or choosing a host that uses the latest PHP version then you are effectively putting another layer of security into the mix.
Many website owners who choose cheaper hosting options often don’t realise that many of those hosts are still using a much older PHP version such as PHP 5.6 as opposed to the current version of PHP 7.3 or newer. Over 78% of all websites globally are using out of date or no longer supported versions of PHP.
Use Better Usernames & Passwords
It might seem common sense but with a huge percentage of WordPress website hacks being caused by poor username or password selection this is important. According to a study performed in 2018 by Splash Data the most commonly used password is “123456” followed closely in 2nd place by “password”.
Make sure you choose a good strong password that contains a mix of upper and lower case characters, numbers and symbols. A good password should be at least 8 characters in length contain at least one upper case letter, one lower case letter, one number and one symbol.
Just like choosing a poor password opens you up to attack so does using a common username such as “admin”, “test” and “administrator”. Make sure that your username is unique and why note use a similar method to creating a password when it comes to creating your username.
Always Use The Latest Versions of WordPress, Plugins and Themes.
We mention and harp on this a lot but you really need to make sure that your WordPress core, your plugins, and your themes are kept up to date at all times. We recommend looking at updating these items at least once a week and if you do not have time to do this yourself then pay someone else to do it for you.
Change Your WordPress Admin URL
One of the simplest ways you can work to secure your WordPress website is to secure your login by changing the admin URL. There are a wide range of plugins available to help you change your login URL. By default the WordPress login URL is yourwebsite.com.au/wp-admin
Because this login URL is a default address it is common for hackers and bots to look for it. Whilst you may think changing that URL may only slow them down in actual reality most scripts simply skip over your site if they don’t find the login page at that address.
By adding a 2 factor authentication option to your login you can easily add yet another layer of security to your website. This type of authentication means that to log into your website you will need a username, a password and typically a code generated by a third party app on your phone or via email.
This effectively means to log in your will need to have your phone or email access to complete the login process. This makes it much harder for a hacker to utilise a brute force attack on your website. This is all due to the hacker also needing access to your phone or email in order to log in. There are many options for this and a simple search for two factor authentication on the WordPress repository will provide options.
Purchase an SSL Certificate
Make sure that your website incorporates and SSL certificate in order to protect all data transmitted to and from the website to the browser. This will help to protect your clients data as they input it on the site, It will help with SEO as Google and other search engines now frown upon insecure sites, and it builds Trust and Credibility.
Most website hosts now provide free SSL certificates as part of your hosting plan however we do recommend that you look at purchasing your own premium SSL certificate. Whilst the free certificate is adequate for most website types a premium SSL certificate is critical if your site is mission critical or contains eCommerce or any other type of money collection including eLearning and membership systems. Premium certificates provide far better coverage and trust then a free certificate.
Use WordPress Security Plugins
One of the best ways to secure your website is to use a security plugin to help secure the site actively. Two of the best plugins are Sucuri Security and WordFence Security both of which are freely available in the WordPress Repository. These types of plugins will help you to perform tasks on your website such as:
- Generate or force secure password use
- Expire passwords and force regular password changes
- Log user activities allowing you to see who is doing what behind the scenes
- Malware Scanning
- WordPress Firewalls
- IP Banning and Whitelisting
- Website Monitoring
- Malicious Attack Blocking
Always Backup Your Website
By backing up your website regularly you are protecting your investment in more ways than one. Firstly you’re creating a way to recover your site should something go wrong with an update or content change. Next you’re protecting your site by having a restoration point should a hacker succeed in breaking into your site.
There are many backup plugins for WordPress including Duplicator and Updraft Plus both of which have free versions available on the WordPress repository. We recommend that you backup at the least weekly however daily backups should be taken wherever possible. We also suggest storing your backups away from your website either in a cloud storage or other storage environment. Where possible make sure your backup is kept secure by using password protection on the storage.
This article is in know way a complete guide because there are literally so many different methods of applying security to your website. If you are looking for a more in depth article we suggest dropping by https://kinsta.com/blog/wordpress-security/ as this article is quite in depth and a great starting place for learning more.
In most cases your website developer should have already performed much of these tasks when they set up your website. If securing your site is something that your not comfortable doing yourself then we recommend employing a website designer or developer to complete it for you.