10 Tips To Keep Your WordPress Site As Secure As Possible
Did you know that about 30,000 sites are hacked a day? On average, a website is hacked every 5 seconds.
Keep in mind – there is no such thing as 100% safe and secure. However, the more locked doors and walls put in place on your site, the harder it is to get into.
In light of the recently leaked “Panama Papers” from the Panamanian law firm Mossack Fonseca, I thought it would be a good idea to go over 10 simple ways to keep your WordPress website as secure as possible.
- Keep Files Up-To-Date. Did you know that 83% of hacked websites were compromised because they were not up to date? Now that you know, keeping WordPress, themes, and plugins updated with new bug fixes, security updates, and performance tweaks should be a no-brainer. When theme and plugin authors release an update, apply it to your website as soon as possible. Doing so reduces the chance that your site gets hacked and fixes any known issues in that plugin or theme. WordPress core updates are no different – get those in place ASAP (it’s even easier since there’s an auto-update feature).
- Don’t Use Admin for a Username. Using the default “admin” account is a very common security mistake. Which login do you think a hacker will try first when attempting to get into your site? Get creative and use a unique username for your login. If you are already using “admin” as an account, simply make a new account with a unique username and give that user administrator rights before deleting the old admin account. When you delete the old admin account, make sure to assign any posts from that account to the new admin account.
- Use Strong and Unique Passwords. Just as you use strong passwords for your banking, e-mail, and social media accounts, your website should have one too. Why? Your website is the online home base of your brand – protect it. An online secure password generator will make a strong one for you. It is also worth looking at the top 25 most-used passwords of 2015 to see what not to do.
- Backup Often. Make sure that either you or your website host backs up your site files and database often. If your site is hacked, you’ll need those backups to restore it to its former (pre-attack) glory. It’s also a good idea to store those backups offsite and, if possible, not on the same server as your website files, as they might get infected too. This tip is more about being prepared for a security breach than about up-front security. Learn more by checking with your website host.
- Add Security Plugins. There are several WordPress security plugins out there, but the one that we love and use at BLU on all of our WordPress sites is Wordfence (http://wordpress.org/plugins/wordfence/). Don’t install more than one security plugin as they might have compatibility issues or overlapping functionality. Here is a list of security plugins to choose from:
- Close Comments & Add Spam Blocker. This won’t be for everyone, but if you are getting hit by a lot of spam comments on your blog you can try closing the comments after 30 or 60 days (or less). Doing this has cut down on our spam comments and our clients’ spam comments drastically. In addition, a spam-blocking/filtering plugin like Akismet or WP Spam Shield is a must; it will help with security and save you time. Also, make sure your comments are set to require your approval before appearing on your site.
- Lock Down File Permissions & Write Access. Take your site security one step further by locking down the files on your server and who has write access to them. This can be done through a plugin or through the hosting settings in cPanel. I’d suggest you contact your website host to make these changes, as they can break things if not done right.
- Securely Connect To Your Server with SFTP. Connecting to your web server with Secure FTP (SFTP – secure file transfer protocol) encrypts the connection, so your files and your login credentials are protected as they travel to or from your website, unlike plain FTP, which sends both in clear text.
- Use A Unique Database Prefix. Spammers and hackers run automated, mass SQL injection attacks that assume the default “wp_” table prefix. The easiest way to protect your database is to change the default prefix to something unique when you first build the site. If you already have a site set up with the default prefix, it takes a few steps to change it properly without breaking your established website. Here is a good video tutorial on how to change the WordPress database prefix on an existing site.
- Consider Logging In With Two-Step Authentication. Normally, logging into a WordPress site requires just your username and password – this is one-step authentication. Up your security with two-step authentication, also called two-factor authentication (2FA), such as an SMS code, Google Authenticator, or Cell Phone Sign-in (offered by Wordfence Premium). Whether you need it depends on the company and what needs protecting; if you have a simple site or blog, you may not need it.
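For the first tip (Keep Files Up-To-Date): WordPress installs minor core releases on its own, but plugin and theme updates only run in the background when the site opts in. The must-use plugin below does that opt-in. It is an added example, not code from the original post, and the notification address in it is a placeholder.

```php
<?php
/**
 * Plugin Name: Force background updates
 * Description: Added example (not from the original post). Opts this site in to
 *              automatic core, plugin, theme and translation updates so that
 *              security releases are applied without waiting for someone to log in.
 *
 * Save as wp-content/mu-plugins/auto-updates.php (create the directory if needed).
 */

// Core: allow both major and minor releases to install automatically.
// (The same can be done in wp-config.php with define( 'WP_AUTO_UPDATE_CORE', true ).)
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Plugins and themes are NOT updated in the background unless a filter says so.
add_filter( 'auto_update_plugin',      '__return_true' );
add_filter( 'auto_update_theme',       '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Send the result e-mail for core updates to a monitored mailbox so a failed
// or skipped update does not go unnoticed. Placeholder address.
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'webmaster@example.com'; // placeholder, change me
    return $email;
} );
```

Must-use plugins load automatically and cannot be switched off from the dashboard, which is the point. Background updates are driven by WP-Cron, so the site needs either regular visitors or a real cron job requesting wp-cron.php, and they are disabled entirely if DISALLOW_FILE_MODS is defined in wp-config.php. On a site where a plugin update has broken things before, keep a current backup (tip four) before turning this on.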
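For the seventh tip (Lock Down File Permissions & Write Access), the wp-config.php constants below are the part you can do yourself without touching server permissions. They are an added example, not configuration from the original post; they go above the line that reads “That's all, stop editing!”.

```php
// Added example for the "Lock Down File Permissions & Write Access" tip.
// Insert into wp-config.php above "That's all, stop editing!".

// Remove the theme/plugin file editor from the dashboard. Without this, anyone
// who obtains an administrator login has a PHP editor that writes straight to
// the web root.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also block installing, updating and deleting plugins and
// themes from the dashboard, so the web server process never writes code to
// disk. Only enable it when updates are applied another way (your host or a
// deploy step), because it switches off WordPress's background updates too.
// define( 'DISALLOW_FILE_MODS', true );

// Serve the login page and dashboard over HTTPS only, so the password and the
// admin cookie are not sent in the clear. Requires a certificate on the host.
define( 'FORCE_SSL_ADMIN', true );
```

On the file system itself, the baseline from the WordPress hardening guide is 755 on directories, 644 on files, and 440 or 400 on wp-config.php, with everything owned by your account rather than the web server user. As the tip says, have your host apply those unless you know how the server is set up, because the wrong owner or mode will stop uploads and updates from working.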
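For the ninth tip (Use A Unique Database Prefix) on a site that already exists: renaming the tables is only half the job, because WordPress also stores the prefix inside two tables' data (the roles definition in options and per-user keys such as capabilities in usermeta). The command-line script below does all three steps. It is an added example, not the post's tutorial; the database host, name, credentials and the new prefix are placeholders, and it must only be run after a full database backup with the site in maintenance mode.

```php
<?php
// Added example for the "Use A Unique Database Prefix" tip (not the post's own code).
// Moves an existing site from the default "wp_" prefix to a new one.
// Run once from the command line: php rename-prefix.php
// Take a full database backup first; all connection values are placeholders.

$old = 'wp_';
$new = 'k7q3_';   // choose your own: letters, digits and underscores only

if ($new === $old || !preg_match('/^[A-Za-z0-9_]+$/', $new)) {
    exit("New prefix must differ from the old one and use only [A-Za-z0-9_]\n");
}

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=wordpress;charset=utf8mb4',   // placeholder DSN
    'dbuser',                                                  // placeholder user
    'dbpass',                                                  // placeholder password
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// In a LIKE pattern "_" matches any single character, so escape it to match literally.
$likeOld = str_replace('_', '\\_', $old) . '%';

// 1. Find every table that carries the old prefix.
$tables = $pdo->query('SHOW TABLES LIKE ' . $pdo->quote($likeOld))
              ->fetchAll(PDO::FETCH_COLUMN);

// 2. Rename them. RENAME TABLE is DDL, so MySQL commits each one immediately;
//    if anything fails part-way, restore the backup instead of re-running.
foreach ($tables as $table) {
    $renamed = $new . substr($table, strlen($old));
    $pdo->exec("RENAME TABLE `$table` TO `$renamed`");
    echo "$table -> $renamed\n";
}

// 3. Fix the rows whose keys embed the prefix: the site's role definitions in
//    options, and every per-user key in usermeta (wp_capabilities, wp_user_level, ...).
$pdo->prepare("UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?")
    ->execute([$new . 'user_roles', $old . 'user_roles']);

$pdo->prepare(
    "UPDATE `{$new}usermeta`
        SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?))
      WHERE meta_key LIKE ?"
)->execute([$new, strlen($old) + 1, $likeOld]);

echo "Done. Now set \$table_prefix = '$new'; in wp-config.php.\n";
```

The last step, editing `$table_prefix` in wp-config.php, is deliberately left to you so the site is not pointed at renamed tables until every query above has succeeded. The script handles a single-site install only; a multisite network has per-blog options tables with their own `wp_N_user_roles` rows that it does not touch. Once the prefix is changed, log in and confirm your account still has its administrator role, since that is exactly the data step three rewrote.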
If your site does get hacked, it’s a hassle to get it back to where it was. You lose valuable time you could have put to better use, plus the headache of investigating and restoring the files and the database. In addition, your search engine optimization can be harmed if the hacker was able to put malicious code on your website, such as redirects for visitors or malware.
Overall, use your new WordPress security knowledge to be proactive and check your site for security issues. You can start small with updating your username and password, and then move up to updating your core, theme, and plugin files. If you need any help, or have questions or concerns, give us a call at 608-519-3070 or e-mail us at firstname.lastname@example.org.