Protecting Your Website
I’m sure you will have heard time and time again that keeping your WordPress website up to date and secure is of paramount importance. Or, maybe you’ve never heard this before, in which case I will be the first to tell you.
I’ve been taking a peek under lots of WordPress bonnets lately and honestly I’m a little concerned with what I’ve been seeing.
So many sites I’ve come across are running outdated versions of plugins, themes and sometimes even the WP core.
Look, I get it! I understand that, especially for DIY’ers, you don’t always know what you need to keep on top of to protect your WP site.
But don’t make the mistake of thinking you can just install a security plugin and job done!
Here’s some guidance that will hopefully help you stay on top of things.
The Cardinal Rules
Below is a list of the key steps that will help you mitigate your risk of being hacked and better prepare you to be able to resolve any issues with minimal disruption should the worst happen.
Note: this is by no means an exhaustive list. There is so much you can do to protect your site, ranging in levels of complexity, but the following is a simple guide that will put you well ahead of the curve.
1. Do not use ‘admin’ as your username
Admin is the default WordPress username and by failing to change it you are doing 50% of a hacker’s job. Some hosts will force you to change it at setup, but if not, keep in mind that this is something you should do yourself.
2. Use a strong password and change it frequently
WordPress measures the strength of your password; anything below medium is a disaster waiting to happen, and ideally you want a strong password (a mixture of letters, numbers and symbols). If you are struggling to keep on top of your passwords, use a tool such as LastPass, which will do the job for you, and don’t forget to change your password on a regular basis!
3. Limit login attempts
WordPress will allow you to enter your login details as many times as you like. This may seem like a great thing when you can’t quite remember your password, but it also leaves you vulnerable to brute force attacks – where a hacker will try to break into your site by working through a variety of username/password combinations.
You can use a plugin such as Login LockDown to limit login attempts.
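What a plugin such as Login LockDown does under the hood, shown as an added example written for this post (it is not code from that plugin or from WordPress): a must-use plugin that counts failed logins per IP address and refuses further attempts once a limit is hit. The limit of 5 attempts, the 15-minute lockout and the sll_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (added example)
 * Save as wp-content/mu-plugins/simple-login-limiter.php so it loads automatically.
 */

// Assumed policy: 5 failed attempts from one IP address lock that IP out for 15 minutes.
define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function sll_client_ip() {
    // REMOTE_ADDR is set by the web server itself. Forwarded headers such as
    // X-Forwarded-For can be faked by the client, so only use them if a proxy
    // you control sets them. Behind such a proxy REMOTE_ADDR is the proxy's IP.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sll_transient_key() {
    return 'sll_fails_' . md5( sll_client_ip() );
}

// WordPress fires this action after every failed login; count it against the IP.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_transient_key();
    $fails = (int) get_transient( $key );
    // Each failure restarts the lockout window, so slow guessing cannot outwait it.
    set_transient( $key, $fails + 1, SLL_LOCKOUT_SECONDS );
} );

// This filter runs inside the core username/password check *before* the password
// is compared, so a locked-out IP never gets a password verified at all.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    $fails = (int) get_transient( sll_transient_key() );
    if ( $fails >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 99999, 2 );

// A successful login clears the counter so legitimate users are not penalised.
add_action( 'wp_login', function () {
    delete_transient( sll_transient_key() );
} );
```

The counter lives in a transient, so it works on a single server without any extra tables; on a site with several web servers it needs a shared object cache to be effective.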
4. Backup your site regularly
This is such an important habit to get into, not least because it can save you a lot of stress should the worst happen. Regularly backing up your site can literally be the difference between getting a site back online within hours (sometimes even minutes) and having to do a full rebuild. It can also be the difference between a full restore and lost posts, pages, projects etc.
There are so many plugins you can use to do this; one of my favourites is Backup Buddy. Your host may also do backups for you, but if you are going to rely solely on these (not recommended), always check that both the database and the files are being backed up.
5. Keep WordPress Core up to date
As WordPress is an open source platform, it is constantly being developed and updated. When updates are made to the WordPress core you will get a notification on your WordPress dashboard. Don’t ignore it. As well as bringing new features, updates often patch some type of security vulnerability that has been discovered.
6. Keep themes and plugins up to date
As mentioned earlier, I have been behind the scenes of so many sites recently where plugins and theme files have not been kept up to date. On one site there were 20+ outdated plugins. It is so important that you monitor and act on these updates. WordPress flags them with a little orange circle and a number and you can check to see what each update includes by clicking on details.
If it’s a major plugin or theme update then it’s always wise to make sure you have a backup of your site first. Sometimes updates may cause a conflict on your site leading things to go a bit skew-whiff. Having a backup means you can roll back if you need to.
7. Delete any plugins and themes not in use
It’s a common misconception that if a plugin or theme is not active you don’t need to worry about updating it. However, that is not the case and you still have to maintain these files. To save you a little hassle and reduce your risk, as a rule of thumb: if it is deactivated, delete it!
8. Use a good security plugin
Cleaning up hacked sites has sadly taught me that no single security plugin will pick up every issue on a site. However, there are some pretty amazing plugins in the marketplace that will help put you in a position of prevention rather than needing a cure. My favourite is WordFence and though they offer a premium solution, the free version is extremely robust. I definitely recommend you install and utilise it to complete regular scans of your site.
WordFence will also send you frequent email notifications about your site’s security, which you should pay attention to.
9. Choose a good host
In the dreaded worst case scenario, having a good host can make the world of difference. When selecting a host be sure to see what, if any, security solutions they offer and also check out reviews regarding their customer service. Having a host that you can’t get hold of, or one that takes forever to get back to you is no good.
I love Siteground and use them for all of our client builds. So far there hasn’t been an issue they couldn’t solve.
10. Install an SSL certificate and force HTTPS
Many people believe that HTTPS is only essential if you are running an e-commerce site or processing personal data. This isn’t strictly true.
Forcing HTTPS has security benefits that even a blog or static site can take advantage of, as it ensures that the connection between the site and the browser is encrypted. What does this mean in English? Essentially, your login details are encrypted in transit, which stops hackers or would-be fraudsters intercepting them and using them to gain access to your site.
In addition, so many people look for the green padlock nowadays that it really does no harm to show them you have a secure site. Many hosts now offer free SSL certificates via Let’s Encrypt.
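One way to force HTTPS once the certificate is installed, as an added example for this post rather than code from WordPress, a host or a plugin: a must-use plugin that redirects plain-HTTP requests and sets an HSTS header. It assumes the site address in Settings > General already uses https:// and that any proxy in front of the site sets X-Forwarded-Proto.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 * Save as wp-content/mu-plugins/force-https.php so it loads on every request.
 * Also add define( 'FORCE_SSL_ADMIN', true ); to wp-config.php so the login
 * and admin pages are only ever served over HTTPS.
 */

// Behind a load balancer or CDN that terminates TLS, PHP only sees plain HTTP,
// so is_ssl() would be false and the redirect below would loop forever. Trust
// the forwarded header ONLY if a proxy you control sets it; otherwise a client
// could fake it. (This line normally belongs in wp-config.php, which runs first.)
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Redirect every plain-HTTP request to the same path over HTTPS.
add_action( 'init', function () {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return; // already secure, or running from the command line
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // wp_safe_redirect() refuses to send visitors to a host other than this site,
    // which matters because HTTP_HOST is taken from the request itself.
    wp_safe_redirect( $target, 301 );
    exit;
} );

// On secure front-end requests, tell browsers to use HTTPS for this host for the
// next 180 days without trying HTTP first (HSTS). Never send it over plain HTTP.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=15552000' );
    }
} );
```

Test it by requesting an http:// URL of the site with a browser or curl and checking for a 301 to the https:// equivalent; if you see a redirect loop, the proxy header handling above is the first thing to check.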
The Importance of Consistency
Establishing a solid routine is vitally important in keeping your site secure. Just as you schedule social media posts or marketing content, you need to do the same with carrying out your website security check.
Don’t set plugins up and rest on your laurels – after all even a security plugin is still a plugin and so susceptible to exploitation.
Whilst you can undoubtedly automate a lot of what is required, you need to be proactive in ensuring the solutions you have in place continue to work for you!
You should be actively looking at your site at least once a week and more so if you run a high traffic site, an e-commerce site or a membership site.
If you don’t feel you have the knowledge, time or inclination to manage your WordPress security then outsource it.
Over at DefinedWP we offer a range of packages that can take the stress and hassle away from you. We help our clients keep their sites secure and should the unthinkable happen (which we can openly admit that it has) we are on hand to rectify the problem as quickly and painlessly as possible.