WordPress is a powerful platform for building your online presence but there’s one issue that keeps cropping up. The downside to WordPress’ popularity is it becomes an obvious target for hackers, which makes security an important topic.
So today we’re going to run through all the key points you need to know about WordPress security and how to keep your website safe.
What are the security concerns with WordPress?
WordPress is an incredibly secure piece of software that’s constantly improving. However, no platform is 100% secure and there are a number of reasons someone might target your site:
- Steal user information
- Install malicious software
- Hijack your site and demand ransom (ransomware)
- Target your users with malware
- Damage your search ranking
- Run phishing scams
These threats are very real for any kind of website, not only WordPress. In March, Google reported that more than 50 million website users had been warned about visiting an infected site – up from 17 million in 2015. The search giant says it blacklists around 20,000 sites every week for malware and roughly 50,000 others for phishing.
Needless to say, website security is becoming a more pressing concern every year. So let’s get on top of things shall we?
Security steps when launching your WordPress site
Here are the key steps to take when you’re setting up your WordPress site, before launch. Don’t worry, there’s nothing too stressful or technical involved but these points are important.
Talk security with your hosting provider
A good hosting provider is the best ally you can have as a website owner. They play a big role in the speed, general performance and security of your website – so it’s worth doing your homework before you sign up to any provider.
Generally speaking, shared hosting is a bad idea for anything but small or non-commercial websites. You’ll be sharing the same server with other websites, meaning there’s always the risk another site could infect yours if it gets hacked.
So speak to your provider about security and get clear information on what’s included in each package. Compare notes from different providers and make sure security is one of the factors in deciding who to go with.
Use a password management tool for extra security
The most common type of attack against any website is known as password cracking. As the name suggests, this means stealing, guessing or recovering your password and gaining access to one of your accounts.
This could be your WordPress site, your hosting provider account, email accounts, FTP and anything else with a login process. So, even if passwords aren’t the most interesting topic, they still need to be taken seriously. Especially when there are so many automated hacking tools that can ‘guess’ your passwords.
Luckily, there are also plenty of tools that make password management easier and more secure for you. It shouldn’t come as a surprise that there are various password management plugins for WordPress. However, it’s a good idea to go with a third-party option on this one – something like LastPass Enterprise. This allows you to create unique, secure passwords for every account linked to your site without the risk of forgetting them and locking yourself out.
The best password management tools available right now, according to PC World, are:
- Sticky Password
- Keeper Password Manager
- Password Boss
- RoboForm Everywhere
- RoboForm Desktop
- True Key
- Zoho Vault
Each one comes with its own unique features, so you’ll have to see which one meets your needs best. Most of them also come with a free version, but the added features and security that come with the paid versions are normally more than worth it.
Keep your user permissions in check
Sooner or later you’re going to need to give access to your WordPress site to someone else. Whether it’s a designer, content writers or some marketing whizz, handing over your account details always presents an element of risk. Your job is to minimise it.
The best way to go about this is to create a new account for every person and only give them access to the features they need. For example, your content writers don’t need to add new pages or change the theme of your site. All they need to do is create a new post and publish it – so limit their access to these functions.
Finally, when anyone with access to your site finishes their job, delete their account so they can’t access your site again in the future.
Security steps when your site is up and running
Once your site is up and running, the one-time steps are over. Now it’s a case of making security a long-term habit that keeps your site (and its users) safe for the duration.
Get yourself a trusty security plugin
There aren’t many plugins we would say are absolutely essential, but this is one of the few exceptions. There are various WordPress security plugins that provide an extra barrier of protection. Just as important as helping to protect your site, though, is that many of them alert you when something suspicious is going on.
The best WordPress security plugins, according to Elegant Themes, are:
- iThemes Security
- All In One WP Security & Firewall
- Sucuri Security
- BulletProof Security
Again, these all come with free and paid versions and you’ll find some plugins make drastic changes to your core site files. So always read instructions carefully and back up your site before installing any security plugins.
Get a developer on board to beef up security
Everything we’ve looked at so far can be done by anyone with a WordPress site. You don’t need any coding expertise or technical knowledge to cover the basics, but it’s always worth getting a developer to take website security to the next level.
Here’s a list of the more advanced security steps a developer will be able to cover:
- Change your default admin usernames
- Change the URL of your login page
- Limit login attempts
- Disable PHP file executions
- Disable file editing
- Disable directory indexing and browsing
If you’re comfortable with doing these things yourself, then go right ahead. Each of the items on that list changes some of the default WordPress settings that hackers can use to their advantage. By making these changes, it’s unlikely hackers will ever find your login page, let alone manage to gain access to your site.
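Three of the items on that list (disabling file editing, disabling PHP execution in uploads, and disabling directory indexing) are file-level settings rather than anything you do in the dashboard. The following POSIX shell script is an added example, not code from the original article, that applies those three to a WordPress install served by Apache: it defines DISALLOW_FILE_EDIT in wp-config.php ahead of the line that loads wp-settings.php, drops a .htaccess into wp-content/uploads that refuses to execute PHP, and adds Options -Indexes to the root .htaccess. The install-path argument and the assumption that .htaccess overrides are enabled in Apache are mine; an nginx site needs the equivalent rules in its server block. Each step checks before it writes, so the script can be re-run safely.

```shell
#!/bin/sh
# Added example, not from the original article: apply three file-level
# hardening steps to a WordPress install served by Apache.
# Assumes $1 is the install directory and that .htaccess overrides are
# enabled (AllowOverride) for that directory.
set -eu

# 1. Disable the dashboard theme/plugin editor. The define must run before
#    wp-settings.php is loaded, so it is inserted ahead of the
#    "stop editing" marker (or the require line) rather than appended.
disable_file_editing() {
    cfg="$1"
    line="define( 'DISALLOW_FILE_EDIT', true );"
    if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
        return 0   # already set, keep the script re-runnable
    fi
    awk -v line="$line" '
        !inserted && (/stop editing/ || /wp-settings\.php/) {
            print line
            inserted = 1
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # Unusual wp-config.php with neither marker: fall back to appending.
    grep -q "DISALLOW_FILE_EDIT" "$cfg" || echo "$line" >> "$cfg"
}

# 2. Refuse to execute PHP from the uploads directory. Files there are
#    user data; a script smuggled in as an upload must not run as code.
block_php_in_uploads() {
    uploads="$1"
    mkdir -p "$uploads"
    if ! grep -qs "FilesMatch" "$uploads/.htaccess"; then
        cat >> "$uploads/.htaccess" <<'EOF'
# Uploaded files are data, never code
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    fi
}

# 3. Stop Apache listing a directory's contents when it has no index file.
disable_directory_indexing() {
    htaccess="$1"
    touch "$htaccess"
    if ! grep -q "Options -Indexes" "$htaccess"; then
        printf '\n# Never list directory contents\nOptions -Indexes\n' >> "$htaccess"
    fi
}

harden_wordpress() {
    root="$1"
    disable_file_editing "$root/wp-config.php"
    block_php_in_uploads "$root/wp-content/uploads"
    disable_directory_indexing "$root/.htaccess"
}

if [ -n "${1:-}" ]; then
    harden_wordpress "$1"
    echo "hardened $1"
fi
```

Run it as `sh harden-wp.sh /path/to/wordpress` after taking a backup, as the article advises for any change to core files. To confirm it took effect, check that the Theme Editor and Plugin Editor entries have disappeared from the dashboard and that requesting a .php file placed under wp-content/uploads now returns 403. The remaining list items (admin username, login URL, login attempt limits) live in the WordPress database or in plugin code, which is why they are not covered here.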
Things to do on a regular basis
The most important part of website security is habit. By covering the essentials on a regular basis, you create additional layers between hackers and the most important parts of your website.
Keep your WordPress site updated
As with any piece of software, the first thing you should do is keep up to date with the latest version. The guys over at WordPress are constantly working to improve security and each update aims to make it more difficult for hackers to get into the back end of your site.
The same goes for any themes and plugins you use. Keep everything up to date to minimise any gaps they could be leaving.
Regularly back up your site
Aside from regular updates, backing up your site is the first line of defence against any security issues. Once again, the whole process of backing up your WordPress site is made incredibly easy thanks to the power of plugins.
Choose a reputable backup plugin for your site and you can automate everything to be taken care of for you. All you need to do is check in to make sure everything is running as planned (probably once a week) and you’re pretty much set.
As for how often you should back up, even small websites should be doing this at least once a week and larger sites every day – or multiple times throughout the day.
The most important thing is to store your backups on a third-party cloud service like Amazon, Dropbox or elsewhere. Do not rely on your hosting provider to take care of backups for you.
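For sites where a plugin is not the right fit, or as a second, independent copy, the same job can be done from the shell. The script below is an added example, not code from the original article: it writes a timestamped archive of wp-config.php and wp-content, optionally dumps the database with the credentials read from wp-config.php, and stores a SHA-256 checksum beside the archive so the copy you sync to cloud storage can be verified before you ever need it for a restore. The install and staging directory arguments, the `files-only` mode and the retention period are my assumptions; the off-site sync step itself (to S3, Dropbox or wherever) is left to whatever client you use.

```shell
#!/bin/sh
# Added example, not from the original article: a timestamped WordPress
# backup (files plus an optional database dump) with a checksum so the
# copy you push to cloud storage can be verified before you rely on it.
# Assumes: $1 is the install directory, $2 a local staging directory that
# you then sync off-site; mysqldump is on PATH unless "files-only" is given.
set -eu

# Read define( 'KEY', 'value' ) from wp-config.php (single-quoted values).
wp_config_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# Dump the database using the credentials in wp-config.php. MYSQL_PWD keeps
# the password out of the process list. A DB_HOST of the form host:port
# would need splitting first. Non-zero status means the dump failed.
dump_database() {
    cfg="$1/wp-config.php"; out="$2"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" \
        -u "$user" "$db" > "$out.sql" && gzip -f "$out.sql"
}

# Archive wp-config.php (credentials, salts) and wp-content (themes,
# plugins, uploads). Core files are re-downloadable and left out.
# Prints the archive path; writes <archive>.sha256 beside it.
backup_wordpress() {
    root="$1"; dest="$2"; mode="${3:-full}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    archive="$dest/wp-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$root" wp-config.php wp-content
    sha256_of "$archive" > "$archive.sha256"
    if [ "$mode" = "full" ]; then
        dump_database "$root" "$dest/wp-db-$stamp"
    fi
    echo "$archive"
}

# Re-hash the archive against the stored checksum and make sure tar can
# still read it; a truncated or tampered copy fails here, not at restore time.
verify_backup() {
    archive="$1"
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tar -tzf "$archive" >/dev/null
}

# Drop backups older than N days (default 30) from the staging directory.
prune_backups() {
    find "$1" -name 'wp-*' -type f -mtime +"${2:-30}" -exec rm -f {} +
}

if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    archive=$(backup_wordpress "$1" "$2" "${3:-full}")
    verify_backup "$archive" && echo "verified $archive"
fi
```

Schedule it with cron at the frequency the article suggests (weekly for small sites, daily or more for larger ones), then sync the staging directory off-site. Running `verify_backup` on the copy that lives in cloud storage, not just the local one, is what turns "we have backups" into "we can restore".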
Do regular health checks
The reason backups are so important is because you can wind the clock back and remove any nasty changes hackers have made. This is vital if you can’t track down the file or code causing problems and remove the threat. The only thing is you have to know how far to wind the clock back – a safe point before your site got hacked.
With regular health checks you can spot problems quickly and simply rewind back to the last check, knowing everything was in order. Otherwise, you might have to go back further than you want and lose a lot of content or other updates.
Chances are you can always rewind back one month without losing anything too valuable, so we recommend a monthly health check for your site. If you can get away with longer, then fine – you need to make that call.
It’s also a good idea to run checks after making any major changes to your site. Once you know everything is OK, back up again so you have a restore point taken after your changes were made. This way those changes are protected and you save a whole lot of work if security problems come your way.
What do I do if my site gets hacked?
If the worst happens and you fall victim to an attack, there’s no need to panic. If you follow all the steps we’ve covered in this article, you’ll be able to spot any breaches quickly, pinpoint where the problem is and put things right quickly.
Prevention is always the best cure, but the steps we’ve looked at so far will also minimise any damage if you do get hacked. So stay calm and run through this quick checklist:
- Scan your device first: To make sure it’s not your computer with the problem, rather than your site.
- Scan your website: Next, scan your site using your WordPress security plugin to confirm your site has been breached.
- Find the infected file: If your plugin fails to pinpoint the infected file, follow these instructions to find it yourself.
- Remove the infection: Which could involve bringing that developer back again (we love those guys!)
- Or restore to a safe backup: If you can’t find the file/code causing problems.
- Contact your hosting provider: To find out if the infection is unique to you (especially if you’re on a shared hosting package).
Once you’ve removed any suspicious files/code from your site, it’s time to run through our list of steps again. Update to the latest version of WordPress, change all your passwords and get your trusty developer to move access points to new URLs once again.
Hopefully, you can see why regular backups are so important. These are your emergency exits from particularly tricky hacks that can be hard to find, and without them your only option could be to shut down your site and start from scratch!
The vast majority of hacks are completely preventable but too many website owners find this out the hard way. You don’t need to make the same mistake. Give WordPress security the attention it deserves and cover the essentials on a regular basis – that’s normally all it takes.