How To Keep Your WordPress Website Secure
This post contains affiliate links, which means that if you click through and make a purchase we may earn a commission. You can read my full affiliate disclosure by clicking here.
While it’s something that we often don’t pay much attention to, security is probably one of the most important aspects of owning a website.
You might not have been in the situation yet where you get hacked, but I promise it’s not a good place to be, and therefore the more steps you can take to prevent it, the better.
Why would a hacker be interested in me, you might ask? After all, many of us run small businesses and don’t see the value of our ‘little’ website. The truth is that websites get hacked for many reasons, and there are people trying to break into sites every day. They may want to plant malicious code; add links that redirect your readers to dodgy sites (think adult, gambling, and worse); or use your server for cryptocurrency mining. The important point is that they aren’t doing this slowly, site by site: they use bots and software that automate everything, so a small, obscure site gets probed just as readily as a big one.
Whatever the reason, you want to protect one of your most important business assets.
I can’t give you one cure-all solution for that, or guarantee that you aren’t going to run into issues, but the more levels of protection you have in place, the better. Therefore, let’s look at what can help to protect your site.
Backups
WordPress is open source, which is amazing in many ways, but most sites also run a collection of third-party plugins and themes, and all of that code needs to be kept up to date. It’s vital to make sure that your website is backed up, so that if something breaks when you run those updates, or if the worst happens and you do get hacked, you always have a copy you can restore.
First, check with your hosting company whether they run backups. Some include them in your package and some don’t, so ask. If they do, ask how long they keep them for. Many keep 30 days; if it’s any less than that you may have a problem, because you may not notice immediately that you have been hacked, and by the time you do, every remaining backup could already contain the attacker’s changes. So the longer backups are kept, the better. Also ask where they are stored: a backup that lives only on the same server as the site is lost along with it if that server is compromised or fails.
There are free backup plugins for WordPress; one of the best known is Updraft Plus. It’s a great option, but you need to decide where the backups will be stored. You can have them emailed to you, but a backup larger than about 25 MB will be rejected by most mail servers, so set up a remote destination such as Dropbox or another cloud storage service, away from the web server itself.
What I use for my own backups is Blogvault (which also has the option of adding a security level too). It is a paid service, but it’s one where they keep backups going back for at least 90 days (longer on some packages) and it’s very easy to restore the site should you run into any issues. I’ve done it!
Whichever path you choose, set up at least one backup method and test a restore once, so you know the backup is actually usable. If you lose your site you can lose weeks, months or even years of work, and no-one wants that!
Strong Passwords
Passwords that aren’t strong enough can be guessed and used by others. It’s not like it is in the movies, where one person sits there trying to work out the name of your first pet (although it could be like that if the attacker is someone close to home!). Instead, it’s software that can try enormous numbers of guesses automatically in a very short time, starting with common passwords and ones leaked from other sites.
Therefore, make sure you create random passwords made up of a mixture of upper and lower case letters, numbers and other characters. When WordPress generates a password for you it is usually 24 characters long, which is a great length. Don’t go for anything below 16 characters: a random password of that length would take an impractically long time to guess exhaustively, whereas a short one or a dictionary word can fall in hours.
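To put numbers on that, here is an added Python example (written for this post, not code from WordPress or any plugin) that generates a random password from the operating system’s secure random source and estimates how long trying every possible password of a given length would take. The 94-character alphabet and the guess rate of 10^11 per second are assumptions chosen for the comparison; that rate is an offline cracking speed, far above what a bot can manage against a live login form, so the real-world margin is larger still.

```python
import math
import secrets
import string

# Assumed alphabet: upper, lower, digits and punctuation (94 printable characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Return a random password drawn from the OS CSPRNG (the secrets module),
    retrying until it contains at least one character from each class so it
    satisfies the usual 'mix of characters' rule."""
    if length < 4:
        raise ValueError("need at least 4 characters to include every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for `length` characters chosen uniformly from
    `alphabet_size` symbols, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Years needed to try every password of this length at the given rate.
    The rate is an assumed attacker capability, not a measured figure."""
    keyspace = alphabet_size ** length          # exact integer, no overflow
    seconds = keyspace / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(24)
    print(f"generated: {pw} ({entropy_bits(len(pw)):.0f} bits)")
    # Assumed attacker speed: 1e11 guesses per second (a large offline cracking rig).
    for n in (8, 12, 16, 24):
        print(f"{n:2d} chars: {entropy_bits(n):5.1f} bits, "
              f"{years_to_exhaust(n, 1e11):.3g} years to exhaust")
```

Running it shows the jump length makes: an 8-character random password from this alphabet is exhausted in under a day at the assumed rate, while 16 characters takes on the order of ten trillion years. Any pattern or dictionary word shrinks the keyspace enormously, which is why the password must be random, not just long.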
Also, we hear in the news that data breaches happen every day, so don’t reuse the same password on more than one site, change your passwords regularly, and change one straight away if the site it belongs to reports a breach. Keep them in a safe place, ideally a password manager, which can also generate random passwords for you.
If others log into your website, also make sure they are using strong passwords.
Another tip is to make sure that your user name isn’t ‘admin’, because that is the first name the bots try. WordPress won’t let you rename an existing user from the dashboard, so create a new administrator account with a different login name, log in as that user, and delete the old ‘admin’ account, attributing its posts to the new account when prompted. Bear in mind that the login name can be discovered from your author archive page, so pick something that isn’t shown publicly and make your display name different from it.
You can go to additional levels, like adding a CAPTCHA to the login form, which makes it harder for bots to hammer it, or two-step (two-factor) authentication, so that a code from an authenticator app or sent to your phone is required each time you log in. Two-factor authentication is the single change that does most to blunt password guessing, because a guessed password on its own is no longer enough.
Keep Your WordPress Dashboard Updated
When you log into your WordPress dashboard you will often see that there are updates that need doing. These can be to WordPress core itself, to your theme or to plugins.
First, if there are any plugins or themes in there that are deactivated and that you aren’t using, delete them. They clutter your site and, because their files stay on the server whether or not they are active, a known flaw in an unmaintained one can still be a way in.
Next, run your updates regularly. Add a reminder to your calendar to log in at least once a week and do them, and check sooner if you hear of a security release for something you use. WordPress installs minor core releases automatically by default; leave that switched on. Always make sure your site is backed up first, because it’s when you are running updates that incompatibilities can break things. Better to be safe than sorry and have the site backed up.
Use a Security Plugin
There are many plugins out there that can help with security and some hosts also offer protection at the server level. You may need to shop around and find what’s best for you.
Even if you don’t have a budget you can use a plugin like Wordfence (which has both free and paid options). One of the ways these plugins help is by limiting login attempts: if a bot bombards your login page with guesses, the address it comes from is locked out after a set number of failures. They also offer a web application firewall that blocks known attack patterns before they reach WordPress, and a scanner that compares your core files against the originals to spot tampering.
Another option is to go with a service like Sucuri, who can also clean up malware from your site if you are already infected.
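To show what ‘limiting login attempts’ means in practice, here is an added Python example (written for this post, not Wordfence’s or any other plugin’s code) that reads web-server access-log lines and flags any address that fails too many logins within a short window, which is the rule a login limiter applies live. It assumes the standard Apache/nginx combined log format, treats a POST to wp-login.php answered with status 200 as a failed attempt (WordPress re-shows the form on failure and redirects with 302 on success), also counts POSTs to xmlrpc.php, and the log lines it runs over are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log sample in Apache/nginx "combined" format (not from a real site).
# 203.0.113.7 hammers the login form; 198.51.100.20 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:09:00:02 +0000] "GET /about/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""

# Fields needed from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip, time (timezone-aware), method, path and status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query string
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """Heuristic assumed by this example: WordPress answers a failed wp-login.php
    POST with 200 (the form again) and a successful one with a 302 redirect to
    the dashboard. xmlrpc.php replies 200 either way, so every POST to it is
    counted as a guess, since bots abuse that endpoint for password guessing."""
    if rec["method"] != "POST":
        return False
    if rec["path"].endswith("/wp-login.php"):
        return rec["status"] == 200
    return rec["path"].endswith("/xmlrpc.php")


def find_brute_force(log_text, max_failures=5, window_seconds=300):
    """Sliding-window rule: an IP is locked out the moment it reaches
    max_failures failed logins within any window_seconds span.
    Returns {ip: time of lockout} for each offending address."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    locked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures and rec["ip"] not in locked:
            locked[rec["ip"]] = rec["time"]
    return locked


if __name__ == "__main__":
    limit = 5
    for ip, when in find_brute_force(SAMPLE_LOG, max_failures=limit).items():
        print(f"lock out {ip}: {limit} failed logins by {when:%H:%M:%S} UTC")
```

On the sample, the bot at 203.0.113.7 is locked out at its fifth failure, while the genuine visitor, whose single POST was answered with a redirect, is never counted. A live plugin applies the same counting as requests arrive rather than after the fact; running a script like this over yesterday’s log is a cheap way to check whether your login page is already being attacked.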
Get An SSL Certificate
An SSL certificate (strictly, a TLS certificate) is what lets your site be served over https instead of http. The connection between the user’s browser and your server is then encrypted and authenticated, so a login password or a reader’s personal details can’t be read or altered in transit by anyone on the network in between. Once the certificate is installed, configure the site to redirect every http request to https so visitors never land on the unencrypted version. Many hosts now provide a certificate for free. Bear in mind that a certificate protects data in transit only; it does nothing to stop the site itself being hacked, which is why the other measures above still matter.
Furthermore, the search engines encourage it: Google treats https as a ranking signal, and Chrome labels plain http pages ‘Not secure’, which puts visitors off. Another definite advantage to adding one to your site.
These certainly aren’t the only ways to secure your site, but they are a good place to start. It’s also impossible to guarantee that you won’t get hacked, but again that’s why the ability to restore from a backup is so important.
Every type of website, whether WordPress or another platform, is vulnerable to someone gaining access to it. It’s not worth losing sleep over, but it is worth putting the foundations in place to protect your site so it can continue being a valuable asset.
If you found this post helpful I would love if you would share it, to help others out there who don’t have these security measures in place. Let’s spread the word to help make the internet a safer place.
Thanks for this Alison, helps me to feel more secure to be implementing these suggestions
Thanks Josephine. Really glad it was helpful ☺