A large percentage of our users run their websites on WordPress. The content management platform is incredibly user-friendly and is used by everyone from major corporations to small businesses. Unfortunately, a default WordPress install is not hardened, as a massive compromise announced in mid-December showed: over 100,000 WordPress sites were infected with malware, reminding everyone just how exposed they were. WordPress' popularity makes it one of the easiest content managers to use, but it also makes it a very attractive target for hackers and spammers.
While WordPress out of the box is not hardened, there are some things you can do to protect yourself and your website. It's worth the time investment; after all, this is your business and your livelihood on the line. There are lots of tips and tricks out there, but here are a few things you can do to start.
1: Keep WordPress a Lean, Mean, and Constantly Updated Machine
When you log onto your WordPress dashboard, are you confronted with multiple pop-ups reminding you of how many updates you need to make? There's a reason why those notifications are so prominent: attackers routinely exploit known security holes in plugins, themes, or WordPress itself, and they scan for sites that have not applied the fix yet. Updates frequently contain security patches for issues like these, so keep WordPress core and all of your plugins and themes up to date, and read the changelog when an update is flagged as a security release.
Speaking of plugins: fewer is better. Every plugin is code that runs with the full privileges of your site, so if you have something you're not using anymore, disable and remove it instead of letting it sit, get out of date, and possibly become vulnerable (a deactivated plugin's files are still on disk and can still be attacked directly). If a plugin's creator abandons it (which happens from time to time, especially with free plugins) you shouldn't use it unless you absolutely have to. When choosing plugins, go with ones that are updated on a regular basis and have a recent "last updated" date in the plugin directory. This is one advantage of premium or paid plugins: the financial incentive usually means the author keeps maintaining it, although paying for a plugin is no guarantee that its code is secure.
2: Delete the Admin Account
Older WordPress installs created a user named 'admin' by default, and a great many sites still have one. Attackers know this, and 'admin' is the first username they try when they attempt to brute-force their way into a site. So don't use 'admin' as your login name! Go to 'Users' → 'Add New' in the WordPress dashboard and create a user with a name of your own. Give that user the Administrator role, log in as it, and then delete the 'admin' profile; when WordPress asks what to do with the old account's content, attribute its posts to your new user rather than deleting them. That gives hackers one less known username to work with. Also go to Your Profile and set a nickname to be shown on your posts, so that your login name isn't being broadcast every time you publish something. Note that this only changes the display name: on a default install the login name still leaks through author archives (for example, /?author=1 redirects to /author/<username>/), so treat the username as a speed bump, not a secret. What actually stops guessing attacks is a strong password and limiting login attempts.
3: Strengthen Your Password
This may be a no-brainer, but it's scary how many computer-savvy people still have terrible passwords that leave them open to account takeover and data breaches. Don't leave yourself vulnerable to a password-guessing attack by using a short password or a common phrase. Length matters more than clever substitutions: use a long, randomly generated password (or a passphrase of several random words), mix letters, numbers, and punctuation if the site allows it, and never use the same password on two different sites, because a breach at one site is then a breach at all of them. Use a password manager such as LastPass to generate and store your passwords securely if you know you won't remember a really randomized one.
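As an added illustration of the point above (this is example code written for this page, not part of the original post or of any WordPress component), the following Python script generates passwords from the CSPRNG, estimates how large the search space is, and rejects passwords that are short or on a tiny constructed list of common passwords. The COMMON_PASSWORDS set is a stand-in for a real breach-derived list, and the 7,776-word figure used to compare a passphrase assumes a Diceware-style word list; both are assumptions, not data from the page.

```python
import math
import secrets
import string

# Constructed stand-in for a breach-derived common-password list; a real check
# would consult a full corpus such as the Pwned Passwords data set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "wordpress"}

PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list; a real passphrase generator uses a list of
# several thousand words (the EFF long list has 7,776).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "mosaic", "velvet"]


def random_password(length=20, alphabet=PRINTABLE):
    """Uniformly random password drawn with `secrets` (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count=6, wordlist=SAMPLE_WORDS, sep="-"):
    """Random words joined by a separator; strength depends on the list size, not the words."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(picks, pool_size):
    """Search space, in bits, of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def check_password(password, min_length=12, min_bits=60):
    """Return (ok, reason). Rejects list members and short passwords, then estimates
    the search space from the character classes actually present."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears on common-password list"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    bits = entropy_bits(len(password), pool)
    reason = f"estimated {bits:.0f} bits of search space"
    return bits >= min_bits, reason


if __name__ == "__main__":
    print(random_password(), check_password(random_password()))
    print(random_passphrase(), check_password(random_passphrase()))
    # A 20-character random password from 94 symbols vs. a 6-word passphrase
    # from a 7,776-word list: both land near or above 77 bits.
    print(entropy_bits(20, len(PRINTABLE)), entropy_bits(6, 7776))
```

The estimate in check_password is an upper bound (it assumes every character was chosen uniformly), which is why the common-password list is checked first: "P@ssw0rd!!!!" scores well on character classes and is still one of the first guesses any attacker makes.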
4: Install a Good Security Plugin
Whether free or paid, there are lots of good plugins available which boost your WordPress security. We're personally fans of Wordfence, which has both a free and a premium version. It provides a malware scanner and a web application firewall, limits login attempts, and plugs you in to a shared threat feed: an IP address seen attacking one Wordfence-protected site can be blocked on the other sites using Wordfence. There are many options for WordPress security, so do some shopping around to see which service will best suit you, but no matter what, get yourself a reputable, well-maintained security plugin. It may cost you nothing but a few minutes of your time, and it will stop a lot of the automated attacks (brute-force logins, scans for known-vulnerable plugins) that hit every WordPress site. Keep in mind that a security plugin runs inside WordPress itself, so it is a complement to updates, strong passwords, and backups, not a replacement for them.
5: Back Up Regularly
This appears to be one of the hardest lessons to learn, because even computer-savvy people consistently lose their data and don't have a well-maintained backup copy. It's a huge risk to take, and believe us when we say that reconstructing a site without a backup is time-consuming and expensive. Other security measures may fail, but if you have a recent backup of your website then you can recover even if the worst happens and you need to scrap everything and start over from scratch. A WordPress backup has two parts: the database (posts, users, settings) and the files, above all wp-content with your uploads, themes, and plugins, plus wp-config.php. The WordPress Codex has an extensive and well-written tutorial on how to back up your website. There are plugins available that will export your website data automatically, even to a service like Dropbox, so you'll always have a copy stored somewhere other than the server itself. Back up your site before upgrading WordPress as well, just in case something goes wrong, and restore a backup to a test site at least once so you know it actually works before you need it.
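The following Python script is an added, self-contained example of the two-part backup described above; it is not from the original post or from any backup plugin. It reads the DB_* constants out of wp-config.php, builds a mysqldump command that passes credentials through a mode-600 defaults file rather than on the command line (where `ps` would show the password), and writes wp-config.php plus wp-content into a timestamped tar.gz, reading the archive back to verify it. The sample wp-config.php and the "site" it archives are constructed inside a temporary directory so the script runs offline; the mysqldump command is built but deliberately not executed, since no database is assumed to exist.

```python
import re
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Matches define('DB_NAME', 'value') with either quote style and optional spaces.
# Values containing a quote character are not handled; this is an illustration.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Constructed wp-config.php fragment with made-up credentials.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'S3cret-Pass' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Return the DB_* constants from wp-config.php source as a dict."""
    return {k: v for k, v in DEFINE_RE.findall(text) if k.startswith("DB_")}


def write_defaults_file(cfg, path):
    """Write a MySQL option file holding the credentials, readable only by the owner."""
    path.write_text(f"[client]\nuser={cfg['DB_USER']}\npassword={cfg['DB_PASSWORD']}\n")
    path.chmod(0o600)


def mysqldump_command(cfg, defaults_file):
    """argv for a consistent InnoDB dump; the password never appears in the argv."""
    return [
        "mysqldump",
        f"--defaults-extra-file={defaults_file}",  # must be the first option
        "--single-transaction",
        "--host", cfg.get("DB_HOST", "localhost"),
        cfg["DB_NAME"],
    ]


def archive_site(site_root, dest_dir):
    """tar.gz wp-config.php and wp-content; return (archive path, member names) after read-back."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = Path(dest_dir) / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name in ("wp-config.php", "wp-content"):
            src = Path(site_root) / name
            if src.exists():
                tar.add(src, arcname=name)
    with tarfile.open(archive, "r:gz") as tar:  # verify the archive reads back intact
        members = tar.getnames()
    return archive, members


def demo():
    """Build a constructed site in a temp dir, back it up, and return what was produced."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed")
        cfg = parse_wp_config((site / "wp-config.php").read_text())
        defaults = Path(tmp) / "backup.cnf"
        write_defaults_file(cfg, defaults)
        argv = mysqldump_command(cfg, defaults)
        # On a real server: subprocess.run(argv, stdout=open(dump_path, "wb"), check=True)
        archive, members = archive_site(site, tmp)
        return {"cfg": cfg, "argv": argv, "members": sorted(members),
                "size": archive.stat().st_size, "mode": defaults.stat().st_mode & 0o777}


if __name__ == "__main__":
    result = demo()
    print(" ".join(result["argv"]))
    print(result["members"], result["size"], "bytes")
```

A real backup job would run the mysqldump command, add the resulting .sql file to the archive, and then copy the archive off the server (Dropbox, S3, another machine); a backup that lives only on the same disk as the site disappears in the same incident.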