WordPress is a great tool for managing your website, but WordPress security isn’t a given. Due to its popularity, there are various bad actors looking to hack WordPress websites. That’s why we’ve compiled this quick guide to making sure your WordPress website is secure.
1. Choose a good quality hosting provider
Your website is only as secure as the server it runs on. By choosing a proactive hosting provider that keeps servers up-to-date, running the latest versions of software, and applies security patches as soon as they become available you’re ensuring that your website has a good solid secure foundation to run upon.
As well as keeping things up to date, servers should be equipped with a firewall to keep out malicious traffic and stop attacks before they gain any level of access to your website.
2. Always use a strong password, and don’t use the built-in username
By default, WordPress will suggest the username “admin”, which should always be changed. If attackers don’t know the admin username for your website you are much less susceptible to brute force attacks. We also suggest avoiding combinations like company_admin, or firstname.lastname.
Strong passwords will also go a long way to protecting your WordPress site. Take a look at this list of the top 200 passwords – if your password is here please change it immediately.
By selecting a secure password, such as Carrot-Dog-Laptop-9, brute force attacks (where the attacker will try thousands of password combinations, starting with the most common) are virtually impossible, with our example password taking 5 hundred quadrillion years for a computer to guess. (Source: https://howsecureismypassword.net/)
3. Install a WordPress security plugin
There are many great WordPress security plugins out there. Our #1 and the one we use on all of our hosted websites is WordFence.
WordFence includes various tools and security additions including firewall, brute force protection, cross-site scripting (XSS) protection, leaked password protection, and file change detection.
By running regular WordFence scans on your website you can see where changes have been made, any plugins which have vulnerabilities, and in the worst-case scenarios restore your site using official plugin and theme sources.
4. Enable 2-factor authentication
Thanks to increased adoption across websites and services, you’re likely to have seen 2-factor authentication before. This is where you are sent a code via text, or via an authenticator app which you have to enter before logging in.
This is available on WordPress via wordfence. We recommend that users turn this on for eCommerce websites or any website that handles customer data.
5. Don’t use nulled themes and plugins
Nulled themes and plugins are versions of premium software that have been modified to remove the need to purchase a license.
Under no circumstances should these be installed on sites. You cannot verify the integrity of a nulled plugin/theme which could be opening all sorts of backdoors and points of entry for bad actors.
Conclusion – keep WordPress Security a priority
When taking the right precautions your WordPress website will be safe and secure. Follow our advice above and make sure you’re applying regular updates to your website to ensure you run the latest secure version of WordPress and any themes/plugins.
We are here to help – if you need some assistance with securing your site, or would like a security audit then contact us via firstname.lastname@example.org and we’ll do our best to assist.