How to Keep your WordPress Website Secure

WordPress powers over 30% of websites around the world (W3Techs). Unfortunately, due to its popularity, hackers often target it. On the bright side there is a large community of WordPress experts and when a security vulnerability is reported they work hard to release an update to fix any issues. Therefore if you are not using the latest version of WordPress, then your website is more vulnerable to being hacked.

WordPress updates are crucial for the security and stability of your website and should not be overlooked. In Sucuri’s report they found that 39.3% of hacked WordPress websites recorded outdated installations in 2017.

We are also not surprised to see that in 2017 (WP White Security) 73.2% of the most popular WordPress websites were not running the latest version of WordPress and were therefore vulnerable to attacks.

By default, WordPress will automatically install minor updates; however major update releases will need to be manually carried out. It is also important to remember to update any plugins and themes that are installed and delete any that are unused.

Please note that it is important that before carrying out any updates that you:

• Take a full backup of your website.
• Review the release notes of any plugins to check if any changes will have a negative impact on your website.

Fully check your website after an update to ensure it is working as expected and that the themes, plugins and extensions are compatible with the latest version of WordPress.

Weak passwords are also a common reason why WordPress websites are often hacked.

Any website users with accounts should have strong passwords. They should also be unique and not used for any other online accounts. If you use the same password multiple times and someone hacks one website that you have an account with they will then be able to login to your accounts on other websites.

All passwords should contain at least one uppercase character, 1 lowercase character, 1 digit and 1 special character. There should also be no repeating characters and the letters should be random. WordPress comes with a password generator so this can be used to ensure that they are strong.

Your email password should also be strong because if a hacker can gain access to your emails they can then use this to reset your website’s admin password and again access.

You can also force strong passwords for any other users who sign-up for an account on the website by using a plugin such as Force Strong Passwords.

One of the main reasons people do not like to use unique and strong passwords is that they struggle to remember them. You can opt to have your browser remember the password (don’t do this on public computers) but to be extra secure you can use a password manager such as LastPass.

Using a password manager eliminates the need to write down your passwords.

Another common mistake is that users have the username admin, which is easily guessed by hackers.

When you are on shared hosting your website will be on a server along with many others. If one website gets compromised (perhaps because it has an out of date version of WordPress installed) a hacker can then easily infect other websites that are on the same server.

You could opt to have a dedicated server where you are the only website on the server, this does however have cost implications. Alternatively, you could choose a managed WordPress hosting package where things like your updates are taken care of automatically and therefore so is everyone else’s on the server.

We recommend to all of our WordPress customers that they invest in a security plugin such as Securi or Wordfence.

They come with a firewall to help to prevent malicious traffic reaching your website and you will quickly be alerted if your website becomes compromised. They also come with a range of tools to help to further protect your website, for example you can limit login attempts and block IP addresses and countries. You can also setup what is known as two-factor authentication. With Wordfence once two-factor authentication is enabled you will be sent a text message when attempting to login to admin area which will provide you with a pin number to login to your account.

A SSL certificate creates an encrypted connection, which in turn will make your website more secure. They help to protect the transfer of sensitive information such as credit card numbers, passwords, and usernames. Additionally, Google now provides a slight ranking boost to websites using HTTPS.

You will need to pay an annual fee for a security certificate; the best place to purchase one would be via your hosting provider.

If you implement the suggestions above you will be well on your way to maintaining a secure WordPress website. There are also things that your web developer can do if you want to tighten your security even further including:

• Disable file editing
• Disable PHP file execution in certain WordPress directories
• Change the WordPress database prefix
• Password protect login page
• Disable directory indexing and browsing
• Disable XML-RPC
• Automatically log out idle users
• Add security questions to the WordPress login screen