WordPress Security – 9 Steps You Should Take

You hear about hacking, phishing, mining and brute force attacks and wonder about WordPress security. You might also wonder if you really should be worried about it. After all, why would someone want to target the website of the coffee shop you just opened in your town? In a way, you would be right in thinking that. Most likely no one is directly trying to harm you. However, these attacks are automated and hackers release scripts which randomly attack many sites till they find one that is vulnerable.  Once successful, they either hijack the site and ask for ransom, add malicious scripts or just plain vandalize it.  Here you can read a brief article about why your small business website would be of interest to a hacker.  Bottom line is that it is not personal (usually!) but it is an issue to be concerned about.  There is no need to panic, just play it safe.

When I design a website or provide hosting services I take every precaution to make sure that my clients’ sites are protected.  However, security is an ongoing concern and once the site is in your hands there are a few things to be aware of.

9 WordPress Security Steps

1. Reliable Hosting

Having a reliable hosting provider is very important.  Your website might be secure, but if your hosting provider is not, it almost doesn’t matter what you do.  Unless you like dabbling with server software or have staff who can dedicate time to an unmanaged server, the best solution is Managed Hosting on a VPS (Virtual Private Server).  Such a platform does the mundane tasks for you.  What you should look for in a managed hosting platform is:

  • Automated Updates
  • Backups (we get into that soon)
  • Scanning

Managed hosting on a VPS is more expensive than shared hosting and is not for everyone.  If you have a simple landing page and a generally light website you can make do with shared hosting. Beware of cheap $1/month hosting services offering free, unlimited storage and bandwidth.  They deal in bulk and overload their servers, and what they save in costs they sacrifice in security, speed and general quality of service.  Stick with a company you can trust; there are many good providers out there.   We host over 250 sites and know every client by name.  Contact us and we’ll send you tips on server management along with deals on our hosting services.

2. Backup

The lazy man’s security! Who cares about security if you have a fresh copy stashed away? Well, that’s the basic idea. If you have a recent backup you can revert your site to its previous state.  Obviously, it doesn’t mean you should not keep the site secure in general, but it is a final safety net.  We keep weekly backups of all our hosted sites on the Amazon cloud in addition to the routine backups performed by our servers.  This is enough, but you should also keep local backups of your site, even daily if you produce a lot of content.  You will sleep better knowing you have your own backup in addition to the ones your provider keeps.  Backup Buddy is a f-a-n-t-a-s-t-i-c backup plugin.

3. Secure your admin account

Obviously you need a complicated password, but your username should not be very obvious either. Do not use admin, administrator, your site’s name, or your name as your login.  In addition, your user ID number shouldn’t be 1. To check your user ID, first go to Users –> All Users and click the number where your posts are.

In the new window, you can see your user ID number in the browser address bar.

So, if your username is not a safe one and/or your user ID is 1, take these 2 steps:

    1. Create a new User with a proper name such as “badasspizzaman” or anything you like and will remember. Give this user ADMIN rights.
    2. Delete the old user.  (You will be asked if you want to transfer all the posts the old user had to the new one – say yes!)
    3. Use a secure password.  WordPress security (any security actually) depends on that.  The password WordPress suggests might seem like a drag but use it anyway (or create one just as complex).
    4. WordPress security is not that difficult.
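The check and the replacement steps above can be run against an export of the user list. This is an added example, not part of the original article: it assumes a CSV produced by WP-CLI's `wp user list --fields=ID,user_login,roles --format=csv`, and the sample rows, site name and owner name are constructed.

```python
import csv
import io
import re

# Constructed sample, shaped like `wp user list --fields=ID,user_login,roles --format=csv`.
SAMPLE_EXPORT = """ID,user_login,roles
1,admin,administrator
7,Joes-Coffee,administrator
12,badasspizzaman,administrator
15,maria,editor
"""

def _squash(name):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit_admins(export_csv, site_name, owner_name):
    """Return (findings, safe_admin_ids) for the administrator accounts."""
    # Logins the article says to avoid: admin, administrator, site name, own name.
    guessable = {"admin", "administrator", _squash(site_name), _squash(owner_name)}
    guessable |= {_squash(part) for part in owner_name.split()}
    guessable.discard("")
    findings, safe = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if "administrator" not in row["roles"].split(","):
            continue  # only administrator accounts are in scope here
        uid, login = int(row["ID"]), row["user_login"]
        reasons = []
        if uid == 1:
            reasons.append("user ID is 1")
        if _squash(login) in guessable:
            reasons.append("login is guessable")
        if reasons:
            findings.append((uid, login, reasons))
        else:
            safe.append(uid)
    return findings, safe

def replacement_plan(findings, safe):
    """Map each flagged admin ID to the safe admin ID that should inherit its posts."""
    if findings and not safe:
        raise ValueError("create a new administrator before deleting the old one")
    return {uid: safe[0] for uid, _, _ in findings}

if __name__ == "__main__":
    found, ok = audit_admins(SAMPLE_EXPORT, "Joe's Coffee", "Joe Smith")
    for uid, login, reasons in found:
        print(f"{uid} {login}: {', '.join(reasons)}")
    print(replacement_plan(found, ok))
```

The plan refuses to proceed when no safe administrator exists yet, which mirrors the order of the steps: create the new user first, then delete the old one and transfer its posts.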

4. If you work on your site in public areas create an Editor account

If you like to sit in cafes and work on your site, write articles etc., create an Editor account for yourself.  The WiFi (or wee-fee as they call it here in Spain) in those places is very insecure. With an Editor account you can create and edit posts but have no access to the root of your website, so if you are hacked the damage the hacker can cause is limited.

5. Always keep WordPress and your plugins updated.

No need to say much about this except that these updates are often made in response to vulnerabilities or actual attacks, and often plug holes in the website’s wall of defense. Always, always back up your site before updating anything.

6. Do not download free things

That is not exactly true: there are many, many great free plugins and themes – it is one of the things that makes WordPress so amazing.  You have to be careful, though, about where you get these plugins.  Plugins and themes from the WordPress repository are usually fine.  A good indicator is the number of people who have downloaded the plugin and the reviews it has gotten.  And do not download anything from untrustworthy sites.  Themes from a torrent site, for example, are almost guaranteed to carry malicious code in them. Be careful. The themecheck website scans themes and checks their safety, as does the Theme Check plugin.

7. Delete things you are not using

Do not simply deactivate unused plugins and themes; delete them.  I was participating in a discussion about WordPress security when someone asked if “unused plugins are a security risk?” Well, they actually are not more or less of a risk than a plugin that is being used.  Every plugin or theme might have a vulnerability, so by limiting ourselves to only having the ones we need on our system we also reduce the chance of something happening.  Also, and I speak for myself as well, most people don’t tend to update themes and plugins that are not in use.

8. Protect yourself locally

If someone can hack into your Mac or PC then they can access your site as well.  This is an obvious precaution, but make sure you have current antivirus software and a firewall.

9. Get a security plugin

Unless you want to spend your time learning about .htaccess files and how to edit your website’s code to limit login attempts and ban IPs, I strongly recommend a security plugin.  I use one; almost every professional developer or webmaster has a plugin handling WordPress security for him.  There are a few great free ones out there, and I always install iThemes Security on all my clients’ sites.  I install the free one but recommend the pro version.  The benefit of iThemes Security is huge. When you get your first reports of various attacks on your site that were blocked (by the way, almost all of them are attempts to log in with the username ‘admin’) you will see how powerful this plugin is.
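To show what limiting login attempts and banning IPs involves, here is an added example (not code from the article or from iThemes Security) that flags addresses with repeated failed posts to `/wp-login.php` in a web server access log. The log lines are constructed, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: ip, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def sample_log():
    """Constructed access-log lines using documentation IP ranges, not real traffic."""
    lines = [
        f'203.0.113.9 - - [10/Mar/2024:04:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3100'
        for s in range(0, 60, 10)  # six failed logins in under a minute
    ]
    lines.append('198.51.100.4 - - [10/Mar/2024:04:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append('198.51.100.4 - - [10/Mar/2024:04:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 900')
    return lines

def ips_to_ban(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return IPs with more than max_attempts failed login POSTs inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    banned = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue
        ip, stamp, method, path, status = m.groups()
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        # Assumption: a successful login redirects (302); anything else is a failure.
        if status == "302":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:   # drop attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(ips_to_ban(sample_log()))
```

The function expects log lines in chronological order, which is how a server writes them.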

These steps in WordPress security will definitely make your site safer and much more difficult to compromise, so you can worry less about security and focus more on generating business or creating content.
