Protecting Your Website
I’m sure you will have heard time and time again that keeping your WordPress website up to date and secure is of paramount importance. Or, maybe you’ve never heard this before, in which case I will be the first to tell you.
As part of our new Virtual Support offering, we’ve been doing a lot of support work recently and by virtue of this unimportant fact, we’ve been taking a peek under lots of WordPress bonnets.
Now to be honest we’re a little concerned by what we’ve been seeing.
So many sites we’ve stumbled across are running older versions of loads of plugins, themes and sometimes even the WP core.
But we get it, especially when you do a DIY build, you don’t always know what you need to do in order to keep on top of your WP protection.
Don’t make the mistake of thinking you can just install a security plugin and job done!
The Cardinal Rules
Below is a list of the key steps that will help you mitigate your risk of being hacked and better prepare you to be able to resolve any issues with minimal disruption should the worst happen.
Note: this is by no means an exhaustive list. There is so much you can do to protect your site, ranging in levels of complexity, but the following is a simple guide that will put you well ahead of the curve.
1. Do not use ‘admin’ as your username
Admin is the default and by failing to change your username you are doing 50% of a hacker’s job.
2. Use a strong password and change it regularly
WordPress measures the strength of your password; anything below medium is a disaster waiting to happen, and ideally you want a strong password (a mixture of letters, numbers and symbols). If you are struggling to keep on top of your passwords, use a tool such as LastPass which will do the job for you, and don’t forget to change your password on a regular basis!
3. Limit login attempts
WordPress will allow you to enter your login details as many times as you like. This may seem like a great thing when you can’t quite remember your password, but it also leaves you vulnerable to brute force attacks – where a hacker will try to break into your site using a variety of username/password combinations.
You can use a plugin such as Login LockDown to limit login attempts.
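To show what a login-limiting plugin does under the hood, here is an added example (not from the post, and not Login LockDown’s code) of a minimal WordPress must-use plugin built on the core wp_login_failed action, the authenticate filter and transients. The 5-attempt / 15-minute policy and the lal_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Description: Locks out a client IP after too many failed logins.
 * Save as wp-content/mu-plugins/login-attempt-limiter.php to load it.
 */

// Assumed policy: 5 failures within 15 minutes locks the IP for 15 minutes.
const LAL_MAX_ATTEMPTS   = 5;
const LAL_WINDOW_SECONDS = 15 * 60;

// One transient per client IP. This assumes the site is served directly;
// behind a reverse proxy REMOTE_ADDR would be the proxy's address instead.
function lal_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_failed_' . md5( $ip );
}

// Count each failed login; the transient expires by itself after the window.
// Rejections issued by the filter below also fire this action, so every
// attempt made while locked out restarts the 15-minute window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_attempt_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, LAL_WINDOW_SECONDS );
} );

// Runs after WordPress's own username/password check (priority 20) and
// overrides the outcome with an error while the IP is over the limit,
// so even a correct password is refused until the lockout expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_attempt_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( lal_attempt_key() );
} );
```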
4. Backup your site regularly
This is such an important habit to get into, not least because it can save you a lot of stress should the worst happen. Regularly backing up your site can literally be the difference between getting a site back online within hours (sometimes even minutes) and having to do a full rebuild. It can also be the difference between a full restore and lost posts, pages, projects etc.
There are so many plugins you can use to do this, one of our favourites is Backup Buddy. Your host may also do backups for you, but if you are going to rely solely on these (not recommended) always check they/you are backing up both the database and the files.
5. Keep WordPress up to date
As WordPress is an open source platform, it is constantly being developed and updated. When updates are made to the WordPress core you will get a notification on your WordPress dashboard. Don’t ignore it. As well as bringing new features, updates often patch some type of security vulnerability that has been discovered.
6. Keep themes and plugins up to date
As mentioned earlier, we have been behind the scenes of so many sites recently where plugins and theme files have not been kept up to date. On one site there were 20+ outdated plugins. It is so important that you monitor and act on these updates. WordPress flags them with a little orange circle and a number and you can check to see what each update includes by clicking on details.
If it’s a major plugin or theme update then it’s always wise to make sure you have a backup of your site first. Sometimes updates may present a conflict on your site and cause things to go a bit skew-whiff. Having a backup means you can roll back if you need to.
7. Delete any plugins and themes not in use
It’s a common misconception that if a plugin or theme is not active you don’t need to worry about updating it. However, that is not the case and you still have to maintain these files. To save you a little hassle and reduce your risk, as a rule of thumb, if it is deactivated, delete it!
8. Use a good security plugin
Cleaning up hacked sites has sadly taught us that no single security plugin will pick up every issue on a site. However, there are some pretty amazing plugins in the marketplace that will help put you in a position of prevention rather than needing a cure. Our favourite is WordFence and though they offer a premium solution, the free version is extremely robust. We definitely recommend you install and utilise it to complete regular scans of your site.
It will also send you frequent notification emails about your site’s security, which you should pay attention to.
9. Choose a good host
In the dreaded worst case scenario, having a good host can make a world of difference. When selecting a host be sure to see what, if any, security solutions they offer and also check out reviews regarding their customer service. Having a host that you can’t get hold of, or one that takes forever to get back to you, is no good. Equally, having one that is clued up in diddly squat, or is unwilling to help you in a crisis, is also pointless.
We love Siteground and use them for all of our client builds. So far there hasn’t been an issue they couldn’t solve.
10. Install an SSL certificate and force HTTPS
Many people believe that HTTPS is only essential if you are running an e-commerce site or processing personal data. This isn’t strictly true.
Forcing HTTPS has security benefits that even a blog or static site can benefit from, as it ensures that a secure connection is maintained between the site and the browser. What does this mean in English? Essentially, password data is encrypted while it travels between the browser and your site, and this can stop hackers or would-be fraudsters gaining access to your site.
In addition, so many people look for the green padlock nowadays that it really does no harm to show them you have a secure site. Many hosts now offer free SSL certificates via Let's Encrypt.
The Importance of Consistency
Establishing a solid routine is vitally important in keeping your site secure. Just as you schedule social media posts or marketing content, you need to do the same with carrying out your website security check.
Don’t set plugins up and rest on your laurels – after all even a security plugin is still a plugin and so susceptible to exploitation.
Whilst you can undoubtedly automate a lot of what is required, you need to be proactive in ensuring the solutions you have in place continue to work for you!
You should be actively looking at your site at least once a week and more so if you run a high traffic site, an e-commerce site or a membership site.
If you don’t feel you have the knowledge, time or inclination to manage your WordPress security then outsource it.
Here at Defined Digital we offer a range of packages that can take the stress and hassle away from you. We help our clients keep their sites secure and should the unthinkable happen (which we can openly admit that it has) we are on hand to rectify the problem as quickly and painlessly as possible.