02 May WordPress Security – How to secure a WordPress website
Concerned about your WordPress security? Want the Ultimate Guide to secure your WordPress website?
Did you know every week Google blacklists around 20,000 websites for malware and 50,000 for phishing?
We often see sites get hacked for many reasons. You probably say… ‘My website isn’t a target, I’m just a little business on the web, why would they want to hack my site’.
To help answer that question… here is a great little video on what motivates spammers:
Basically, hackers and spammers are just trying to automatically get extra visitors to their own websites by leveraging your website's traffic, e.g. they will access your site and add links to their own website. It doesn't matter how big or small your business is.
Here are some great tips to help improve your website security today!
It is important to keep your WordPress up to date, just like any other software, for security reasons. For example, your iPhone has regular iOS updates, and these updates include security updates, bug fixes, new features etc. Or think about it in terms of everyday items such as a car: caring for or maintaining a website is very much like caring for your car. It's a lot cheaper and less time consuming to have a professional regularly look after it than to get repairs when something goes wrong. We are here to help guide you on some simple basics that you can apply to your site today to make it secure. If it feels a little scary or too much, we are here to help.
Here are a few tips on how to keep your WordPress site secure:
Update WordPress, Theme and Plugins
Ensure your WordPress version, theme version and plugins are updated to the latest version. Read more about this on our blog ‘How to keep your WordPress site up to date‘.
Updates should be done in the following order:
2. Theme files
Note: Plugins should be updated as often as you can, as this is one of the biggest areas where hackers can gain access to your site. Make sure you do complete backups before any updates, as some updates may break your site if they are not compatible with other versions of your theme files or WordPress, or the settings of those updates could have changed a fair bit.
Passwords are very critical to keeping your WordPress secure, especially when you run multiple sites. Here are some tips on how to make sure your WordPress password is secure:
- Include numbers, capitals, special characters (@, #, *, etc.)
- Be long (10 characters – minimum; 50 characters – ideal)
- Can include spaces and be a passphrase (Just don’t use the same password in multiple places)
- Change passwords every 120 days, or 4 months
A great way to do this is to automatically generate your WordPress password:
You can also use the iThemes Security plugin to help enforce strong passwords and set password expiry dates.
The most obvious usernames to avoid are 'Admin' and 'Administrator'; they are the most common usernames attempted in brute force attacks. Also avoid using your domain name, company name and the names of people who are writing for your blog or are listed elsewhere on your website.
Avoid using common usernames as well as your company name or the names of people who write your blog (authors) or are listed on the site. Don't use the following usernames, as they are the most common usernames to get hacked:
- admin – DON’T use this… it’s always the first one tried when hacking a site.
- domain name
- company name
- team members/company owners
Add the Wordfence plugin to help monitor your site. The free version is great, and you can also pay for a Pro version for more advanced features such as country blocking.
Once you have added Wordfence, enable the login security:
- enforce strong passwords – this is useful if you have multiple people managing your site; that way you can ensure people use strong passwords when they set their own.
- limit login attempts – go to Wordfence > Options and limit your login attempts, e.g. set your login attempts to 2-5
- lock users out after a number of forgotten-password attempts. You can also set how long a locked-out user stays locked out, e.g. 6 hrs, 300 days and so on.
- In Options you can automatically lock out people who attempt to log in with specific usernames such as admin, administrator, your domain name or your company name.
There are many more
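The password rules above and the Wordfence login-security settings (attempt limit, timed lockout, locking out known-bad usernames), as an added stand-alone Python simulation that is not Wordfence or iThemes code; MAX_ATTEMPTS of 3 is one value from the 2-5 range the post suggests, and the company and domain names in BLOCKED_USERNAMES are placeholders:

```python
import re
from dataclasses import dataclass, field

# Policy values taken from the post: 10-character minimum, 2-5 login attempts,
# and a lockout period of e.g. 6 hours. The company/domain names are placeholders.
MIN_PASSWORD_LEN = 10
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 6 * 3600
BLOCKED_USERNAMES = {"admin", "administrator", "examplecompany", "example.com"}


def password_policy_problems(pw: str) -> list:
    """Return the rules from the post that the password breaks (empty list = acceptable).
    Spaces are allowed, so a passphrase with a number, a capital and a symbol passes."""
    problems = []
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append("shorter than 10 characters")
    if not re.search(r"\d", pw):
        problems.append("no number")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9\s]", pw):
        problems.append("no special character")
    return problems


@dataclass
class LoginGuard:
    """Per-username failed-login counter with timed lockouts, mirroring the
    Wordfence options described above (limit attempts, lock out, block usernames)."""
    failures: dict = field(default_factory=dict)      # username -> recent failure count
    locked_until: dict = field(default_factory=dict)  # username -> unix time lockout ends

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        name = username.lower()
        if name in BLOCKED_USERNAMES:              # "admin" etc. are locked out on sight
            self.locked_until[name] = now + LOCKOUT_SECONDS
            return "locked: blocked username"
        if self.locked_until.get(name, 0) > now:   # still inside an earlier lockout
            return "locked: too many attempts"
        if password_ok:
            self.failures.pop(name, None)          # a good login clears the counter
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_ATTEMPTS:
            self.failures.pop(name)
            self.locked_until[name] = now + LOCKOUT_SECONDS
            return "locked: too many attempts"
        return "failed"
```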
Two Factor Authentication
Need an extra layer of security if your passwords aren't strong enough? iThemes Security Pro's WordPress two factor authentication requires users to enter both their regular password and a second code sent to their smartphone (Android or iPhone). This adds an extra layer of security that verifies it's actually you logging in and not someone who gained access to (or even guessed) your password. You would be surprised how many robots crawl your site guessing different login options.
WordPress Malware Scanning
You can install the free plugin Sucuri Security. With this plugin you can scan your site for malware as well as get alerts for any successful logins or changes to your site.
Check your site today for Malware: Site Check – Scan your Website
Here is a video overview of the plugin:
For extra security we can install Sucuri for you. This is a good option if you don't have time to keep your website up to date each month (even though this is highly recommended). Features of Sucuri include:
- Automatic scans every 4-12 hours for Malware and attacks
- Malware removal
- Advanced website protection: a cloud-based protection platform with a custom Web Application Firewall (WAF) / Intrusion Prevention System (IPS) that proactively mitigates attacks against a website, including Distributed Denial of Service (DDoS), brute force, and automated attacks looking to exploit software vulnerabilities.
- Website Blacklist Monitoring & Removal
- Distributed Denial of Service (DDoS) Mitigation
The cost for this is $285 + GST per year. We set Sucuri up on your site, and if there are any hacks we will manage the removal for you. Contact Robyn – email@example.com to get this activated.
A good host takes extra security measures to protect sites. Keep in mind shared hosting can also impact your website. For example, if another website on the same shared hosting gets hacked, there is a chance your site can be hacked too. This is often referred to as cross-site contamination. A very popular host is WPEngine.
Always keep backups of your website. Check with your hosting provider what their backup policy and costs are. Some hosting providers don't provide backups and it's up to the customer to do the backups, while others do daily backups, monthly backups etc. If your hosting provider does not have a backup option, you can install BackupBuddy to do your own manual backups and keep them on your computer or Dropbox.
If all this seems too much for you or sounds a bit scary, contact Robyn – firstname.lastname@example.org for our maintenance packages. As part of our maintenance packages we will take regular daily website backups, update WordPress, theme and plugin versions when available, clean the database.
Here are some more resources for you if you would like to learn more about WordPress security or extra steps you can take, such as disabling your editor, hiding your wp-admin login page etc.
- 10 Tips to Improve Your Website Security
- WPBeginner has put together a very good in-depth guide on how to make your site secure – The Ultimate WordPress Security Guide – Step by Step (2017)
- Understanding WordPress Vulnerabilities
- Site Check – Scan your site for Malware
- Has Google Blacklisted Your Website?
- Is your website infected? Hacked?
- Learn more about WordPress Security?
- Monitor WordPress for Security Issues?
- Need more info on PCI Compliance?
- Website under a DDoS Attack?
- Worried about Software Vulnerabilities?