No website on the Internet is 100% secure, but that doesn’t mean you should design and develop an awesome online home for your business and leave the back, front, and side doors wide open to intruders. As a small business owner, your website is one of the most important assets your business has. It’s how people find and interact with your business online. It’s where you sell your products and services. And, often where you store some important customer data. Therefore, it makes sense to do whatever you can to protect your business’ website. In this article, I want to share 7 basic WordPress website security tips you can use to help keep your WordPress website safe and secure.
1. Keep Your WordPress Website Updated
Keeping your WordPress website updated is crucial for several reasons. First, updates typically include bug fixes and feature enhancements, which can improve the overall functionality and performance of your website. Second, updates often include security patches that address known vulnerabilities, making it more difficult for hackers to exploit your website.
However, it’s not just WordPress itself that needs to be updated regularly. Plugins and themes also require updates to fix bugs, add features, and address security vulnerabilities. In fact, outdated plugins and themes are one of the most common causes of WordPress security breaches.
In a 2016 survey from Wordfence of hacked website owners, over 60% of the website owners who knew how the hacker got in attributed it to a plugin or theme vulnerability. The irony is that the vulnerabilities in those plugins had long since been patched – site owners just hadn’t updated the plugin to protect their site. Don’t be that business owner.
To ensure your WordPress website is always up to date, it’s essential to regularly check for updates and install them soon after they become available. It’s good practice to patch security vulnerabilities as soon as possible, but sometimes it’s better to hold off on updates until you’re confident they’re safe to install because once in a while an update will cause a conflict with WordPress and could take your site down. You can install updates manually by logging into your WordPress dashboard and navigating to the Updates tab. From there, you are able to view and install available updates for WordPress, plugins, and themes. Alternatively, you can set up automatic updates to ensure that your website is always up to date, but I don’t recommend it.
Whenever possible, you should install updates in a safe and separate environment from your live website. Many website hosting providers offer what’s called a staging environment that works great for this. Testing updates in a sandbox provides an opportunity to try each update without consequences. That way, if a worse case scenario happens and an update breaks your website you don’t have to worry about it affecting your real website, your business, or your customers. You can wait until the update is known to be a safe install or you can spend time troubleshooting the conflict on your own.
2. Use Strong Passwords and Usernames
Weak passwords and usernames are a significant security risk for any website, including WordPress. Hackers have access to automated tools used for guessing passwords and usernames. This level of sophistication makes it much easier for someone to gain unauthorized access to your website if your usernames and passwords are weak or generic. Using strong, unique, and complex usernames and passwords makes yours much more difficult to crack.
When creating passwords, it’s highly recommended to use a combination of uppercase and lowercase letters, numbers, and symbols. Avoid using dictionary words or personal information, such as your name, address, or birthdate. Instead, use a random combination of characters that would be difficult for anyone to guess. You could even use a phrase instead of a word.
If you need help generating a strong password try using a password generator. Popular password management services like LastPass and 1Password both offer a free password generation tool. Try them out.
You should also change your password regularly, ideally every three to six months.
For usernames, avoid using ‘admin’ or anything else that is easily guessable. Instead, use a unique username that is not related to your website or personal information. If you have already created a WordPress administrator account with the ‘admin’ username, it’s a good idea to create a new account with a different username and delete the old account.
Don’t reuse your passwords. Instead, use a unique password for every business critical or service you login to. That way, if another company you’re registered with experiences a password leak you’ll only need to update a single password. Imagine how much work it would be if you reused the same password on every site and had to spend a day or two changing them all.
if you’re worried about remembering your passwords, use a password management service. The 2 I mentioned above are both great password managers. They’ll help you generate strong passwords, as well as store them in a safe place. And, each provides a method to share individual passwords with people or employees who require access to them for their work without giving out all the keys to your castle. LastPass has a free (forever) personal account option that’s great for small business owners if you’re the only person storing passwords and 1Password comes with a free trial period. However, both are fantastic low-cost options for teams and families.
3. Install a Security Plugin
Installing a security plugin is a simple and effective way to help secure your WordPress website. WordPress security plugins can help detect and block malicious traffic, monitor your website for vulnerabilities, and prevent brute-force attacks. It’s like having an alarm system installed in your home because it will always look out for you (as long as it’s set up).
There are several security plugins available for WordPress, and each one offers a range of features to enhance the security of your website. For example, Wordfence and Sucuri are two popular security plugins that offer features such as malware scanning, brute-force protection, and firewall protection. Both plugins also offer premium features for those who require additional security measures.
Other WordPress security plugins worth checking out include:
Each plugin offers a paid plan, but you’d be surprised at all of the features you can use for free.
When choosing a security plugin, it’s important to consider factors such as ease of use, compatibility with your WordPress version, and the level of support provided by the plugin developer. You should also regularly update your security plugin to ensure that it’s protecting your website against the latest security threats.
4. Use SSL Encryption
SSL encryption is a security protocol that encrypts data transmitted between a website and its visitors. When SSL encryption is enabled, the website’s URL starts with ‘https’ instead of ‘http,’ and a padlock icon appears in the browser’s address bar.
Using SSL encryption is essential for securing sensitive information, such as login credentials and payment details. It also provides visitors with confidence that their information is being transmitted securely, which can improve their trust in your website.
To enable SSL encryption on your WordPress website, you will need to purchase an SSL certificate from your hosting provider or a third-party SSL provider. However, it’s also possible that your web host provides one as a part of your website’s hosting package. In fact, it’s fairly standard if you’re paying for managed WordPress hosting. But not always if you’re on a shared hosting plan. Once you have the certificate, you can install it on your website and configure your website to use it. Double check that all the internal links on your website are using the ‘https’ protocol to ensure a secure connection throughout your site.
Alternatively, if you’re looking for a free SSL certificate try Punch Salad’s SSL Certificate Generator. If your web host allows, you can install the certificate you generate manually (for example, using cPanel if you have it). The difference between this and purchasing an SSL certificate directly through your web host is it involves knowing how to manually install it and it’s going to expire every 90 days, whereas a certificate from your web hosting provider should last an entire year before requiring you to renew.
5. Monitor Your Website’s Uptime
Website uptime is the amount of time that your website is publicly accessible and functioning correctly. Downtime is when it’s not. Website downtime happens for many reasons, including server maintenance, technical issues, and security breaches. When your website is down, it can affect your site’s traffic, sales, and your customer’s overall experience.
You can monitor your website’s uptime to keep tabs on the quality of your web host. It’s helpful to know if downtime occurs, when it occurs, how often it happens, and what the reason is. If your business’ website is frequently experiencing downtime and your hosting provider is unable to provide an acceptable reason why, it’s time to start thinking about switching to a new more reliable website hosting provider for the best interest of your business. If that’s you, I recommend checking out FlyWheel hosting from WP Engine.
Generally speaking, uptime monitoring involves using a tool or service to check your website’s availability and alert you if it goes down. Knowing is half the battle. Troubleshooting, resolving, and apologizing to customers for any inconvenience is the rest.
There are several free and paid uptime monitoring services available, such as Pingdom and UptimeRobot. These services check your website’s availability from various locations around the world and send alerts via email or SMS if your website goes down.
It’s like having an employee check if your website loads every minute, 24-hours per day, 7-days a week. Pretty cool, right?
By monitoring your website’s uptime, you can quickly identify and address issues that may be affecting your site’s availability. You can also use uptime monitoring data to determine the best time for scheduled maintenance and WordPress updates.
6. Regularly Backup Your Website
#6 might be #1 to me. Backup your website. Make backups of your backups. Store them as long as you can. And keep them in different locations in case something happens to the storage area. It might sound like a lot, but if your website ever breaks or goes down, trust me, you’re going to want a non-broken copy available to quickly restore your business.
Regular website backups are critical for protecting your website’s data and content. Backups allow you to restore your website in the event of a security breach, server failure, or any other event that may cause data loss. It’s a lot easier to restore a backup than it is to build a new website.
There are several ways to backup your WordPress website. You could use a backup plugin. You could create manual backups. You could use a backup service provided by your web hosting provider. Or you could hire a website management service to create backups for you. Regardless of how you do it, I recommend creating backups in multiple ways. Use 1 backup method as a failsafe against the other because sometimes software fails. And, if your backup plugin stops running you’ll still have your manual backup or the ones your web hosting company made.
In addition to having a backup, it’s important to have a current and error-free backup. That’s why you should save your backups for as long as you can. Saving backups for 30-days is great, but saving 90-days worth of backups is better. Hacks or vulnerabilities in your WordPress website don’t always show themselves right away. You don’t want to install a backup of an infected site, so having multiple backups available affords you the peace of mind that you can restore from a version before the infection was injected.
Backup plugins, such as UpdraftPlus and BlogVault, are easy to use and allow you to schedule automatic backups at regular intervals. They also offer features such as backup encryption and remote storage options, which can enhance the security and accessibility of your website backups. Sweet.
Manual backups involve downloading and saving your website’s files and database. As in, literally exporting a copy to your local computer or an external storage device. Manual backups usually require more time and effort, but they also offer more control over the backup process and allow you to store backups on multiple devices.
7. Harden Your Website
Website hardening involves implementing additional security measures to protect your website from attacks. Hardening your website can help minimize the risk of security breaches and prevent unauthorized access to WordPress.
There are several ways of hardening your WordPress website, including:
- Changing the default database prefix: By default, WordPress uses the prefix ‘wp_’ for all database tables. Changing this prefix to a random string of characters can help to prevent SQL injection attacks.
- Disabling file editing: WordPress allows you to edit your website’s files directly from the WordPress dashboard. Disabling this feature can prevent hackers from modifying your website’s code.
- Limiting login attempts: Limiting the number of login attempts can prevent brute-force attacks, where hackers attempt to guess your login credentials using automated tools.
- Changing the login URL: Changing the URL you use to login to WordPress can help prevent automated scripts from finding your login page and gaining access.
- Using two-factor authentication: Two-factor authentication adds an extra layer of security to your website login process by requiring a second authentication method, such as a code sent to your mobile phone.
- Implementing a web application firewall (WAF): A WAF can help to block malicious traffic and prevent attacks such as SQL injection and cross-site scripting (XSS).
By hardening your website, you’re reducing the likelihood of security breaches and ensuring WordPress is more resilient to attacks.
Securing your WordPress website requires ongoing effort and attention. By implementing the tips I’ve outlined in this article, you can significantly reduce the risk of security breaches and help your website be protected against the latest security threats. Remember to keep your WordPress website updated, use strong passwords and usernames, install a security plugin, use SSL encryption, monitor your website uptime, regularly backup your website, and harden your website to enhance its security and protect your visitors’ data.
If you’re starting to feel overwhelmed with maintaining your website or like it’s taking up too much of your time, please reach out. I offer routine WordPress maintenance and website management services that can help.