In this post we aim to teach you how to secure a WordPress website, helping you think about website security with WordPress and showing you how to secure it against the most common types of hacks and security holes. We will keep the steps as simple as possible, yet ensure that if you follow the steps outlined here you will be secured against most types of attacks.
If a web company is supposed to be managing your ongoing web presence and security for you, then you will also gain knowledge about what they should be doing to keep your website secure. In that case you will gain a checklist to question them with and make sure that they routinely spend time safeguarding your online presence.
Security – the biggest issue on the web today
If you didn’t already know, online security has become one of the biggest topics on the web lately and should probably remain so for quite some time. All software – including content management system (CMS) software – needs to be kept safe and secure and will need to be regularly updated in order to do this.
I have lost count of the number of WordPress websites we have been asked to help with that are experiencing problems due to a security issue. Unfortunately the cure for a hacked website is a cleanup process that is hugely time-consuming and extremely expensive. The clean-up operation on a compromised website can take many hours and cost hundreds, or even many thousands, of pounds to fix if the attack was severe and on a large website. What’s more, most of the issues we come across could have been easily avoided!
Probably the biggest problem with security on the web is that most people only start thinking about it after they have a security problem! In that respect it is a bit like insurance. However, by the time it has become an issue it is simply far too late.
Unfortunately, a lot of design and web companies who take responsibility for looking after websites for their clients aren’t aware of security issues either. This is an even bigger problem, as they really should know better and advise their customers properly.
This article is all about getting you to think about security, understand what you can do to help yourself and actions you can perform.
Is WordPress insecure?
No, it’s not. WordPress is hands down the most popular content management system around (you can see evidence of this here) and whilst that can make it a target for hackers, it also has a large number of expert developers focused on improving it and keeping it secure every day. Because of this, WordPress in and of itself is one of the most secure content management systems around, with more attention paid to keeping it secure than any other CMS. At its core, WordPress is arguably the most secure CMS software available.
5 Simple steps towards safeguarding your online presence
So, how do you go about keeping your WordPress website secure? The steps you or your web company can take to secure your WordPress website are many and varied. Below we have highlighted the five most important actions that can be taken regularly to secure you against the majority of attacks.
1 – Use a secure password
This one simple, powerful and most frequently overlooked element is common to all online software and is the largest weakness of all online systems. A lot of security compromises in online software arise from users not securing their accounts effectively with a secure password.
There have been a large number of high profile cases where security has been compromised due to user password settings. This does not just affect CMS platforms but all online software with accounts. For example, relatively recently celebrity Apple iCloud accounts were compromised through naively weak passwords being used.
It is very easy to gauge whether you are using a secure password with WordPress, the system even provides a strength meter to help you to determine if you are using a secure password.
Action steps to a secure password: Ensure that each user within your WordPress install has a secure password. Either set the password yourself or let WordPress create one for you (in the users screen you can opt to ‘Generate Password’ which will be secure by default). Pay attention to the strength meter that WordPress supplies. It is very helpful in telling you whether your password is deemed as very weak, weak, medium or strong – obviously you must aim for strong to future proof against hackers.
2 – Keep WordPress, any themes and any plugins up-to-date
Remember that I mentioned that there is a large community of highly skilled developers working on WordPress every day? Well, whilst there are many upsides to this there is a tradeoff. There are frequent updates available to the system itself as vulnerabilities are found and the system is improved. The same also follows for any plugins or themes (additional software to extend functionality and templating features) used to run the website.
This is also the area where we personally see the most problems, with websites being hacked due to very old versions of WordPress running. It is extremely easy to get into older WordPress (or other CMS software) versions, as hackers can easily find out which vulnerabilities to look for.
So, this forms tip number two: you absolutely must keep your system up-to-date. We recommend checking the WordPress admin dashboard for each website that you may be running at least once a week to see if updates are available (there usually are if you are running a few plugins in addition to the system itself).
Action steps to keep your WordPress install up-to-date: Make sure that your web company are actioning regular updates (if they are supplying you with a maintenance package of some kind or are responsible for the upkeep of your website). Or, if you are responsible for keeping your website up-to-date, make sure that you check and action any updates at least once a week.
3 – Protect yourself against brute-force attacks
Brute force attacks are another very common method used to hack website content management systems. A brute force attack can easily be performed by a hacker using software (which is very easy to get hold of) to repeatedly guess a username and password on a given website in order to access a particular user account.
Once access is gained, untold damage can be done, from data theft, through spamming, to delivering virus payloads to unsuspecting visitors. Any of those is also likely to get you blacklisted by Google (which can detect and act on these things fairly quickly nowadays).
Action steps to protect yourself against brute-force attacks: Install one of the leading plugins that can protect against brute force attacks shortlisted below:
- Loginizer – https://wordpress.org/plugins/loginizer/
- Brute Force Login Security – https://wordpress.org/plugins/wp-security-pro/
- Brute Force Login Protection – https://wordpress.org/plugins/brute-force-login-protection/
- Jetpack – https://wordpress.org/plugins/jetpack/ (Jetpack is a suite of plugins created by some of the core contributors to WordPress. One of the modules within Jetpack is a Security module that carries brute-force protection).
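A plugin is the simplest protection, but it helps to know what a brute-force attempt looks like from the server side. The script below is an added example (not from the original post or from any of the plugins listed): it reads combined-format Apache/Nginx access log lines, counts failed POSTs to /wp-login.php per client IP inside a sliding window, and reports IPs that cross a threshold. The log lines are constructed samples.

```python
"""Flag brute-force attempts on /wp-login.php from a web server access log.

Added example (not from the original post). Combined-format lines (Apache/Nginx)
are parsed, failed login POSTs are counted per client IP inside a sliding window,
and IPs that cross a threshold are reported. The log lines are constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client firing 12 login POSTs in 12 seconds, and one editor
# who mistypes once (200 = form re-rendered) and then logs in (302 = redirect to wp-admin).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2024:09:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" '
     f'200 3112 "-" "python-requests/2.31"' for s in range(12)]
    + ['198.51.100.4 - - [10/Mar/2024:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3112 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Mar/2024:09:01:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Mar/2024:09:01:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"']
)


def find_login_bruteforce(log_text, threshold=10, window_seconds=60):
    """Return {ip: peak failed logins within any window_seconds span} for IPs at or
    above threshold. WordPress answers a failed login with HTTP 200 (the form comes
    back with an error) and a successful one with a 302 redirect, so only 200s count."""
    recent = defaultdict(deque)  # ip -> timestamps of failed POSTs still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop attempts that fell out of the sliding window
        peak[m["ip"]] = max(peak[m["ip"]], len(window))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins in 60s - candidate for blocking or rate limiting")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the threshold and window are the two knobs a login-protection plugin exposes as "max retries" and "lockout period".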
4 – Only use a few high quality, reputable plugins and themes
We often see WordPress websites that contain 20 or more plugins. This not only makes a website very slow and creates a lot of work in keeping all of them up-to-date, but also presents a potential security risk.
As mentioned previously, WordPress at its core is definitely very secure, but here’s the rub: the plugin ecosystem is huge, hard to police and contains many plugins of variable quality. There are literally tens of thousands of plugins and themes available for WordPress and a number have had security issues. So, whilst this is an uncomfortable situation, there are also extremely high quality plugins and themes available which are well monitored, adhere to security guidelines and are updated often.
The simple fact is that the more plugins you use on a WordPress site, the higher the chance of you adding security holes onto your website. So, it’s essential to make sure of three things:
- You only use the plugins that you absolutely need. Uninstall any superfluous plugins.
- You must perform due diligence by investigating plugin reviews and ratings to make sure they have a good track record.
- Update your plugins. If updates are available, you should generally apply them and accept the risk of an update breaking something on your website. Better that than the security risk of not updating.
You should also use themes from a reputable supplier (which is not Themeforest or many of the most popular marketplaces).
Action steps to keep your plugins secure: reduce the amount of plugins you use to the ones you absolutely need in order for your website to function. Make sure the plugins and themes you use are rated as reliable (avoid Themeforest themes). Keep your plugins up-to-date.
5 – Back your website up
This is perhaps the second most important step and I debated adding it as step 2. However, because most hosting companies have some form of backup process, you are at least partially covered with most types of hosting, hence it appearing as point number 5 here.
In essence you really should have a website backup system in place. Maybe your website security has been compromised in spite of your best efforts, or maybe you have broken something that you cannot fix. Either case will see you footing an expensive bill, depending on what the problem is. If, however, you have a recent backup of your website you will save yourself a LOT of money.
Restoring a backup is very technical and beyond the capabilities of the average content manager, unless you have software managing backups for you, either a system offered by your hosting company or a backup plugin for WordPress.
The problems with backups provided by hosting companies are:
- They often don’t take frequent enough backups, often only once a month. This means that you may end up losing 31 days’ worth of updates that you have made.
- The backups taken do not contain all of the information needed, due to a lack of knowledge of how WordPress works. For example, many hosting providers take a database-only backup, or a files-only backup, leaving you without critical content.
- There is a charge to restore from a backup. This is sometimes in the small print of a default backup service. Some hosting is so cheap that backups cannot be covered at all, or there is a charge for the restore service.
- Only a few restore points are kept. This is a problem with nearly all backup systems provided by hosting companies. They keep a minimal number of backups. So if your website was hacked over a month ago and you didn’t realise until after the latest (and only) backups were taken, your backups will be of the hacked version of the website.
The best backup systems for WordPress for an average user are plugins such as BackupBuddy. This is software built specifically for WordPress; it allows you to schedule numerous restore points and avoids nearly all of the potential issues seen with backup systems employed by hosting companies.
Action steps to back up your website regularly: subscribe to a service such as BackupBuddy and gain peace of mind knowing that your online presence is backed up.
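Two of the hosting-backup failings listed above can be checked mechanically: a backup that holds only the database or only the files is not a usable restore point, and keeping just the last few backups means a compromise noticed a month later leaves nothing clean to go back to. The script below is an added example (not from the original post, and not BackupBuddy’s code); the file names, dates and retention counts are constructed assumptions.

```python
"""Pick which WordPress restore points to keep and check that each one is complete.

Added example (not from the original post). It addresses two of the backup failings
listed above: a backup that holds only the database or only the files is not a restore
point, and keeping just the last few backups means a compromise noticed a month later
leaves nothing clean to go back to. Names, dates and retention counts are constructed.
"""
from datetime import date, timedelta

# A WordPress site is the database (posts, users, settings) plus the files
# (wp-content uploads, themes, plugins, wp-config.php); a restore needs both.
DB_SUFFIXES = (".sql", ".sql.gz")
FILE_SUFFIXES = (".tar.gz", ".zip")


def is_complete_restore_point(file_names):
    """True only when the backup set contains a database dump AND a files archive."""
    has_db = any(n.endswith(DB_SUFFIXES) for n in file_names)
    has_files = any(n.endswith(FILE_SUFFIXES) for n in file_names)
    return has_db and has_files


def select_restore_points(backup_dates, daily=7, weekly=4, monthly=6):
    """Grandfather-father-son retention: keep the newest `daily` backups, the newest
    backup of each of the last `weekly` ISO weeks and of the last `monthly` months.
    Older, spaced-out points survive, so a pre-compromise state is still restorable."""
    ordered = sorted(set(backup_dates), reverse=True)
    keep = set(ordered[:daily])
    weeks_seen, months_seen = set(), set()
    for d in ordered:
        week = d.isocalendar()[:2]  # (ISO year, ISO week number)
        if week not in weeks_seen and len(weeks_seen) < weekly:
            weeks_seen.add(week)
            keep.add(d)
        month = (d.year, d.month)
        if month not in months_seen and len(months_seen) < monthly:
            months_seen.add(month)
            keep.add(d)
    return sorted(keep)


# Constructed history: a backup every day for the 120 days ending 31 March 2024.
DAILY_HISTORY = [date(2024, 3, 31) - timedelta(days=i) for i in range(120)]

if __name__ == "__main__":
    print(is_complete_restore_point(["site-2024-03-31.sql.gz"]))  # False: files archive missing
    for d in select_restore_points(DAILY_HISTORY):
        print(d)
```

With the defaults, 120 daily backups reduce to 13 kept restore points, the oldest being the end-of-month backup from December, which is exactly the kind of point a hosting company’s "last three backups" policy throws away.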
One simple method to employ in keeping your WordPress website secure
The main mistake that people make with their WordPress websites is failing to keep a periodic maintenance schedule going. Failure to take your online presence seriously WILL result in your website being hacked at some point and a hefty bill to fix the problems.
Book a maintenance schedule (such as the one provided below) in as a weekly event. Or, ensure that your web company are doing something similar. If you are leaving your website maintenance and security to a web company you really need to ensure they are securing your website properly. Ask them whether they are following something similar to the schedule below.
Set a security maintenance schedule
A simple schedule to follow would be to book a 20 minute slot in your calendar once a week to maintain your website. The schedule would involve logging into your WordPress admin system and actioning the following:
- Make a backup of your website using BackupBuddy or check to see that the backups are working (if scheduled backups are in place).
- Check to see if your brute force protection software is installed and working.
- Check to see if WordPress needs to be updated and action any updates needed.
- Check to see if any plugins need to be updated and action any updates needed.
- Check to see if any themes need to be updated and action any updates needed.
- Look to see if you have any extraneous plugins that can be removed.
- Once WordPress and all plugins have been updated, test the website to make sure that everything is still functioning as expected.
- If you have any new users on the website, make sure that their password is secure. If in doubt set them a new one!
Employ one of our Website Care Plans to effectively manage your website security for you
We deliver website care and maintenance plans for our customers that safeguard them against hacks and security issues. Our care plans also provide dedicated resources for your website needs, effectively acting as an extra expert team member for your company. Take a look at our website care plans and see if they can be a good fit for your business.