October is Cyber Security Awareness Month and what better way to acknowledge it than by brushing up on your WordPress security best practices?! After all, you’ve put a lot of time, energy, and money into your website over the years. Don’t you think it’s worth protecting?
WordPress is the most popular content management system (43% of all websites run on the WordPress platform) and therefore attracts cybercriminals trying to exploit the platform’s vulnerabilities. But there is no reason to panic. By keeping up with a few consistent practices, you can protect your site from a cyber attack.
Here are some best practices for keeping your website safe from hackers.
5 WordPress Security Practices
1. Keep it current.
One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often, and whenever there’s a new security issue, an update is rolled out immediately with patches and fixes that address those vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.
To check whether you have the latest WordPress version, log in to your WordPress admin area and navigate to Dashboard > Updates on the left side of your screen. If it shows that your version is not up to date, we recommend updating it as soon as possible.
You also need to keep all of the themes and plugins used on your site up to date – they can have security issues as well. Some plugins can conflict with updated WordPress core software, causing critical errors and making your site an easier target for hackers. Sometimes people put off updates for fear of breaking their site, but having a breach in security or break-in is a far greater (and more potent) risk.
Also, just because a plugin is deactivated doesn’t mean it’s not a threat. Make it a practice to delete plugins that are not currently being used on your site.
2. Secure your login procedures.
- Use strong passwords. Your security is only as good as your password. If you’ve got a simple password, you’ve got a simple site to hack. Your WordPress administrator password shouldn’t be anything like ‘yourname’, ‘abc123’, or ‘password’ (all are way more common than you might think!). Use numbers, capital and lowercase letters, and special characters (@, #, *, etc.), and make the password unique. You may even want to look into a password manager such as LastPass to help you generate strong passwords and keep track of them all in one central location, since memorizing complex passwords can be tough.
- Avoid using “Admin” as the username for your WordPress site. “Admin” is typically the first username that attackers try when making an attempt at a brute-force login. If you are currently using this username, create a new admin account with a different username ASAP.
- Limit login attempts. By putting a limit on the number of times a user can enter an incorrect password on your website, you are making it harder for hackers to guess the correct one. You can use a plugin such as Limit Login Attempts to help stop brute-force login attacks from gaining access. Another option is to use a firewall, which can be configured to take care of this for you.
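To show what limiting login attempts means in practice, here is an added sketch of the general technique (not code from this article or from any plugin named in it). The class name, thresholds, and sample events are assumptions made up for illustration.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Lock a client out after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures      # failures tolerated per window
        self.window = window                  # seconds a failure is remembered
        self.lockout = lockout                # seconds a lockout lasts
        self._failures = defaultdict(deque)   # client -> failure timestamps
        self._locked_until = {}               # client -> time the lockout ends

    def is_locked(self, client, now):
        until = self._locked_until.get(client)
        if until is not None and now < until:
            return True
        self._locked_until.pop(client, None)  # lockout expired or never set
        return False

    def record(self, client, success, now):
        """Record one attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(client, now):
            return "locked"                   # rejected even if the password is right
        if success:
            self._failures.pop(client, None)  # a good login clears the history
            return "ok"
        recent = self._failures[client]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            recent.clear()
        return "failed"

def replay(events, limiter):
    """Feed (time, client, password_correct) events through the limiter."""
    return [limiter.record(client, ok, t) for t, client, ok in events]

# Constructed sample events; the addresses are documentation-range IPs.
SAMPLE = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False),
    (20, "203.0.113.7", False), (30, "203.0.113.7", True),
    (35, "198.51.100.2", False), (40, "198.51.100.2", True),
    (1000, "203.0.113.7", True),
]
```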
3. Enable SSL.
Your WordPress site needs an SSL certificate installed and enabled to help make it safe. SSL is a data transfer protocol that makes sure that the traffic between your site and your visitors’ computers is encrypted and safe from unwelcome interceptions. Not only does it keep your site safer from hackers, but it will help boost your SEO, which is an added bonus. The easiest way to tell if your site has an SSL certificate is by looking at your URL when visiting your website. Website URLs with an SSL certificate installed will use HTTPS instead of HTTP. You may even encounter a warning page in your browser if you visit a site that doesn’t have an SSL certificate. This is definitely something you don’t want your potential clients to see because, in most cases, the visitor will quickly navigate away from your site.
4. Back it up.
We can’t emphasize enough the importance of making regular backups of your website. This is something that many people put off until it’s too late. Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack. If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need a backup plan. In order for a backup to work, the file needs to be complete. Backing up your database isn’t enough because that will only save your content. If your site was hacked, you would still be left with the task of reinstalling the theme and all the plugins used to create your site, including all the customizations you may have made to make your site unique. You may also want to set up periodic automatic backups on your site, so that you don’t forget about it. We recommend getting a backup tool, such as Solid Backups (formerly BackupBuddy), to keep your site safely backed up and ready to be restored.
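The point that a database-only backup is incomplete can be checked mechanically. The following is an added example (not part of the original article or of any backup tool it names) that inspects a tar archive for the standard WordPress paths; the function names, and the assumption that the database export is stored as a `.sql` or `.sql.gz` file, are illustrative.

```python
import io
import tarfile

# Parts of a WordPress install a restorable backup needs besides the database.
REQUIRED = {
    "/wp-config.php": "site configuration",
    "/wp-content/themes/": "themes",
    "/wp-content/plugins/": "plugins",
    "/wp-content/uploads/": "media uploads",
}

def missing_from_backup(archive_bytes):
    """Return the parts of the site that a tar backup does not contain."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        # Ignore directories and zero-byte files: an empty dump restores nothing.
        names = ["/" + m.name for m in tar.getmembers()
                 if m.isfile() and m.size > 0]
    missing = []
    for path, label in REQUIRED.items():
        if path.endswith("/"):
            found = any(path in n for n in names)   # any file under the folder
        else:
            found = any(n.endswith(path) for n in names)
        if not found:
            missing.append(label)
    # Assumption: the database export is stored as *.sql or *.sql.gz.
    if not any(n.endswith((".sql", ".sql.gz")) for n in names):
        missing.append("database dump")
    return missing

def make_tar(files):
    """Build an in-memory tar from {path: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: a backup that only holds the database export.
DB_ONLY = make_tar({"backup/site.sql": b"CREATE TABLE wp_posts (id INT);"})
```

Calling `missing_from_backup(DB_ONLY)` lists every file-side component as missing, which is the gap the paragraph above warns about.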
5. Check for malware.
It is crucial to regularly scan your WordPress site for malware since attackers are always developing new techniques and tactics. Currently, there are 560,000 new pieces of malware detected a day! The good thing is that there are lots of malware scanners available to protect your website from malicious software. These scanners help detect suspicious files so that you can eliminate them quickly. They can also email you timely alerts when certain plugins and themes have been identified as a risk, so you can quickly update or delete them from your site and decrease your risk of being hacked. One malware scanner we recommend and use is Sucuri. They scan, protect, and help clean up your site when an issue is detected.
Executing these five best practices will make your WordPress site more secure. If this seems like a lot, take it one at a time. You don’t have to follow these tips all at once, but you should do your best to be proactive. Hackers have gotten increasingly sophisticated over the years. Even if you just start using stronger passwords, your site will be that much safer. And if you are a maintenance client of insight180, you are in luck! We use these practices on a regular basis to help keep your website secure and safe for you.