Have you ever wondered what would happen if your site got hacked? Most businesses fail to understand the importance of making sure your website is secure. In this article, we will discuss 10 ways to secure your WordPress site without any crazy tricks.
1. Wordfence Security Plugin
I have had the pleasure of using many different security plugins and this one is one of the best. While installing it and leaving it be by itself won't protect you completely, it can give you a heads up on attacks and scan your site.
For my websites, I commonly review logs of who is trying to login in from where. If I notice a certain IP address is attacking me or using a certain admin name, I'll ban that IP Address.
Below is a standard process I use in order to lock down my sites:
- Login to Dashboard > Login Attempts > Failed
- Open Notepad or Word
- Copy IP addresses of people who are trying to login
- Go to Blocking
- Paste IP address (*make sure this isn't your own)
Keep in mind this isn't going to keep you completely safe but it helps to review your logs on a weekly basis and see who is trying to log in, using what usernames.
The best thing about this plugin is that the free version is just fine for most websites that are just getting started. A more established site might want to buy a license to the extended plugin features but for starting out, Wordfence is perfect in my book.
This is just one of the ways to secure your WordPress site, we will discuss more below.
Cloudflare is a CDN which stands for content delivery network. You don't have to spend time reading Wikipedia and trying to understand it to know it works.
Cloudflare does a few different things I think I need to mention that is of note:
- It speeds up your website (only marginally, don't expect miracles)
- It secures traffic from attacks such as DDOS
- It gives a basic SSL license
- It allows you to change your security level on the fly
- It Caches your website to make sure that it is never down
All of these things might seem minor but in the long run, they secure your site a lot more than you might believe. Having someone watching your website is a giant relief.
It also takes some stress of the security of your site because you know that while your site might be down on the back-end, it will keep it running on the front. This is very important for most businesses.
Did I mention all of the above are part of the free version? That's almost a no-brainer for me as a business owner.
The ability to change my security level to something like I am being attacked and lock down my traffic helps also.
3. White Label CMS
While most of my clients are not interested in understanding how themes work or plugins work. This little plugin can be a lifesaver for a few reasons.
Most hackers are looking for a few different things to get into your site and take control:
- Outdated themes
- Outdated plugins
- Exploits in WordPress aka Outdated WordPress files
Basically, most hackers will look for files that are out of date or not being kept up. This can come in the form of many different attacks but the path is clear.
What White Label CMS does is it allows you to hide things like your admin login which is a default location for WordPress. It also allows you to hide the theme and plugin information.
This means that bots that are likely looking at your site will be less likely to find that plugin and know how to exploit it. This is a very mild security but it is still one of the ways to secure your WordPress site.
4. Change your admin Username
This is one of the most basic things a website can do and yet, it can save you tons of time. If the jerks trying to get into your website know your username is admin, you are more likely to be hacked.
There are many articles explaining how to change your admin username.
I would even consider making a backup username just encase the main admin account gets hacked. It's not a surefire step but it can help secure your website.
This minor change can be the thing that drives hackers crazy. Make sure when you make a post or anything else on the site that it uses your real name rather than username.
This can be found in settings > General.
5. Website Backup
This may not seem like a security problem but in the end, it is one of the things that can save your bacon. Having an up to date website backup ensures that should you site befall any sort of hack or other problem you have all your files ready.
I've tried many different WordPress backups but my back-up of choice is still All-in-one-WP migration. It is by far one of my favorite backup tools.
The plugin works almost flawless in backing up your site and importing it to new sites. Someone can learn the whole plugin in a matter of minutes.
Best of all they have a lifetime update and fee for bigger sites over 512megs which I consider valuable saving for people who are constantly needed to back up their site.
The one caveat is this won't do it automatically which some will argue is a problem. I prefer an easier pain-free solution rather than something that does it automatically. Mileage may vary.
6. Don't download illegal plugins
When business owners start looking at cutting costs, they can find plugins to be one of their biggest expenses. The problem with this is unless you know the source, you can find problems later.
Illegal plugins or plugins which are free often come with a modified code in order to make sure that the plugin does not "phone home". This can be minor or they could also track activity and even login information.
When in doubt it's better for you to find a cheaper or free plugin than it is to use something that's been downloaded hundreds of thousands of times on the web and likely infecting websites.
7. Make sure to update your files
We mentioned earlier with White Label CMS that files that are old or out of date are the most likely targets for most hackers. Make sure you air on the side of caution.
Updating all the time can lead to its own set of problems as sometimes, updates break things. I recommend you make a test site in order to make sure that your site can handle the update.
This way, your main site is never down due to a bad update or plugin conflict.
Some will recommend automatic updates but once again, I disagree. Maybe being a web developer gives me caution but at the end of the day, I'd rather have a working website than a broken one.
8. Pick a really secure host
There are plenty of hosting companies to pick from and often times people will pick the cheapest. Sometimes a host can be the downfall of your whole website.
A bad host can lead to problems that often leave you drifting out at a sea with your website. Make sure your host is updated and secure.
You can do this by forcing a pretend mock-up. Go to chat and tell your host your having issues with your website and think it's hacked. See what steps they take to make sure your website is back up and running.
This maybe dishonest but in the day you will be happy you did it. You will be more informed about how they act and what procedures they do in order to protect your site.
9. Add two-factor Authentication
Two-factor authentication is the process of adding an extra step in order to log into your website. Often this involves setting up a device such as a phone or other device that has access to an app.
Every time you would log in, you would likely need to give a pass-code as well as your password in order to access the information. Is it a pain? Yes, without a doubt. Is it secure? It may be one of the most secure ways to lock down your site without doing anything else.
10. Don't allow users to auto-register to your site
Many sites that want users to allow them to auto-register to the site leaving your site open to all sorts of attacks. Depending on the purpose of allowing this, I would strongly consider it.
Better yet, use a third party tool such as Disqus this way the person is logging into a third party tool rather than your website.
Learning new ways to secure your WordPress site
This may seem like a long list but in truth, it's no were close to the list that they have out there. It's much more of a starter but these are all tactics I use an employ on my WordPress websites.
Security should always be on the back of your mind when you think about building a website. If your website going down can make or break your site, then consider making sure you try to do all of these.
If all of this seems tedious or even a little confusing, you can always hire a professional designer to help you maintain and secure your site. I would highly recommend it to anyone serious about their business.