10 Tips On How To Secure Your WordPress Website
A notion in web design and SEO that gets overlooked more times than I care to contemplate is the security of your WordPress website. I ask people all the time around our office here in Durham, NC how they secure their WordPress websites, and the answer I get more than anything is… what security? As a developer this hurts my heart. Here are 10 tips for improving the security of your WordPress website.
#1 Use A Website Lockdown Function
A common tactic for breaching WordPress websites is simply brute-forcing the login form. By adding functionality that locks out a user after multiple failed login attempts, you can easily cut off a well-used method of attack. We recommend Login Lockdown for ease of use.
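To show what a lockdown function actually does under the hood, here is an added example (my own illustration, not code from the original post or from the Login Lockdown plugin) of a minimal failed-login limiter built on WordPress transients. It assumes 5 failed attempts from one IP address within 15 minutes trigger a lockout, and that the site is not behind a reverse proxy, so REMOTE_ADDR is the real client address.

```php
<?php
/**
 * Added example: minimal per-IP login lockout using WordPress transients.
 * Drop it in a must-use plugin (wp-content/mu-plugins/) or functions.php.
 * Assumed policy: 5 failures in 15 minutes locks the address out.
 */

const LOCKDOWN_MAX_ATTEMPTS = 5;
const LOCKDOWN_WINDOW       = 15 * MINUTE_IN_SECONDS;

function lockdown_key() {
    // One counter per client address. Behind a proxy you would have to read
    // the proxy's forwarded header instead, and only if you trust that proxy.
    return 'lockdown_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login. Each failure also refreshes the expiry, so the
// lockout slides forward while someone keeps hammering the form.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lockdown_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LOCKDOWN_WINDOW );
    // Leave a trail in the PHP error log so repeated failures are visible.
    error_log( sprintf( 'lockdown: failed login for "%s" from %s (%d/%d)',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $attempts, LOCKDOWN_MAX_ATTEMPTS ) );
} );

// Refuse authentication while the address is locked out. Priority 30 runs
// after WordPress's own username/password checks (priority 20), so even a
// correct password is rejected until the window expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lockdown_key() ) >= LOCKDOWN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lockdown_key() );
} );
```

A per-IP counter like this does not stop attempts spread across many addresses, which is one reason a maintained plugin that also tracks usernames is the better choice for most sites.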
#2 Rename Your Login URL
If you have ever used WordPress, odds are you have logged into the website using the default login URL of yourwebsite.com/wp-login.php. This is universally known as the starting point for breaching a WordPress website. By changing this you can decrease the risk of your website being compromised due to brute force attacks by 99%. This enables ONLY the people who have the direct link to log in. You can change the login URL with plugins like WPS Hide Login.
#3 Use STRONG Passwords
If I had a dollar for every time a client used a password like 12345a or password1234 I would be a very very very rich man. Don’t be that business whose website is compromised due to laziness. Make no mistake, using an easy password comes from being lazy, and it puts you and other people at risk. If your website collects customer information and you use a password like password12345, you may be held responsible for any breach of data. Use strong, complex passwords and change them every 3 months.
#4 Delete The Admin Username
This may seem like a trivial change that most people instinctively make when creating the admin user, but it comes up more than it should. If your username is still “Admin”… please delete it. It is an easy target for brute force attacks. This, coupled with bad password management, is one of the two biggest weaknesses targeted on WordPress websites. You have to create a new user account with Admin access and then delete the default admin user.
#5 Use Two Factor Authentication
I will start by saying, I love 2FA. It is one of the bright spots of modern security and it can be used in thousands of different products and services, your website included. 2FA can be introduced on your login page and requires a unique code to be entered along with the username and password. The code is generated and sent to your personal mobile device. For an unauthorized login to happen, the attacker would need both valid credentials AND access to your personal mobile device. This exponentially increases the security of your login portal and is more than enough to deter 99 percent of brute force attacks. You can learn more about Two Factor Authentication here.
#6 Update WordPress Regularly
WordPress is known for its constant update pushes, which makes it one of the most secure platforms in the world. As an open source platform, WordPress has thousands of people daily trying to find vulnerabilities in the code. Once these are identified, the hard-working WordPress development team issues patches as updates. WordPress updates almost always address some sort of security flaw. By not updating your website in a timely manner you are knowingly leaving actively exploited vulnerabilities open on your website.
#7 Remove Your WordPress Version Number
It’s really easy to find out what version of WordPress a website is running. It’s right there for the world to see in your site’s source view. If you’re like many businesses out there and do not update your website regularly, you are at increased risk if your version number is public. Updates are pushed to fix security holes; if you don’t update and you show what version you’re using, you are basically telling an attacker which method of attack to use. You can hide your version number with a large number of plugins; I highly recommend doing this.
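If you would rather not add a plugin just for this, here is an added example (my own, not from the original post) that removes the version from the places WordPress prints it in the page source. It assumes you place it in a must-use plugin or your theme’s functions.php; it goes slightly beyond the meta tag the post mentions by also stripping the version query string from core script and style URLs.

```php
<?php
/**
 * Added example: hide the WordPress version number from the page source.
 * Assumed location: wp-content/mu-plugins/hide-version.php or functions.php.
 */

// 1. Remove <meta name="generator" content="WordPress x.y"> from <head>
//    and the matching generator element from RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. WordPress appends "?ver=x.y" (the core version) to its own scripts
//    and styles, which leaks the version even with the meta tag gone.
//    Strip that parameter from every enqueued asset URL.
function hide_wp_version_query( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hide_wp_version_query' );
add_filter( 'style_loader_src', 'hide_wp_version_query' );
```

Two caveats: stripping ver= also removes the cache-busting value on your theme’s own assets, so clear caches after deploying theme changes, and the readme.html file in the web root still states the version, so delete or block it as well. Hiding the number only buys time; it is no substitute for tip #6.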
#8 Use Care When Connecting To Your Server
When setting up your website, take care to only connect to your server through SSH or SFTP. I would recommend SFTP over traditional avenues like FTP because SFTP encrypts the connection, whereas FTP sends your credentials and files in plain text. Using these connections allows much safer uploading of files to your website, and nearly all hosting providers offer this as part of a security package. If you read this and don’t know what any of these words mean… contact us… we can help!
#9 Use An SSL Certificate
Installing an SSL (Secure Sockets Layer) certificate on your website’s server is an invaluable method for deterring malicious attackers. An SSL certificate encrypts the data transfer between users’ browsers and the server, which makes it difficult for outsiders to intercept the connection. If you are taking sensitive information on your website, like credit card info or consumers’ personal information, we highly recommend that you use an SSL certificate, because collecting this information makes your website a target. Oh, and not to mention Google gives websites that are secured with SSL a boost in SEO. Google rewards businesses who take care of their customers, it’s as simple as that. You can find a guide to installing an SSL certificate on your server here.
#10 BACKUP YOUR WEBSITE
This is in all caps for a reason. BACK UP YOUR WEBSITE, PEOPLE. This is one of the most important aspects of web security… the insurance policy. No matter how hard you try to secure your website, we are all human and there is always a chance mistakes were made. By backing up your website (preferably not on the same server) you are able to immediately restore a website that may be compromised to its last secure configuration. This is also a plus for companies who have employees that may not be extremely qualified to use a WordPress website or server and may “break” your website. Having a backup is a necessity on today’s internet. If you don’t back up your website and it is breached or broken, the website is gone forever and will need to be rebuilt from scratch. I have had this conversation with many prospective clients who come to us in dire times; it’s never easy to tell someone that all the work they put in is gone forever. Hope for the best, plan for the worst.