WordPress Website Security
Website security is about balancing the need to make your website secure with the ease of using your website.
It is no good if the website is so secure that you can't even access the dashboard of your own website!

Security is therefore not something you tick off once and forget. It is about adding and regularly reviewing a series of layers of protection, and treating security as a normal part of running the site: which contractors you give access to, where and from what device you log in, which plugins you install, and so on.
The balance you are aiming for is one where attackers move on to an easier target and you are not inconvenienced too much by your own security measures. Be aware that attackers will try your website whether or not it is interesting to them: they run fleets of computers with automated scanners day and night, combing the web for sites with known vulnerabilities or weak logins.
Are you keeping your WordPress website protected?
Download our guide to understand how to evaluate the success of your website, plus tips that will help you make improvements today!
Here are my thoughts on the recommendations from a recent Siteground webinar on website security.
- SSL - Please see my article SSL certificate - why and how you should have SSL. Almost all good hosts offer free SSL certificates. Without HTTPS, your dashboard password and login cookie travel across the network in plain text, so anyone on the same wifi can read them. SSL is not only essential for security; it is also a ranking factor for SEO.
- Have a strong password for every user with privileges on your website. WordPress offers a password generator on the user profile page, so there is no excuse. It only takes one user with a weak password to compromise the whole site. Also encourage your users not to reuse the same password across different websites.
- Brute force prevention - brute force is when someone tries, again and again, to log into your website. This is not usually done by hand: attackers use networks of computers that cycle through lists of common passwords and leaked credentials against the login form (and, on WordPress, against xmlrpc.php, which allows many password guesses in a single request). Rate-limiting or locking out an address after a few failed attempts makes this far less effective.
- Ensure your computer is free of viruses and malware - use a good antivirus program on every device that accesses your website. If you take your laptop to cafes or other public places with shared internet, consider getting a VPN. This is especially true if you travel overseas - are you sure your hotel's wifi is trustworthy? A VPN encrypts the traffic between your device and the VPN provider, so other people on the same network cannot read or tamper with it.
- Choose a good quality hosting company with excellent security. There are many ways attackers try to get at your website, and you want a host that takes care of server-side security and does all it can to protect your site. On that note, I recommend not registering your domain with the same company as your host: if the hosting account is compromised, the attacker should not also get control of your DNS and email.
- WordPress security plugins. These typically combine an application-level firewall, login protection and file-integrity scanning. I strongly recommend adding them to your staging site first - you don't want to lock yourself out of your production website accidentally, and you need time to adjust the configuration for your needs. Take the time to understand how the plugin works and do some research on its trustworthiness. Many of the useful features are paid. It is good practice not to run two security plugins at the same time - choose one, for example Sucuri or the Siteground Security plugin, and set its options to suit your site. Both of these can disable XML-RPC (used for pingbacks and remote publishing, and commonly abused for password guessing) and the built-in theme and plugin file editor (which lets anyone who gains dashboard access write PHP to your server).
- Two-factor authentication (2FA). Two-factor authentication means you need an authenticator code as well as your password to log in. It is a little painful to use, but far less painful than cleaning up a hacked website, so consider whether it is an option you need. Some implementations have an additional cost. If someone obtains your username and password (most often because you reused the password on a site that was breached), they still cannot log in, because they would also need the one-time code generated on your phone at that moment.
- Never use a user named admin. For the same reason, do not publish your login username as the post author: you can choose how a user's name is displayed in the profile settings, so pick a display name that differs from the username. Treat this as defence in depth rather than a secret - WordPress still reveals usernames through author archive URLs and its REST API - but it does stop the most casual harvesting.
- Sign up with a scanning service - for example https://www.siteground.com/blog/sg-site-scanner-powered-sucuri/ or ManageWP
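The brute-force, XML-RPC and file-editor points above can be applied without a paid plugin. The following is an added example, not code from the Siteground webinar or from the Sucuri or Siteground Security plugins: a must-use plugin that disables XML-RPC, hides whether a username exists, and locks out an IP address after repeated failed logins using WordPress transients. The lockout threshold (5 failures), window (15 minutes), file location (wp-content/mu-plugins/) and all function names are assumptions; the hooks (xmlrpc_enabled, login_errors, wp_login_failed, authenticate, wp_login) are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Login hardening example
 * Description: Added example for this article; not SiteGround's or Sucuri's code.
 * Save as wp-content/mu-plugins/login-hardening.php (mu-plugins load automatically).
 *
 * The two settings that belong in wp-config.php, not here:
 *   define( 'DISALLOW_FILE_EDIT', true ); // removes the theme/plugin code editor
 *   define( 'FORCE_SSL_ADMIN', true );    // keeps logins and the dashboard on HTTPS
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Lockout policy. Both values are assumptions; tune them for your site.
define( 'HARDEN_MAX_FAILURES', 5 );
define( 'HARDEN_WINDOW', 15 * MINUTE_IN_SECONDS );

// Turn off XML-RPC. Pingbacks and remote publishing stop working, and so does
// password guessing through system.multicall.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Same message for "unknown user" and "wrong password", so the login form
// does not confirm which usernames exist.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );

// Use REMOTE_ADDR only. X-Forwarded-For is attacker controlled unless a trusted
// proxy overwrites it, and hosts that use such a proxy normally fix REMOTE_ADDR.
function harden_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function harden_fail_key() {
    return 'harden_fail_' . md5( harden_client_ip() );
}

// Count failures per IP in a transient that expires after HARDEN_WINDOW.
add_action( 'wp_login_failed', function () {
    $key      = harden_fail_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, HARDEN_WINDOW );
} );

// Refuse to authenticate an IP that has hit the limit. Priority 30 runs after
// WordPress's own username/password check at priority 20, so the lockout wins
// even when the password is correct. Because this error also fires
// wp_login_failed, continued attempts keep extending the lockout window.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( harden_fail_key() ) >= HARDEN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( harden_fail_key() );
} );
```

Test it on staging first, as the article advises: fail the login from a second browser until the lockout message appears, then confirm the correct password is also refused until the window expires. If you sit behind a CDN or reverse proxy that does not rewrite REMOTE_ADDR, every visitor shares the proxy's address and this code would lock out all of them at once; a host-level or plugin firewall that knows the real client address is the right tool there.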
Updating WordPress, Plugins, Themes and Theme Frameworks
How often do I need to update WordPress?
For my clients, I recommend a website care plan that includes all WordPress and plugin updates. If you manage the site yourself, then WordPress core, the plugins and any theme framework should be updated at least monthly, with security releases applied as soon as they appear. A bit like getting your car serviced, it needs to be done regularly.

Be careful when upgrading! It can break your site.
Upgrading may break your site, for example if a plugin or a piece of code in your theme isn't compatible with the new version. You don't need to upgrade the day a release comes out unless it is a security release; waiting a few days lets incompatibilities surface in other people's sites first, and yours will keep functioning in the meantime. Just don't leave it too long.
Would you like to manage upgrades yourself?
I recommend that you take a recent backup of your site (files and database) before you start and keep a note of which plugins you upgrade. You will also need to know how to access cPanel (or your host's equivalent) for your website. Then, if the worst comes to the worst and you are left with a white screen or a long list of PHP errors, you know which change to suspect and how to restore the backup.
Upgrade at your own risk!
If you run multisite, a busy e-commerce site, or have custom plugins or unique solutions, I strongly recommend doing all regular upgrades on a staging site first. A staging site is a copy of your live site: you apply the updates there, test everything, and only then repeat the changes on the live site.
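The policy above (security releases promptly, everything else through a staged monthly round) can be encoded in WordPress's own auto-update hooks. This is an added example for this article, not code from any hosting provider or plugin: a must-use plugin that lets minor core releases (the ones that carry security fixes) install themselves, blocks unattended major releases, and auto-updates only a short allow-list of plugins. The plugin slug in the allow-list and the function name are assumptions; the filters used are standard WordPress filters.

```php
<?php
/**
 * Plugin Name: Update policy example
 * Description: Added example for this article. Save as wp-content/mu-plugins/update-policy.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Core: minor releases (security and maintenance, e.g. 6.4.2 -> 6.4.3) apply
// automatically; major releases wait for the staged round. This is the default
// behaviour on most installs, stated explicitly so a host's wp-config.php
// override cannot silently switch it off. Equivalent to
// define( 'WP_AUTO_UPDATE_CORE', 'minor' ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: only those on the allow-list update unattended. Keep this list to
// plugins that have no impact on layout and that you trust to ship safe
// releases. The slug below is an assumption; use your own.
function update_policy_plugin_allowlist() {
    return array(
        'akismet/akismet.php',
    );
}

// $item->plugin is the plugin file relative to wp-content/plugins.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return in_array( $item->plugin, update_policy_plugin_allowlist(), true );
}, 10, 2 );

// Themes: never unattended, since theme changes are the ones most likely to
// break the front end. They get updated on staging first, then live.
add_filter( 'auto_update_theme', '__return_false' );
```

Note that this does not replace the monthly routine; it only narrows what happens between rounds. Confirm the result under Dashboard > Updates, where each plugin row shows whether auto-updates are enabled, and check that your host has not set AUTOMATIC_UPDATER_DISABLED in wp-config.php, which turns off every automatic update regardless of these filters.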
There are four reasons why you need to keep WordPress updated
1. Increase security
All websites can be hacked. WordPress is the most popular Content Management System (CMS) today, which makes it a prime target: a single vulnerability in a widely used plugin can be exploited across many thousands of sites with the same automated tooling. On the other side, WordPress has a large user base and an active development community that quickly issues new versions to deal with any vulnerabilities.
The vast majority of hacked WordPress sites are running outdated versions of core, plugins or themes with publicly known vulnerabilities, for which a fix was already available.
Dealing with a hacked site is costly, not only in terms of website services but also in customer trust. No one wants a customer to navigate to their business website and find themselves redirected somewhere else.
2. Fix any bugs
Developers make updates to WordPress, your plugins and theme framework, to fix bugs that they discovered in previous versions. To get the fixes, you need to update.
3. Add features and functionality
Updates often include adding features and functionality. That also includes just keeping up with outside factors that are changing, e.g. Google Analytics or Facebook etc.
4. Keep control of your site with regular maintenance
Keeping the software on your website up to date is well worth it in itself, and it also creates a regular opportunity to review your site:
- Is all the content up to date?
- What new content would it be useful to add?
- Do some testing - is everything working correctly - broken links, contact forms, navigation, social media connections?
- How are my website statistics doing?
- Do I have a recent backup?
- Is the website achieving my business goals?
- Am I happy with my WordPress Hosting Company - are there any performance issues?
Need some help with your WordPress site? Check out our range of Website Care Plans.