Businesses in 2021 are more dependent on their websites as a source of income than ever before. The more you invest in implementing website security best practices, the less likely you’ll find yourself scrambling to put your website back together. We at Great Big Digital Agency have compiled the latest WordPress security tips to help ensure your website doesn’t get hacked.
WordPress is an incredibly powerful open source platform. It's commonly thought that open source software is more vulnerable to attack, but WordPress core is actively maintained and reviewed by a large developer community, and serious core vulnerabilities are rare. In practice the weak points are almost always elsewhere: third-party plugins and themes that are out of date, abandoned or poorly written, weak credentials, and sites that nobody maintains. That is where the tips below are aimed.
Why do hackers hack?
E-commerce sites are the most attractive targets because they store personally identifiable information and handle payment transactions, so stealing data tops the list of motives. But any site with traffic or search ranking is worth something to an attacker. They inject hidden links and ads that borrow your domain's authority to promote third-party sites on Google (SEO spam), or use your pages to serve malicious advertisements to your visitors (malvertising); the two are often lumped together but are different attacks. A compromised site is also a foothold: attackers harvest usernames and passwords from it and use them to reach your server or hosting account. And sometimes a site is defaced or taken down for no apparent reason beyond the fact that the attacker could.
Here are a few tips and best practices that you can implement immediately to prevent your WordPress website from getting hacked.
1. Don’t make your password “password”
A simple WordPress security tip is to understand the obvious strategy an attacker will try first: guessing. Attackers run scripts or bots that try thousands of username and password combinations against your login page, starting with the passwords people come up with off the top of their heads and with lists leaked from other sites' breaches. So avoid anything guessable, and don't use the username "admin": it is the first username every bot tries, and removing it takes away half of the guesswork. These may seem obvious, but you'd be surprised how many businesses get them wrong.
If you're like me, you have far too many passwords to keep track of. To manage them I use a service called 1Password (this is not an affiliate link, I'm just a big fan). LastPass is another option. A password manager stores all of your passwords across multiple devices and, best of all, generates a long random password for each site and saves it immediately, so every site gets a unique password and a breach somewhere else can't be replayed against your WordPress login. There's no reason not to use one. If you need a one-off password without a manager, there are web-based generators such as https://passwordsgenerator.net/, but prefer the generator built into your password manager: a password generated on someone else's website is only as trustworthy as that website.
Within WordPress you can blunt brute-force attacks by limiting login attempts. The Limit Login Attempts plugin counts failed logins and temporarily blocks the source address after too many of them; we include it in every site we launch. It's free and an effective extra layer, with two caveats worth knowing. First, serious attackers spread their guesses across many addresses, so a per-address limit slows them down rather than stopping them. Second, if the plugin is configured to lock out by username as well, an attacker can deliberately lock out your real administrator. The control that actually defeats a guessed password is two-factor authentication on every administrator account, which several of the security plugins in tip 6 provide.
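To make the "limit login attempts" idea concrete, here is a stand-alone sketch of the lockout logic such a plugin implements, written for this article as an added illustration; it is not the Limit Login Attempts plugin's own code, and the limits (5 failures in 15 minutes, 20-minute lockout), the IP addresses and the credential store are all constructed for the example.

```python
# Sliding-window login lockout: a stand-alone illustration of what
# "limit login attempts" plugins do. Constructed example, not the
# plugin's own code; the limits below are assumed, not plugin defaults.
import time
from collections import defaultdict, deque

MAX_FAILURES = 5           # failures tolerated inside one window
WINDOW_SECONDS = 15 * 60   # failures older than this are forgotten
LOCKOUT_SECONDS = 20 * 60  # how long a tripped key stays locked


class LoginThrottle:
    """Counts failed logins per client IP and per username.

    Keying on both means one address hammering many accounts and many
    addresses hammering one account ('admin') both trip the limit. The
    trade-off: the username key lets an attacker lock out the real user,
    which is why plugins usually key on IP and make username lockouts
    optional."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for testing
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout ends

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username):
        now = self._clock()
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if now < until:
                return True
            del self._locked_until[key]       # lockout has expired
        return False

    def record_failure(self, ip, username):
        now = self._clock()
        for key in self._keys(ip, username):
            recent = self._failures[key]
            recent.append(now)
            while recent and now - recent[0] > WINDOW_SECONDS:
                recent.popleft()              # drop failures outside the window
            if len(recent) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT_SECONDS
                recent.clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def attempt_login(throttle, ip, username, password, check_password):
    """Returns 'locked', 'ok' or 'bad'. The lock is checked BEFORE the
    password, so a locked attacker learns nothing even with a right guess."""
    if throttle.is_locked(ip, username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "bad"


def run_scenario():
    """A bot at 203.0.113.7 guesses 'editor' five times, then a sixth time
    with the right password; a second address tries the same account; then
    the lockout expires. Returns the outcome of each attempt in order."""
    now = [0.0]                                # fake clock, advanced by hand
    throttle = LoginThrottle(clock=lambda: now[0])
    users = {"editor": "correct horse battery staple"}   # constructed credential store
    check = lambda u, p: users.get(u) == p

    outcomes = [attempt_login(throttle, "203.0.113.7", "editor", f"guess{i}", check)
                for i in range(MAX_FAILURES)]
    outcomes.append(attempt_login(throttle, "203.0.113.7", "editor", users["editor"], check))
    outcomes.append(attempt_login(throttle, "198.51.100.2", "editor", users["editor"], check))
    now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(attempt_login(throttle, "203.0.113.7", "editor", users["editor"], check))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
    # ['bad', 'bad', 'bad', 'bad', 'bad', 'locked', 'locked', 'ok']
```

The two design points worth copying are that the lockout is checked before the password is verified (otherwise a locked attacker still learns whether a guess was right), and that old failures age out of the window, so a legitimate user who fumbles a password twice a week is never locked out.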
2. Use a quality host
It's hard to recommend shared hosting in 2021 when security matters. A shared host packs dozens or hundreds of sites onto one server, and if the host's isolation between accounts is weak, a vulnerability in a neighbour's site can become a way into yours. Frequent attacks, downtime and slow performance can all be symptoms of a poorly run host, and unless you manage your own server there is nothing you can do about it except leave. So if you're going to invest in website security, start with a good host (we are huge fans of cloud hosting and managed WordPress hosting); there are many quality options ranging from $10 to $100+ per month. Managed WordPress hosts will often handle part of the security work for you, such as server-level firewalling, automatic core updates and malware scanning, though what's included varies, so check before you buy.
Option 1: Cloudways – Cloud hosting
Option 2: Flywheel – Managed WordPress
Option 3: Kinsta – Managed WordPress
3. Use an SSL Certificate
Adding an SSL certificate (strictly a TLS certificate; TLS replaced SSL years ago, but the old name stuck) lets your site run over HTTPS. Without it, every login to your admin panel sends the username and password in plain text, and anyone positioned on the network, on public Wi-Fi for instance, can read them or steal the session cookie that follows. HTTPS encrypts the connection between the browser and your server so that isn't possible. It does not make the admin panel itself any harder to attack, so it complements the other tips rather than replacing them. Purchasing and installing a certificate through a third-party provider is easy, and all the hosts we recommend include one for free. Once it's installed, set your WordPress site address to https:// and redirect every http:// request, so the login form is never served over plain HTTP. As a bonus, HTTPS is also a ranking signal for Google, though a lightweight one rather than a top factor.
4. Have a backup plan
This is so important! If your website does get hacked, a backup is what turns a disaster into an afternoon's work: you restore a copy from days or even hours before the attack. Some hosting companies provide backups and store them off the server for you, and we also recommend a second, independent backup in cloud storage such as Google Drive or Dropbox, which you can automate with a plugin like UpdraftPlus, BlogVault or BackWPup. Three things matter more than which plugin you pick. Keep backups off the web server, because an attacker who controls the server can delete or tamper with anything stored on it. Keep enough history: compromises often go unnoticed for weeks, and if you only hold the last seven days, every copy may already contain the infection. And test a restore now and then; a backup you have never restored is an assumption, not a plan. Most of these plugins perform incremental backups, copying only what has changed since the last run, which keeps server load low and makes frequent backups practical.
5. Keep your software updated
Updates aren't only about new features. They fix bugs and patch security holes, and running old software, or software that is no longer supported, leaves known vulnerabilities on your site for bots to find. So make sure that WordPress core, plugins and themes are all kept up to date, and remove plugins and themes you don't use: a deactivated plugin is still code sitting on the server whose files can be requested directly. For sites we build, we set aside time once a month to go through the software, check that licences are current (a lapsed licence on a premium plugin means you quietly stop receiving its security updates) and update everything. On a similar note, only install WordPress software from a reputable source. The WordPress plugin directory reviews new plugins before listing them and closes plugins with unfixed vulnerabilities, so download from there whenever possible, and avoid "nulled" copies of premium plugins, which are a common vehicle for backdoors. The directory listing also helps you judge a plugin. For example, the image below shows UpdraftPlus on the WordPress repository: it has been downloaded over 3 million times, has a five-star rating, and was last updated 2 days ago. A large install base, a high rating and recent updates are good signs that a plugin is maintained and widely trusted, though they are signals, not a guarantee that it has no bugs.
6. Use a security plugin with a firewall
Some of the most popular and trusted WordPress security plugins are Sucuri, Wordfence, WebARX and iThemes Security, and one of the most important features they share is a web application firewall. The firewall inspects each HTTP request before WordPress handles it and compares it against a continuously updated set of signatures for known attack patterns (SQL injection strings, path traversal, exploits for specific plugins); a request that matches is blocked and the source address can be banned. Two things to keep in mind. A signature list only catches what it already knows, so a brand-new exploit or a logic flaw in a plugin passes straight through; the firewall buys time until you patch, it does not remove the need to. And a firewall that runs inside WordPress only sees requests that have already reached PHP, whereas a cloud or host-level firewall, such as Sucuri's, stops traffic before it touches your server at all. Most of these plugins also protect against brute force, limit login attempts, and offer two-factor authentication.
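The following is an added, stand-alone sketch of what that signature matching looks like, written for this article; it is not code from Wordfence, Sucuri, WebARX or iThemes, the five signatures are illustrative rather than a real rule set, and the sample requests are constructed, not captured from a real site. It shows why a firewall must decode a request before matching (an encoded payload would otherwise slip past), and why a firewall on a content site produces false positives that need exclusions.

```python
# Signature-based request inspection, as a stand-alone illustration of
# what a plugin firewall does to each HTTP request. Constructed example,
# not Wordfence/Sucuri/WebARX/iThemes code; the signatures are
# illustrative, not a real rule set.
import re
from urllib.parse import unquote_plus

SIGNATURES = [
    ("sqli-union-select",  re.compile(r"union\s+(all\s+)?select", re.I)),
    ("sqli-tautology",     re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("path-traversal",     re.compile(r"\.\./")),
    ("php-stream-wrapper", re.compile(r"\b(php|data|expect)://", re.I)),
    ("xss-script-tag",     re.compile(r"<script\b", re.I)),
]

INSPECTED_HEADERS = ("user-agent", "referer", "cookie")


def normalize(value, max_rounds=3):
    """Percent-decode the way the application will before matching.
    Matching the raw bytes would miss 'p=1%27%20OR%20%271%27%3D%271';
    repeating the decode also catches double encoding ('%2527')."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(request):
    """request is a dict with 'path', 'query', 'body' and 'headers'.
    Returns the names of every signature that fires (empty list = clean)."""
    fields = [request.get("path", ""), request.get("query", ""), request.get("body", "")]
    fields += [v for k, v in request.get("headers", {}).items()
               if k.lower() in INSPECTED_HEADERS]
    hits = []
    for text in fields:
        decoded = normalize(text)
        for name, pattern in SIGNATURES:
            if name not in hits and pattern.search(decoded):
                hits.append(name)
    return hits


def decide(request):
    return "block" if inspect(request) else "allow"


# Constructed sample traffic (not captured from a real site).
SAMPLE_REQUESTS = {
    "normal_login": {"path": "/wp-login.php", "query": "", "headers": {},
                     "body": "log=editor&pwd=hunter2"},
    "sqli_encoded": {"path": "/index.php", "query": "p=1%27%20OR%20%271%27%3D%271",
                     "headers": {}, "body": ""},
    "sqli_double_encoded": {"path": "/index.php",
                            "query": "p=1%2527%2520OR%2520%25271%2527%253D%25271",
                            "headers": {}, "body": ""},
    "traversal_in_param": {"path": "/wp-content/plugins/example/download.php",
                           "query": "file=..%2F..%2F..%2Fwp-config.php",
                           "headers": {}, "body": ""},
    "xss_in_user_agent": {"path": "/", "query": "",
                          "headers": {"User-Agent": "<script>alert(1)</script>"}, "body": ""},
    # A legitimate post about SQL trips a signature: firewalls on content
    # sites need exclusions, which is why the plugins let you whitelist.
    "false_positive_post": {"path": "/wp-admin/post.php", "query": "", "headers": {},
                            "body": "content=How+to+write+a+UNION+SELECT+query"},
}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:22s} {decide(req):5s} {inspect(req)}")
```

Notice what the list does not contain: a request that exploits a logic flaw in a plugin with perfectly ordinary-looking parameters matches nothing and is allowed, which is the limitation described above.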
7. Disable file editing
This last step requires editing files over SFTP, so don't attempt it unless you're comfortable editing .htaccess and PHP files, and keep a copy of each file before you change it so you can put it back.
By default, WordPress lets any administrator edit theme and plugin files from the dashboard (Appearance > Theme Editor and Plugins > Plugin Editor). That's sometimes convenient, but it means anyone who gets into an administrator account, whether by a guessed password or through a plugin flaw, can write PHP code straight onto your server from the browser, which is the first thing an attacker does to plant a backdoor.
A related hardening step is to stop the web server from ever serving wp-config.php, which contains your database credentials and secret keys. On Apache, add this to the .htaccess file in your site's root:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Those are Apache 2.2 directives; Apache 2.4 accepts them only while the mod_access_compat module is enabled, otherwise use the 2.4 form, Require all denied, inside the same <Files> block. To check that it worked, request /wp-config.php in a browser: you should get a 403 Forbidden rather than a blank page.
Disabling the built-in editors is a separate change, made in wp-config.php above the comment line that reads "That's all, stop editing!". Use straight quotes; the curly quotes a word processor inserts will break PHP:
define( 'DISALLOW_FILE_EDIT', true );
When it's in place, the Theme Editor and Plugin Editor entries disappear from the admin menu, which is your confirmation. Note that this doesn't stop an administrator from uploading a plugin zip; blocking that needs DISALLOW_FILE_MODS, which also blocks updates from the dashboard and is usually too restrictive for a site you maintain yourself.
At Great Big Digital we provide maintenance plans that will cover all of these 7 practices, and more. If you’re feeling completely overwhelmed by the options and the technical details and are nervous about managing this yourself, we’ll gladly speak with you about how to handle WordPress security for your specific website. Get in touch with us and we can discuss your website needs!