How to Keep Your WordPress Website Safe and Secure
Updated for 2020
WordPress is the most popular content management system on the web. At least 25% of all websites run on WordPress. Because of this, it also attracts hackers looking to break into unsecured or poorly secured WordPress websites. These attacks can be malicious in nature, or just plain annoying. Using proper WordPress security plugins and good website hygiene can go a long way in keeping your website secure and hack-free.
As a small business owner, your WordPress website is a marketing asset and an investment. Your website should earn its keep and grow your business’s reach. That’s why it is important to keep your website secure. A vulnerable site can expose your customers’ data, negatively impact search rankings, or completely wipe out your site. There are many WordPress security plugins and methods of keeping your website secure.
WordPress security plugins won’t keep everyone out, but they prevent some of the most common types of attacks from occurring. A good WordPress security plugin will harden your WordPress website against automated attacks and offer a way to lock out IP addresses that are carrying out brute-force attacks.
WordPress security plugins alone aren’t enough to keep your website secure. There are additional steps to maintaining a secure WordPress website.
By following the advice in this blog post, you can have a very secure WordPress website in less than 20 minutes.
Will it prevent all attacks?
No. A determined hacker will always succeed if they really want to get in. Remember, even corporations with experienced IT teams get hacked.
Will it prevent the most common types of attacks, the ones most likely to be automated?
Yes, absolutely. The goal here is to stop as many attacks as you can. A lot of WordPress websites get hacked through automated means, which can be easily avoided with a little knowledge and TLC.
#1 Use a Secure WordPress Username and Password
How secure is your username and password?
Use hard-to-guess passwords. Don’t use obvious usernames for your Admin logins. “admin” should never be used.
How to Pick and Set a Secure Password in WordPress
WordPress has a password generator to instantly create a secure password for you. Updating a password takes less than a minute to do. There’s no reason not to do this. Find a safe place to save it (we love LastPass).
#2 Automatically Back Up Your WordPress Website
Back up your website weekly and store a copy in the cloud.
Backing up your website isn’t going to secure your WordPress website, but it will help in case of a disaster. We like UpdraftPlus because you can automate the process and store the backups in the cloud, so even if your entire server gets hit, you know you’ve got backups safe and ready to deploy. Learning how to back up WordPress is easier than you think!
How to Automatically Back Up WordPress
Manual WordPress Backup
Automated WordPress Backup
#3 Update Your WordPress, Theme, and Plugins
Maintain your WordPress website: plugins, themes, and core.
WordPress, your theme, and plugins all require a certain level of maintenance. Some more than others.
It’s important to keep your website’s tools up to date, or at least be aware of what the updates include.
WordPress developers update their plugins and themes to add features, fix bugs, and patch security threats. Because of this, you should never ignore WordPress updates.
Our recommendation is to take a backup and apply your updates. Verify the website is still working correctly after performing the updates.
This process only takes a few minutes to do and should be done on a recurring basis. We recommend at least once per week. If it sounds like too much work, there are companies that offer WordPress website management services.
#4 Use a WordPress Security Plugin
Secure WordPress with a WordPress security plugin
These two plugins, iThemes Security and WordFence, can help mask your website code, protect against brute-force attacks, force secure connections, block offending IPs, and scan for file changes.
You don’t need both plugins to secure your website. If you do use both of these plugins, your website will be more secure, but you’ll need to spend more time configuring them to work well together.
WordFence has a great tool to monitor and remove malware from WordPress websites.
If you have more than a few minutes to spend on securing your WordPress website, there’s more you can do with these plugins.
The videos below outline a quick setup to getting a large amount of protection in just a few minutes.
iThemes Security "Quick Config"
WordFence "5 Minute Setup"
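The "scan for file changes" feature mentioned in this section boils down to comparing file hashes against a known-good baseline. The following is an added example, not code from the original post or from either plugin: the function names and the sample tree are constructed, and treating any `.php` file under `wp-content/uploads/` as reportable is a heuristic assumed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

UPLOADS = "wp-content/uploads/"  # media directory: new images here are routine

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare(baseline, current):
    """Report files added, modified or removed between two snapshots."""
    report = {"added": [], "modified": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        # Skip routine media churn, but never skip .php under uploads:
        # this example assumes the media directory should contain no PHP.
        if path.startswith(UPLOADS) and not path.lower().endswith(".php"):
            continue
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            report["modified"].append(path)
    return report

def write_file(root, rel, data):
    """Demo helper: create file rel under root with the given bytes."""
    target = Path(root, rel)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)

def demo():
    """Build a constructed mini WordPress tree, change it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "wp-config.php", b"<?php // original settings\n")
        write_file(root, "wp-content/uploads/2020/03/logo.png", b"constructed image 1")
        baseline = snapshot(root)
        write_file(root, "wp-config.php", b"<?php // edited after the baseline\n")
        write_file(root, "wp-content/uploads/2020/03/banner.png", b"constructed image 2")
        write_file(root, "wp-content/uploads/2020/03/cache.php", b"<?php // unexpected\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Take the baseline right after a clean install or a verified update, and keep it somewhere the web server cannot write to.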
#5 Don't Install Random Plugins
If you’re looking to add a new feature to your website, only use trusted plugins.
An advantage to working with a WordPress developer is that they’ll have a better idea as to which plugins are safe to use.
If you’re on your own, do your research. Installing a poorly coded or out-of-date plugin could crash your website.
Don’t install the plugin if it…
- …has few installs (there are exceptions to this one).
- …hasn’t been updated in months.
- …has been flagged by WordPress’s team as a potential problem.
Your WordPress Website is Now Secure!
If you followed the advice above, your WordPress website is more secure than most existing websites we’re hired to work on.
If you have any questions about the steps above, or would prefer the advice of a professional, leave a comment below, or send us an email.