5 Simple Steps for a More Secure WordPress Website
/Your website is your hub and home base. You dedicate hours worth of work for blog posts, respond genuinely to each comment you receive, and carefully crafted your About page to reflect your personality. So what's the absolute worst thing you can imagine happening?
Losing all of that work, right? What if one day your site was just ...gone?
Unfortunately we live in a world where people (and bots) hack into websites, gather personal information, and leave our lives a total mess.
Thankfully, there are ways to protect yourself from cyber attacks. Today’s post is from Mia VanValkenburg, a fellow digital marketing strategist, and she's breaking down 5 simple steps for a more secure Wordpress website.
P.S. Haven't started your blog yet, but are doing your research to prepare? Don't miss my post on how to start your Wordpress blog in just 5 minutes!
If you're running a blog or business online, there's a good chance you're using WordPress to power your site.
WordPress is the most popular content management system, powering 27% of all websites on the internet. And although WordPress employs a team specifically devoted to finding, identifying, and fixing security issues, it is not immune to vulnerabilities.
Take basic security precautions by following these 5 simple steps for a secure WordPress website.
5 Steps for a More Secure WordPress Site & Blog
Step 1 - Choose a reliable host
When it comes to hosting, you have a myriad of choices. First and foremost, when researching a potential host, check to see if they meet WordPress’ hosting requirements. Fortunately, thousands of hosts meet those minimum requirements so you shouldn’t have any trouble in that area.
Let’s talk about the different types of hosting options available:
Shared -
this is a very popular option for smaller businesses or bloggers who are just starting out. With shared hosting, you share a server with other sites which helps keep monthly costs low. However, if you are running a larger website, this option might not meet your needs.
Dedicated -
Once your site starts seeing a substantial amount of traffic, you might want to consider a dedicated server, which is a server that is leased from your hosting provider. Dedicated servers give you the most control and are the best choice for really high traffic websites.
Managed -
For a more hands off approach, managed WordPress hosting might be your best bet. Managed hosts will optimize your site for performance, check on site security, and maintain regular backups. However, these features come at a higher price point.
Additional things to consider
Avoid the mistake of choosing a host solely on affordability. You’ll want to make sure that the hosting plan you choose will meet your website’s specific needs. Things like: speed, monthly traffic, SSL certificates, allotted web space, staging capability, backup frequency, and advanced security features.
Lastly, before you commit to a host, it would be wise to consult with your fellow bloggers and business owners to see which service they use for hosting and what their experience has been. Many will be quick to offer their opinion on things that really impact their websites, such as server outages, pricing, and the quality of their customer service.
You can also refer to this list of recommended hosting services from WordPress.
Note from Danielle: I relied on Bluehost* for over five years when my site was on WordPress. I never had an issue and their customer service is great! That is an affiliate link, but I only share resources I use and trust.
Step 2 - Block brute-force login attempts
Brute-force attacks usually carried out by bots, calculate every possible combination that could make up a password with the hope of eventually guessing correctly.
Don’t make it easy for these guys to break into your site!
Use clever usernames and strong passwords -
As you increase the length and difficulty of your password, the amount of time and effort to guess the correct password increases exponentially.
Password managers such as LastPass or 1Password will randomly generate nonsensical passwords for you. And of course, avoid using a generic login like ‘admin’ which is super easy to guess.
Limit login attempts -
The default WordPress login behavior allows for unlimited password attempts, which is why brute-force attacks can be successful. Eliminate the threat by limiting login attempts.
You can specify the number of unsuccessful login attempts per user before temporarily blocking their IP address. Try using a plugin like Login LockDown.
Use 2-factor authentication -
2-factor authentication will add an extra layer of security to your site by sending a code to an external device (such as a cell phone). You can also achieve this with 2FA plugins.
Speaking of plugins…
Step 3 - Choose reliable plugins and themes
By now you’ve noticed that there are tens of thousands of WordPress plugins, but there are some things you should look out for before installing.
Look for the stars -
It’s important to not only look at the quality of the ranking but the quantity as well. A few 5-star ratings might not hold up as well as 1,000 4-star ratings.
Check for updates -
WordPress is constantly updating. As such, your plugins need to keep pace to ensure there are no compatibility or security issues. Frequently updated plugins are a good sign of continuous improvement.
Active installs -
A plugin with a high number of active installs means that people are actually using this plugin. It could also signal reliability.
Support -
When technical issues arise, will your plugin offer support or leave you hanging? Take a look at how many issues have been resolved. It’s also important to take a look at the issues users are having to see if those are things that might affect your site before installing.
What to look for when browsing themes
Responsiveness -
Make sure your theme is responsive, which means the theme offers optimal user experience across various devices. Mobile usage now surpasses desktop usage, so responsiveness is really not an option.
The theme check plugin is a quick and easy way to test your theme to make sure it’s on par with the latest WordPress standards.
SEO friendliness -
aThemes has a list of SEO friendly WordPress themes. But if you’ve fallen in love with another theme, be sure to use Google’s Structured Data Testing Tool to see if the theme follows Schema standards.
Step 4 - Protect your wp-config.php and .htaccess files
Both your wp-config.php and .htaccess files are located in the root directory, with your configuration file being the most important, as it contains information about your database and how to connect to it.
To protect these files from unauthorized access, simply add the following code to the top of your .htaccess file.
<files wp-config.php> order allow,deny deny from all </files>
<files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files>
If you are unfamiliar or uncomfortable with accessing and editing these files, have a web developer make these changes for you.
Step 5 - Stay updated on the latest version of WordPress
The primary reason WordPress sites get hacked is due to lax security or outdated software, themes and plugins. If you have a WordPress website, you now have the unavoidable responsibility to keep your site up to date.
Each update addresses known security issues in addition to features and bugfixes. And because WordPress is open source, security vulnerabilities and their patches are all publicly disclosed.
Keeping your website up to date is the low-hanging fruit of WordPress security.
In conclusion
Although it’s impossible to guarantee complete site security (even if you follow all of the above precautions), it’s important to remember that security is about risk reduction, not risk elimination.
Start with these 5 simple steps and you’re well on your way to a more secure website.
For a more thorough list of things, you can do to protect your site, check out the Hardening WordPress guide.
Feeling more empowered to increase your website's security?
Are you planning to implement all 5 steps? Leave a comment below!