Keeping Your WordPress Website Secure - 10 Tips
Why Website Security is Important
No matter how much work is put forth into launching your website, all sites are vulnerable. However, there are steps you can take to protect your WordPress website from hackers. In this article, we'll go over some tips on securing your WordPress website.
1. Keep Everything Up to Date
Some of the most prevalent WordPress security issues stem from outdated versions of WordPress themes, core, and plugins, which is why it's essential to keep everything updated.
To find out if you need to make any updates, log in to your WordPress website. You can find the notifications for updates in several places: the sidebar menu, the top admin bar, and as a notice if you're running an outdated version of WordPress.
While it might be bothersome to see constant update notifications, and it's easy to put them aside, these updates are important in protecting your site. By running outdated versions of themes, plugins, and WordPress, you're increasing the risk of vulnerabilities on your website.
Updates are a great thing since they typically provide bug fixes, new features, and patches for security issues. WordPress will automatically download minor updates by default, but you will need to do any major updates directly through your WordPress admin dashboard.
Updating WordPress
When it's time to update WordPress, go to your dashboard. At the top of the page, you'll see an announcement notifying you that there is a new version of WordPress available. Click on the "Please update now" button.
Updating Plugins
- Go to Plugins > Installed Plugins.
- If a plugin is not up to date, WordPress will let you know.
- Click on "Update Now."
- Updates can also be run from the Updates page. The Updates link is located at the top of the sidebar menu.
Updating Themes
- Go to Appearance > Themes.
- If a theme is not up to date, WordPress will let you know, just as it did with the plugins.
- Click on "Update Now."
- Updates can also be run from the Updates page. The Updates link is located at the top of the sidebar menu.
Checklist for WordPress Updates
- Before running any updates, create a current backup of your site.
- Review changelogs before updating. Changelogs are used by developers to show what changes are being included in a version update. To find the changelogs, you can click on the Updates page in the dashboard and click on the "View version x.x.x details" link.
- Run the updates.
- Confirm everything is still working as expected. It's always good to do a run-through of your site to make sure nothing is broken after an update.
2. Back up Your Site on a Regular Basis
When you back up your website, you are creating a copy of all of the site's data. If anything goes wrong, you can restore your website to that backup copy.
For WordPress backups you'll want to:
- Schedule backups that happen automatically.
- Scan backups for any malware.
- Store the backup files in a remote destination that is completely secure.
3. Use a Strong WordPress Password
Passwords are a crucial part of website security, but they are often overlooked. If you are using a simple password, you should update it immediately! While a password such as "abc123" is easy to remember, it's also extremely easy to guess, and an advanced hacker could crack it in no time.
Since the most common WordPress hacking attempts are from stolen passwords, you should make it a priority to use stronger passwords that are unique to your site. Typically, people don't like using complex passwords because they are hard to remember, but there are several password managers, such as LastPass, out there that allow you to easily store your passwords.
Here are some tips on creating a strong, unique password:
- Don't use a password you've used for other websites and accounts.
- Avoid using "admin" as your WordPress username.
- Avoid using dictionary words for your WordPress password.
- Only share your password with essential, trusted people.
- Use a password with more than 12 characters.
- Use numbers, special characters / symbols, and upper & lowercase letters in your password.
- Use two-factor authentication for your WordPress login.
- Change your password every 4 months.
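The rules above can be checked automatically whenever a user sets a password. The following is an added example, not code from the original article or from WordPress: a small policy checker in Python that enforces the length and character-class rules, rejects the "admin" username, and looks for dictionary words. It goes one step beyond the list by also undoing common symbol-for-letter substitutions before the dictionary check, so "P@ssw0rd!" is still recognised as "password". The wordlist is a constructed stand-in; a real deployment would load a large list of common and breached passwords.

```python
import re
import string
from typing import List, Optional

# Constructed mini wordlist for the demo (assumption: a real check would
# load a large list of common and previously breached passwords).
COMMON_WORDS = {"password", "welcome", "wordpress", "admin",
                "letmein", "qwerty", "abc123"}

# Common symbol/digit-for-letter substitutions. Cracking wordlists apply
# these rules automatically, so a checker must undo them before comparing.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def find_dictionary_word(password: str) -> Optional[str]:
    """Return a wordlist entry contained in the password (raw or de-leeted), else None."""
    forms = (password.lower(), normalize(password))
    # Longest words first so the most specific match is reported.
    for word in sorted(COMMON_WORDS, key=lambda w: (-len(w), w)):
        if any(word in form for form in forms):
            return word
    return None


def check_password(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) <= 12:
        problems.append("must be longer than 12 characters")
    has_all_classes = all([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if not has_all_classes:
        problems.append("must mix upper- and lowercase letters, digits and symbols")
    word = find_dictionary_word(password)
    if word:
        problems.append(f"contains the dictionary word '{word}'")
    if username.lower() == "admin":
        problems.append("username 'admin' should not be used")
    if username and username.lower() in normalize(password):
        problems.append("must not contain the username")
    return problems


if __name__ == "__main__":
    for pw, user in [("abc123", "admin"), ("P@ssw0rd!2024", "editor"),
                     ("Tq7#mV9!xLp2$Wn", "editor")]:
        print(repr(pw), "->", check_password(pw, user) or "OK")
```

Hook a checker like this into the password-change form on the server side; client-side hints alone can be bypassed. Note that "P@ssw0rd!2024" satisfies every length and character-class rule yet is still rejected, which is exactly the case a naive checker misses.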
4. Limit Login Attempts
There isn't anything built into WordPress by default to limit the number of failed login attempts that someone can make. Without a limit placed on login attempts, a hacker can make an endless number of guesses on your usernames and passwords until they are successful.
Boost your WordPress login security by getting a plugin that allows you to limit the number of failed login attempts on your website. Once that limit has been reached, the plugin will ban the attacker's IP address.
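To show what such a plugin does behind the scenes, here is an added example (not from the article or any WordPress plugin) of the core mechanism in Python: a sliding-window counter of failed logins per client IP that locks the IP out once a threshold is hit, plus a replay of a few constructed login-log lines through it. The log format, IP addresses and thresholds are all assumptions made for the demo.

```python
import time
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Callable, Deque, Dict, List, Tuple


class LoginLimiter:
    """Sliding-window failed-login limiter keyed by client IP.

    After `max_failures` failures within `window` seconds the IP is locked
    out for `lockout` seconds; a successful login clears its counter.
    """

    def __init__(self, max_failures: int = 5, window: int = 600,
                 lockout: int = 900, clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock  # injectable so a log replay can drive the time
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:            # lockout expired: start fresh
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Record a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        attempts = self.failures[ip]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:  # drop old attempts
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


# Constructed sample log: "<timestamp> <client ip> <FAIL|OK> <username>".
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 FAIL admin
2024-05-01T10:00:02Z 203.0.113.7 FAIL admin
2024-05-01T10:00:04Z 203.0.113.7 FAIL administrator
2024-05-01T10:00:05Z 198.51.100.4 FAIL editor
2024-05-01T10:00:06Z 203.0.113.7 FAIL admin
2024-05-01T10:00:07Z 198.51.100.4 OK editor
2024-05-01T10:00:08Z 203.0.113.7 FAIL admin
2024-05-01T10:00:09Z 203.0.113.7 OK admin
2024-05-01T10:20:00Z 203.0.113.7 FAIL admin
"""


def replay_log(log_text: str, **limiter_args) -> List[Tuple[str, str, str]]:
    """Feed log lines through the limiter; return (ip, user, decision) per line.

    Decisions: FAIL (counted), LOCKED (this failure triggered the lockout),
    BLOCKED (rejected without checking credentials), OK (success).
    """
    state = {"now": 0.0}
    limiter = LoginLimiter(clock=lambda: state["now"], **limiter_args)
    results = []
    for line in log_text.splitlines():
        ts, ip, outcome, user = line.split()
        state["now"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc).timestamp()
        if limiter.is_locked(ip):
            decision = "BLOCKED"
        elif outcome == "FAIL":
            decision = "LOCKED" if limiter.record_failure(ip) else "FAIL"
        else:
            limiter.record_success(ip)
            decision = "OK"
        results.append((ip, user, decision))
    return results


if __name__ == "__main__":
    for ip, user, decision in replay_log(SAMPLE_LOG):
        print(f"{ip:14} {user:14} {decision}")
```

In the replay, the fifth failure from 203.0.113.7 triggers the lockout, and the very next attempt from that address is blocked even though it carries the right password; that is the intended trade-off, since the lockout is what stops an endless guessing run. By 10:20 the lockout has expired and the counter starts again from one.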
5. Add Two-Factor Authentication to Your WP Login
Two-factor authentication requires two items to log in to your account. The first item is your username and password. The second item is a unique code delivered to you via another channel. This code can be delivered through email, text, mobile apps, and more.
By using two-factor authentication, you are giving a huge boost to your WordPress security. While this does add an extra step to the login process, the layer of security it provides is worth it.
6. Only Install Themes and Plugins from Trusted Sources
Don't download premium plugins for free. Make sure you are always purchasing your themes and plugins from an official site.
Highly skilled developers code their premium themes to pass multiple WordPress checks. When purchasing a premium theme, you will be able to customize it, get full support if something goes wrong on your website, and regular updates.
Many beginners download premium plugins and themes for free from unreliable sources. This is a trap: the user is sent to an illegitimate website whose downloads can infect your WordPress website with malware.
So, while it may be tempting to save some money, always avoid nulled themes and plugins.
7. Install a WP Security Plugin
It can be a time-consuming job to regularly check your website security for malware. That's where a security plugin comes in. The security plugin will take care of your website security, scan your site for malware, and make regular checks to see if anything is happening on your site.
8. Use a Reputable and Reliable Web Host
One of the best (and simplest) ways to keep your website secure is to go with a reliable hosting company that provides several layers of security. While it can be tempting to save money and go with a cheap hosting provider, don't do it! Oftentimes, going with the cheapest provider can lead to many bumps down the road. For one, you could completely lose your data, and your URL could begin redirecting users somewhere else.
Allowing a little more of your budget to cover a quality hosting provider means that your website will be faster and automatically have additional layers of security.
According to a study done in 2012, 41% of successful hacking attempts stemmed from a vulnerability in the hosting platform.
When looking for a hosting provider, here are a few things to consider:
- Offers hosting optimized for WordPress.
- Has a firewall in place that is geared for WordPress.
- Supports the latest versions of basic web technology (like PHP and MySQL).
- Has tools to prevent large-scale DDoS attacks.
- Continually monitors its network for malware and suspicious activity.
- Has accident and recovery plans that allow it to protect your data.
- Keeps its software and hardware up to date.
9. Add an SSL Certificate
When a person visits your WordPress site, a line of communication begins. The information is being passed between the visitor's device and your server, making several stops along the way before reaching the final destination.
SSL (Secure Sockets Layer) is mandatory for websites that process sensitive information such as credit card credentials and passwords. Without an SSL certificate, the data that is being delivered between the user and your server will be unencrypted and can be read by hackers. When using SSL, the information is encrypted before being transferred, making it more difficult for hackers to read and making your website more secure.
To get an SSL certificate, you can purchase one from a third-party company, or you can check with your web hosting company to see if they provide one for free.
As a bonus, not only will using SSL encryption secure your website, but you'll also rank higher on Google since it prefers websites that use SSL.
10. Uninstall Unused Themes and Plugins
If you have any unused plugins and themes sitting on your WordPress website, you'll want to delete them. These themes and plugins will be marked as "Inactive." Unused themes and plugins can be a security risk if any vulnerabilities exist within them.
You can delete inactive plugins and themes individually, or by bulk-selecting them and choosing the "Delete" action from the admin dashboard.
Conclusion
Website security is crucial. If you don't make an effort to maintain your WordPress security, you're opening yourself up to hackers that can easily harm your website. Protecting your site isn't hard, and many things can be done without spending a single penny. Hopefully, this article has given you a few helpful tips and practices for securing your WordPress website. If you have any questions or need help securing your WordPress website, feel free to give us a shout!