WordPress Security

Hackers are out there! They’ll lock you out, hold your website for ransom, and stuff ads into the corners. You may have heard some crazy horror stories, but I want to clarify a few things. First, the WordPress core software is very secure and is audited regularly by hundreds of developers. Second, there are a few really easy things you can start doing immediately to keep your website from being hacked. Here’s a list of 5 of them that are pretty straightforward and don’t involve any coding.

1. Don’t make your password “password”

I know this is obvious, but you’d be surprised how many people do it. Also, don’t use the username “admin”. Why?
Well, the reason to stay away from common usernames and passwords is that hackers use simple automated scripts, called bots, which attack your site by brute force: they try thousands of passwords against your login page until one of them works.

If you’re like me, then you have way too many passwords to keep track of. To manage all of them I use a service called 1Password. Another great service is LastPass. You can safely store all of your passwords with these services across multiple devices and, best of all, they will generate strong passwords for you and save them immediately. There’s no reason not to use one!

2. Limit Login Attempts

To prevent brute-force attacks, the Limit Login Attempts plugin temporarily blocks anyone who enters too many wrong passwords in a row. I include this plugin in all my website launches. It’s free, and it’s just another layer of protection that can go a long way.
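To show what a plugin like that does behind the scenes, here is an added example (my own illustration, not the Limit Login Attempts plugin’s code): a small WordPress must-use plugin that counts failed logins per client IP and refuses to authenticate that client once a threshold is hit. The file name, the `lla_` prefix, and the thresholds are all assumptions you can change.

```php
<?php
// Added example (not the Limit Login Attempts plugin's code): lock out a client
// IP after too many failed logins. Save as wp-content/mu-plugins/lockout.php.
// The thresholds below are assumptions; tune them for your site.
define('LLA_MAX_FAILS', 5);                       // failures allowed per window
define('LLA_WINDOW',    15 * MINUTE_IN_SECONDS);  // window for counting failures
define('LLA_LOCKOUT',   30 * MINUTE_IN_SECONDS);  // how long the block lasts

// One transient key per client. REMOTE_ADDR is used on purpose: trusting an
// X-Forwarded-For header would let a client pick its own key and dodge the limit.
function lla_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lla_' . md5($ip);
}

// Count every failed login; start a lockout once the threshold is reached.
add_action('wp_login_failed', function ($username) {
    $key = lla_client_key();
    if (get_transient($key . '_locked')) {
        return; // already blocked, nothing more to count
    }
    $fails = (int) get_transient($key . '_fails') + 1;
    set_transient($key . '_fails', $fails, LLA_WINDOW);
    if ($fails >= LLA_MAX_FAILS) {
        set_transient($key . '_locked', time(), LLA_LOCKOUT);
        delete_transient($key . '_fails');
        // Leave a trace for whoever reviews the server logs later.
        error_log(sprintf('lockout: %s blocked after %d failed logins (last user "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $fails, $username));
    }
});

// Refuse authentication while a lockout is active. Priority 100 runs after
// WordPress's own username/password handlers, so this error is the final
// result and cannot be overwritten by a later core filter.
add_filter('authenticate', function ($user) {
    if (get_transient(lla_client_key() . '_locked')) {
        return new WP_Error('lla_locked',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 100, 1);

// A successful login resets the failure counter for that client.
add_action('wp_login', function () {
    delete_transient(lla_client_key() . '_fails');
});
```

Keying on IP means visitors behind one shared address (an office, a mobile carrier) share a counter, so keep the threshold reasonable and the lockout short; a real plugin usually adds an allowlist for that case.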

3. Have a backup plan

This is so important! With backups in place you can easily revert to an older version of the website from just days or hours before the attack happened. It’s like a time machine! Some hosting companies provide backup options and will store the backups externally for you, off your own server. You can also set up automatic backups with the plugin BackWPup. Or just hit me up and I’ll help you get started.

4. Keep WordPress Updated

If you don’t update WordPress or your plugins, something could break. Updates not only provide new features for your website, they also fix bugs, including security holes. You need to make sure that your WordPress core, plugins, and theme are all up to date. For my personal site, I usually set aside a few minutes once a month to make sure everything is updated.

5. Use a security plugin with a firewall

Some of the most popular WordPress security plugins are Sucuri, Cloudflare, Wordfence, and iThemes Security. Most recently I started playing around with a new plugin called WebARX. Each of these plugins protects against brute force. Another good feature is the ability to change your login URL from “/wp-admin” to something unique. I recommend purchasing a plugin with a firewall, which filters malicious traffic before it even reaches your website.

Well, if you’ve done everything I’ve mentioned thus far, then your website is in pretty good shape!
But as always, there’s more you can do to harden your WordPress security. You may want to look into additional security measures if you have a membership site with lots of users logging in and out, if you have an e-commerce website, or if you store sensitive or important information on the backend.

If you skimmed this whole blog post and don’t want to worry about all this stuff, I’ll gladly handle it all for you. Just check out one of my care plans here.