Try our 7 super easy security hacks that will beef up the security of your WordPress website in minutes.
Keep the hackers away from your site!
I often get asked how secure WordPress is at meetup groups that I host and attend.
WordPress (the core files) is very secure.
When there are security issues found, not limited just to WordPress, there are a huge number of engineers working their pants off to get a fix out as soon as possible.
WordPress now powers over a third of all websites, so being the largest CMS (content management system) on the planet, it is the biggest target for hackers.
That’s the real reason you hear about WordPress sites being hacked “all the time”.
And it’s almost never from the core WordPress files themselves but from older versions of plugins and themes that the site owner hasn’t bothered to keep updated.
Keeping everything up-to-date regularly (weekly) is a must for modern websites.
If you don’t have the time to do it yourself, make sure that you pay somebody to keep the hackers away.
We offer a range of WordPress site care plans that will help secure and monitor your site 24/7.
So, here are our 7 super easy security hacks to help secure your WordPress site in a matter of minutes, in no particular order:
1. Install a Software Firewall Plugin
This is an absolute must and we recommend Wordfence.
The free version of Wordfence works very well and you can have a look on the website to see if you need to upgrade to premium for more security and features.
After you have installed Wordfence and left it running for 24 hours, you will be amazed, perhaps horrified, at the hundreds and possibly thousands of attempts to brute force guess your site admin logins.
The free version of Wordfence runs a daily scan on your WordPress installation and site files to check for known issues.
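You can see the same brute-force traffic in your web server's own access log. The script below is an added example, not part of the original article and not Wordfence code. It assumes the Apache/nginx "combined" log format and stock WordPress behaviour, where a failed login returns HTTP 200 and a successful one returns a 302 redirect. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed and successful wp-login.php POSTs per client IP.
# Assumes Apache/nginx "combined" log format and stock WordPress behaviour:
# a failed login re-renders the form (HTTP 200), a successful one redirects (302).

# Write a small CONSTRUCTED access log to the path given as $1.
write_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 6 ]; do    # six failed guesses from one address
        printf '%s\n' "203.0.113.7 - - [12/Mar/2019:02:14:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 3120 \"-\" \"python-requests/2.21\"" >> "$1"
        i=$((i + 1))
    done
    cat >> "$1" <<'EOF'
198.51.100.23 - - [12/Mar/2019:09:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:09:01:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2019:09:05:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2019:09:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
EOF
}

# failed_logins_by_ip LOGFILE [MIN]
# Prints "FAILED SUCCEEDED IP", busiest first, for IPs with >= MIN failures.
failed_logins_by_ip() {
    awk -v min="${2:-5}" '
        # Field 6 is the quoted method, field 7 the request path, field 9 the status.
        $6 == "\"POST" && ($7 == "/wp-login.php" || index($7, "/wp-login.php?") == 1) {
            if ($9 == 200) failed[$1]++
            else if ($9 == 302) ok[$1]++
        }
        END {
            for (ip in failed)
                if (failed[ip] >= min) print failed[ip], ok[ip] + 0, ip
        }
    ' "$1" | sort -k1,1nr -k3,3
}

# Stand-alone use: sh login-attempts.sh /path/to/access.log [MIN]
if [ -n "${1:-}" ]; then
    failed_logins_by_ip "$@"
fi
```

An address with many failures and a non-zero SUCCEEDED count deserves a closer look, because it may mean a password was eventually guessed.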
2. Install a Firewall and Anti Virus App for Your Computer
As you are the main admin for your WordPress site it would be good practice for you to also install a firewall and antivirus software app on the computers you use to access the site.
Best to make sure that nobody has compromised your home machine before you access your business website.
We use Norton Internet Security on our PCs, but McAfee and Kaspersky are also good, strong products.
3. Don’t Use “Admin” for Any of Your Username Logins
If you have a hosting package that uses cPanel or Plesk, you will likely have seen a window for quick software installs, with the WordPress logo, along with other CMSs such as Drupal, Joomla, etc.
These are scripts provided by the hosting company to do a quick installation of WordPress, so that you don’t have to run through all the database and other setups.
Not so much now, but in the past, these installation scripts created the default WordPress administrator user as “Admin”.
You will see from the Wordfence log, there are likely thousands of attempts to guess the password of a user called “Admin” by script bots, as the username was so widely used.
It’s easier to guess just the password rather than the username and password together.
Choose a username that isn’t easy to guess and means something relevant to yourself.
4. Always Use A Different Strong Password for Each Login
You probably have lots of logins for hundreds of website services that you use daily or weekly.
Remembering all these logins in your head is difficult, so some people tend to use the same password for them all.
Sounds straightforward enough, until one of your logins gets compromised, or a service you use gets hacked and the hackers steal the email, user and password details.
Suddenly, the hacker has access to all your services if you are using the same password.
That’s why it is good practice to have a different complex password for each service you log into.
Using a password manager such as LastPass or 1Pass will help securely generate, store and log in to sites.
5. Use SSL Site-Wide
Using SSL for WordPress dashboard logins means that the traffic your browser sends to and from the server is encrypted and secure from hackers.
Most hosting providers will offer you a free SSL certificate either from their own systems or from Let’s Encrypt.
Some people on the internet have voiced concerns that the free Let’s Encrypt SSL certificates are somehow inferior to the paid ones.
That is a load of codswallop.
SSL certificates, free or otherwise, do exactly the same thing, encrypting communications between browser and server.
Moving your entire site over to SSL (using HTTPS) also gets you bonus brownie points from Google.
Secure sites rank higher than similar sites that don’t have an SSL certificate.
We use Let’s Encrypt SSL certificate on all of our servers and client sites.
This site is running an SSL certificate generated from Let’s Encrypt. Check the padlock out.
6. Backup Your Files Regularly
This is your insurance policy against anything bad happening to your site.
It may not be hackers that take down your site.
Corrupted files, wrongly pressed buttons, badly written scripts etc.
There’s a multitude of things that could go wrong and affect your business website.
It’s best practice to have backups running regularly for your website so you can recover from any issues.
Make sure your backup plugin and service backs up the database and files, as well as files that are outside your WordPress installation directory.
Having a restore functionality will also save you time getting back on-line without you having to pay somebody else to unzip backed up archive files.
Read this great article on the 9 Best WordPress Backup Plugins 2019 from our sister site, Zero Point Development.
7. Update WordPress Core, Plugins and Themes Regularly
Regularly is a relative word but we mean at least weekly.
Keeping the WordPress core, plugins and themes regularly updated is an absolute must for maintaining good security for your site.
The WordPress core team, plugin and theme authors are always releasing point releases to fix bugs and security issues, so don’t get left behind.
Now would also be a good time to do a plugin review to weed out the ones that are a couple of years old and no longer being updated.
Find an alternative plugin that is being currently maintained.
If you have a complicated site, e-commerce or membership, for example, you may want to copy the production (live) site to a staging server to perform the updates, making sure there are no issues or correcting those that you identify.
Always update your theme first, then the plugins and thereafter the WordPress core.
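The update routine above as a script, with a database and file backup taken first as recommended in tip 6. This is an added example, not from the original article. It assumes WP-CLI (the wp command) is installed; WP_PATH, BACKUP_DIR and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: back up, then update theme -> plugins -> core, stopping at
# the first failure. Assumes WP-CLI is installed; paths below are placeholders.

WP="${WP:-wp}"                                 # WP-CLI command
WP_PATH="${WP_PATH:-/var/www/html}"            # assumed WordPress directory
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"   # assumed; keep outside WP_PATH

# Echo one WP-CLI command, then run it against the site.
step() {
    echo "==> wp $*"
    "$WP" --path="$WP_PATH" "$@"
}

# Back up the database and files so a bad update can be rolled back, then
# update in the article's order. The && chain stops at the first failure,
# and the last step applies any database changes the new core needs.
run_updates() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" &&
    step db export "$BACKUP_DIR/db-$stamp.sql" &&
    tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_PATH" . &&
    step theme update --all &&
    step plugin update --all &&
    step core update &&
    step core update-db
}

# Stand-alone use: sh wp-update.sh --run
if [ "${1:-}" = "--run" ]; then
    run_updates
fi
```

Point WP_PATH at the staging copy first when the site is a complicated one, and run it against production only once staging comes through cleanly.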
Get started securing your WordPress website today.
If you implement all of the above, your site will be more secure than 90% of other similar sites where business owners don’t see this as a good use of their time.
Until everything goes pear-shaped!
Is there something critical that you think we should add to this quick security hacks list?
Let us know in the comments below.