In this post I'd like to share with you how you can increase the security of your WordPress site. WordPress security is a well-discussed topic amongst the techies online, but unfortunately only a few WordPress users actually pay attention to it. They simply don't worry about the security of their site, because they don't know about the threats that are out there.
Please read this post carefully, as it might save your business from failing! Yes, you've read that right. Since you're reading this, I assume that you're selling online. So there's a high probability that you've built your site with WordPress, which makes WordPress the foundation of your business.
Caring about WordPress security is MANDATORY these days, because it's the most used content management system worldwide. Its popularity makes WordPress easy to extend: there are millions of plugins and themes you can install on your site, and countless developers are continuously creating new functionality for WordPress.
But a system that is so widespread all over the world is also a perfect target for hackers and for automated software trying to find flaws in the security of WordPress plugins, themes, and even the core files. Just a few days ago my website got attacked by an automated robot, brute-forcing the password for my user account. Since I have some security mechanisms in place to protect my site, it didn't succeed.
Let me show you how you can increase your WordPress security without having any special technical knowledge. I won't ask you to write any code, or to understand how the code of WordPress works (if you do, you know what you have to do to protect WordPress). There are ways and methods anyone can leverage to increase his or her WordPress security, so please follow along!
The biggest issue about WordPress security is that attacks take place without WordPress hosts knowing about them. It's very likely that your blog has been attacked already, but that you didn't notice it since you don't have any monitoring systems in place.
There are services like Sucuri that offer amazing monitoring and security services for your WordPress, but with free plugins you can get notified about your website being attacked as well. Often your web host offers monitoring solutions that notify you about unusual traffic statistics, which may indicate an ongoing attack. Check in with their support team to find out whether you can set up monitoring with them or not.
Unfortunately, most attacks are only discovered when your website is already affected. The official FAQ for WordPress security has some tips for you when your website has been hacked. To avoid your website getting hacked, follow the best practices that I recommend in this post. They will help you implement a certain level of WordPress security for your website.
This definitely is one of the biggest problems that non-techy WordPress users face. Installing updates might ruin your site, because the update might change something in a plugin or theme that breaks other things and messes up your site. Yet, installing updates is mandatory to increase WordPress security, because updates most often close security issues that might be exploited by hackers.
Installing updates for WordPress, plugins, and themes is especially tricky when your site is heavily customized. ALWAYS ask your web designer or developer if it is safe to install an update. Otherwise you might just break the custom functionality and totally mess up your site.
In the best practices below I'll show you how to handle updates easily, so that you can leverage updates to increase your WordPress security.
The username "admin" is the username that's used most often for attacks. Therefore it's crucial to remove the admin user from your WordPress, to increase the security.
Since the login to a WordPress backend always ends on "wp-config.php", it's easy for robots and automated scripts to test that page with various username/password combinations. These attacks can either be brute-force or dictionary attacks. Both have the goal to find a username/password combination that gives access to the WordPress backend.
To increase your WordPress security, you need to avoid that those attacks are successful. Knowing that the "admin" user is the default target for most hacks, please remove it from your WordPress site.
Also make sure that your password contains at least 12 characters, including upper-/lower-case characters, numbers, and special characters. I use a password manager called LastPass for this purpose; all my passwords have at least 30 characters. Passwords this long are mathematically impossible to break in a reasonable amount of time (it usually takes more than several decades), so you're pretty secure with long passwords.
Creating backups for your site is mandatory! It doesn't increase your WordPress security directly, but having a valid backup helps if something goes wrong. Being able to recover the years of work you invested into your platform will be a game changer if things go really bad. What would happen if your site stops working today? Could you bring it back up and keep your business running?
A great paid plugin that some of my clients rely on is called BackupBuddy. It lets you schedule automated backups pretty easily and even lets you move your site to a new server in the twinkling of an eye.
A free alternative to BackupBuddy is BackWPUp. I use this personally on all my sites. It's a bit less intuitive to use for non-techies and has fewer features compared to BackupBuddy, but it's great at doing backups. It comes with a scheduling function and integrates with most storage providers like Dropbox, Amazon S3, your own FTP server, and others. The main difference from plugins like BackupBuddy is that it doesn't have a restore function, but I'll create a tutorial on this very soon and publish it on JK TV.
Both plugins work like a charm; it really is your choice. If you need a polished interface to feel comfortable, BackupBuddy might be your preferred choice.
Either way, make sure to save your backups somewhere other than on your server! If your server gets hacked or you can't access it anymore, your backups are useless! Get a free account at Dropbox, Google Drive, or somewhere else and save your backups to the cloud. This ensures that you can always access them and recover your site, even when your server is not accessible.
A web application firewall is a system, either inside your WordPress or outside of it (software-as-a-service), that secures your website against the most common attacks. Firewalls are able to block traffic coming from countries known for hacker attacks, block automated requests from robots, protect your login form, scan your website for malware, and detect file changes that shouldn't occur.
This might sound geeky to you, and it is to a certain degree.
Sucuri offers an amazing service to protect websites and increase WordPress security. Their website monitoring service uncovers infections with malware and other nasty stuff, thus preventing your site from being blacklisted by Google and helping you to get rid of infections fast.
The paid Sucuri service also integrates nicely with their free solution Wordfence. That's a free plugin that I rely on to protect my website and it is also part of increasing the WordPress security for my clients. Wordfence comes preconfigured with basic settings and allows skilled users (geeks) to define more granular security options.
Another very nice feature of Wordfence is the notification functionality. You get emails every time an administrator logs in to your site and when Wordfence blocks an attack on your WordPress. Definitely useful stuff!
Leaving unused plugins or themes active and installed is a huge risk for your WordPress security. They're often neglected in updates, which may leave security issues unsolved and leave open doors for malware. For example, the Mailpoet vulnerability infected hundreds of thousands of WordPress sites (see that the article is by Sucuri?). If you have plugins like this active on your site and you're not paying attention to them because you're not using them, you're inviting hackers and automated scripts!
My rule of thumb is to limit the use of plugins and themes to the minimum that's absolutely necessary. You can only use one theme (except child/parent themes), so why have others installed? Why leave plugins installed that you're not using anymore? Clear up your plugins and themes!
This is probably the most important advice I can give you to increase your WordPress security. As mentioned above, installing updates can be tricky on sites with lots of plugins and on heavily customized WordPress installations.
My tip is to create a weekly (or daily) backup schedule, using the process I outlined above. Do a backup every time before you install updates to your blog; this gives you the ability to restore a working copy of your WordPress site in case an update goes wrong.
I'll create a tutorial on how to restore websites with BackWPUp manually for JK TV very soon, so stay tuned 🙂 If you're using BackupBuddy or another backup plugin, you may have a restore functionality that you can use in case something goes wrong.
Ok, this is just a short overview on what you can do to increase your WordPress security! I'm offering a 4-layer approach in my WP Security Package, securing your web server configuration, database, files, and your WordPress installation. If you want to get more information about this offer, drop me a quick line or buy it directly from my services page.
I'd love to hear your thoughts on WordPress security. Have you had issues with your site yet? Leave a quick comment below to share your experiences with the other readers, we're here to learn from each other.