If you’re worried by the time you read these WordPress website security tips, then I’ve accomplished what I set out to do. I don’t make a practice of being a fear monger but, in this case, I’m willing to be one to get you to be proactive!
You’ve probably heard the term “hacker” before. You may even know someone who got hacked. But, do you know what this really means?
A hacker is a species of vermin that lives throughout the world and breaks in to your website with the intention of wreaking havoc. They typically do this by inserting malicious code into your site, effectively hijacking it.
Why do they do it? Here are some of the main reasons:
To send spam
To steal your data (especially email addresses so they can send more spam)
To redirect your visitors to a website of their choice
To broadcast obscene or illegal content to your visitors
To turn your site into a weapon that destroys other innocent websites
To completely destroy your site (just because they can)
Just like the vermin that infest actual houses, it’s crucial to stop hackers from ever getting in—because it’s VERY difficult to get them out once they’re in and they can permanently destroy the reputation of your domain name.
WordPress sites are the most popular target for hackers. Why? It’s estimated that 31% of websites are WordPress sites—and 83% of hack jobs are done to a WordPress site. When the hackers figure out how to get in to WordPress sites, they can get in to A LOT of them. Also, WordPress is “open source,” which means that the code used to run it is visible to everyone—even the hackers. Although WordPress has a diligent team dedicated to foiling hackers, you are in no way relieved from taking action to protect yourself. If a hacker finds a vulnerability before WordPress does, the hacker wins.
Back in 2015, the leading security provider for WordPress websites, Wordfence,stated that there was an “approximate doubling of brute force attacks on WordPress sites”—from 10,000 to about 20,000 per minute. And, this is not even the highest they’ve seen. Three entities are doing the attacking—individual humans, a single robot or a “botnet” (a group of robots). The human is the rarest.
Access points (or doors) into your website include, but are not limited to:
An insecure hosting account
Weak passwords on the WordPress admin login page
PHP code (in your WordPress theme, plugins, etc.; especially if it’s outdated)
I’ll never forget many years ago when I went to login into to one of my personal WordPress websites and saw a dreaded white screen with a blunt message:
“Error accessing database. Please contact your server.”
It turns out there was a rash of brute force attacks against my previous website host and they went into ninja mode. I was proud that not a single vermin was able to get into any of my sites and a simple server reset was all that was needed to fix what could have been a tragedy for many people and businesses.
I want you to be so fortunate, which is why I am sharing some important website security tips.
Website Security Tips
Here are several key WordPress website security tips that will help your site be a formidable fortress:
2. Secure your site at the hosting level. Having an SSL certificate is no longer an option for reputable websites. It’s also a good idea to have an actual conversation with someone at your hosting company to assess their attention to security and ensure that you are taking advantage of all the security options they offer.
3. Use secure user names and passwords. According to WPTemplate, about 8% of WordPress websites are hacked as a direct result of weak passwords.
Do not use the same username and password for all of your logins, especially if it is some variation of a pet, child or maiden name with your birth year thrown in for good measure. Do use passwords that make your head spin—recommendations are for a minimum of 12 characters (a mix of upper and lower case, special characters and numbers).
I highly recommend you use a password manager, which have a Password Generator that creates passwords that are virtually impossible to be cracked. Also, enabling two-factor authentication adds another layer of protection to the login entry portal.
4. Use a reCaptcha plugin. Using a reCaptcha plugin doesn’t even let the robot hackers have a chance at breaking in through your WordPress admin login or contact form(s). I recommend Invisible reCaptcha.
5. Purchase the Premium version of a reputable and effective security plugin. The better ones scan your site to make sure it’s clean, then protect it against brute force attacks, malware, and spam. Some even speed up your site. WordFence is my personal favorite (message me to learn more).
6. Make sure you have a full (and current) site backup that is not stored on your host server. In this virtual age, a backup of anything is a must. Don’t forget about backing up your new website or make the mistake of assuming that your host or designer has it backed up.
Not only do you want to make sure that your site is being regularly backed up, you want the backup files to be stored off the server. Why? I’ve seen hacking jobs that have completely destroyed everything in the hosting account, including the backup file. If you do get hacked and you have an uncorrupted backup file, getting back online is usually as simple as erasing everything that’s been corrupted and restoring your latest backup.
We recommend UpdraftPlusif you want to do it yourself — or you purchase our Security and/or Maintenance Packages, which include a one-time or regularly scheduled backups stored in the cloud (i.e., Dropbox, iCloud, OneDrive, etc.)
It’s said that 32% of websites are hacked due to a WordPress vulnerability and 40% through outdated plugins. By updating to current versions, you are ensuring that you have the most recent protection available and you effectively lock your website doors tighter. (Staying up to date also ensures that your website is running faster, so you aren’t being punished by Google’s algorithm for being too slow.)
But, BEWARE…if you don’t know what you’re doing, updating your WordPress theme can totally overwrite all the customizations you or your designer did!
If you don’t feel confident you can handle all of this by yourself, or feel short on time, get hold of us sooner rather than later so we can do it for you. Our Website Security Package includes all of the above, plus some additional technical tweaks that provide further protection. Once you purchase it, we’ll have you locked down and backed up within days!
We may receive commissions when you click the links on this page and make a purchase. However, this is not why we include them here. We truly believe these service providers will help you and your business!
We’re here to help bring balance to your life and success to your business through quality work, reliable assistance, and creative thinking.
Janet Doré is the CEO (Chief Everything Officer) of Scribaceous, Inc., and has been passionately supporting her clients since 2013. Learn more about her here and connect with her on Linkedin and Facebook!