How Safe is Your WordPress Website?
If you’re a business owner, and you run a WordPress website, you probably have some sensitive content to protect. You want to keep your website safe because it represents your business online. It’s what customers see and it’s how they interpret your business’ professionalism. Once you’ve been hacked, it’s very obvious, and it can truly hurt your digital presence, even your SEO efforts.
In recent years, hacking has become an increasing problem, not only for WordPress, but for the Internet as a whole. Hackers, or hacking robots simply known as “bots”, are constantly trying to break into any platform they can. It’s not always personal either. You don’t have to have enemies or competition in order for your website to get hacked. It could be dumb (bad) luck.
Hollywood often portrays hackers as black-hoodie wearing teenagers in their parent’s basements, but the reality is that almost all hacking attempts come from bots, and very few hacking attempts are actually targeted.
Bots are constantly trying to break into everything, all the time. They are trying their best to break into your site, so it’s up to you to do your best to make it safe for your customers. Here are 9 easy ways to keep your WordPress website safe:
- Update WordPress, Themes and Plugins Frequently
- Use a Security Plugin
- Use Better Passwords for all Administrator Users
- Buy an SSL Certificate
- Update PHP to the Latest Version
- Don’t Use The “Admin” Username
- Change the /wp-login/ Page to Something Else
- Deny Access to Sensitive Files
- Get A Web Application Firewall (WAF)
Why Keeping Your WordPress Website Safe is Important
Hackers are successfully breaking into thousands of sites everyday, and this affects businesses of all shapes and sizes.
WordPress is often an easy target for hackers for several reasons. While it’s core components are very safe, most website rely on third-party themes and plugins that are not always kept up-to-date. Hackers typically find backdoors from these poorly coded, or outdated plugins and themes.
It might seem overwhelming, and you might thing locking down your website completely is futile, but there are several steps business owners can take to greatly increase their cyber-security with WordPress:
Update WordPress, Themes and Plugins Frequently
It’s easy to forget to check your theme and plugin updates on a regular basis, but it’s super important to find a schedule that works for you, and keeps your website safe.
Although WordPress core updates are not very frequent (every month or so for minor updates), popular plugins such as Contact Forms 7, Yoast SEO, Wordfence, Jetpack, etc., all update at least once a week.
Our stance on the frequency of plugin updates is that doing it once a week is good enough for most businesses. If you want, you can even set your plugin updates to run automatically in most environments.
Remember, outdated plugins and themes is the #1 most common hacking method in WordPress. Don’t overlook this crucial step in keeping your website secure from hackers.
Use a Security Plugin
Having too many WordPress plugins can be a security issue, in the sense that they are harder to update because you might have too many of them to keep track of. The more outdated plugins you have, the more likely an intruder will find his way in.
But keep in mind that one of the most essential plugins for WordPress is a security one.
Our favourite plugin, which is installed on all our sites, is Wordfence.
- Login security (they actively block all suspicious attempts to login – and trust us, there are lots!)
- 24/7 Incident Response Team
- Two-Factor Authentication
- Malware scanning
- A premium Firewall – although this is not included in the free version, it’s worth it if you’re concerned about securing sensitive data.
Use Better Passwords for all Administrator Users
If you run a WordPress website with multiple “Admin” user roles, make sure that they all have secure passwords.
Most people will re-use the same password for everything they access online to make it easier to remember, but this is bad practice.
In theory, you should never use a dictionary word, or even a variation of one (like [email protected] for example), since brute force hacking software can guess this is seconds by using special code that guesses anywhere from 10,000 to 1 billion passwords per second.
You should always use a completely arbitrary password that’s at least 9-12 characters long, with special characters peppered in randomly. The longer the better. Adding a few extra characters to your password can take it from a “few seconds to hack”, to a “few centuries to hack”.
Every added character makes it exponentially harder to guess!
That’s why my password is… just kidding (but seriously, never share your password!).
Buy an SSL Certificate
SSL certificates (Secure Sockets Layer) are a standard in today’s web landscape. If you own a e-commerce website or even collect your customer’s email addresses through contact forms, your website should absolutely be protected by an SSL certificate.
These certificates encrypt the data between the server and the web browser so that hackers can’t hijack it. Once you have one installed, you will get a little lock next to your URL in the address bar:
You can get an SSL certificate by purchasing one from any hosting company (typically the one your website is hosted on), and some hosts give them away for free!
Inquire with your hosting company today if you still don’t have one.
Update PHP to the Latest Version
It can already by difficult to keep track of outdated plugins and themes, but you also have to update your PHP version as well.
I know this seems like a lot, but luckily WordPress makes it easy to know when your current PHP version becomes outdated.
If your hosting package is using an outdated PHP version, you’ll see a message like this on your dashboard:
Don’t Use The “Admin” Username
By default, when setting up WordPress, it suggests using “admin”, which is why most website’s administrator accounts will have “admin” as a username.
This is not a foolproof hacking-prevention method, but it makes it that much harder for hackers to gain access to your account, since they don’t have an obvious username to match with the password guessing software.
We recommend changing the “admin” username to something else, if that’s what you are using on your website.
Change the /wp-login/ Page to Something Else
By default WordPress uses the URL yourwebsite.com/wp-admin/ to grant users access to its login page.
Most WordPress hackers know this, so they will always look for that extension of your URL to gain access to your login page.
Thankfully, changing your WordPress login page URL is fairly easy and can be done by using a plugin.
Try using the WPS Hide Login plugin to hide your login page.
Deny Access to Sensitive Files
The wp-config.php file is the core installation file in WordPress and it contains super sensitive info about your WordPress installation, like your database connection details, which is what hackers need to completely take over your website.
Adding the code below to your .htaccess file can help protect those files:
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$"> Order deny,allow Deny from all </FilesMatch>
Get A Web Application Firewall (WAF)
A web application firewall (WAF) helps to block hackers by filtering out malicious types of traffic, like distributed denial-of-service (DDoS) attacks or spammers.
You can get a firewall by signing up to a CDN service like Cloudflare, or by purchasing the premium version of the aforementioned plugin, Wordfence.
While some developers feel WordPress is not as safe as other platforms, the reality is that it can be very well ‘hardened’ to fight off any would-be attacker. WordPress is a wonderful platform with lots to offer, but make sure you secure it well enough to protect your business by following our simple tips, and give your customers the full potential WordPress has to offer.