Anyone who’s had a website designed and built by us knows WordPress is our platform of choice. We love it because it’s fast, constantly being developed and improved, and infinitely extensible (you can start with a very simple website, and it can grow with your business).
WordPress is so popular these days, more than 75 million sites are built using it.
Unfortunately, the platform’s popularity makes it an easy target for hackers, who know that if they find a security hole in one WordPress site, it likely exists in others.
Is there anything you can do to protect your WordPress site and keep it secure? Yes, there are five things you can do, in fact.
1. Create a strong username and password
Your login information is always the first line of defence against hackers.
Please, please PLEASE do not go with WordPress’s default suggestion of ‘admin’ for your username.
And please, please PLEASE create a super-strong password for your site – one that uses at least eight characters and mixes capital and lowercase letters with numbers and symbols.
If you already have a WordPress account and you’ve discovered you can’t simply change the ‘admin’ username to something else, follow the steps below. (If you’d like the steps below with screenshots, head here):
- Back up your WordPress site by taking a cPanel backup (click here for the steps).
- Log in to your WordPress admin area and create a new user (you will find this option under the “Users” tab in your WordPress admin). Choose a username that would be hard to guess (don’t just use your name) and a strong password.
- Make sure that new user is an Administrator.
- Log out of your WordPress admin and log back in as the new user you just created.
- Go to Users in your WordPress admin menu and delete the user called ‘admin’ (NOTE the next step below – it’s very important).
- THIS NEXT BIT IS IMPORTANT: Select the new username you just created from the ‘Attribute all posts’ drop-down, before clicking on Confirm Deletion.
- The ‘admin’ user should now be deleted, and all their posts should be attributed to you.
2. Limit login attempts
Unfortunately, a strong username and password alone cannot stop attackers from trying to log in. Hackers can also use a brute-force attack, which is a trial-and-error method of guessing your login details until one combination gets them into your site.
To make this much harder for hackers, you can limit the number of login attempts.
Install a plugin like WP Limit Login Attempts, which limits the number of times a user can attempt to log in to your account.
3. Update WordPress and plugins regularly
This is the easiest way to keep your site secure, yet the vast majority of people don’t do it. If you log in to your WordPress admin area and it’s telling you your WordPress installation or your plugins need updating … then please update them! All it takes is a couple of clicks in most cases.
Not sure if anything needs updating? Go to the ‘Updates’ tab under the Dashboard menu item in your WordPress admin.
Do you hardly ever log in to your WordPress admin? Speak to your web host about enabling automatic backups for both WordPress and plugins.
4. Manage cPanel and FTP access
If you give someone the cPanel or FTP logins for your site, you are giving them access to ALL your site files. That’s why it’s vital to keep those logins to yourself. If you need to give those details to someone else to do work on your site for you, ask your web host to create a login just for them. When they’ve finished working on your site, you can then revoke access to those login details.
You can also give people secure access to logins and passwords by using a password manager like LastPass.
5. Take weekly backups of your site
The gold standard way to back up your WordPress site is to take a full cPanel backup. You can view the steps for doing that here. You should keep at least 8 weeks’ worth of backups on hand at all times.
Why is this a brilliant way to protect your site? It means that if your site ever does get hacked, you can restore it back to a ‘clean’ version.
Once a site has been hacked, it can be cleaned up (at a cost), but chances are the hackers will have left behind some way of getting back in that the clean-up doesn’t find. Unfortunately, a site that’s been hacked once is likely to be hacked again.
Why should you always keep two months’ worth of backups on hand? Because sometimes a hack can take a week or three to be noticed. If you only have one week’s worth of backups, there’s a good chance that week-old backup contains the hacked files too.
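An added illustration (not from this post) of why one week of backups is not enough: using constructed dates and a hack that went unnoticed for three weeks, it works out which retained weekly backup, if any, predates the compromise, for one, four and eight weeks of retention.

```python
from datetime import date, timedelta

# Constructed scenario (not from the post): weekly cPanel backups, the latest
# taken the day the hack was noticed, and the hack having gone unnoticed for
# three weeks, the upper end of the "week or three" the post warns about.
LATEST_BACKUP = date(2024, 3, 24)
NOTICED_ON = date(2024, 3, 24)
DWELL_DAYS = 21

def weekly_backups_on_hand(latest, weeks_kept):
    """Backup dates a weekly schedule leaves on hand with the given retention."""
    return [latest - timedelta(weeks=i) for i in range(weeks_kept)]

def clean_restore_point(backup_dates, compromise_date):
    """Newest backup taken strictly before the estimated compromise date, or None
    when every backup on hand was taken after the site was already compromised.
    A backup taken on the compromise day itself is treated as suspect."""
    clean = [d for d in backup_dates if d < compromise_date]
    return max(clean) if clean else None

def compare_retention(weeks_options=(1, 4, 8)):
    """For each retention length, the date of the backup you could safely restore."""
    compromise = NOTICED_ON - timedelta(days=DWELL_DAYS)
    return {w: clean_restore_point(weekly_backups_on_hand(LATEST_BACKUP, w), compromise)
            for w in weeks_options}
```

In this scenario one and even four weeks of retention leave no clean backup at all, while eight weeks still gives you a restore point from 25 February.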
WordPress security starts with you
While the list above does not cover every security measure you could take to defend your site, these are effective, simple prevention methods that do not require any specialised coding knowledge.
While your web host does everything they can to keep their servers secure (after all, it’s a massive pain in the butt for them as much as it is for you if your website gets hacked), no host in the world can protect themselves 100% against hackers who are determined to get in.
It’s also really important to note that the terms and conditions of every hosting service state that the buck ultimately stops with you when it comes to keeping your site backed up and protected.