Anyone who’s had a website designed and built by us knows WordPress is our platform of choice. We love it because it’s fast, is constantly being developed and improved, and is infinitely extensible (you can start with a very simple website – and it can grow with your business).
WordPress is so popular these days that more than 75 million sites are built using it.
Unfortunately, the platform’s popularity makes it an easy target for hackers, who know that if they find a security hole in one WordPress site, it likely exists in others.
Is there anything you can do to protect your WordPress site and keep it secure? Yes, there are five things you can do, in fact.
Your login information is always the first line of defence against hackers.
Please, please PLEASE do not go with WordPress’s default suggestion of ‘admin’ for your username.
And please, please PLEASE create a super-strong password for your site – one that uses at least eight characters and mixes capital and lowercase letters with numbers and symbols.
If you already have a WordPress account and you’ve discovered you can’t simply change the ‘admin’ username to something else, follow the steps below. (If you’d like the steps below with screenshots, head here):
Unfortunately, a strong username and password alone cannot prevent attempts to log in. Hackers can also use a brute-force attack, which is a trial-and-error method used to access your site.
To make it much harder for hackers, you could limit the number of login attempts.
Install a plugin like WP Limit Login Attempts that limits the number of times a user can attempt to log in to your account.
This is the easiest way to keep your site secure, yet the vast majority of people don’t do it. If you log in to your WordPress admin area and it’s telling you your WordPress installation or your plugins need updating … then please update them! All it takes is a couple of clicks in most cases.
Not sure if anything needs updating? Go to the ‘Updates’ tab under the Dashboard menu item in your WordPress admin.
Do you hardly ever log in to your WordPress admin? Speak to your web host about enabling automatic backups for both WordPress and plugins.
If you give someone the cPanel or FTP logins for your site, you are giving them access to ALL your site files. That’s why it’s vital to keep those logins to yourself. If you need to give those details to someone else to do work on your site for you, ask your web host to create a login just for them. When they’ve finished working on your site, you can then revoke access to those login details.
You can also give people secure access to logins and passwords by using a password manager like LastPass.
The gold standard way to back up your WordPress site is to take a full cPanel backup. You can view the steps for doing that here. You should try to keep at least 8 weeks’ worth of backups on hand at all times.
Why is this a brilliant way to protect your site? It means that if your site ever does get hacked, you can restore it back to a ‘clean’ version.
Once a site’s been hacked, it can be cleaned up (at a cost), but chances are the hackers will have left behind some way they can access the site (that can’t be identified). Unfortunately, a site that’s been hacked once is likely to be hacked again.
Why should you always keep two months’ worth of backups on hand? Because sometimes a hack can take a week or three to be noticed. If you only have one week’s worth of backups, there’s a good chance that week-old backup contains the hacked files too.
While the above list does not cover all the available security measures you could take to defend your site, the measures on it are effective and simple prevention methods that do not need any specialised coding knowledge.
While your web host does everything they can to keep their servers secure (after all, it’s a massive pain in the butt for them as much as it is for you if your website gets hacked), no host in the world can protect themselves 100% against hackers who are determined to get in.
It’s also really important to note that the terms and conditions of every hosting service state that the buck ultimately stops with you when it comes to keeping your site backed up and protected.