Choosing WordPress to power your website is more popular now than it’s ever been. WordPress now powers 27.7% of all websites, and it has never been more important to make every effort to secure your WordPress website.
You pour your life and soul into your personal blog, or make your living through your business website – don’t make yourself an easy target.
Here are 3 easy steps to secure your WordPress website today.
1. Secure your WordPress Website – Keep Everything Up To Date
This is a no-brainer and by far the easiest thing you can do to secure your WordPress website: keep it up to date. By keeping the WordPress core install up to date alongside your themes and plugins, you make things that little bit harder for anyone with malicious intent.
Why Keep WordPress up to date?
As with any software, new WordPress releases add features, squash bugs and fix security holes. Security fixes are documented publicly in the release notes, so anyone can read exactly what an unpatched site is still exposed to.
Once a security hole is found and documented, any site still running the affected version is exposed to it – and the older your version of WordPress, the more known vulnerabilities apply to it.
For example, in versions 4.7.0 and 4.7.1 a vulnerability existed where the contents of a blog post or page could be changed by an unauthenticated visitor who knew exactly what request to send. This bug was fixed in 4.7.2. It’s easy to scan a WordPress website to find the version it’s running (the site advertises it in its own HTML, for instance in the generator meta tag) and in turn which exploits will work against it.
It’s remarkably easy to secure your WordPress website by keeping everything up to date.
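To show how little effort the version scan above takes, here is an added example (not code from the original post) that pulls the WordPress version out of a front page and compares it with the first patched release. The HTML is constructed; it leaks the version both in the generator meta tag and in the `?ver=` cache-buster that WordPress appends to its own assets, so stripping the meta tag alone does not hide it. The tuple `(4, 7, 2)` is used as the patched version only because the post names 4.7.2 as the fix.

```python
"""Pull the WordPress version a front page discloses and compare it with the
first patched release.  Added example, not code from the original post; the
HTML below is constructed, and (4, 7, 2) is used as the patched version only
because the post names 4.7.2 as the fix."""
import re
from html.parser import HTMLParser

# Constructed sample 1: the generator meta tag gives the version away outright.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.7.1" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=4.7.1" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body><p>Hello world!</p></body></html>"""

# Constructed sample 2: the owner removed the meta tag, but core assets still
# carry the WordPress version as a ?ver= cache-buster.
SAMPLE_HTML_NO_META = SAMPLE_HTML.replace(
    '<meta name="generator" content="WordPress 4.7.1" />\n', "")

# ?ver= on wp-includes assets is the WordPress version, except for bundled
# third-party libraries such as jQuery, which are versioned separately.
CORE_ASSET_RE = re.compile(r"/wp-includes/(?!js/jquery/).*\?ver=(\d+(?:\.\d+)*)")


class _VersionLeakParser(HTMLParser):
    """Collect the generator meta tag and ?ver= values on core assets."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_versions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag in ("link", "script"):
            m = CORE_ASSET_RE.search(a.get("href") or a.get("src") or "")
            if m:
                self.asset_versions.append(m.group(1))


def parse_version(text):
    """'WordPress 4.7.1' -> (4, 7, 1); None when no dotted number is present."""
    m = re.search(r"\d+(?:\.\d+)+", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def disclosed_wp_version(html):
    """Version the page leaks, preferring the meta tag over asset URLs."""
    p = _VersionLeakParser()
    p.feed(html)
    if p.generator and p.generator.lower().startswith("wordpress"):
        return parse_version(p.generator)
    return parse_version(p.asset_versions[0]) if p.asset_versions else None


def is_outdated(version, minimum):
    """True when `version` is older than `minimum`.  Tuples compare element-wise,
    so (4, 7) counts as older than (4, 7, 2), which is right for a bare '4.7'."""
    return version is not None and version < minimum


if __name__ == "__main__":
    for label, page in (("with meta tag", SAMPLE_HTML), ("without meta tag", SAMPLE_HTML_NO_META)):
        v = disclosed_wp_version(page)
        print(label, "->", ".".join(map(str, v)), "older than 4.7.2:", is_outdated(v, (4, 7, 2)))
```

Run against a real site you own, the only change is fetching the page instead of using the constructed string. The point is not that you should hide the version (attackers will simply try every known exploit anyway) but that the version is public, so the only real fix is to not be running an old one.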
How do I Keep WordPress up to date?
It’s easy to keep things up to date with WordPress – simply log in to your dashboard and check the top of the page. If you have any outstanding updates you’ll see a number next to the site name. Since WordPress 3.7, minor security releases of core install themselves automatically by default; major releases, themes and plugins still need you to click.
Click this and you’ll be taken to the update page where you can install updates to WordPress core, your themes and plugins.
In this example from one of my test websites you can see that 9 updates are currently outstanding (a slapped wrist for me!). When logged in to the dashboard, you can either click the number in the title bar or the Updates tab under Dashboard in the top left.
Once on the Updates page you can update the core installation of WordPress, your plugins and your installed themes to the latest versions.
2. Secure your WordPress Website – Get A Basic Firewall
I use the free basic version of Wordfence for my WordPress firewall needs (although others are available).
Wordfence acts as a web application firewall and intrusion detection system for the site: it monitors traffic to your website, checks that your files and database haven’t been altered with malicious code, and blocks brute-force attempts at guessing your password.
Wordfence also shows live traffic to your website so you can see how users are interacting with your site and which search engine bots are currently crawling it (Google, I’m looking at you), and it blocks intrusion attempts in real time – it’s fascinating to watch.
The best bit is that it’ll do 95% of everything you’ll ever need for free.
3. Secure your WordPress Website – Don’t Stick With The Defaults
I’ve always been a big proponent of a security methodology called “security through obscurity” – to understand it, let’s borrow a quote from wikipedia:
There are a few things you can do to apply this to your website. Bear in mind that obscurity on its own is not a defence: it makes your site less visible to the automated scanners that sweep the internet for default installs, but it will not stop a determined attacker, so treat it as a supplement to the first two steps rather than a replacement for them.
Don’t Use “Admin” as your user account
In older versions of WordPress, an administrator account called “admin” was created by default. Naturally, this is very easy to guess, and it hands an attacker half of the credential pair before they have even started guessing passwords.
I’d recommend that if you use the “admin” account to log into your site you stop what you are doing and rename it (using a plugin like iThemes Security – more info below). WordPress won’t let you change a username from the profile screen, so either use such a plugin or create a new administrator account, log in as that user and delete “admin”, attributing its posts to the new account when WordPress asks.
Change Your WordPress Login URL
By default every WordPress install serves its login page at www.domain.com/wp-login.php (and /wp-admin/ redirects there when you are logged out). This is easy to guess, because everyone uses it, and it’s a surefire way of confirming that your site is running WordPress.
I’d recommend changing it to something more obscure.
The easiest way of changing this is to use a WordPress plugin like iThemes Security (previously known as Better WP Security). Plugins like these allow you to change the address of the login page, enable two-factor authentication (in the paid version of the plugin) and much more.
If you keep the default settings and choose an easy to guess username, you are making yourself a very easy target. A unique username and a custom login URL make your site that much harder to hit with the automated attacks that aim at the defaults.
Bonus Point – Keep backups
This is an extra bonus point for keeping everything secure – make sure you keep a backup of your site.
As WordPress is database driven, it is unfortunately not a simple case of just downloading the files and storing them locally: you need to back up the database at the same time, and the two should be taken together so that they match.
You should be able to back up the WordPress database via your web host (commonly through phpMyAdmin or a mysqldump from the control panel; there are many ways to do it, so please contact your host directly), but it’s simpler to use an online service such as ManageWP to do it for you.
ManageWP and other similar services require a plugin to be installed on your site that takes the legwork out of backups. Typically you choose the frequency of backups and the service takes care of everything else for you, including storing them. ManageWP’s backups start at a couple of pounds a month for daily backups, but a free monthly backup tier also exists.
By having a backup, you can always recover your site should the worst happen – and test restoring it occasionally, because a backup you have never restored is an assumption, not a safety net.
There are 3 things you can do today to secure your WordPress website that are free and easy to implement:
- Ensure everything is up to date
- Install a basic WordPress firewall
- Move away from the defaults
Not only are these easy to implement, they could also deter a potential attacker from targeting your site – don’t make things easy for them.
This isn’t an exhaustive post and I’m not a security expert, so these are just a few simple things to improve the security of your website. If you’d like some more information on IT security in general, then please check out my old colleague Kyle Marsh’s Cyber Security Blog or visit his YouTube channel.