Let’s face it, sometimes all you really want to do is focus on publishing your content and promoting your business. The thought of taking on another task or responsibility that distracts from that primary goal can be one you feel tempted to push aside until it’s absolutely necessary to deal with. To that point though, I must ask:
When was the last time you thought about your WordPress website’s security?
With over a billion websites now online and more than enough hackers willing to sift through them in search of vulnerabilities, security isn’t something we can afford to put on the backburner. According to analysis done by Sucuri, 78% of all infected websites they dealt with in Q1 of 2016 were on WordPress. Scary, right?
From the individual blogger to the Fortune 500, no company’s or individual’s website is safe. That’s why security should be a top concern for everyone going forward.
Tips for Better WordPress Website Security
It’s not enough anymore to rely on your hosting provider’s add-on security to protect your website. As the technology we use to build and enhance our websites grows, so too do hackers’ capabilities to break through that technology and get in. We need a more robust system to not only protect our websites, but to also protect our customers (and other visitors who drop by).
If you haven’t taken steps yet to properly secure your website or if you’re just interested in seeing if there are any angles you’ve missed, consider the following suggestions for how to amp up your site’s security:
- Enforce stronger passwords, not just for you but also for anyone else who logs into your site.
- Get rid of the default “admin” username. Hackers know this is the default and they’ll try to crack that one first.
- Everyone knows that WordPress login pages are automatically assigned to the website domain plus /wp-admin/, so you’ll want to change the default login URL to something else.
- Protect your website’s wp-config file by moving it out of the root directory and away from hackers’ reach.
- Purchase an SSL certificate (check with your host provider on this) and move your site to the more secure HTTPS.
- If your hosting provider offers backup and security add-ons, get them.
- Back up your website regularly in case a hacker takes your site down and you need to restore it.
- Always keep your “core” updated to the most recent version of WordPress. They typically release updates after they’ve uncovered a known security threat, so it’s important that you stay on top of this too.
- When using themes to design or build your site, always make sure they’re from a reputable provider. Check the reviews, ratings, and comments to ensure you’ve got one with high quality coding, good support, and no history of security breaches.
- When using plugins, again, always make sure they’re from a reputable provider. Check all the reviews, ratings, and comments to verify that there are no known issues associated with them.
- Theme and plugin developers also release updates regularly; sometimes to improve functionality or work out a bug, and sometimes to patch a security issue. Always make sure to keep these up to date.
- Use security plugins to create extra layers of protection for your site and automate what would otherwise be a difficult and time-consuming task for you. There’s more on this below.
Plugins for Better WordPress Website Security
WordPress is a great platform on which to build a website. But no matter how diligent WordPress is in vetting theme and plugin developers, or in keeping their own platform free of security breaches, that doesn’t mean your site is safe. You’ve got to do some of the work, too.
To be honest, even if you followed all of the tips above, your site might still not be 100% secure. That doesn’t mean you shouldn’t do everything you can to improve your chances in fending off an attack though.
The following plugins have been created by highly trusted developers and have a history and record of satisfied WordPress users. If you’re looking for a good place to start, check these out:
While the Akismet plugin isn’t necessarily one that people think of in terms of securing a website, think about your visitors for a second. Even if they’re not sharing personal information with you, they’re still reading the content—and comments—on your website. If an unsafe link should happen to make its way into the comments of your posts and a visitor clicks on it, you’ll be putting your visitors in danger and risking your own reputation by allowing that sort of security breach to make it onto your site unchecked.
For WordPress users looking for a simple security check tool that’s built right into WordPress, take a look at the AntiVirus plugin. You can run daily scans on your website and receive automatic notifications straight to your inbox or your WordPress dashboard if an issue is identified.
3. All in One WP
This “all in one” WordPress plugin is no joke. If you’re looking for help cleaning up usernames and passwords, this will do it. If you want to change the default login URL, this will do that as well. You’ve also got a built-in firewall, brute force login prevention, spam security, a scanner with a built-in grading system, and more.
4. Clef Two-Factor Authentication
Passwords are often one of the more delicate parts of your website and yet you and your users probably might not give too much thought to them. With the Clef plugin, you shouldn’t have to. With a highly secure system of encrypting your login information, Clef protects the front door to your site.
5. iThemes Security Pro
Free WordPress plugins are great at monitoring your site and sending real-time notifications when something happens. Sometimes you might want something a little extra. This premium plugin from iThemes will cover pretty much all your security needs, including backups, changing your default URL, error detection, brute force protection, Google reCaptcha integration, and more.
6. Really Simple SSL
The role an SSL certificate and HTTPS play in your website’s security cannot be ignored. Once you’ve got your SSL certificate (you should be able to get this from your host provider), use this plugin to set everything up on your site and ensure all of your pages, links, and images have made the full switch to secure HTTP.
7. Shield WordPress Security
If you’d prefer to pursue the free plugin route before investing in premium security support, give this Shield plugin a look. It’s easy to use, monitors your site for insecurities, provides extra protection at login, blocks comment spam, and takes care of automating your core system updates.
While Sucuri does offer a free monitoring plugin as well as the free site scanner, I think the premium plugin is an investment worth making (it’s only $16.66/month). This plugin will not only help defend your site against hackers, malware, and infections, it’ll also work with Google to ensure your site is never blacklisted as a result of a hack. That’s quite a steal to get WordPress security and brand reputation monitoring all rolled into one.
9. UpdraftPlus WordPress Backup Plugin
Securing your website from an attack is only one piece of the puzzle here. What do you do if your website does go down after an attack? You don’t want to waste time having to rebuild your website or re-implement the last few rounds of updates because you didn’t have the latest and greatest version of the site saved. The UpdraftPlus plugin will back up your website as frequently as you want and save it in a location of your choosing.
10. Wordfence Security
Just one look at the stats on this plugin and you can see that they’re not only serious about WordPress security (the last update was a week ago, as of writing this), but it’s also been installed on over a million sites with a 4.8-star rating. If you want a free security plugin that you can trust to scan, monitor, and protect your site, give this one a try.
11. WP Security Audit Log
If what you need is extra visibility into WordPress, this is a good plugin to have on your side. You’ll be able to see who exactly is on your WordPress site, what they are doing in the backend of WordPress, and you can get regular reports on all activity within your platform and site to ensure there isn’t any sneaky or harmful behavior going on behind your back.
At the end of the day, it’s important to remember that every website needs security. The plugin you use and the methods by which you choose to monitor and secure your site are up to you though. As you can see from the list above, there are more than enough options to cover your site at different entry points as well as at different levels of security.
The main point I’m trying to make? You shouldn’t start worrying about securing your WordPress site after it’s too late. There are tools available to manage and automate all this for you. Make the investment now, so you can keep your website, your brand, and your customers safe.
Nathan Oulman owns and operates dailyhosting.net which features web hosting based reviews and technical support reviews.