WordPress is the most popular content management system on the Internet. If you’re looking at any website, there’s a 35% chance that it’s built on WordPress.
And because it’s so popular, it’s also an easy target for hackers. If there’s a way to get in, you can be sure that it’s already been exploited.
So you need to make sure that your WordPress setup is as airtight as possible. Here are seven tips to help you keep your WordPress secure.
Whenever there’s an update, update. Get into the habit, no matter how small the updates are. Update your plugins. Update your themes. Update the software. Keep everything updated.
These aren’t just vanity updates to make a developer feel better about themselves — most of the time they’re fixing security issues. Or they’re fixing bugs. You want a smooth-running WordPress installation? You update.
Check your passwords and change them if necessary
Are you using the same password across multiple sites? Or do you think you’re being clever and are changing the number at the end? You don’t even need to check HaveIBeenPwned — you know that password’s been cracked somewhere.
You need to make sure you have a unique password for your WordPress administrative account on your site. Luckily, WordPress makes it easy to generate one, but then it’s a matter of remembering it. Look into password safes like KeePass, 1Password or LastPass and make sure you keep that safe and secure as well.
Review who has administrative privileges
Did you give a developer admin rights on your WordPress install to fix something? What about people who have left the company? Do you even have an account with an “Admin” login?
All of these are easy ways for people to get into your site. Go through your list of users and if there’s anyone on there who shouldn’t have rights to your site, set them to “No role for this site”. That means that even if they log in, they can’t do anything on the site, and, if you’re running a blog with individual authors, it’ll still keep them listed as the author of articles.
And if you’ve actually made an administrative account with the login of “admin”, please change it. You’ve pretty much just left your front door open there.
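One way to run this review from the command line, as an added example that is not part of the original post: the function below reads a CSV list of administrators and flags the default "admin" login and any account missing from your approved list. It assumes WP-CLI is available to produce the list (see the comment); the function name, the approved login and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag WordPress administrator accounts that need review.
# Feed it the CSV that WP-CLI prints (assumes WP-CLI is installed):
#   wp user list --role=administrator --fields=user_login,user_email --format=csv \
#     | audit_admins alice
# Arguments are the logins you expect to be administrators (your own list).
# Assumes logins and emails contain no commas or quotes.

audit_admins() {
    approved=" $* "   # space-padded so only whole logins match
    findings=0
    while IFS=, read -r login email || [ -n "$login" ]; do
        # Skip the CSV header row and blank lines.
        if [ "$login" = "user_login" ] || [ -z "$login" ]; then
            continue
        fi
        lower=$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" = "admin" ]; then
            echo "RENAME: '$login' is the default administrator login"
            findings=$((findings + 1))
        fi
        case "$approved" in
            *" $login "*) ;;   # expected administrator, nothing to do
            *)
                echo "REVIEW: '$login' <$email> is not on the approved list"
                findings=$((findings + 1))
                ;;
        esac
    done
    echo "findings=$findings"
}

# Constructed sample data, not from a real site.
SAMPLE_CSV='user_login,user_email
admin,owner@example.com
alice,alice@example.com
old-dev,contractor@example.com'

printf '%s\n' "$SAMPLE_CSV" | audit_admins alice
```

Anything reported as REVIEW is a candidate for “No role for this site” as described above; the script only reports and changes nothing.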
Make sure you’re using legitimate plugins and themes
Cracked versions of plugins and themes just lead to more problems, not just because you’re pirating software from an already fragile industry, but because you’re also opening up your site to anything and everything. If you can’t afford that particular plugin or theme, look at the free alternatives — often, you’ll find something that works even better than the paid version.
Set up two-factor authentication for your site
Two-factor authentication is where, after you enter your password, you then enter another code provided by another system, whether that’s an authenticator app on your phone, a key fob, an email sent to your main account, or a fingerprint ID scanner.
Two-factor authentication makes it more difficult for people to get in using your account. If you want to make sure your WordPress site is secure, it’s a great way to add in an extra bit of security. There are several plugins you can use, as seen in WordPress.org’s Two Step Authentication article.
Take regular backups
No matter what you do, you still run the risk of being hacked. That’s where regular backups come in — an easy way to restore your site back to its original glory. Our Managed WordPress packages come with daily snapshot backups, or you can purchase snapshot backups for our Web Hosting packages separately.
You can also manually back up and restore your site and database — Scott explains how in his Five Minute Fix.
Keep aware of what’s happening
Keeping everything updated is a good start, but keeping informed of what’s happening in the WordPress world is also immensely helpful. Wordfence, a WordPress security plugin, has a detailed blog where they write up vulnerabilities and patches that they have found. WordPress.org’s article on Hardening WordPress is also a great read, getting into much more detail than I can in this blog post.
Update your site — no, really
Honestly, I can’t repeat this enough. So many of the hacked websites we see were hacked because someone hasn’t updated their version of WordPress. Keep it updated, keep it safe.
And if you’ve updated to a recent version, there’s now a fantastic feature on the dashboard — Site Health Status. With that, you can check the status of your site, see what needs to be fixed, and help make your WordPress site even better.
I hope this helps you keep your site safe and running smoothly. Don’t forget — if you have questions, please talk to our Support team! They’re happy to help.