WordPress is by far the most popular content management system available on the Internet to date. As a website designer, I chose WordPress as my preferred design tool back in 2014 and have been using and teaching it ever since. With WordPress being so popular, it is important to understand best practices for implementing WordPress security measures on your website.
I have previously discussed the importance of installing WordPress updates, so let’s now look at what WordPress security your website should have.
When conducting any WordPress course I regularly seem to come across participants who admit to having NO WordPress security measures in place to protect their websites from being hacked. Some regular responses I hear are:
- “My web hosting company provides security.”
- “I have an SSL certificate.”
- “Our website is only small.”
- “I haven’t had a chance to look into that yet.”
I’ve had several new clients over the years come to me with a problematic website. Within 10 seconds of me looking at those websites, I could see they’d been hacked.
A website hack can appear in many different ways, such as popups randomly appearing, links redirecting to other websites, being unable to access the website at all and many other hideous actions.
I talk about WordPress security in-depth in my WordPress training courses and so I’m going to address the four main responses that I have mentioned above.
My web hosting company provides security.
It’s great that you have chosen a website hosting company which provides secure web servers. All of them should, BUT… They are securing their web server technology, not your individual WordPress website. There are security measures which are SPECIFIC to WordPress which your hosting company will not secure for you.
Your website may cruise along for a while with no issues. Unfortunately, though, hackers are out there scanning the Internet for websites with known vulnerabilities. Once they discover your website, the chances are that they will eventually manage to find a way in and cause chaos.
Question: Did you know that by default a WordPress website will publish the WordPress version information? Hackers have access to a complete list of vulnerabilities which are fixed in each WordPress update so the hackers essentially have the recipe card for which WordPress versions have specific security issues and how they can be hacked.
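To show where that version string comes from and how to stop publishing it, here is an added example (my own snippet, not code from the article or from WordPress itself). It is written as a must-use plugin, so the file goes into wp-content/mu-plugins/ and loads on every request. The hooks used (wp_generator on wp_head, the the_generator filter, and the style_loader_src/script_loader_src filters) are real WordPress hooks; the function name example_strip_core_version_query is my own.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example, not the article's code)
 *
 * Removes the WordPress version from the three places core prints it by default.
 * This is hygiene only: it makes your site a less obvious match for a scanner,
 * but only installing updates actually removes the vulnerabilities.
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag in every page head.
//    Must-use plugins load after default-filters.php, so the action is already
//    registered and can be removed here.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS/Atom feeds. get_the_generator() passes its
//    output through the 'the_generator' filter, so returning '' suppresses it.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y query string appended to core stylesheet and script URLs,
//    which leaks the version even after the meta tag is gone.
//    Only the core version is stripped; plugin and theme asset versions are
//    left alone because they are used for cache busting.
function example_strip_core_version_query( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    parse_str( (string) $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version_query' );
add_filter( 'script_loader_src', 'example_strip_core_version_query' );
```

After installing it, view the page source of your own home page and confirm the generator meta tag and the ?ver= parameters on wp-includes URLs are gone. WordPress also ships a readme.html in the web root that states the version; that file has to be deleted or blocked at the web server, since no PHP hook controls it.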
I have an SSL certificate
An SSL certificate is a great feature to be using on your website – every website these days should have one. However, an SSL certificate will not stop your website from being hacked. An SSL certificate is used to provide your visitors with a secure session. This means they can submit their personal information or credit card details through your website and the information is encrypted. But again, this doesn’t secure WordPress itself, so an SSL certificate won’t stop your website from being hacked.
Our website is only small
Incorporating WordPress security on your website should not be dependent on whether your website is small or big, new or old. This plays no part in whether or not your website will be a target.
When I first started using WordPress, I still had my “HTML web designer” hat on and was applying the techniques I’d used for more than a decade. I didn’t take any WordPress security precautions because I never had to when designing in HTML.
Guess what? My website was hacked in the first 3 months. Hackers are usually not sitting at their computer searching Google for websites to attack. They execute a script online which searches for websites with a vulnerability, so the target is not usually specific but more so a situation of “whoever they can find to hack”. So it really doesn’t matter if you have a small or large website; if the hacker’s script finds your website and can see a security issue, bingo, they will attempt the hack until they find a way in.
I haven't had a chance to look at it yet
Make time! Hopefully you’ve already taken this step because hey, you’ve found my article. But if you stumbled across this page by accident and you do not have any WordPress security in place then there is no better time than the present.
There are many popular WordPress plugins available to provide additional security for your WordPress installation (both free and paid options). Be sure to check out some of the popular options below to see which one will suit your needs and your skill levels in terms of being able to configure it accordingly.
If you don’t feel confident to install and configure a security plugin, contact a website designer who can do it for you or attend our WordPress course to learn more about security and how you can secure your website.
What else do you need to do?
As I mentioned before, the other important part of keeping your WordPress website in tip-top shape, is to ensure you have a regular update schedule. This doesn’t mean updating your content, it means keeping the actual WordPress platform up to date with any new releases.
You will also need to update your plugins and potentially your WordPress theme. Read more about that here.
Apart from keeping WordPress up to date, here are a few more security tips to help secure your website.
Use secure user accounts
A really common practice I see is staff sharing WordPress login details. This is considered bad practice as it usually coincides with the shared account having full administrator access. Because the login details are being shared around, it can lead to the login information being compromised and puts the security of the entire website at risk.
Each user should have their own user account and only be granted the permission they require. WordPress includes five (5) different permission levels to choose from. Not everyone should have full administrator access to your WordPress website.
Avoid using obvious usernames
The username you use for your WordPress site provides you with 50% of the information you need to log in. One simple option is to ensure that the username you use is not something that is easily guessed.
A simple example is this website. This blog post states that it is written by me, Belinda Anderson. But am I using “Belinda” as my username? No I am not. Whilst there are other ways people can delve into a website and find a username, changing simple bits of information like this can make it just a little bit more difficult for someone to find out key pieces of information about any of your user accounts.
Do not use the default "admin" username
Many web hosting companies offer a “one-click” installation of WordPress using programs such as Installatron or Softaculous. If you accept the default options for these installations then you end up with a WordPress username of “admin”.
Hackers know about this so they then attempt to use the default “admin” username as part of their attempts to hack your website.
For this reason it is best practice to ensure you DO NOT use this default username for any accounts in your system. If by chance you do have this as an active user account, there are several plugins which will help you to rename this user account to something different or alternatively you can change the username directly within your database. Only attempt this if you are experienced in editing your WordPress database and you have a full backup beforehand should something go wrong.
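To make the two account checks above (one account per person with only the role they need, and no “admin” username) something you can verify rather than just remember, here is an added example that is my own code, not the article’s or WordPress’s. It is a must-use plugin for wp-content/mu-plugins/ that warns administrators in the Dashboard when an “admin” login exists or when more accounts than a limit hold the Administrator role, and it includes the direct database rename the article mentions. The limit EXAMPLE_MAX_ADMINS and the function names beginning example_ are my own assumptions; get_user_by, get_users, $wpdb->update, validate_username, username_exists and clean_user_cache are real WordPress functions.

```php
<?php
/**
 * Plugin Name: Account Hygiene Audit (added example, not the article's code)
 *
 * Shows a warning notice to administrators when the site has an account
 * literally named "admin" or more full administrators than the limit below.
 */

// Assumed limit for this example; it is not a WordPress setting.
define( 'EXAMPLE_MAX_ADMINS', 2 );

/**
 * Return the problems found as an array of messages (empty = nothing to report).
 */
function example_account_hygiene_issues() {
    $issues = array();

    // (a) The default "admin" login the article warns about.
    if ( get_user_by( 'login', 'admin' ) ) {
        $issues[] = 'An account with the default username "admin" exists. Rename it.';
    }

    // (b) Least privilege: how many accounts have full Administrator access?
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login' ),
    ) );
    if ( count( $admins ) > EXAMPLE_MAX_ADMINS ) {
        $issues[] = sprintf(
            '%d accounts hold the Administrator role (%s). Give staff Editor or Author roles unless they need full control.',
            count( $admins ),
            implode( ', ', wp_list_pluck( $admins, 'user_login' ) )
        );
    }
    return $issues;
}

// Show the findings only to users who can manage the site.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( example_account_hygiene_issues() as $issue ) {
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $issue ) );
    }
} );

/**
 * Rename a login directly in the users table, as the article describes, because
 * wp_update_user() refuses to change user_login. Take a full backup first.
 * Returns true on success, false if the user is missing or the new name is invalid/taken.
 */
function example_rename_user_login( $old_login, $new_login ) {
    global $wpdb;
    $user = get_user_by( 'login', $old_login );
    if ( ! $user || ! validate_username( $new_login ) || username_exists( $new_login ) ) {
        return false;
    }
    $updated = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new_login ),
        array( 'ID' => $user->ID ),
        array( '%s' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        return false;
    }
    clean_user_cache( $user ); // drop the cached copy that is keyed by the old login
    return true;
}
```

Two things to know before using the rename: the account’s author slug (user_nicename) is a separate field that appears in author archive URLs, so change it as well with wp_update_user() if it still matches the old name; and because the login cookie contains the username, renaming the account you are currently signed in with will sign you out.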
Hide your WordPress login page
There is a default WordPress login page for every WordPress website. I could probably navigate to your website right now and find your login page, if of course you haven’t hidden it. The login page is kind of like advertising your front door to the world. If a hacker can then find your username online, then the only part they need to crack is your password.
Hiding the default login page (wp-login.php) is a good way to stop hackers trying a brute force attack on your website. There are many plugins available to block access to this page or you can source the direct code online to do this yourself without needing a plugin.
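Hiding wp-login.php cuts down the noise, but it does not stop a script that has found the page from guessing passwords. The following is an added example of my own (not the article’s code and not a WordPress feature) that limits the damage from those attempts: after a number of failed logins from one address within a time window, further attempts from that address are refused until the window expires. The thresholds and the example_ function names are my assumptions; the wp_login_failed and wp_login actions, the authenticate filter and the transient functions are real WordPress APIs. It assumes PHP 7 or later and that no reverse proxy or CDN sits in front of the site (behind one, REMOTE_ADDR is the proxy’s address and you would use the client-address header your proxy sets instead).

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not the article's code)
 *
 * Place in wp-content/mu-plugins/. Counts failed logins per client address in
 * a transient and refuses authentication once the limit is reached.
 */

define( 'EXAMPLE_MAX_FAILURES', 5 );                       // assumed limit
define( 'EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS );        // assumed window

/** Transient key for a client address (defaults to the current request). */
function example_lockout_key( $ip = null ) {
    $ip = $ip ?? ( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
    return 'example_login_fail_' . md5( $ip );
}

/** Record one failure and return the new count for this window. */
function example_record_failure( $ip = null ) {
    $key   = example_lockout_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_WINDOW );
    return $count;
}

/** True when the address has reached the failure limit. */
function example_is_locked_out( $ip = null ) {
    return (int) get_transient( example_lockout_key( $ip ) ) >= EXAMPLE_MAX_FAILURES;
}

// WordPress fires this after a wrong username or password.
add_action( 'wp_login_failed', function ( $username ) {
    $count = example_record_failure();
    // Audit trail in the PHP error log; the password is never logged.
    error_log( sprintf(
        'login failure #%d for "%s" from %s',
        $count,
        $username,
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ) );
} );

// Refuse authentication while locked out. Priority 30 runs after the core
// username/password check (priority 20), so the lockout overrides a correct guess.
// Empty usernames are skipped so merely loading the login page is not counted.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( example_is_locked_out() ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key() );
} );
```

Because WordPress raises wp_login_failed for attempts refused by the lockout as well, the window restarts with each new attempt from a locked-out address. Keep the limit modest and the window short: a shared office connection behind one public address would otherwise lock out every colleague after a few typos.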
Use an up-to-date PHP version
WordPress runs using the PHP programming language. New versions of PHP are released regularly to address any performance or security issues within the scripting language, and as such you should ensure your website is running on an up-to-date version.
To check which PHP version your website is using:
- Log in to the WordPress Dashboard
- Go to Tools > Site Health in the side navigation bar
- At the top of the screen click the Info tab
- Scroll down to the Server section and expand the content
- Check which PHP version is listed
The PHP version you are using is not directly editable via the WordPress Dashboard; however, most web hosting companies provide you with the ability to change your PHP version.
Check with your web hosting provider to see how you can edit the PHP version using their management console. Ensure you perform a full website backup before making any changes.
Hopefully now you understand the importance of incorporating WordPress security into your website. I have outlined some basic steps you can take to secure your website against hackers and hopefully ensure that your website stays safe.
Remember that if you do not feel confident in addressing your WordPress security then feel free to contact us for an obligation-free chat.