If you’ve got a WordPress website you’re in good company, because around 75% of the world’s websites run on WordPress. It also means there are a lot of people out there looking for ways to get into WordPress websites, so you’re going to want to work out how best to deal with cyber threats to your WordPress website, whether they be hacking, malware or plain data breaches.
The damage caused by cyber threats can result in your website going down. If you’re an eCommerce business this has a direct impact on your revenue, and even if you’re not, the longer your website is down the fewer enquiries you’re likely to receive. Worse than your website being down for a while, you might find that you’ve had a data breach, which could bring your business down through reputational damage, heavy fines, data loss or even imprisonment.
Put simply, if you’ve not done anything to ensure your website is safe and secure, it’s a bit like pulling your door shut when you go on holiday and hoping no one checks to see if it’s locked or not.
Spending a small amount of time making sure your WordPress website is secure is all it takes, and by doing so you’ll safeguard your customers, your business and even yourself personally.
Here are some steps you can take to secure your WordPress website:
- Use a robust and unique password for your WordPress login and keep it confidential. At GrowTraffic I have a strict rule that the GrowFos must generate every password and they mustn’t change a password to one that’s easy for them to remember. There are loads of strong password generators out there to choose from.
- Use two-factor authentication to add an extra layer of security to your login. OK, most of us hate using two-factor authentication, but you’re going to need to put something like this in place if you’re going to make sure your site is super safe. It’s a small price to pay.
- Keep your WordPress software and all installed plugins up to date. If you’ve ever turned off the automatic update function in WordPress for fear that your site might go wonky, I really do feel for you; I wince at it too. But I’d rather know that within 24/48 hours of an update going out I’m running the most up-to-date version of the software on my sites. I just make sure I’ve backed them up and have them let me know if there’s a problem, which rarely happens these days.
- Only install plugins from reputable sources. When I first got into WordPress around 15 years ago I used to install as many different random plugins as I could. I think it was only recently that I uninstalled some of the very oldest ones. After a while plugins stop being supported – often because the dev has gone out of business or moved on – so it’s important to make sure the plugin supplier is one of the credible ones. To be a credible dev you’ll want them to have a long track record of delivering software for years – and not just some kid in a back bedroom who has a great idea.
- Use a security plugin to scan your website for malware and vulnerabilities. Most of the websites I put out these days are on Siteground and we use the SG Security plugin. I used to use Wordfence on all websites. These scan your website, alert you to any issues and isolate any malware they find until you’ve had a chance to look at it.
- Regularly back up your website to prevent data loss in case of a security breach. This is probably one of the best pieces of advice: back up your websites regularly. We back up our websites every day and keep a copy for 30 days. That means if something happens on the weekend you can go back a few days and correct the issue. It also means that if you only just notice something that’s been there for a week or two, you’ve got plenty of backup points to go back to. And it’s best to back up at a hosting level rather than from a WordPress plugin if possible.
- Use a firewall to protect your website from malicious traffic. Firewalls can run as a plugin or on the server side. It’s likely your web host will provide some level of protection and it tends to be fairly effective; however, adding a plugin can’t hurt when it comes to ensuring there is a good level of protection.
- Use a secure (HTTPS) connection to encrypt data transmitted between your website and users’ browsers. There are various levels of SSL certificate you can get, but for most applications they don’t have to cost the earth, and they give you a small SEO benefit too.
- Limit login attempts to prevent brute-force attacks. One of the main ways people and bots try to get into your website is a login brute-force attack, which just means trying a load of passwords until one works. As I mentioned above, you’ve got to use a pretty secure password to make sure your site isn’t vulnerable to this; two-step authentication is better, and limiting login attempts is better still, because the person or bot only gets so many chances to get it right.
- Consider using a content delivery network (CDN) to serve static files, as it can help mitigate the effects of a distributed denial of service (DDoS) attack. I’ve had a DDoS attack on GrowTraffic before and this was when everything was just located in one place. It was rubbish and there wasn’t a lot I could do at the time to stop it from happening. A CDN such as Cloudflare is a great way to help get around this as it separates out your website from the hosting provider.
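The "limit login attempts" and "keep plugins up to date" steps above can both be done with a small must-use plugin. The following is an added example written for this article, not code from GrowTraffic, SG Security, Wordfence or any other plugin named here. It uses only standard WordPress hooks (`authenticate`, `wp_login_failed`, `wp_login`, `auto_update_plugin`, `auto_update_theme`) and transients; the limit of 5 failures, the 15-minute lockout and every `example_` function and constant name are assumptions chosen for the illustration. Save it as a file in `wp-content/mu-plugins/` and WordPress loads it automatically.

```php
<?php
/**
 * Plugin Name: Example Login Limiter
 * Description: Added example (not GrowTraffic's or any named plugin's code). Locks a
 *              client out after repeated failed logins and opts the site into automatic
 *              plugin/theme updates. Lives in wp-content/mu-plugins/.
 */

// Assumed policy values: five failures from one client, then a 15-minute lockout.
define('EXAMPLE_LOGIN_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOGIN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

/**
 * Transient key for the requesting client. This keys on REMOTE_ADDR, so behind a CDN
 * or reverse proxy such as Cloudflare the host must restore the real client IP first;
 * otherwise every visitor shares the CDN edge's address and one lockout hits them all.
 */
function example_login_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5($ip);
}

/** Failed attempts recorded for this client inside the current lockout window. */
function example_login_failed_attempts() {
    return (int) get_transient(example_login_client_key());
}

// Count every rejected username/password. WordPress fires this action for the lockout
// error below as well, so each attempt made during a lockout restarts the timer.
add_action('wp_login_failed', function ($username) {
    set_transient(
        example_login_client_key(),
        example_login_failed_attempts() + 1,
        EXAMPLE_LOGIN_LOCKOUT_SECONDS
    );
});

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_login_client_key());
}, 10, 2);

// Refuse the login once the limit is reached. Priority 30 runs after WordPress's own
// username/password check (priority 20), so a correct password cannot override the lockout.
add_filter('authenticate', function ($user, $username, $password) {
    if (example_login_failed_attempts() >= EXAMPLE_LOGIN_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_login_locked_out',
            __('Too many failed login attempts. Please try again in 15 minutes.')
        );
    }
    return $user;
}, 30, 3);

// The "keep plugins up to date" step: let WordPress apply plugin and theme updates
// automatically rather than waiting for someone to click the update button.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
```

Two design points worth knowing. The counter is keyed on the client address, so it slows down a single source hammering the login form but does nothing against attempts spread across many addresses; that is why it sits alongside a strong password and two-factor authentication rather than replacing them. And because it is a must-use plugin it cannot be switched off from the admin screen, which is what you want for a control that protects the admin screen itself.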
If you’re struggling with getting the security of your WordPress website sorted we can help. Get in touch today and we’ll try to help you get it sorted.