Improve Your WordPress Site Security
Everyone knows that keeping your WordPress website secure should be a top priority. But 9 times out of 10 it isn’t. There are numerous ways to improve your WordPress website’s security, and many of them are quick and easy to set up. Maybe it’s time to give your website security some attention.
In this article, we will look at the importance of website security and what can go wrong if you ignore it. We will then discuss actionable tasks that you can implement, security plugins you can use, and the importance of backing up your WordPress website.
The Importance of WordPress Security
Security is an extremely important issue for all website owners. Malicious software, often installed on a website by hackers who have found weaknesses and vulnerabilities, can spread viruses and bugs. These can in turn cause untold damage to your website, computer, brand image and greatly affect your business.
Security breaches will slow down your site and create a negative user experience. This can damage the reputation of your brand, and ultimately lose you visitors, sales, and customers. And it can get much worse than that. Malware can steal customer information, personal and financial data, and destroy your site. This can result in a long-term revenue loss, as well as costing you in time, effort, and emotional well-being.
Implementing security measures should be a top priority for all website administrators. So what can you do to improve your WordPress website’s security and keep it safe and secure?
Has Your Site Already been Compromised?
Many people’s sites have already been compromised and they don’t even know it has happened. A good way to check that your site is safe is to use a security checker. Sucuri offers a free SiteCheck tool that will scan for malware, errors and outdated software. This will give you a clear insight into your site’s security and make you aware of any breaches.
In addition, you can use the Google Transparency Report to be sure that your site isn’t being blocked from search results or by their Chrome browser. The report will include Google’s assessment of your site status and list the potential threats they’ve found. This gives you a clear place to start if you’re trying to repair or improve your site security.
Always Update Your Site
It sounds simple but one of the easiest ways to improve your site’s security is to make sure you keep it updated. Updated versions of WordPress, themes, and plugins, help fix and avoid potential security breach points. And with WordPress, updates are often made easy.
In most cases, you should see an update notice in your admin dashboard – there will be a refresh type icon with a number next to it in the toolbar that denotes the quantity of core, theme and plugin updates you have available. From here you can simply click to update (though we do recommend taking a site backup before updating just to be extra safe).
Use the Newest Version of WordPress
Each time a new version of WordPress is released, the security is improved and vulnerabilities are patched. The newest version of WordPress is the safest, so we recommend updating as new versions become available.
Best Practice for Themes and Plugins
Similarly, by keeping your theme and plugins updated, your site is less likely to experience malicious activity. Theme and plugin update notifications frequently appear on your dashboard. If you’re someone who ignores these then it is time to change your ways. Here are a few tips for maintaining the themes and plugins you’ve installed:
- Only install themes and plugins from reputable sources. While there are many nulled or “free” downloads from unauthorized sources, we highly recommend staying away as these are typically outdated, compromised and of course illegal.
- In general it’s best to keep the number of plugins you use on your site to a minimum. The fewer plugins, the fewer potential problems.
- Remove unused themes and plugins to help improve the security of your site as well.
Secure Your Login
Your login page can be extremely vulnerable to malicious attacks if not properly secured. To improve your WordPress website’s security, there are a handful of fairly simple ways to make your login page and process more secure.
Use a Better Username & Password
Always use an obscure username. “admin” or your own name is not a safe choice. Your password should also contain a random assortment of letters, numbers, and special characters. And regularly changing your password, every 90 days, is highly recommended.
Start Using a Password Manager
LastPass, 1Password, NordPass and other managers (as well as some VPN services) remember your usernames and passwords and keep them secure, so you don’t have to. Most can generate strong passwords, saving you time, and some also offer two-factor authentication support, giving your account details that extra layer of defense.
Limit Login Attempts
Many good hosting companies will offer login limiting as a part of their brute force protection. For example, WP Engine automatically blocks brute force login attempts and spambots to help secure your login form.
But if your hosting doesn’t offer this service (or if you’re not already using a general security plugin, which we’ll cover below), you can easily add it with a plugin. Login Lockdown is a free WordPress plugin that limits the number of attempts that can be made to log in. If more than a certain number of login attempts, from the same IP range, are made within a specific amount of time then the plugin blocks all further tries from that range. This helps prevent brute force password discovery and gives your site another layer of safety.
Install a WordPress Security Plugin
One of the most effective ways to improve your WordPress website’s security is to install a general security plugin. There are many to choose from so let’s have a quick look at a few of the best options to help you secure your site fast (though we do have a larger list of WordPress security plugins if you want to see more options).
WordFence
Our first recommendation is WordFence – the most popular free WordPress security plugin, and with good reason. Trusted by more than 4 million websites (at the time of writing), WordFence can easily be installed from your WordPress dashboard to provide your website with instant protection.
This plugin includes a lot of features to secure your site, such as a firewall to block malicious traffic, login attempt limiting, a malware scanner, file repair, two-factor authentication and CAPTCHA on the login page, a Live Traffic monitor and tools to block attacks by IP. Best of all, all of those features are free. While there is a premium version of the plugin, for most WordPress sites the free version is a great choice.
All in One Security
Another option is All in One Security (AIOS) – a free and easy to use WordPress plugin that will keep your site safe and secure. It reduces the risk of attacks by implementing the latest WordPress security practices and techniques.
The plugin enforces user account, login and registration security. It has firewall functionality, a security scanner and protection against brute force attacks, amongst many other features. It also uses a grading system, showing how well your site is protected based on the security features you have activated. A popular and capable plugin, All in One Security and Firewall is a solid option if you are looking for a free plugin to help protect your site.
Sucuri Security (Premium)
Finally, we also want to include Sucuri Security. This is a powerful premium solution that can clean up a hacked site as well as offer ongoing protection. Advanced features are provided, including continuous scans for malware and hacks, malware removal and cleanup, website application firewall and lots more. Sucuri Security also provides 24/7 online support, so whatever the security incident, a professional response team is on hand to help.
This solution isn’t cheap, with the basic package starting at $199.99 a year. However, this proactive and reactive approach to website security will keep your site safe, as well as give you peace of mind, so it is arguably worth the money. There’s also a popular free Sucuri plugin available from the WordPress.org Plugin Directory.
Set Up Antivirus Protection for Your Computer
If your computer is compromised, then hackers could be able to access your WordPress site, or find your login details from saved browser passwords. Therefore antivirus protection for your computer is a must.
There are many big names – BitDefender, Malwarebytes, McAfee, Norton, etc. We’re not experts in this field, so we can’t definitively say which we think are the best. But we do recommend that you choose the one that’s right for your operating system and that you feel confident in.
Most antivirus software will protect your computer from malware, spyware, viruses and more. Once installed you can typically set up automatic scans, so you can go online with confidence. Most importantly, it reduces the chance of your WordPress website being compromised via your computer.
Always Back Up
However many security strategies you may have implemented, nothing is 100% reliable. If security is breached and you lose your site and its data and content, then a backup will save you time, money, and even possibly your business and reputation.
VaultPress is a powerful tool that offers advanced backup and security for WordPress sites. This feature rich service provides daily backups and malware scanning, amongst many other things. Most importantly, it offers automatic restores, so if your site is hacked, then it can quickly and easily be recovered.
If you need any help be sure to read our complete guide covering how to back up your WordPress website.
Use Better Hosting
As well as all of the advice above, using a reputable hosting service is always important. That’s because good hosting is often more reliable and secure, with many security features built-in. WP Engine is a secure WordPress focused hosting company that provides proactive security to keep your website safe, specifically:
- Free SSL via Let’s Encrypt integration plus auto-renewal
- Managed web application firewall (with WordPress-specific ruleset)
- WordPress core auto-updates for security patches and plugin risk notifications
- Scheduled and 1-click site backups
Using not so great hosting at the moment? No problem – migrating your WordPress website to a new web host is probably easier than you think. And some WordPress hosts will even migrate your site for you!
With a top rated web hosting service, and the plugins, tips and tricks from this article implemented, your site will stand a better chance than most at staying safe. While we didn’t cover every security tip possible, this guide should serve as a good jumping off point for you to get started on your own WordPress security. And if you’re looking for more, this security checklist we put together is sure to help.
What safety advice do you have to secure a WordPress website? Please share in the comments below.
Hey, thanks for sharing your views regarding the security of WordPress. Besides your tips and tricks, I’ve found a plugin named WordFence Security. It is there 24 x 7 to protect your WordPress website. I highly recommend it for all WP lovers.
Wordfence is definitely another great option to beef up your WP security 🙂
Free or paid version of Wordfence? Thank you!
You can always start with the free version and if you find you need more features upgrade later 🙂 It’s going to depend on your individual website security needs.
I use iThemes Security plugin and it seems very good. I have no complaints at all. The only thing I miss is the ability to change the Login URL (wp-login) in order to prevent automated access to the page. Do you know any plugin that does that?
Thanks!
One thing that can help is configuring your web server with a “whitelist” of IP addresses that are allowed to access the admin folder. It’ll make the risk of brute force a thing of the past. There won’t be anything available to an attacker to attack. It’s a strategy worth considering.
Another great tip!
Whitelisting the admin folder is great, if you don’t encourage users to register on your site. Otherwise you’ll run into trouble. Best bet so far, my humble guess, is to install a security plugin with 2 factor authentication.
Hi there, if you’re serious about WordPress security, you definitely want to give the Secupress plugin a look!