7 Ways to Keep Your WordPress Website Secure

My husband Jim runs a computer repair business on the Big Island of Hawaii, and though I personally don’t have to take care of my own computer (yes, I do know how insanely lucky I am to live with my own private computer doctor), I know the drill.

I know the biggest problems he deals with on the average day, and I know most of the answers to these problems. When a computer user doesn’t keep their machine well protected they are vulnerable to security issues, and that can be a headache to deal with, especially if they don’t have their machine properly backed up.

Believe it or not, your WordPress website may also be vulnerable to these same kind of security issues.

But I thought only big websites got hacked into?

If you’ve followed the headlines, you’ve probably heard about some major websites getting hacked into in the past year (Chase, Wells Fargo, Bank of America). Maybe you’ve even stumbled upon a website where your browser warns you that the site you are going to could contain something that might harm your computer.

This only concerns big sites, right? Your low-traffic WordPress site is completely safe, right?

Unfortunately not.

Here’s the plain and simple truth: there are hackers out there who break into WordPress sites everyday. Sometimes it’s obvious and the site will become completely inaccessible, but sometimes it’s less obvious and they may install some kind of malware on the site that will harm your site visitors and their computers.

Regardless, this can cause a huge headache for you because not only is it costly to correct the problem, but it’s important to protect your reputation (and that of your business or organization).

“Let this motivate you: we see between 50,000-180,000 unauthorized login attempts every single day at the sites we host.” Jerod Morris of Synthesis Hosting http://www.copyblogger.com/wordpress-website-security/

So far this has never happened to any of the sites I have created and managed for my clients, but I had a personal WordPress site hacked many years ago even though it was a site that had very little traffic. The hacker installed a script on the site that automatically redirected every visitor to someone else’s site (for medical equipment if I remember correctly).

Unfortunately, this was before I began using Backup Buddy, so I had no backup of my site. The time it would have taken to restore it wasn’t worth it, so I had to rebuild the site from scratch.

I never want this to happen to any of my clients, so I am recommending much stronger measures for protection than I have in the past. The good news is that there are a number of easy things that you can do to make sure your WordPress website is as secure as possible. In this article, we’re going to cover seven things to keeping your site safe.

Is there something I can do that’s easier than reading this article?

Just like how a lot of Jim’s computer clients don’t want to bother with all the steps needed to keep their computers safe, you might not have the time or interest in keeping your site secure yourself. Maybe you just want someone else to take care of it for you.

Keeping your site secure does require that you are a little more proactive when it comes to your site maintenance, and that can take some time. It can also be a little overwhelming if you are worried you might “mess something up” on your site.

If you don’t have the time or you are hesitant to make the changes yourself, I’ve created a WordPress Security package where I will take care of everything for you, and keep an eye on your site to make sure it’s not vulnerable. Click here for more information.

What can you do to make your site more secure?

If you are ready to be your own WordPress warrior, let’s dive into the seven things you can do to keep your site secure.

1. Keep your site updated

Have you noticed those little notifications at the top of your WordPress website telling you to upgrade to the latest WordPress update? More importantly, have you been ignoring them since your site was first launched?

WordPress is web software, and like most software, it is being constantly improved. One of the reasons it needs to be constantly improved is because as internet-based software, it is vulnerable to security issues. The fine folks at WordPress keep on top of changing security issues by releasing updates. And this is the #1 thing you should be doing to keep your site as secure as possible.

I repeat: you need to update your WordPress site.

Most of the time, this a nearly effortless process, which is one of the reasons that I now exclusively design my sites using the Genesis framework. However, some themes and some hosting companies may not allow for these automatic updates, and then a manual update would be necessary. This is definitely something most of my clients will not want to attempt on their own, and I am happy to help.

Your theme and your plugins will need to be updated as well. Usually you can tell if there are updates by the little numbered circles that appear in the dashboard next to “Plugins.” Your theme will usually tell you at the top of the page if it requires an update.

Before you update your site or your theme, you need to back it up first.

Sometimes a major error occurs, and having the site backed up will not only provide you peace of mind, it will make getting your site operational again a much faster and easier process. See #3 below.

If you don’t visit your site frequently, you can sign up for email updates from WordPress.org and they will notify you when the next update is released. http://wordpress.org/download/

2. Keep your site clean

Sometimes what makes your site vulnerable to hackers is a plugin or a theme that is not even activated. This is something that even I didn’t know until recently when I really dove into the issue of WordPress security.

The security experts are saying that it’s important to delete any plugins or themes from your WordPress site that are not being used. (Please note, if you are using a Genesis Child theme you need to be sure not to delete the “Genesis” theme from your files.)

This clean-up also applies to old versions of your site that may still be sitting on your server as well. You may not even know they are there, as sometimes when a site gets redesigned it just gets assigned to a new folder and the old site files remain on the server. Unless you make changes to your site via an FTP program, you may never see all these extra folders or files.

I’m happy to provide a thorough WordPress Clean-up, Backup & Update for you if you are unclear about what themes, plugins or extra files can be deleted. After the clean up you can determine whether you are feeling confident enough to proceed in keeping your site secure yourself, or if you need some additional help.

3. Backup. Backup. Backup.

Since I started using Backup Buddy I have been able to sleep a lot better at night knowing that even if something unexpected happens, my client’s sites are securely backed up. If you are not using a backup program, please save yourself and your web developer from a minor heart attack by purchasing a good quality backup plugin.

Yes, your hosting company will tell you that they create backups of your site, but this can still create quite a costly and timely endeavor to restore a site. With something as easy as Backup Buddy it’s a breeze.

Of course not only do you need to have the program, but you also have to use it.

I recommend creating a full backup of your site once a quarter (or at least twice a year) and scheduling a database backup every month depending on how frequently you are adding or changing content on your site. These backups can and should be sent off the server (in case there is a server crash). If you have a Dropbox account or another cloud storage solution, you can program Backup Buddy to send the backup there. Or alternately can store a copy on your machine. I personally like to keep the latest two backups in case one is corrupt.

4. Get a little more creative (and don’t get lazy) with your passwords

A lot of my clients use the same password for EVERYTHING. Is that you? You really need to break that habit. Not only when it comes to your banking websites, but also with your WordPress username and password (and please don’t ever repeat a password between a personal login and your WP login).

Even I have been lazy with this one in the past, until I put 1Password on my computer. The 1Password program not only creates iron-clad passwords, but it also remembers them for me, so I can never make the excuse that I can’t remember so many passwords.  (This is by the way how I keep all my clients passwords for the sites I’ve created and manage actively, so if you are a developer, it’s critical that you have a program like this. It can store credit card numbers, Paypal logins, database credentials, and software licenses securely.)

Get creative with your passwords, and don’t make them so obvious that it would be easy to guess. If you are an acupuncturist, you don’t want your password to be acupuncture123.

As a side note, guess what the number one password used is?

Password.

Seriously.

Not only do you want to come up with a better password, I’d recommend changing your password at least on an annual basis.

I run a paper-free office so am a big fan of my scanner, however I have also heard from various experts that it is advised to keep your list of passwords on a physical piece of paper off of your computer, to protect against a hacker accessing your computer and finding them in a file. This is where something like 1Password would also come in handy to prevent any attacks coming  through your computer.

5. Guard against attacks

There are some plugins that can be installed on your WordPress site that will make it more difficult for hackers to get into your site by shutting down the login screen for a period of time when too many failed login attempts occur. One that is recommended by a lot of the WordPress experts is Limit Login Attempts. It is free. http://wordpress.org/extend/plugins/limit-login-attempts/

Please note that if you have multiple users on your site, to be sure to notify them of any plugin like this (and recommend they change their passwords as well) to be sure they have their passwords well documented so they don’t get locked out of the site themselves.

6. Monitor for malware

When someone hacks into your site, it is common for them to install malware somewhere in your site files. Luckily, there are some great programs out there that can monitor for malware.

I always install Backup Buddy on the sites I create, and this contains a malware scanner by Sucuri. You should run a malware scan at least once a quarter, if not once a month. This company also has a free malware scan you can use from their website.

You can take your security a step further by setting up an account with Sucuri where they will constantly monitor on your site for malware, and not only will they notify you if there is a problem, but they will also fix it for you, even if your site is blacklisted by Google.

If you ever find malware on your site, you need to get it cleaned up as soon as possible using a company like Sucuri.

Keep an eye on your site. If you don’t make frequent changes to your site, check in on it at least once a month to make sure it is up and running and that there are no major errors.

7. Use products from people and companies you trust

This applies first and foremost to the theme you are using on your WordPress site. I now only use Genesis on my clients’ sites because I trust them implicitly, and I know they are keeping on top of security issues. I recommend paid (not free) themes developed by reputable companies that have a solid following, so I know they will be around for that next update.

Also, be sure to get your plugins only from reputable developers. I am much more vigilant about using plugins that are backed by a developer who has a good reputation and is updating them with each new WordPress upgrade.

Finally, go with a solid hosting company that uses the latest server software and takes security issues very seriously. I am in the process of doing more thorough research about your hosting options. In the past I have recommend inexpensive hosting packages from some of the big names (Hostgator, Bluehost, 1&1.com) however there are some other companies that have recently come to my attention that are worth a look, even though the hosting is more expensive. Their security measures and expertise with WordPress will make them worth every penny.

Don’t forget…

So there we have it. Seven things you can do to keep your site secure. If you have a question about anything in this article or need assistance, please drop me an email. If you want to keep your site secure, but don’t have the time or expertise to do so, please consider our WordPress Security package.

Don’t forget that all of this applies to your computer as well. If your computer is vulnerable then your site can be too. So be sure to keep your computer backed up, updated, and scanned for malware and viruses. Be sure to keep your private information safe by using secure passwords, and buy from companies that you trust. If you need any extra help with this, I can recommend my personal computer doctor and husband, Jim.  :)

I’d love to hear in the comments if you have a favorite plugin, program, or trick you recommend to keep your WordPress site secure.

Comments

  1. Kaylene says

    Hello there! Do you use Twitter? I’d like to follow you if that would be okay. I’m
    definitely enjoying your blog and look forward to new updates.

  2. Prevoty (@Prevoty) says

    Thank you for these seven valuable tips, Beth!

    We found that the best way to deal with the holes in WordPress and third-party themes is to proactively scan all content passing through.

    While many security plugins help cover the basics, they still do not effectively combat sophisticated hackers who love to inject malicious code masked as content into comment boxes and other user input form fields (also known as cross-site scripting (XSS)). Given the fact that 70% of all sites are at risk, we wouldn’t be surprised if your husband Jim frequently runs into problems traced back to these injections.

    SmartFilter is a free, cloud-based plugin that acts as a preview layer to automatically sanitize and validate all incoming content for you. Unlike traditional firewalls, it does NOT rely on blacklists or past definitions so it’s never a day late.

    We take the guesswork out of dealing with these more modern attack vectors and made the same technology we use to protect large enterprise sites available to the everyday WordPress user.

    Try it out at http://wordpress.org/plugins/smartfilter/ and let us know what you think!

Leave a Reply