WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000 websites every day for malware and around 50,000 for phishing every week.

If you’re serious about your website, especially if your website is your main source of business, then you need to pay attention to security best practices.
In this guide, I will share my top 7 security tips to help protect your website against hackers and malware.

1. Create an Unbreakable Password

Every website you register your details with encourages a strong and obscure password, but if you’re worried it won’t be easy to remember, don’t be: it needn’t be something totally random.

I encourage my clients to create a password using an acronym of a favourite quote or song lyric. For example:

If my favourite Beatles song lyrics were: Yesterday, All My Troubles Seemed So Far Away

I would create my password like this: YAMTSSFA, and then I’d add a number and a symbol, maybe my age and a % sign.

Something you can remember easily, but obscure enough to flummox a brute force attack. Check out my latest client’s password security stats – it’ll take 609 years to crack the password… pretty sweet!
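
To show why the number and symbol matter, here is an added example (my own code, not from the original post or any plugin it mentions): a small must-use plugin that estimates how long a pure brute-force search of a password would take and rejects passwords that fall below a threshold when a user sets one on the profile or password-reset screens. The guess rate, the one-year threshold and the file location are my assumptions.

```php
<?php
/*
 * Added example, not from the original post: estimate brute-force resistance of a
 * password and refuse weak ones. Save as wp-content/mu-plugins/password-check.php
 * (path, guess rate and threshold are assumptions).
 */

// Size of the alphabet an attacker must search, from the character classes present.
function bm_keyspace_size(string $password): int {
    $size = 0;
    if (preg_match('/[a-z]/', $password))         { $size += 26; }
    if (preg_match('/[A-Z]/', $password))         { $size += 26; }
    if (preg_match('/[0-9]/', $password))         { $size += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password))  { $size += 33; } // printable ASCII symbols
    return $size;
}

// Years needed to try every combination at the given guess rate. The default rate is
// an assumption for an offline attack on leaked hashes; online guessing against a
// login form with lockouts (tip 5) is many orders of magnitude slower.
function bm_brute_force_years(string $password, float $guesses_per_second = 1e10): float {
    $length = strlen($password);
    if ($length === 0) {
        return 0.0;
    }
    $combinations = pow(bm_keyspace_size($password), $length);
    return $combinations / $guesses_per_second / (60 * 60 * 24 * 365);
}

// Reject a new password that a full search would finish in under a year (assumed threshold).
// Both hooks hand us the WP_Error object WordPress checks before saving the password.
function bm_check_password_strength(WP_Error $errors): void {
    if (empty($_POST['pass1'])) {
        return; // no password change was submitted
    }
    $years = bm_brute_force_years((string) wp_unslash($_POST['pass1']));
    if ($years < 1.0) {
        $errors->add(
            'weak_password',
            '<strong>Error</strong>: Please choose a longer password that mixes letters, numbers and symbols.'
        );
    }
}
add_action('user_profile_update_errors', 'bm_check_password_strength');
add_action('validate_password_reset', 'bm_check_password_strength');
```

Under these assumptions the bare acronym YAMTSSFA (eight uppercase letters, 26^8 combinations) is exhausted in about 20 seconds and is rejected, while the same acronym with a two-digit number and a % sign appended survives for a few hundred years and passes. The estimate measures brute force only: it does not know the password was built from a lyric, so a phrase an attacker could guess from your social media is still a bad choice.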

2. Create a not-so-obvious user name

In previous years, WordPress would automatically assign your user name as ‘admin’. Since usernames make up 50% of your login credentials, this made it easier for hackers to access your website.

Thankfully, WordPress has updated this practice and you can choose a username of your own at the time of installing WordPress.

If you are already past this stage, it is still possible to change your username, but only by creating a new one and deleting the old one.

Note: I’m talking about the username called ‘Admin’, not the administrator role.
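
For anyone comfortable with the command line, here is an added example (my own script, not from the original post or WordPress itself) of the create-then-delete step done with WordPress’s own functions. Run it once with `php` from the WordPress root and then delete it. The new login name, e-mail address and file name are assumptions; change them first.

```php
<?php
/*
 * Added example, not from the original post: replace the default 'admin' account with
 * a new administrator and hand the old account's posts to the new one. Save as
 * replace-admin.php in the WordPress root, run `php replace-admin.php`, then delete it.
 * The login name and e-mail below are placeholders.
 */
require __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

$new_login = 'site-owner';          // assumption: pick something not guessable
$new_email = 'owner@example.com';   // assumption: placeholder address

$old = get_user_by('login', 'admin');
if (!$old) {
    exit("No account named 'admin' found; nothing to do.\n");
}
if (get_user_by('login', $new_login)) {
    exit("Account '$new_login' already exists; pick another name.\n");
}

// Create the replacement administrator with a random password. It is printed once so
// it can go straight into a password manager; change it from the dashboard afterwards.
$password = wp_generate_password(24, true);
$new_id   = wp_create_user($new_login, $password, $new_email);
if (is_wp_error($new_id)) {
    exit('Could not create user: ' . $new_id->get_error_message() . "\n");
}
(new WP_User($new_id))->set_role('administrator');

// Delete 'admin' and reassign its posts and links to the new account instead of
// deleting them along with the user.
if (!wp_delete_user($old->ID, $new_id)) {
    exit("Could not delete the old 'admin' account.\n");
}

echo "Created '$new_login' (ID $new_id) with password: $password\n";
echo "Deleted 'admin' (ID {$old->ID}); its content now belongs to '$new_login'.\n";
```

The same two steps are what the dashboard does when you add a user and then delete the old one with “Attribute all content to” set to the new account; WP-CLI’s `wp user create` and `wp user delete --reassign` do it too. On a multisite network `wp_delete_user()` only removes the user from the current site, so run the deletion from the network admin instead.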

3. Update your site regularly

Keeping all your plugins, theme and WordPress itself updated ensures the stability and security of your site. It keeps everything ticking over nicely and closes the known vulnerabilities that malware relies on.

For step-by-step instructions on how to update your plugins, theme and WordPress, keep an eye out for an upcoming post!

4. Back up your site
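
Until that post arrives, WordPress can update itself. Here is an added example (my own configuration, not from the original post) that turns on the built-in background updates for core, plugins and themes. The first part belongs in wp-config.php and the rest in a must-use plugin; the excluded plugin slug is a placeholder.

```php
<?php
/*
 * Added example, not from the original post: enable WordPress's built-in automatic
 * updates. Part 1 goes in wp-config.php; part 2 goes in a file under
 * wp-content/mu-plugins/ (e.g. auto-updates.php). Do not put both in one file, because
 * the constant may already be defined by then.
 */

// ---- Part 1: wp-config.php ----
// 'minor' (the default) installs security and maintenance releases only;
// true also installs major releases unattended.
define('WP_AUTO_UPDATE_CORE', true);

// ---- Part 2: wp-content/mu-plugins/auto-updates.php ----
// Opt every installed plugin and theme into background updates.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Keep one plugin on manual updates because it needs testing on a staging site first.
// The slug is a placeholder; WordPress passes the update item so we can inspect it.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && $item->slug === 'example-plugin') {
        return false;
    }
    return $update;
}, 20, 2);
```

Automatic updates run from WP-Cron, so a site that nobody visits may lag; pairing this with the backup in tip 4 means a bad update can be rolled back rather than feared.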

If your website is hacked, you’ll want to reset it to the last clean point before the attack. Unless you have a fresh backup to hand, this won’t be possible!

Always back up your site, and store the backup separately from your site and your hosting, somewhere like Dropbox or Google Drive, to keep it safe.

Backing up at least once a month, and at the very least both before and after your updates, is sufficient.

If you add content regularly, you’ll want to do it more frequently. Keep an eye out for an upcoming blog on the ‘how to’ of backups.

5. Limit login attempts

If you haven’t already, install a security plugin to help prevent brute force attacks. I have set a limit on the maximum number of attempts to log in with an incorrect password. Once they’ve exceeded this number, they’re locked out for 30 minutes before they can try again.

There is also a maximum number of lockouts before an extended lockout is enforced, and I will be emailed to notify me when this happens.

The security plugin I choose to use is Loginizer Security. It’s free, and it keeps my site and my clients’ sites safe from brute force attacks.
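
To make the policy above concrete, here is an added example (my own code, not the original post’s and not the Loginizer plugin’s) of a minimal must-use plugin implementing it: a fixed number of failures locks the client address out for 30 minutes, repeated lockouts escalate to a longer one, and the site admin is e-mailed when that happens. The attempt limit, the lockout count, the 24-hour extended lockout and the file name are my assumptions.

```php
<?php
/*
 * Added example, not from the original post and not Loginizer's code: a small login
 * limiter. Save as wp-content/mu-plugins/limit-logins.php. Assumed thresholds:
 * 5 failures -> 30-minute lockout; 3 lockouts in a day -> 24-hour lockout + e-mail.
 */
const LL_MAX_ATTEMPTS     = 5;
const LL_LOCKOUT_SECONDS  = 30 * MINUTE_IN_SECONDS;
const LL_MAX_LOCKOUTS     = 3;
const LL_EXTENDED_SECONDS = DAY_IN_SECONDS;

// Counters are keyed by client address and stored as transients, so they expire on
// their own. Behind a proxy or CDN, REMOTE_ADDR is the proxy's address: substitute a
// forwarded header here only if you know the proxy sets it.
function ll_key(string $suffix): string {
    return 'll_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown') . '_' . $suffix;
}

function ll_is_locked(): bool {
    return (int) get_transient(ll_key('locked')) > time();
}

// Priority 30 runs after WordPress's own credential checks (priority 20), which would
// otherwise overwrite an earlier error. A locked address gets the same error whether
// or not the password was right, so the lockout itself leaks nothing.
function ll_block_if_locked($user, $username, $password) {
    if (!ll_is_locked()) {
        return $user;
    }
    $minutes = (int) ceil(((int) get_transient(ll_key('locked')) - time()) / 60);
    return new WP_Error('ll_locked', sprintf('Too many failed logins. Try again in %d minutes.', $minutes));
}
add_filter('authenticate', 'll_block_if_locked', 30, 3);

// Count each failure; at the limit start a lockout, and escalate after repeated ones.
function ll_record_failure($username): void {
    if (ll_is_locked()) {
        return; // attempts made during a lockout do not extend it
    }
    $fails = (int) get_transient(ll_key('fails')) + 1;
    if ($fails < LL_MAX_ATTEMPTS) {
        set_transient(ll_key('fails'), $fails, LL_LOCKOUT_SECONDS);
        return;
    }
    delete_transient(ll_key('fails'));
    $lockouts = (int) get_transient(ll_key('lockouts')) + 1;
    set_transient(ll_key('lockouts'), $lockouts, LL_EXTENDED_SECONDS);

    $extended = $lockouts >= LL_MAX_LOCKOUTS;
    $duration = $extended ? LL_EXTENDED_SECONDS : LL_LOCKOUT_SECONDS;
    set_transient(ll_key('locked'), time() + $duration, $duration);

    if ($extended) {
        delete_transient(ll_key('lockouts')); // start counting afresh after escalating
        wp_mail(
            get_option('admin_email'),
            'Extended login lockout on ' . home_url(),
            sprintf(
                "%s was locked out for %d hours after %d lockouts. Last username tried: %s",
                $_SERVER['REMOTE_ADDR'] ?? 'unknown',
                $duration / HOUR_IN_SECONDS,
                $lockouts,
                sanitize_user((string) $username)
            )
        );
    }
}
add_action('wp_login_failed', 'll_record_failure');

// A successful login clears the failure count for that address.
add_action('wp_login', function (): void {
    delete_transient(ll_key('fails'));
});
```

Two design points worth knowing before relying on something like this: keying by address means a shared office IP can lock colleagues out together, and transients live in the database (or object cache), so a site with no persistent cache should keep the thresholds modest. The e-mail is the detection signal; the username in it tells you whether attackers are targeting a real account.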

6. Add security questions to WordPress Login Screen

Adding security questions to your WordPress login screen adds an extra layer of protection by making it *that* much harder for someone to gain unauthorised access. You can add this to your site by installing the ‘WP Security Questions’ plugin. Once you’ve activated it, go to its settings page to configure it.

7. Add an SSL certificate

SSL (Secure Sockets Layer) is a protocol that encrypts data transferred between your website and a user’s browser (its modern successor is TLS, but the name SSL has stuck). This encryption makes it harder for someone on the network to sniff around and steal information.

Once you enable SSL, your website will use HTTPS instead of HTTP, and you will also see a padlock next to your website address in the browser.

SSL certificates were typically issued by certificate authorities, with prices starting from £80 and running to hundreds of pounds each year. Because of the added cost, most website owners opted to keep using the insecure protocol.

To fix this, a non-profit organisation called Let’s Encrypt decided to offer free SSL certificates to website owners. The project is supported by Google Chrome, Facebook, Mozilla and many more companies.

Now it is easier than ever to start using SSL for all your WordPress websites, and many hosting companies offer a free SSL certificate for your WordPress website.
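
Installing the certificate is only half the job: WordPress also has to be told to use it. Here is an added example (my own configuration, not from the original post) of the settings that make a site HTTPS-only once a certificate is in place. The domain, the HSTS max-age and the file locations are assumptions.

```php
<?php
/*
 * Added example, not from the original post: make WordPress use the certificate.
 * Part 1 goes in wp-config.php; part 2 goes in a file under wp-content/mu-plugins/
 * (e.g. force-https.php). The domain and the max-age value are placeholders.
 */

// ---- Part 1: wp-config.php ----
// The site addresses must be https, otherwise WordPress redirects visitors back to http.
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');
// Serve the dashboard and the login form only over HTTPS.
define('FORCE_SSL_ADMIN', true);
// If a proxy or CDN terminates TLS, PHP itself sees plain HTTP and is_ssl() returns
// false, which would make the redirect below loop. Trust the forwarded header only
// when such a proxy is in front of the site.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// ---- Part 2: wp-content/mu-plugins/force-https.php ----
// Send any plain-HTTP request to the same URL over HTTPS. Skipped for WP-CLI and cron,
// where there is no browser to redirect.
add_action('init', function (): void {
    if (is_ssl() || (defined('WP_CLI') && WP_CLI) || (defined('DOING_CRON') && DOING_CRON)) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect($target, 301); // only redirects to this site's own host
    exit;
});

// Ask browsers to remember to use HTTPS (HSTS). Start with a short max-age and raise
// it once every page and asset loads cleanly over HTTPS; the header is only valid on
// HTTPS responses.
add_action('send_headers', function (): void {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=300');
    }
});
```

After switching, old posts may still embed images with http:// addresses, which the browser flags as mixed content and the padlock disappears; WP-CLI’s `wp search-replace` (or a search-and-replace plugin) updates those links in the database.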

So those are my top tips for keeping your website safe and secure (without getting ‘too techy’ on you!).

If you have any questions, or would like someone to take care of these issues as part of my monthly maintenance plan, get in touch!

Are you finally ready to have an amazing website you can be proud of?

Don’t delay! I am ready, my notepad is open and my coffee is hot!