🔒 WordPress Security Basics: 5 Easy Ways to Keep your Website Safe
WordPress security is a confusing topic to learn about. There is an endless amount of information available and even experts can’t always agree on things.
This article gives you 5 actionable steps to protect your website from the most common kinds of security attacks.
Keep everything updated
Take care of your login page and use strong passwords
Be picky about your plugins
Use HTTPS
Have a backup system
1. Keep everything updated
Keeping your WordPress core, plugins, and themes updated is a critical part of keeping your website safe.
A large share of updates exist to fix security holes that are already present on your site. Rather than treating a new update as an annoyance, think of it as work that the WordPress developers have done for you free of charge!
It’s important to remember that WordPress updates are public information. Changes between releases are documented on WordPress’ blog and are available to everyone.
Most releases are categorized and include a brief description of the changes that were made. When a release fixes a security vulnerability it is tagged as a “Security Release” and credit is given to the person who found it.
This is a gold mine for attackers. Instead of finding security holes themselves, they can simply watch the changelogs (and, since WordPress is open source, read the patch itself to see exactly what was fixed). If version 5.2.4 fixed a security flaw, then every site still running 5.2.3 is a target for that flaw, and automated scanners start looking for such sites very soon after the release, often within days.
This is why it’s so important to install updates as soon as possible: you want to be patched before the scanners come knocking.
An update can occasionally break part of your site, but this should be rare. The WordPress team and the developers of most reputable themes and plugins know that bad updates reflect poorly on them and are careful. Frequent, small updates are also less likely to cause problems than infrequent jumps across multiple versions. If you are nervous about a particular update, take a backup first (see section 5) so you can roll back.
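As an added example (this script is not from the original article and is not WordPress’ own tooling), here is a small POSIX shell script that answers the question this section raises: is the site behind? It reads the installed core version from wp-includes/version.php, compares versions with version-aware sorting, and, when a path is given in WP_PATH, uses WP-CLI (assumed to be installed as wp) to report core, plugins and themes that have updates waiting. The file name, the WP_PATH variable and the sample version 5.2.3 are assumptions.

```shell
#!/bin/sh
# wp-update-check.sh (added example; hypothetical file name).
# Reports whether WordPress core, plugins and themes are behind the latest
# release. The live report needs WP-CLI installed as `wp`; the helper
# functions work on plain files and text so they can be checked without it.
set -eu

# Print the core version of the install at $1, taken from wp-includes/version.php,
# which contains a line like:   $wp_version = '5.2.3';
installed_wp_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Succeed (exit 0) when version $1 is older than version $2, e.g. 5.2.3 < 5.2.4.
# sort -V orders dotted version strings numerically (GNU coreutils).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Turn the CSV printed by
#   wp plugin list --fields=name,version,update_version --format=csv
# (or the same for `wp theme list`) into "name installed -> available" lines,
# one per plugin that has an update waiting. Reads the CSV from stdin.
plugins_behind() {
    awk -F, 'NR > 1 && $3 != "" && $3 != $2 { printf "%s %s -> %s\n", $1, $2, $3 }'
}

# Live report for the install at $1. Requires WP-CLI.
report() {
    current=$(installed_wp_version "$1")
    # `wp core check-update` lists newer core releases (or a Success line when
    # there are none); keep the highest thing that looks like a version number.
    latest=$(wp --path="$1" core check-update --field=version 2>/dev/null \
        | grep -Eo '^[0-9]+(\.[0-9]+)+' | sort -V | tail -n 1 || true)
    if [ -n "$latest" ] && version_lt "$current" "$latest"; then
        echo "core: $current is behind $latest; the release notes are public, so update now"
    else
        echo "core: $current is current"
    fi
    echo "plugins behind:"
    wp --path="$1" plugin list --fields=name,version,update_version --format=csv | plugins_behind
    echo "themes behind:"
    wp --path="$1" theme list --fields=name,version,update_version --format=csv | plugins_behind
}

# Only run the live report when a path is given, e.g.
#   WP_PATH=/var/www/html sh wp-update-check.sh
if [ -n "${WP_PATH:-}" ]; then
    report "$WP_PATH"
fi
```

Run it from cron and mail yourself the output, and the “one step behind” window shrinks to however often the job runs. WP-CLI can also apply what it finds (wp core update, wp plugin update --all, wp theme update --all), which is the natural next line once you trust the report.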
2. Take care of your login page and use strong passwords
Your login page is the entry point to your admin dashboard, and anyone can visit it and start trying usernames and passwords willy nilly. Hackers know this and use bots to find WordPress sites and repeatedly attempt to log in with common passwords. This is usually called a brute force attack (strictly speaking a dictionary attack, since the bot works through a list rather than every possible combination), and a surprisingly large number of websites are hacked this way.
Most brute force attack bots will use a wordlist to try common passwords. A wordlist can contain millions of passwords and is usually sorted to have the most frequently used passwords appear first.
One infamous wordlist is called rockyou. It comes from the 2009 breach of RockYou, a social-gaming company that stored its users’ passwords in plain text; the list contains more than 14 million unique passwords, ordered by how often they were used. The first entry is 123456.
The simplest way to thwart brute force attacks is to use strong passwords. The strongest passwords are long, random strings of letters, numbers, and symbols (e.g. 3Ew6aBLwD9huFNTKME), and WordPress suggests passwords like these whenever a new user is created or a password is reset. Randomly generated passwords are hard to memorize, so a password manager like 1Password or LastPass makes keeping track of them much easier.
If you’d prefer not to use a password manager, you can also make a strong password by stringing four or more randomly chosen common words together. Something like giant-mongoose-taco-hawaii won’t appear in any wordlist and can be committed to memory with a little repetition. The words do need to be picked at random (from a dictionary or a list of dice words, for example) rather than forming a phrase you would naturally write: song lyrics, quotations and familiar sayings are in the wordlists too.
If you want to go a step further, there are other ways to prevent unauthorized logins from brute force attacks. All three of these strategies can be implemented with freely available plugins.
Limit the number of login attempts a user gets. After too many failed attempts, the client IP address (and ideally the targeted username as well, since bots rotate through many IP addresses) is locked out for a while before it can try again.
Move your login page from the default /wp-login.php location so that bots scanning for it don’t find it. Treat this as obscurity rather than a real control: it stops lazy scanners, but WordPress also accepts usernames and passwords over XML-RPC (xmlrpc.php), so that endpoint needs to be disabled or rate-limited too, or the bots simply switch to it.
Require two-factor authentication (2FA). Now even if a hacker guesses the correct password, they can’t log in without the second factor: a code from an authenticator app on your phone, a hardware security key, or at minimum a code sent by SMS.
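Whether or not you install a plugin for this, it is worth knowing what a login bot looks like in your own web server log. The following is an added example, not from the original article: a POSIX shell script with an awk filter that counts failed POSTs to wp-login.php (and every POST to xmlrpc.php) per client IP in a “combined”-format access log and flags anything above a threshold. The log lines embedded in it are constructed sample traffic, not a real log, and the file name and IP addresses are assumptions.

```shell
#!/bin/sh
# login-bruteforce-check.sh (added example; hypothetical file name).
# Finds clients hammering the WordPress login endpoints in an access log
# written in the common "combined" format (Apache and nginx defaults).
set -eu

# Constructed sample traffic, not a real log. One legitimate user logs in,
# one bot posts passwords at wp-login.php, one bot uses xmlrpc.php (which
# also accepts a username and password), and one visitor posts a comment.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2019:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2019:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2019:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2019:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2019:13:55:12 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3567 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2019:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2019:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "python-requests/2.22.0"
192.0.2.55 - - [10/Oct/2019:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2019:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2019:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2019:13:57:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print "count ip path" for every client with more than $1 failed login
# attempts, busiest first. Log lines come from stdin.
#   usage: login_bruteforce_suspects 20 < /var/log/nginx/access.log
login_bruteforce_suspects() {
    awk -v threshold="$1" '
        # combined format fields: $1 client IP, $6 method with its leading
        # quote character, $7 request path, $9 HTTP status code
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)   # drop any query string
            # A successful wp-login.php POST answers with a 302 redirect to the
            # dashboard; a 200 means the form came back with an error, i.e. a
            # failed attempt. xmlrpc.php always answers 200, so every POST counts.
            if (path ~ /\/xmlrpc\.php$/ || (path ~ /\/wp-login\.php$/ && $9 == 200))
                hits[$1 " " path]++
        }
        END {
            for (k in hits)
                if (hits[k] > threshold)
                    print hits[k], k
        }' | sort -rn
}

# Just the offending IPs, one per line, ready for a firewall deny list.
suspect_ips() {
    login_bruteforce_suspects "$1" | awk '{ print $2 }' | sort -u
}

# Demo on the constructed sample:   sh login-bruteforce-check.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | login_bruteforce_suspects 5
fi
```

Two caveats before you block anything this prints. If the site sits behind a CDN or reverse proxy, the first field of the log is the proxy’s address, not the visitor’s, and blocking it would block the proxy; log the X-Forwarded-For header (or configure the real-IP module) first. And counting is only a start: feeding these addresses into fail2ban or the firewall, or letting a login-limiting plugin do the equivalent inside WordPress, is what actually ends the attempts.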
3. Be picky about your plugins
One of the best parts of WordPress is the community. Developers have created thousands of plugins that do useful and interesting things, and many of these plugins can be downloaded and used for free.
This is incredibly valuable for WordPress users but comes with a downside as well. The most common way that a website gets hacked is through vulnerable plugins. We already touched on the importance of keeping plugins updated, but you should also be careful about what plugins you use in the first place.
Generally speaking, sites that use fewer plugins are less likely to be hacked because there is less code available to exploit. Plugins that no longer serve a purpose should be deactivated and uninstalled. Deactivating alone is not enough: a deactivated plugin’s files are still on the server, and some of them can still be reached directly by URL.
Do your research before installing a plugin. Plugins with a large number of active installations and good reviews are more likely to be well maintained and to have had their bugs found and fixed. It’s also a good sign if the plugin is updated regularly and is marked compatible with the most recent version of WordPress; one that hasn’t been touched in years, or that the plugin directory has closed, is a risk. Install plugins from the official directory or straight from the vendor: pirated (“nulled”) copies of paid plugins circulate on third-party sites and routinely come with malware added.
4. Use HTTPS
Make sure that your website uses HTTPS and not HTTP. HTTPS encrypts the traffic between your visitors’ browsers and your server, so a digital eavesdropper on the path (on public Wi-Fi, at the ISP, or anywhere in between) cannot read it or quietly modify it. This is critical for protecting things like login credentials, session cookies and e-commerce details.
Most hosting services now include a free TLS certificate (still commonly called an SSL certificate, often issued by Let’s Encrypt) that lets your website use HTTPS, with a padlock icon next to the domain name in the browser’s address bar. If your WordPress website doesn’t already use HTTPS, correct that as soon as possible. Once the certificate is in place, set both the WordPress Address and Site Address to the https:// version of your domain, redirect every http:// request to https://, and add define('FORCE_SSL_ADMIN', true); to wp-config.php so the login page and dashboard are never served over plain HTTP.
5. Have a backup system
God forbid, but even with the precautions above, your website could still get hacked. A good backup system lets you restore the site to a known-good state and get things back to normal. Two caveats: restore from a copy taken before the compromise (a backup made after the break-in contains the attacker’s changes too), and fix whatever let them in, usually by updating and changing every password, or you will be restoring again next week. Test a restore once in a while; a backup you have never restored is a hope, not a plan.
The most important things to back up are:
Your database. It contains all the content of your website including its posts, pages, menu items, and more.
Your themes and plugins, plus the wp-content/uploads folder that holds your images and other media. This is especially crucial if your theme contains custom code changes that make it different from its original version.
The best backups are stored somewhere other than the web server itself: an attacker who gets into the server can delete or encrypt any backups sitting beside the site. Good hosting platforms often create a database backup automatically at a preset interval. Daily database backups are usually sufficient for small sites, but increase the frequency if your site regularly publishes new content.
Custom themes and plugins can be backed up automatically as well, though you may not need to. If you make custom code changes yourself, copy them somewhere other than your live site. Professional web developers usually track code changes with a version control system like Git, so their work is backed up in several places and every change is attributable.
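Below is an added example of such a backup routine, written as a POSIX shell script; it is not from the original article and not WordPress’ own tooling. It reads the database credentials out of wp-config.php, dumps the database with mysqldump (passing the credentials through a temporary defaults file rather than on the command line), archives wp-content plus wp-config.php, and prunes old copies by name. The file name, the paths, the 14-copy retention and the commented-out off-site rsync destination are assumptions to adapt.

```shell
#!/bin/sh
# wp-backup.sh (added example; hypothetical file name).
# Dumps the WordPress database, archives wp-content, prunes old copies.
# Needs mysqldump, gzip and tar on the web server.
set -eu

# Print the value of a wp-config.php constant, e.g.  wp_config_value DB_NAME /var/www/html
# Matches lines like  define('DB_NAME', 'wordpress');  with single or double
# quotes and optional spaces. A password that itself contains a quote will
# need handling by hand.
wp_config_value() {
    sed -n "s/^ *define( *['\"]$1['\"] *, *['\"]\([^'\"]*\)['\"] *).*/\1/p" "$2/wp-config.php" | head -n 1
}

# Dump the database of the install at $1 into the gzip file $2.
dump_database() {
    creds=$(mktemp)
    chmod 600 "$creds"
    # Credentials go into a --defaults-extra-file instead of onto the command
    # line, where `ps` would show the password to every user on the host.
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$(wp_config_value DB_USER "$1")" \
        "$(wp_config_value DB_PASSWORD "$1")" \
        "$(wp_config_value DB_HOST "$1")" > "$creds"
    # --single-transaction takes a consistent snapshot of InnoDB tables without
    # locking the live site; dump to a temp file first so a failed dump cannot
    # leave a truncated but valid-looking .gz behind.
    mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
        "$(wp_config_value DB_NAME "$1")" > "$2.tmp" \
        || { rm -f "$creds" "$2.tmp"; return 1; }
    gzip -c "$2.tmp" > "$2"
    rm -f "$2.tmp" "$creds"
}

# Archive themes, plugins, uploads and wp-config.php from the install at $1
# into $2. Custom code lives in wp-content, and uploads cannot be re-downloaded
# from wordpress.org. wp-config.php holds the DB password and the salts, so the
# archive must be stored with that in mind (encrypted, or at least off-limits).
archive_content() {
    tar -C "$1" -czf "$2" wp-content wp-config.php
}

# Delete all but the newest $2 files in $1 ending in $3. Backups are named
# with a sortable timestamp, so sorting by name is sorting by age.
prune_old() {
    ls -1 "$1"/*"$3" 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" \
        | while IFS= read -r f; do rm -f "$f"; done
}

# One timestamped dump and archive per run, keeping the last 14 of each.
run_backup() {
    stamp=$(date +%Y-%m-%d_%H%M%S)
    mkdir -p "$2"
    dump_database "$1" "$2/db-$stamp.sql.gz"
    archive_content "$1" "$2/content-$stamp.tar.gz"
    prune_old "$2" 14 .sql.gz
    prune_old "$2" 14 .tar.gz
    # Then copy the directory off the server (hypothetical destination); a
    # backup that only lives on the web server disappears with the web server.
    # rsync -a "$2"/ backup@offsite.example.net:wp-backups/
}

# Run only when WP_PATH is given, e.g. from cron:
#   WP_PATH=/var/www/html BACKUP_DIR=/var/backups/wp sh wp-backup.sh
if [ -n "${WP_PATH:-}" ]; then
    run_backup "$WP_PATH" "${BACKUP_DIR:-/var/backups/wp}"
fi
```

If WP-CLI is installed, wp db export does the dump step with the same credentials and no parsing. Either way, the off-site copy is the part that matters most: a full set of backups sitting next to the site is exactly what an attacker with shell access deletes first.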
Summary
If there is one thing that you take away from this post, it should be that WordPress needs to be updated regularly to stay secure! Updates are not a chore - they are an easy way to make your website better and to stay ahead of opportunistic attackers.
The next priority on your list should be password strength. Bots are constantly crawling the internet for WordPress sites to try common passwords on - don’t make your site an easy target.
Pay attention to the plugins that you use on your website. Do your due diligence before downloading a plugin, and uninstall plugins that are no longer needed.
Ensure that your website uses HTTPS to protect the data of yourself and your users from potential eavesdroppers.
Finally, have a backup system in place just in case. Good backup systems are stored separately from your website and include your database and any themes or plugins that contain custom code changes.
WordPress security is a complicated business, but by taking these 5 simple precautions you will be well ahead of the average website owner in making your website less susceptible to hackers.