Top Tips For Keeping Your WordPress Website Secure
Top tips on how to make your website more secure and less hackable. Much like having an alarm system and sign on your home, it does not stop an attack but will dissuade or put off potential hackers. They will generally move on to an easier target. It is your responsibility to ensure the security of your website. If you do get hacked or have malware installed, you may be blacklisted at server hosting level and/or by Google. This will affect your business reputation and therefore your rankings in any Google search. And your email could get blacklisted as a result too. If you are in any doubt, use a competent web partner.
1. Original username – do not use the default Admin or Administrator when accessing your website control panel.
2. Original password – use a mix of letters and numbers, caps and special characters. Change this every so often.
3. Limit login attempts to three – after which a person must ‘Request a new Password’.
4. Keep WordPress platform up to date – always keep the version of WordPress core up to date, as updates are released.
5. Keep any plugins up to date. ONLY use plugins that have been well tried and tested, with great reviews. Again apply any updates as they get released. Note: FREE plugins are often not being updated and pose a security problem at some stage – avoid FREE.
6. Ensure that hosting software at your server level is kept up to date and can support your updates. Regularly update PHP here.
7. Hide wp-config and .htaccess. Do this only after taking a backup. Remember to do regular backups, ideally daily or weekly, maybe monthly for small brochure websites that do not change much.
8. Employ a security agent like Sucuri or Wordfence to keep your website clean. Using their firewall is a good idea.
9. Use two-factor authentication or the Google Authenticator. It is more cumbersome because it asks for a username and password and a PIN that is sent to your phone. Your biometric identification may do for this. The banks are doing this, and for good reason: it works.
10. Limit back end permissions to staff members to the very minimum they need. Keep the administration privileges or permissions to the Webmaster and company owner or relevant person with responsibility for website security. Other staff members can have a reduced access, that pertains to their area of responsibility, such as posting a blog item.
Note: Unless totally necessary, disable ‘Comments’.
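For tip 7, one common way to hide these files on an Apache server is to deny web requests for them in the `.htaccess` file at the WordPress root. This is an added example, not part of the original article; it assumes Apache hosting where `.htaccess` overrides are permitted, and it should sit outside the `# BEGIN WordPress` / `# END WordPress` markers, because WordPress rewrites that section.

```apache
# Added example (assumes Apache with .htaccess overrides enabled).
# Take a backup of the existing .htaccess before editing it.

# Refuse any direct web request for wp-config.php, which holds the
# database credentials and secret keys.
<Files "wp-config.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (older shared hosting)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Refuse web requests for .htaccess, .htpasswd and any other .ht* file.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving, requesting `/wp-config.php` or `/.htaccess` in a browser should return 403 Forbidden while the rest of the site loads normally.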

Is your website security your responsibility?
Who is responsible?
If you have a website, then someone needs to take responsibility for its security, just as you would your building or your transport fleet. In the event that you do get hacked, you may lose the website totally or have to have it cleaned and rebuilt. But worse, it could damage your reputation if it is used nefariously. You will lose your Google ranking and may even get blacklisted. Plus, the time wasted on fixing it could have been avoided by putting some simple protection in place. The potential for loss is significant.
Note: Most websites when hacked do not show any visible signs of having been hacked. The hackers will not email you to tell you that they are using your website to send out spam, use your hosting or even to sell adult content.
Any questions, drop us a line. And if you do want someone to take some responsibility we offer a WordPress website support service for peace of mind, security and better website performance.
Does website security cost money?
Yes, it does need some investment. Simple as that. If you make an investment into your website, then just like buying a truck, you need to maintain it, service it and insure it, as well as adding fuel to keep it going. In the long run it saves headaches and money. And it generates sales.
Protect your investment from day one for a small monthly fee, or investment of your own personal time, rather than waiting for the website to collapse, cause you a lot of grief and end up costing you a lot more than would have been necessary. As it ages, your website has a value way in excess of whatever you paid to get it set up initially.
If you are a practice or company manager, make sure that you get a written report each month that confirms that your website is in good order. If you want to really dig in, read some more useful tips at WP Beginner. Or this WordPress specific article at 20i. And there is a plugin called Wordfence which offers another good checklist.
The WordPress Community is happy to share tips and advice for beginners or anyone who has the time to learn all this stuff.
For the most part we recommend you engage a competent person or outsource to a dependable web agency or an IT company to manage this for you. That way you can focus on your own business, doing what you do best.
FAQs on the WordPress Website Security Checklist
Why is website security so important for my business?
Website security is crucial for any business. Just like you would not leave your shop on Grafton Street or Port Road unlocked, you should not neglect your website’s security. A hacked website can lead to data loss, damage to your reputation – word gets around quickly, especially in small towns like Letterkenny or cities like Dublin – blacklisting by search engines (affecting your rankings), and even legal issues. Imagine the impact if your site was compromised and used for spam. It is an investment in protecting your online presence and your business, whether you are based in Dublin or Donegal.
Can I just use free security plugins?
While free plugins might seem appealing, they often lack the comprehensive features and regular updates of premium solutions. They are free for a reason. Free plugins can sometimes be abandoned by developers, creating security vulnerabilities. And ultimately you are the one who is responsible. Investing in a reputable security plugin or service offers better protection.
How often should I back up my website?
Regular backups are essential. Daily or weekly backups are recommended for websites with frequent updates. For smaller, less frequently updated sites, monthly backups might suffice. The key is to have a recent backup available so you can restore your website quickly if it is compromised or hacked.
I am not very technical. Do I really need to understand all this?
While understanding the basics is helpful, you do not need to be a technical expert. The article recommends engaging a competent web agency or an IT company to manage your website security. This allows you to focus on your business while the professionals handle the technical aspects.
What are the most critical steps I should take to improve my website security?
The article here highlights several key steps: using a strong, unique username and password, limiting login attempts, keeping WordPress core and plugins updated, and implementing a security solution. These are foundational practices that significantly strengthen your website against common attacks.
Having security in place does not protect you 100%, but hackers will likely go off to some other website that has no protection in place.