Top Tips For Keeping Your WordPress Website Secure
These are our top tips on how to make your website more secure and less hackable. Much like an alarm system and sign on your home, these measures do not stop an attack, but they will dissuade or put off potential hackers, who will generally move on to an easier target. It is your responsibility to ensure the security of your website. If you do get hacked or have malware installed, you may be blacklisted at server hosting level and/or by Google. This will affect your reputation and therefore your rankings in any Google search, and your email could get blacklisted as a result too. If you are in any doubt, use a competent web partner.
1. Original username – do not use the default Admin or Administrator when accessing your website control panel.
2. Original password – use a mix of letters and numbers, caps and special characters. Change this every so often.
3. Limit login attempts to three – after which a person must ‘Request a new Password’.
4. Keep the WordPress platform up to date – always apply new versions of WordPress as updates are released.
5. Keep any plugins up to date. ONLY use plugins that have been well tried and tested, with great reviews. Again, apply any updates as they get released.
6. Ensure that hosting software at your server level is kept up to date and can support your updates.
7. Hide wp-config and .htaccess. Do this only after taking a backup. Remember to do regular backups.
8. Employ a security agent like Sucuri to keep your website clean. Using their firewall is a good idea.
9. Use two-factor authentication or the Google Authenticator. It is more cumbersome because it asks for a username and password and a PIN that is sent to your phone. Your biometric identification may do for this.
10. Limit back-end permissions for staff members to the very minimum they need. Keep the admin privileges to the Webmaster and company owner or relevant person with responsibility for website security. Other staff members can have reduced access that pertains to their area of responsibility, such as posting a blog item.
Note: Unless totally necessary, disable comments.
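One way to check tip 7 on your own server, as an added example that is not part of the original article. It assumes an Apache 2.4 host, where "hiding" a file means refusing web requests for it with "Require all denied"; the function names and the sample rules are constructed for illustration.

```python
import re
import stat
import sys
from pathlib import Path

# Constructed sample: Apache 2.4 rules that refuse web requests for both files.
HARDENED_HTACCESS = """\
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\\.ht">
    Require all denied
</FilesMatch>
"""

def denied_patterns(htaccess_text):
    """Return (kind, pattern) for each <Files>/<FilesMatch> block that denies all."""
    blocks = re.findall(r'<(Files|FilesMatch)\s+"?([^">]+)"?\s*>(.*?)</\1>',
                        htaccess_text, flags=re.S | re.I)
    return [(kind.lower(), pattern) for kind, pattern, body in blocks
            if re.search(r'^\s*Require\s+all\s+denied\s*$', body, flags=re.M | re.I)]

def is_covered(denied, filename):
    """True if any deny block applies to filename (exact name or regex match)."""
    return any(pattern == filename if kind == "files" else re.search(pattern, filename)
               for kind, pattern in denied)

def audit_wordpress_dir(root):
    """Return findings for tip 7; an empty list means every check passed."""
    root = Path(root)
    htaccess = root / ".htaccess"
    denied = denied_patterns(htaccess.read_text() if htaccess.exists() else "")
    findings = [f"{name}: no 'Require all denied' rule in .htaccess"
                for name in ("wp-config.php", ".htaccess")
                if not is_covered(denied, name)]
    config = root / "wp-config.php"
    if config.exists() and stat.S_IMODE(config.stat().st_mode) & stat.S_IROTH:
        findings.append("wp-config.php: readable by other users on the server")
    return findings

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wordpress (defaults to current directory)
    for finding in audit_wordpress_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

The check only recognises exact <Files> names and <FilesMatch> patterns written in Apache 2.4 syntax; rules placed in the main server configuration instead of .htaccess are not seen by it.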
Is website security your responsibility?
Who is responsible?
If you have a website, then someone needs to take responsibility for its security, just as you would for your building or your fleet. In the event that you do get hacked, you may lose the website totally or have to have it cleaned and rebuilt. Worse, it could damage your reputation if it is used nefariously. You will lose your Google ranking and may even get blacklisted. Plus, the time wasted on fixing it could have been avoided by putting some simple protection in place.
Note: Most websites when hacked do not show any signs of having been hacked. Hackers will not email you to tell you that they are using your website to send out spam or sell adult content.
Any questions, drop us a line. And if you do want someone to take some responsibility we offer a website support service HERE for peace of mind, security and better website performance.
Does website security cost money?
Yes, it does. Simple as that. If you make an investment into your website, then just like buying a truck, you need to maintain it, service it and insure it, as well as adding fuel to keep it going.
Protect your investment from day one for a small monthly fee, or investment of your own time, rather than waiting for the website to collapse and cause you a lot of grief, which will end up costing you a lot more than would have been necessary. Your website as it ages has a value way in excess of whatever you paid to get it set up initially.
If you are a practice or company manager, make sure that you get a written report each month that confirms that your website is in good order. If you want to really dig in, read some more useful tips at WP Beginner, or this WordPress-specific article at 20i. And there is a plugin called Wordfence, whose makers offer another good checklist.
The WordPress Community is happy to share tips and advice for beginners or anyone who has the time to learn all this stuff.
For the most part we recommend you engage a competent person or outsource to a dependable web agency or an IT company to manage this for you.