Top Tips For Keeping Your WordPress Website Secure
Top tips on how to make your website more secure and less hackable. Much like having an alarm system and sign on your home, these measures do not stop an attack but will dissuade or put off potential hackers, who will generally move on to an easier target. It is your responsibility to ensure the security of your website. If you do get hacked or have malware installed, you may be blacklisted at server hosting level and/or by Google. This will affect your business reputation and therefore your rankings in any Google search. Your email could get blacklisted as a result too. If you are in any doubt, use a competent web partner.
1. Original username – do not use the default Admin or Administrator when accessing your website control panel.
2. Original password – use a mix of letters and numbers, caps and special characters. Change this every so often.
3. Limit login attempts to three – after which a person must ‘Request a new Password’.
4. Keep WordPress platform up to date – always keep the version of WordPress core up to date, as updates are released.
5. Keep any plugins up to date. ONLY use plugins that have been well tried and tested, with great reviews. Again, apply any updates as they get released. Note: FREE plugins are often not updated and pose a security problem at some stage – avoid FREE.
6. Ensure that hosting software at your server level is kept up to date and can support your updates. Regularly update PHP here.
7. Hide wp-config and .htaccess. *Do this only after taking a backup. Remember to do regular backups, ideally daily or weekly, maybe monthly for small brochure websites that do not change much.
8. Employ a security agent like Sucuri to keep your website clean. Using their firewall is a good idea.
9. Use two-factor authentication or the Google Authenticator. It is more cumbersome because it asks for a username and password and a PIN that is sent to your phone. Your biometric identification may do for this. The banks are doing this and for good reason.
10. Limit back-end permissions for staff members to the very minimum they need. Keep the administration privileges or permissions to the Webmaster and company owner or relevant person with responsibility for website security. Other staff members can have reduced access that pertains to their area of responsibility, such as posting a blog item.
Note: Unless totally necessary, disable ‘Comments’.
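Tips 1, 5 and 10 can be checked from WP-CLI exports rather than by eye. The script below is an added example, not part of the original article: it reads the JSON printed by `wp user list --format=json` and `wp plugin list --format=json`, and the sample data, the function names and the limit of two administrators (Webmaster plus owner) are assumptions made for illustration.

```python
import json

DEFAULT_LOGINS = {"admin", "administrator"}  # tip 1: default usernames to avoid

# Constructed sample data in the shape WP-CLI prints; not from a real site.
SAMPLE_USERS = """[
 {"ID": 1, "user_login": "admin", "roles": "administrator"},
 {"ID": 2, "user_login": "jsmith", "roles": "administrator"},
 {"ID": 3, "user_login": "mlee", "roles": "administrator"},
 {"ID": 4, "user_login": "blogger1", "roles": "author"}
]"""
SAMPLE_PLUGINS = """[
 {"name": "example-forms", "status": "active", "update": "available", "version": "2.1.0"},
 {"name": "example-seo", "status": "active", "update": "none", "version": "5.4.2"}
]"""

def audit_users(users_json, max_admins=2):
    """Tips 1 and 10: flag default logins and too many administrators."""
    findings, admins = [], []
    for user in json.loads(users_json):
        login = user["user_login"]
        roles = user.get("roles", "")
        if isinstance(roles, str):  # WP-CLI joins multiple roles with commas
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if login.lower() in DEFAULT_LOGINS:
            findings.append(f"default username in use: {login}")
        if "administrator" in roles:
            admins.append(login)
    if len(admins) > max_admins:  # max_admins is an assumed policy limit
        names = ", ".join(sorted(admins))
        findings.append(f"{len(admins)} administrator accounts (limit {max_admins}): {names}")
    return findings

def audit_plugins(plugins_json):
    """Tip 5: flag plugins that have an update waiting."""
    return [
        f"plugin update pending: {p['name']} {p['version']}"
        for p in json.loads(plugins_json)
        if p.get("update") == "available"
    ]

if __name__ == "__main__":
    for line in audit_users(SAMPLE_USERS) + audit_plugins(SAMPLE_PLUGINS):
        print("FINDING:", line)
```

An empty result from both functions means the site passes these three checks; the other tips still need to be confirmed separately.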
Is your website security your responsibility?
Who is responsible?
If you have a website, then someone needs to take responsibility for its security, just as you would your building or your fleet. In the event that you do get hacked, you may lose the website totally or have to have it cleaned and rebuilt. But worse, it could damage your reputation if it is used nefariously. You will lose your Google ranking and may even get blacklisted. Plus, the time wasted on fixing it could have been avoided by putting some simple protection in place.
Note: Most websites when hacked do not show any visible signs of having been hacked. The hackers will not email you to tell you that they are using your website to send out spam, use your hosting or even to sell adult content.
Any questions, drop us a line. And if you do want someone to take some responsibility we offer a website support service HERE for peace of mind, security and better website performance.
Does website security cost money?
Yes, it does need some investment. Simple as that. If you make an investment into your website, then just like buying a truck, you need to maintain it, service it and insure it, as well as adding fuel to keep it going. In the long run it saves headaches and money.
Protect your investment from day one for a small monthly fee, or investment of your own personal time, rather than waiting for the website to collapse, cause you a lot of grief and end up costing you a lot more than would have been necessary. Your website as it ages has a value way in excess of whatever you paid to get it set up initially.
If you are a practice or company manager, make sure that you get a written report each month that confirms that your website is in good order. If you want to really dig in, read some more useful tips at WP Beginner. Or this WordPress specific article at 20i. And there is a plugin called Wordfence which offers another good checklist.
The WordPress Community is happy to share tips and advice for beginners or anyone who has the time to learn all this stuff.
For the most part we recommend you engage a competent person or outsource to a dependable web agency or an IT company to manage this for you. That way you can focus on your own business, doing what you do best.