WordPress Security Rundown: Take the extra steps to secure your website

There are some obvious reasons to keep a tight, secure lock on your WordPress website. It prevents a hack, keeps out unwanted users, and secures your data. But security is a deep and important issue that runs through every aspect of your website.

Google penalizes sites with malware and other hacking-related issues. The WordPress team keeps the core well maintained and is always releasing security patches and improvements. But WordPress is also open source and built around third-party plugins, which leaves it a little more exposed. So you need to take a few extra steps to keep the site and your information safe.

Your website is an investment in your business. It’s part of the message you send out into the world. Protect your investment, either by yourself or by calling in the help of someone who works with WordPress regularly.

I had three people in one week contact me about hacked websites and trouble updating their site. So I wanted to put together some information to help explain why things like that happen. I want to explain where some of the difficulties come from, and what you can do to help prevent or address them.

Vet Your Themes, Plugins, and Host

One of the most important things you can do is make sure the plugins you are installing are maintained. But it’s equally important that they’re secure and well developed to begin with.

Your site is only as secure as its least secure part, whether that is an insecure piece of your theme or a plugin with a vulnerability. You can do everything else right, but if you end up with an easily hackable plugin, none of it will matter.

Even the most reputable themes, plugins, and hosts can end up being vulnerable. For instance, Elementor, one of the most popular WordPress page builders, and GoDaddy, one of the most popular web hosts, both reported hacks and compromised accounts in one week.

You’ll want to regularly check in on your plugins to make sure they’re being actively maintained and releasing regular updates. You have time before an outdated plugin or theme becomes an issue. But you’ll want to start the process of replacing it with something else as soon as possible.

Be Aware While Keeping WordPress Updated

WordPress runs on a language called PHP, and just like everything else, PHP gets updates too. When there’s a major version update, there’s more potential for conflicts.

When it comes to versions, you have minor updates like moving from version 1.4 to 1.5. And then there are major updates like moving from version 2.7 to version 3.0. There’s something called a changelog that comes with the update to outline what the changes are. So if it’s a major update or you’re unsure, check on the types of updates that are included.

An essential part of keeping your website secure is keeping everything updated. But it’s important to know how the parts of your site interact so you can anticipate when conflicts might arise.

And of course, the longer you wait, the more complicated the updates can be. Fixing a few warnings is easier than fixing a bunch of critical errors that break the site.

WordPress’s automatic updates default to installing the minor core updates for you. You can change that to turn off automatic updates entirely or to install all updates, including the major ones. Enabling automatic plugin and theme updates (without an extra plugin) is also on the horizon.

You’ll just want to make sure you visit your site on a regular basis. Keep tabs on any issues that affect the site and check on any warnings that pop up.

Lock Down Your Site

There are a lot of security tools out there. You need to know which ones to use, which ones play nicely together, and how to configure them for your specific needs. Stay informed about when updates happen, what the vulnerabilities are, and how to keep those tools running properly and efficiently together.

No matter what tools or plugins you use, they should protect your site on multiple fronts. For example, they should actively scan your site and keep out whoever isn’t supposed to get in.

Can’t I just use a strong password?

A strong password secures one entry point to your website. But there are many different pathways into your site, and a hacker or bot doesn’t always need direct login access to wreak havoc.

[Image from XKCD: comic on website passwords and remembering information]

You could also look into taking even more steps to make it harder for your site to get hacked. No single measure will protect your site 100%, and the more plugins you add, the more potential security holes you introduce. Doing just a few of these things well can improve your chances of staying un-hacked.

Things you should absolutely do no matter what:

  • Enable domain lock with your registrar
  • Change any username that is “admin”
  • Install an SSL certificate and use HTTPS

Things you should also look into:

  • Use a password manager so you can create strong and unique passwords for everything. This includes WordPress, hosting account, email addresses, FTP, and databases.
  • Use two-factor authentication for as many logins as possible
  • Limit incorrect WordPress login attempts
  • Move your WordPress login page
  • Change your database prefix to something other than “wp_”
  • Use a tool like Cloudflare to make it easy to set up advanced security features
  • Disable file editing, file execution, directory indexing, and XML-RPC

There are plugins like Wordfence that take care of multiple items on the list. Additional plugins can take care of other items. And there are ways to handle some of the items manually with code.
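As an added example (not code from the original post), here is a small must-use plugin that handles three items from the list above directly in code: disabling XML-RPC, turning off the built-in file editors, and limiting failed login attempts per client address. The plugin name, the HARDEN_ constant names, and the attempt and lockout values are assumptions; the filters, actions and functions used are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Disables XML-RPC, hides the file editors and throttles failed logins.
 * Save as wp-content/mu-plugins/harden.php; that folder loads automatically.
 */
// 1. Disable XML-RPC. It is a legacy remote-publishing API that most sites never
//    use, and leaving it on gives automated password guessing a second door.
add_filter( 'xmlrpc_enabled', '__return_false' );
// 2. Hide the theme/plugin code editors so a compromised admin account cannot
//    write PHP to the server from wp-admin. Normally set in wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
// 3. Limit incorrect login attempts per client address.
//    Both values are example settings (assumptions), not WordPress defaults.
const HARDEN_MAX_ATTEMPTS    = 5;
const HARDEN_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;
// Transient key for the client. REMOTE_ADDR is set by the web server; behind a
// proxy or CDN, configure the server to restore the real client IP first.
function harden_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'harden_fails_' . md5( $ip );
}
// Count each failed login; the counter expires by itself after the lockout window.
// Attempts rejected below also fire this action, so the lockout slides forward
// for as long as the guessing continues.
add_action( 'wp_login_failed', function () {
    $key = harden_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, HARDEN_LOCKOUT_SECONDS );
} );
// Refuse a locked-out client whether or not the password was right. Priority 30
// runs after WordPress's own username/password check (priority 20), so the
// WP_Error returned here overrides a successful match.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // No credentials submitted, so nothing to throttle.
    }
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'harden_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );
// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( harden_client_key() );
} );
```

The remaining code-level items from the list live outside the plugin: the `$table_prefix` line in wp-config.php controls the database prefix, and directory indexing is turned off in the web server configuration (for Apache, `Options -Indexes` in .htaccess).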

Keep Your Site Backed Up

This is a sort of aside to security. Creating regular backups is going to make it easier to recover from a hack. But it’s important to remember that there was a reason your site was hacked. You’ll want to do more than just restore the backup and move on.

Backups also help when you’re updating something on the site. There could end up being compatibility issues, or an update could end up failing for some other reason. Revert the site using the backups or a plugin. Then either try to figure out what happened or replace the plugin that caused the problem.

You should be scheduling backups regularly, and make sure to run a backup before doing anything risky like updating WordPress. Most sites only ever need a few backups at a time. Make sure you’re cleaning out any excess backups so you’re not clogging up your server with dozens of huge backups.

Fix Security Issues and Keep Them Fixed

Can’t I just hire you to fix my site if something happens?

If you don’t fix your hacked site properly, the hacker can most likely just get right back in with little effort. And unfortunately, if you get hacked once, you’re more likely to get targeted again because they identified your site as vulnerable.

Taking steps to prevent the issue is going to set you up for the highest likelihood of staying hack free. There are ongoing tasks that you’ll want to do in order to stay on top of your website’s security.

Isn’t that what my host is for and why I spent that time to find a good one?

Even if you have a managed host, it’s important to check on them. They might not do everything you think they do. And you might have to pay extra for them to do certain things, especially if it’s custom or from something that’s not found in the WordPress plugin or theme directory.

You have to decide how much time and energy you want to put into setting up and managing your website’s security. Assess your confidence level, read up on everything, get advice, even give it a try. But there’s no replacing a subject matter expert with experience.

Someone who does this on a regular basis is going to do these things better and more efficiently. And save you time, money, headaches, and your reputation in the process.

Why do I need someone like you for security? Can’t I just install a plugin or two?

You absolutely can. And there’s a chance that will be enough. But you have to be confident enough that you can do it right. If you don’t set everything up properly, it can end up being just as effective as doing nothing — or can even end up being more harmful depending on the plugins you choose.

You buy locks to keep things from happening to your house or car. And you buy insurance in case something does happen, so there is someone who will take care of things, someone to lean on to get through it.

The way you go about protecting your website is up to you. The only thing for certain is that you should be doing something.

Still have questions? Ready to start securing your website?

Set up a free 30-minute call so we can get started!

This is the first post in the WordPress Care & Maintenance series. If you want to know more, check out the full maintenance guide.