If you’ve ever dabbled in web design, you’ve probably used or heard of WordPress. If you haven’t, you’ve at least visited a website built on WordPress: As of 2018, 30 percent of all websites are powered this open source platform.
WordPress is incredibly popular due to its ease of use and versatility. With a vast community designing new plugins, fixing bugs, and patching security flaws, it also has one of the best support bases of any website builder. These are just a few of the reasons WordPress is our platform of choice for MediaCutlet’s web development projects.
There’s a catch, though: Because WordPress is so widely used, it has become an easy target for cyber-attacks. Hackers constantly search for ways to exploit vulnerabilities and install malware on your website, so they can direct your visitors to fraudulent links, or steal sensitive information like credit card numbers or login credentials.
If your site is successfully hacked, it won’t be long until Google flags your site and inhibits search traffic and access via Google Chrome browser. That kind of downtime can seriously hurt your reputation and your profits. It happened to a MediaCutlet client during their peak sales season, and although we were able to get them back up and running that same day, some businesses may go days without an active, functioning website.
To keep your website safe, follow these seven simple, yet essential strategies to increase your WordPress security.
1. Keep Everything Up to Date
You may tend to ignore prompts to update your WordPress engine, plugins and themes, but these updates are critical to avoid threats to you and your business. Enable automatic core updates to your WordPress site. This ensures your website always has the latest security patches to keep your site safe from the newest malware and exploits.
2. Regularly Create Backups of Your Website
Whenever you make a change or update to your site, there is always a chance something will go wrong. You might run into a bug or incompatibility issue, leaving you with broken functionalities on your website.
To keep things running smoothly, create regular backups of your WordPress site (we recommend a plugin called UpdraftPlus). If any component breaks after an update, you can quickly restore your website to a working state from the latest backup. You should create a backup before every major update of WordPress, themes, or plugins.
3. Install a Security Plugin/Firewall
Security plugins like WordFence Firewall come with a lockdown feature that limit failed login attempts when hackers try to break into your site. Whenever there is a hacking attempt with repetitive wrong passwords, the user gets banned from the server, and you get notified of this unauthorized activity.
4. Get Rid of Unused Plugins
Disabled plugins that are a few months out of date are like backdoors to your website – they allow unauthorized access and open your site up to vulnerabilities. If you’re not using a plugin, remove it. This action has the added benefit of improving your site’s performance and page speed, which is better for your users and your site ranking.
5. Create Strong Usernames and Passwords
Like all your online accounts, your WordPress login credentials should be unique and difficult for bots to guess. Usernames such as “admin,” “super_admin” and “guest” are commonly targeted in brute-force attacks, in which a hacker creates a malicious script that endlessly guesses usernames and passwords to gain entry to your site. This can also slow down your site as the server attempts to handle all these failed logins. As mentioned above, WordFence can limit the amount of allowed password attempts before the user IP gets blocked.
It’s just as important to create strong, unique passwords for your WordPress account. Don’t use “password” or easy-to-guess personal information. Instead, use a passphrase (ideally five words long) or a random string of letters, numbers, and special characters.
An extra step to preventing brute-force attacks is to protect the wp-admin directory behind your password by installing the AskApache plugin. This plugin creates a virtual wall around your site to prevent attacks from reaching any of your pages.
6. Enable SSL Support
Would you click through to a website that your browser flagged as unsafe? Neither would your customers. To make sure browsers – and your web visitors – view your site as trusted and secure, enable SSL (Secure Sockets Layer) support on your website.
An SSL certificate creates an encrypted connection between your server and the user when transferring sensitive data, such as payment or login information. Without SSL, data is transmitted in plain text and is easy for attackers to intercept.
7. Ask for Help
If you don’t want to dedicate your time or energy to preventing security threats, you can always consult a professional and enter a security and maintenance agreement with a reputable web solutions firm.
MediaCutlet specializes in WordPress web development, and we’ve helped countless clients address security flaws and vulnerabilities. If you think your website needs a complete overhaul or even just a security checkup, contact us to learn how we can help.