WordPress is an awesome, easy-to-use content management system used the world over by bloggers, small start-ups and large corporations alike. With millions of individuals and businesses around the globe using the software to power their websites, it is inevitable that those who enjoy creating havoc on the internet target any vulnerable websites they can find (and it’s really not that hard for them to find).
It is therefore important that you take as many precautions as possible to safeguard your WordPress installation from attack.
Below are 10 simple things you, as the website owner, can do to help make your WordPress website more secure. Most can be done directly through your WordPress dashboard and without too much technical know-how.
- Install the latest version of WordPress and update every time there is an upgrade
WordPress developers guard against vulnerabilities when they add new features and functions to the software, and fix any known security holes as soon as possible after they are found. There are usually 3 to 4 major updates a year with new or improved features and functions. In addition, there may be several bug fixes and security updates. Keeping your WordPress installation as current as possible helps keep the hackers out! If you are running 4.0 or later, WordPress now updates automatically for minor updates, but you’ll need to update manually after a major upgrade.
- Install only tested and compatible plug-ins and update them regularly
Out-of-date and untested plugins can have security holes that hackers can exploit. Most plugin developers work just as vigilantly as the software developers and update and test their plugins soon after a WordPress upgrade. However, some do not, for whatever reason (too busy, out of business, no longer developing). So, when adding a new plugin, ensure it has been tested and is compatible with your version of WordPress, and when you update your software, check to see if your plugins are updated, compatible and tested. Also, check reviews to see if there are any known security problems.
- Use only a tested and compatible theme from a reputable theme supplier and update regularly
Similarly, outdated WordPress themes can have vulnerable and insecure files. Theme developers usually update their themes after a WordPress upgrade. If you’re having your theme customized, where possible have your website designer create a child theme so that the parent theme can be updated as necessary.
- Use a strong admin password and don’t use admin as your username
Hackers look for websites with admin as the username and have a list of common passwords that their bots use to enter vulnerable WordPress installations which they can then easily hack. By using a different username and a strong password (a mix of upper and lowercase letters, numbers, and symbols that do not make a recognizable word or common phrase), you make it difficult for hackers to enter your administrative dashboard where they can then alter your theme, plugin or media files.
- Add a secure log-in plug-in with captcha and limited log-in attempts
Make it even more difficult for hackers to enter your dashboard by using a captcha they have to fill in before they can log in. Most hackers use bots that cannot read the captcha text a user has to type before logging in. Also, by limiting login attempts to 3, access from their IP will be blocked after the third attempt at guessing your password. Be careful with this one though. If you forget your password, you could end up blocking your own IP and locking yourself out of your dashboard. If this happens, you’ll need to get your web host to unblock your IP.
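One way to implement the limited-login-attempts part, as an added example that is not code from this post or from any plugin it mentions: a must-use plugin built on WordPress core’s `wp_login_failed`, `authenticate` and `wp_login` hooks. The 3-attempt limit is the post’s; the 15-minute lockout, the transient key prefix and the `lla_` names are assumptions.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Save as wp-content/mu-plugins/limit-login-attempts.php. The hooks and
 * transient functions are WordPress core; the lla_ names and the 15-minute
 * lockout are assumptions made for this example.
 */

const LLA_MAX_ATTEMPTS = 3;                       // third failure locks the IP
const LLA_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;  // lock expires on its own

// One counter per client IP. Behind a reverse proxy or CDN, REMOTE_ADDR is
// the proxy's address and every visitor would share one counter; use the
// header your host sets for the real client address in that case.
function lla_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lla_failed_' . md5($ip);
}

// Count every failed login. WordPress fires this for wp-login.php and
// XML-RPC alike, so both routes share the same limit.
add_action('wp_login_failed', function ($username) {
    $key   = lla_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LLA_LOCKOUT_SECS);  // each failure renews the timer
});

// Refuse the login while locked. Priority 30 runs after core's own
// username/password check (priority 20), so a correct guess made while
// locked is still rejected instead of overriding this error.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lla_client_key()) >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.',
                    LLA_LOCKOUT_SECS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so one typo does not count
// against the user for the rest of the lockout window.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lla_client_key());
}, 10, 2);
```

Because the lock is a transient that expires after LLA_LOCKOUT_SECS, locking yourself out means waiting it out (or deleting the transient) rather than asking your host to unblock your IP.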
- Change the discussion settings so commenters need to register/log-in to comment
Hackers often use the discussion area of websites to post links to viruses in comments. These viruses can damage your visitors’ computers. By making users register before commenting, you are adding one more step before hackers can do damage, which may deter them.
- Change the discussion settings so all new comments need to be approved before appearing
In addition to making hackers register, by setting your discussion options so the first (or even every) comment must be approved, you can check that the commenter is legitimate before their comment appears. If their comment does not make sense, does not relate to your article or mention you by name, or contains several links, send it to the spam folder or, even better, just delete it.
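The two discussion settings above, plus the “several links” triage rule, as an added example that is not code from this post: a must-use plugin that pins the Settings > Discussion options with WordPress core’s `pre_option_{$option}` filter and automates the link check with the `pre_comment_approved` filter. Option names, hooks and `get_comments()` arguments are core’s; the `pcs_` names and the 3-link spam threshold are assumptions.

```php
<?php
/**
 * Plugin Name: Pin Discussion Settings (added example)
 * Save as wp-content/mu-plugins/pin-discussion-settings.php. Option names,
 * hooks and get_comments() arguments are WordPress core; the pcs_ names and
 * the spam threshold are assumptions made for this example.
 */
// Each Settings > Discussion checkbox is stored as an option. Returning a
// value from pre_option_{$option} short-circuits the database read, so the
// setting stays in force even if someone with dashboard access unticks it.
$pcs_pinned = array(
    'comment_registration'        => '1', // must be registered and logged in
    'comment_previously_approved' => '1', // author's first comment is held (5.5+ option name)
    'comment_moderation'          => '1', // every comment is held; '0' holds first comments only
    'comment_max_links'           => 2,   // core holds a comment with this many links or more
);
foreach ($pcs_pinned as $pcs_option => $pcs_value) {
    add_filter("pre_option_{$pcs_option}", function () use ($pcs_value) {
        return $pcs_value;
    });
}

// The post's triage rule, automated: a comment with several links from an
// author who has never had a comment approved goes to the spam folder
// instead of the moderation queue, so the owner need not review it by hand.
const PCS_SPAM_LINK_THRESHOLD = 3;

// True when this e-mail address already has at least one approved comment.
function pcs_has_approved_comment($email) {
    return get_comments(array(
        'author_email' => $email,
        'status'       => 'approve',
        'count'        => true,
    )) > 0;
}

add_filter('pre_comment_approved', function ($approved, $commentdata) {
    if ($approved === 'spam' || $approved === 'trash') {
        return $approved; // keep what core's disallowed list already decided
    }
    $links = preg_match_all('#https?://#i', $commentdata['comment_content']);
    if ($links >= PCS_SPAM_LINK_THRESHOLD
        && !pcs_has_approved_comment($commentdata['comment_author_email'])) {
        return 'spam';
    }
    return $approved; // otherwise 0 (held) or 1 (approved) as core decided
}, 10, 2);
```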
- Activate and set up Akismet spam filtering
Let Akismet remove all your spam for you. You’ll need to obtain an Akismet key and pay a small donation, but as your website grows, it will be worth it so you do not have to check every spam comment on your website.
- Host with a reputable web host with demonstrable security features/measures
If you’re just starting up, or have recently been hacked, and are looking for a new web host, do some research before investing in one. Read reviews, ask your web designer or other businesses who they recommend, and read the web host’s FAQ to see what measures they take to ensure your website is secure.
- Host your website on a dedicated IP address
With a dedicated IP, no one else’s website is hosted on the same server as yours, so if a hacker is attempting to infect or shut down an entire server with hundreds of websites, yours will not be affected. If you already have a website and want to host it on a dedicated IP, you may need to ask your web host to set it up and move it for you.
Bonus 1: Install a test installation of WordPress on a sub-domain where you can test new themes or plugins before installing them on your main website.
Bonus 2: Install a backup plugin, schedule regular backups and store the back-ups offline and/or in the cloud so that you can move and/or restore your website in the event that it is hacked.
This list is by no means all you can do to secure your WordPress website. These are just some of the things I usually do when installing and setting up WordPress for my clients. If you have any other WordPress security tips you want to share feel free to comment on this post.