Are you leaving your doors unlocked?
WordPress powers more than 25% of the websites on the Internet, and a lot of those sites are built by beginners or not maintained after the site is launched. The combination of these things makes a lot of sites out there child’s play for hackers. It’s like leaving your new car unlocked with the keys on the front seat. Your car might not get stolen, but you’re making it awfully easy if someone does come along. The car itself is not the problem; it’s that the owner didn’t know any better.
Let’s make sure you know better for your website. A WordPress site is most vulnerable when:
- Login credentials are too easy to guess
- The site is not up to date
- There is no backup to restore if something goes wrong
If you built your own site, someone new to WordPress built it for you, or even if you had an expert do it and you’re not on a Website Care Plan, your site is at risk.
But I don’t have anything worth hacking!
It doesn’t matter if you have a 5 page website and only 3 visitors per month (thanks, Mom!). It’s not personal. Hackers cast a huge net and see what catches. If your site isn’t secure, it can get caught. Sometimes sites are hacked for fun, sometimes they’re used as a gateway, sometimes they’re stuffed with keywords and links.
Three essential steps to take so you’re not an easy target
WordPress security is a very big topic that could literally fill a book. Even if you’re not a web geek, if you have administrative access to your website there are some basic, but very important, steps you should take to make sure your site isn’t holding up a huge “Welcome!” sign for hackers.
1. Make login credentials difficult to guess
- Delete the ‘admin’ user – This is the default username for WordPress, and the one most frequently used for invalid login attempts. Don’t use ‘admin’ or any variation of it.
- Have an unpredictable username – Don’t use your company name or website name for your login. After ‘admin’, these are the next most frequently used for invalid login attempts.
- Have a strong password – Make sure your password is long and difficult to guess. Don’t use your name, pet’s name, company name, website name, dictionary words, or short passwords. Do use a combination of upper and lowercase letters, numbers and punctuation.
- Don’t give anyone admin privileges unless they really need it. Usually ‘editor’ is sufficient for anyone making content updates.
- Make sure your web hosting account and FTP usernames and passwords are also strong. They should NOT be the same as your WP login.
Check out this short video on how to pick a good (proper) password:
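As an added example that is not part of the original post, here is a small shell script that checks the output of WP-CLI's "wp user list" against the points above: it flags a login named 'admin' or a variation, a login that matches the site name, and more than one administrator account. The sample accounts and the site name "acme" are constructed; WP-CLI is assumed only for the live command in the comment.

```shell
#!/bin/sh
# Audit WordPress accounts against the credential checklist.
# Input: CSV lines "user_login,roles" as produced by
#   wp user list --fields=user_login,roles --format=csv
# Arg 1: the site/company name that should never be used as a login.
flag_risky_users() {
    site=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    findings=0
    admins=0
    while IFS=, read -r login roles; do
        [ "$login" = "user_login" ] && continue     # skip the CSV header
        lower=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        case "$lower" in
            admin|administrator|wpadmin|wp_admin|siteadmin|admin[0-9]*)
                echo "RISK: login '$login' is 'admin' or a variation; delete it"
                findings=$((findings + 1)) ;;
        esac
        if [ "$lower" = "$site" ]; then
            echo "RISK: login '$login' matches the site name; rename it"
            findings=$((findings + 1))
        fi
        case "$roles" in *administrator*) admins=$((admins + 1)) ;; esac
    done
    if [ "$admins" -gt 1 ]; then
        echo "RISK: $admins administrator accounts; most people only need 'editor'"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    return 0
}

# Constructed sample of "wp user list" output (not from a real site):
SAMPLE='user_login,roles
admin,administrator
acme,administrator
jane,editor'
printf '%s\n' "$SAMPLE" | flag_risky_users acme

# To audit a live site instead (WP-CLI installed, run from the WordPress root):
#   wp user list --fields=user_login,roles --format=csv | flag_risky_users acme
```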
2. Keep WordPress and plugins up-to-date monthly (or more)
WordPress, plugin, and theme developers are continuously making updates to their software. This is not only to add features, but more importantly, to fill any security holes. If you keep your site updated, you are blocking any hacker that is trying to take advantage of a known vulnerability.
- Keep WordPress updated
- Only use plugins and themes from reliable sources
- Update plugins regularly and delete any deactivated plugins that you are not using
- Delete any deactivated themes that you are not using.
- WAIT! Depending on how your site was set up, updating core files, plugins and themes may cause problems with your website. Make sure you have a fully restorable backup before you make updates.
3. Check your site regularly, and make sure you have a restorable backup
- Check your site regularly – Even if you’re not making regular content updates (you should be, by the way), at least visit your website regularly to make sure everything looks normal. If your site is broken or hacked, you should be the first to know. Hacked websites sometimes have tiny text in the header or footer — links to viagra, or whatnot. Some hacked sites even have a “Haha, you’ve been hacked” message.
- Check your listing on Google regularly – Sometimes a compromised site will have a warning message on Google results that says “This site may be hacked.” Again, you should be the first to know that this is the case, before you lose customers.
- Make sure you have a reliable, restorable backup of your site, just in case something does go wrong. Don’t assume your web host is providing this service. Unless you are specifically paying for backups, they may not be keeping any.
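As an added example that is not part of the original post, here is a shell routine covering steps 2 and 3 with WP-CLI: it takes a database and wp-content backup first, then updates core, plugins and themes, deletes deactivated plugins, lists deactivated themes for review, and compares core files against their official checksums. The plugin list is constructed; a "backups" directory and WP-CLI ("wp") installed in the WordPress root are assumptions.

```shell
#!/bin/sh
# Update routine for steps 2 and 3: restorable backup first, then updates,
# then clean-up of deactivated code. Assumes WP-CLI ("wp") is installed and
# the script runs from the WordPress root directory.

# Print the names whose status is "inactive" from CSV lines "name,status",
# the format of:  wp plugin list --fields=name,status --format=csv
# (wp theme list produces the same columns). Pure text filter, so it also
# works on saved output.
inactive_names() {
    while IFS=, read -r name status; do
        [ "$status" = "inactive" ] && printf '%s\n' "$name"
    done
    return 0
}

backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p backups
    wp db export "backups/db-$stamp.sql" || return 1               # database
    tar -czf "backups/wp-content-$stamp.tgz" wp-content || return 1  # themes, plugins, uploads
    echo "Backup written: backups/*-$stamp.*"
}

update_site() {
    backup_site || { echo "Backup failed; not updating."; return 1; }
    wp core update
    wp plugin update --all
    wp theme update --all
    # Deactivated plugins still contain reachable code, so delete them.
    wp plugin list --fields=name,status --format=csv | inactive_names |
        while read -r p; do wp plugin delete "$p"; done
    # Themes are only listed: the parent of an active child theme also shows
    # as inactive, so review this list by hand before deleting anything.
    echo "Inactive themes to review:"
    wp theme list --fields=name,status --format=csv | inactive_names
    # Step 3 check: core files that differ from the official checksums are a
    # sign the site has been tampered with.
    wp core verify-checksums
}

# Constructed sample of "wp plugin list" output (not from a real site):
SAMPLE='name,status
akismet,active
hello,inactive
jetpack,active
old-slider,inactive'
printf '%s\n' "$SAMPLE" | inactive_names      # prints: hello, old-slider

# On a live site, after reading the above:  update_site
```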
Cool, I can do all that. Is that all?
No, not even close. These steps are only the tip of the iceberg. I could write a long blog post on each of the bullet points above. There are many, many (MANY) more things you can do to secure your site, from software to services to coding. But as with a car, a good start is not leaving the doors unlocked with the keys in it.
Here are a few more articles on WordPress security basics that you can explore:
- Why you should always use the latest version of WordPress
- How To Secure WordPress Blog – Beginners To Pro
- Learn How to Improve the Security of Your WordPress Site
- WordPress Security VS Functionality – Striking the Right Balance
- Beginners Guide to Securing WordPress
If you would rather not do it yourself, or need help getting started, please drop me a line. I offer clients an annual WordPress security package that takes care of all these tasks and more for them.