5 Simple Steps to Secure Your WordPress Website
By Ari Strauch
WordPress is perhaps the most popular website platform in the world. More than 42% of the world’s websites are built on WordPress, way more than any other single platform. WordPress’s appeal has a lot to do with how easy it is to use, even for non-techies.
But even while people flock to build sites on WordPress, they also worry about website security. There is a perception that WordPress sites are less secure than those built on other platforms. Yes, many hacked sites are built on WordPress, but that’s mainly because of WordPress’s popularity. When close to half the world’s websites are on WordPress, the chances that any given hacked site is a WordPress site is pretty high.
WordPress sites actually have a good level of security, but your individual site security depends on the measures you take to protect it. Your home has locks on the doors, security cameras, and burglar alarms to reduce the risk that someone might break in and steal your belongings. In the same way, you need to take precautions to secure your website.
Unfortunately, there are plenty of hackers and cyber-thieves out there wanting to hack into websites, steal data, and damage businesses. You need to take steps to secure your site so that it won’t be an easy target for internet crooks or bad actors.
Here are five simple steps to secure your WordPress business site that don’t require high levels of coding, advanced technical knowledge, or even much experience in WordPress.
5 ways to secure your WordPress website
1. Keep your site regularly updated
Nothing in life remains static, and that includes the internet. WordPress regularly releases updates for the core WordPress version, and it’s important to install them whenever they're released to secure your WordPress website. Updates are there to fix bugs and close up security vulnerabilities, so they play a big role in keeping your site safe.
Also, it’s not just your WordPress version that should be kept current. You also need to keep all your plugins and themes updated to make sure that hackers can’t use them as a backdoor into your site. It’s best to set your site to automatically run WordPress updates, so that you won’t risk missing any updates or forgetting to run them.
2. Double-check your plugins and themes
Part of WordPress’s strength is that there are tens of thousands of plugins and themes available to customize your site. But with so many out there, it’s not surprising that some are developed by people who are untrustworthy, inexperienced, or inclined to take lazy shortcuts.
Make sure to only use themes and plugins that are actively managed with reliable support and regular updates. Everyone wants to cut costs, but a free plugin or theme that isn’t listed on the official WordPress plugin repository is not worth the risk of using.
Another risk is you might end up with is a nulled or cracked theme, which is a hacked version of a premium theme. Premium themes are expensive, but that’s because they are tested carefully, include full support, and are built by skilled developers. When you buy a nulled theme or plugin, you’re not just buying a fake knockoff—these fakes often hide malicious code that may harm your website and database and/or steal your data.
3. Strengthen your passwords
The easiest way for hackers to break into your site is to use the front door, aka your admin username and password. They do this with what’s called a brute-force attack, which means they hit your site with thousands of possible username and password combinations in the hopes of guessing the right one.
To secure your WordPress website, it’s crucial to change your usernames and passwords from the default to something unique and difficult to guess. Avoid simple passwords like 1234, your birthday, or anything that’s easy to guess.
Ideally, pick a password that includes at least one number, one symbol, and one capital letter. If you’re worried about forgetting your passwords, you could use a password manager to keep track of them all. Another way is to use the name of a song or an easy-to-remember sentence, and just replace a letter or two with a symbol and a number.
Remember that we’re not just talking about your password for the WordPress site itself. Your WordPress dashboard, your site databases, your WordPress-managed hosting account, the email you entered in case you need to recover your site, and your FTP account are all side doors that can lead hackers into your site, and so they all need strong passwords.
More articles from AllBusiness.com:
- Top 5 Blogging Platforms for Business Bloggers
- Build a 5-Star Customer Experience With Artificial Intelligence
- Consider These Factors Before Investing in Cyber Insurance for Your Business
- How to Protect Your Business Against Ransomware and Other Cyberattacks
- 6 Things Startups Need to Know About Cybersecurity
4. Review user permissions
As your business grows, it’s unlikely that you’ll be able to manage everything to do with your website yourself while also running your business. You’ll probably need to grant access to your site to at least a few employees, so that they can update your content, add blog posts, or fix small mistakes.
But the more people with access to your site, the greater the risk that someone might make a mistake that affects your security. So it’s important to regularly review the list of people who have access to your site and check what they are allowed to do.
WordPress allows you to set user permissions and roles—from Subscriber (who can only see their own profile) to Administrator (who can change anything and everything about the site). You should limit each person’s access to no more than is necessary, and close off registration so that spam profiles can’t subscribe.
Anyone who no longer needs access to the site should be removed immediately. Leaving unused profiles on the site increases your risk of getting hacked.
5. Block bad bots
Bots are automated visitors that check out your website’s content and performance. Google uses bots to scope websites for ranking, for example, but not all bots are harmless. Hackers also like to use bots as spies to look for vulnerabilities you may have overlooked.
When hackers hit a site that blocks their bots, they’ll take that as a warning to stay away. This is why it’s a good idea to lock your site off to bad bots that are listed on botreports.com. Fortunately, most security plugins already block bad bots on the list, so if you don’t already have a security plugin, you should install a good one now. Either way, you can block bad bots separately by using the StopBadBots plugin.
The right tactics can help secure your WordPress website
WordPress business sites can be highly secure and very effective, but a lot depends on you. When you keep your site updated, use only approved plugins and themes, check passwords and permissions, and keep bad bots out, you can sleep easily at night without worrying that your website is vulnerable to hackers.
RELATED: 5 Common Technology Mistakes Most New Businesses Make
About the Author
Post by: Ari Strauch
Ari Strauch is VP of Technical Marketing for uPress, the Managed WordPress Hosting company. Ari is not sure whether to define himself as a tech-loving people person or a people-loving techie. Either way, he’s typical of the uPress team in that he is equally fluent in Geek AND plain English, and routinely uses both to enable non-geeks and geeks alike to enjoy speedy, hack-proof, intuitive-managed WordPress hosting for their websites.
Company: uPress
Website: www.upress.io
Connect with me on LinkedIn.
