In this blog post, I want to talk about the most basic and rudimentary things you can do to keep your WordPress website secure. Let me first state for the record though: there is no way you or anyone else can guarantee that your site is 100% safe, secure and “hack-proof.” Even some of the biggest websites in the world, with millions of dollars to spend on security, get hacked. It’s just the nature of doing business online in the 21st century.
But having said that, there are some things you can do to make your business website MORE secure. Let’s start with the basic three-pronged approach: take measures to secure it, monitor it, and back it up on a regular basis.
What Measures Can You Take to Secure Your Site?
Do not use “admin” or “test” as your administrative usernames. Also, do not use your website or business name as your administrative username, and do not use your first name / last name or any combination thereof as your administrative username.
These are the primary things hacker-bots attempt to use to hack into your site. DON’T use them. Make your administrative username something completely different from your name or the name of your site. Make it almost impossible to guess.
Do not have more than one person administering your site. If you need a temporary admin, then make it TEMPORARY. Do not give too many people keys to the safe. If you have more than one person updating content, they can easily do that within the roles of “Editor” or “Author.” ONLY ONE ADMIN per site.
Use strong passwords and require them for everyone who is a registered user. A strong password coupled with a hard-to-guess administrative username will go a long way toward keeping your site secure.
Keep your plugins, themes and the WordPress core updated. When a security hole is found in WordPress, the WordPress team releases an update that closes it. Websites that are not updated on a regular basis remain vulnerable because those security holes still exist on your site. And you can bet that hacker-bots scour the Internet looking for WordPress websites still running those older versions. The same applies to your website’s themes and plugins. So, simple enough: keep everything updated!
Don’t use free themes! You’re a business. Accept the fact that you’re going to need to put a little skin in the game and INVEST in your business. Part of this includes premium themes and theme frameworks that are in constant development and plug any security holes they find just like WordPress. In addition, you have no way of knowing if the actual code used to run the free theme you’re thinking about using is even solid and secure. Invest in a premium theme and keep it updated whenever new updates are published. I personally love the Genesis Framework (*affiliate link).
Watch the plugins and know where they are coming from. A huge security hole you can unknowingly introduce into your WordPress environment is a shoddy, crappily coded and/or abandoned WordPress plugin. Do your research. When was the last time the plugin was updated? How many reviews has it gotten? WHEN was the last review? How often / fast are support requests answered? All of this can be found if you only use plugins downloaded from the WordPress.org site or use highly recommended premium plugins. One note: just because a plugin hasn’t been updated in many months doesn’t automatically make it suspect. The plugin may be quite basic and not require updating when the WordPress core is updated. So look not only at whether the plugin has been updated, but at the reviews and review dates, how often it’s downloaded and whether the developer is answering support requests.
Monitor Your Site
There are a few ways you can monitor your site yourself. You can install a security plugin like Wordfence or iThemes Security (*affiliate link). I have used both (both free and premium versions of each). You can also install Sucuri to help monitor your site. A good host like SiteGround or one of the managed WordPress hosting providers will also monitor your site for malicious code and viruses. This is extremely important and the absolute most basic thing you should do to monitor your business website. Just a sidenote: managed WordPress hosting is more expensive, but comes with more peace of mind.
Back Up Your Site Regularly
The last thing you can do to secure your site is actually not used unless the unthinkable happens. It’s not something you can do “after the fact.” Measures must be put in place BEFORE you’re hacked in order to seamlessly and in a relatively painless manner restore your site if hackers should get in.
Backups are also a great thing to have in case YOU accidentally do something to break or compromise your site. Ever heard of the WordPress “white screen of death?” It happens when a novice tries to do something to one of the WordPress core files and breaks the site. Sometimes the only way back from this is to restore it to a “pre-broken” state.
Plugin conflicts are also a common reason to need to restore a site. But without consistent backups of your database, WordPress files, plugins, themes and media files (images, documents, etc.), you’re helpless here. Ask yourself: what would you do if your business website were down for a few days? A few weeks? Permanently??
You can use a plugin like Backup Buddy (*affiliate link) to schedule regular backups of both the database and all of your website’s files. It’s important to save at least one version of a full backup outside of your WordPress / website installation. Good places to keep these are on your own computer (via an email), Dropbox, Google Drive, or Amazon Secure Server.
A good plan is to regularly save at least one full backup each month in one of these secure locations, away from your website’s installation with your host provider. That way, if the absolute worst thing happens and your entire web hosting account is compromised (not just your WordPress installation), you’ll have a backup that you’ve saved within the past 30 days that can be used to restore your website. Obviously, you can save these secure backups more often if you update the content on your website more frequently.
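The full backup plus off-site copy described above, as an added example that is not from the original post: a POSIX shell script that dumps the database, archives wp-content and wp-config.php, records a SHA-256 checksum, verifies the archive against it, and pushes a copy outside the hosting account. It assumes mysqldump, tar and sha256sum are installed and that an rclone remote named "offsite" exists (a placeholder name); WP_ROOT and BACKUP_DIR are assumptions as well.

```shell
#!/bin/sh
# Added example (not from the original post): WordPress backup with a
# checksum, an integrity check and an off-site copy. Assumes mysqldump, tar,
# sha256sum and an rclone remote named "offsite" (placeholder name).
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"          # WordPress install path (assumption)
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"  # local staging directory (assumption)
KEEP_DAYS="${KEEP_DAYS:-30}"                 # local retention, matching the post's 30 days

# Read define('NAME', 'value') out of wp-config.php without executing any PHP.
wp_config_value() {   # usage: wp_config_value <wp-config.php> <CONSTANT>
  sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and archive wp-content (themes, plugins, uploads) plus
# wp-config.php (salts, DB credentials); print the archive path.
make_backup() {       # usage: make_backup <wp_root> <backup_dir>
  root="$1"; out="$2"; cfg="$root/wp-config.php"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"; work="$(mktemp -d)"
  mkdir -p "$out"
  # Password via the environment, not argv, so it does not show up in `ps`.
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
    -h "$(wp_config_value "$cfg" DB_HOST)" -u "$(wp_config_value "$cfg" DB_USER)" \
    "$(wp_config_value "$cfg" DB_NAME)" > "$work/database.sql"
  tar -czf "$out/wp-$stamp.tar.gz" -C "$root" wp-content wp-config.php \
    -C "$work" database.sql
  (cd "$out" && sha256sum "wp-$stamp.tar.gz" > "wp-$stamp.tar.gz.sha256")
  rm -rf "$work"
  echo "$out/wp-$stamp.tar.gz"
}

# Recheck the archive against its recorded hash: a truncated or corrupt
# backup should be caught now, not on the day you need to restore.
verify_backup() {     # usage: verify_backup <archive>; exit 0 only if the hash matches
  (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

main() {
  archive="$(make_backup "$WP_ROOT" "$BACKUP_DIR")"
  verify_backup "$archive"
  # Keep a copy outside the hosting account (rclone remote name is a placeholder).
  rclone copy "$archive" "offsite:wp-backups/"
  rclone copy "$archive.sha256" "offsite:wp-backups/"
  find "$BACKUP_DIR" -name 'wp-*.tar.gz*' -mtime +"$KEEP_DAYS" -delete
}

# Only run the full backup when invoked as: sh wp-backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Schedule it from cron with the `run` argument; the checksum file travels with the archive so the off-site copy can be verified the same way before a restore.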