Website security is an important factor that every website owner must consider. Even as security technology has advanced, the rate at which websites are hacked and infiltrated has kept rising.
What steps can you take to prevent your WordPress website from being hacked? Even though there is no 100% guarantee, you should always be proactive and take steps to reduce the risk of your website being compromised.
This stat from the W3Techs survey says:
“WordPress is used by 58.8% of all the websites whose content management system we know. This is 25.6% of all websites.”
It’s no wonder hackers, spammers and the like are constantly presenting challenges to WordPress, one of the most popular open source content management systems, and its users.
Let’s take a look at how we can harden your WordPress website:
- More Secure Web Hosting
- Secure your Computer
- Secure your WordPress website
- More Plugins
More Secure Web Hosting
“Web hosts are often responsible for the infrastructure on which your website sits, they are not responsible for the application you choose to install.” – WordPress
It’s important not to blame your web hosting provider, as there are limits to what they can do to keep all of your files secure. Choose a web host with the experience and know-how to protect your WordPress installation.
Taken from the ‘Hardening WordPress’ page:
Qualities of a trusted web host might include:
- Readily discusses your security concerns and which security features and processes they offer with their hosting.
- Provides the most recent stable versions of all server software.
- Provides reliable methods for backup and recovery.
Secure Your Computer
“Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.” – WordPress
Another factor is to keep your computer free from viruses and malware. Hardening both your WordPress website and your web hosting makes no difference if your computer has a keylogger on it.
Secure Your WordPress Website
“You should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.” – WordPress
From experience, you should always update WordPress to the latest version. WordPress installs minor releases automatically (since version 3.7), and it’s up to you to click ‘Update’ for all major (core) version updates.
There is, however, a setting you can add if you are willing to let WordPress install all minor and major core releases automatically. Insert the lines below into your ‘wp-config.php’ file:

```php
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
```
“Be warned, however, that auto updates can break your site, especially if you’re running a plugin or a theme that isn’t compatible with the latest version.” – wpmudev
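To keep the benefit of unattended security releases without the risk the quote above describes, you can leave core on the default ‘minor’ setting and decide per plugin what may update on its own. The file below is an added example written for this post, not code from WordPress or from any plugin mentioned here; it uses the real `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin`, `auto_update_theme`, `auto_update_translation` and `auto_core_update_send_email` filters, and assumes you drop it into `wp-content/mu-plugins/` (the allow-list contents and the file name are hypothetical).

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, hypothetical mu-plugin)
 *
 * Lives in wp-content/mu-plugins/ so it loads before regular plugins.
 * The core constant still belongs in wp-config.php; it is documented here
 * because wp-config.php runs before add_filter() is available.
 *
 * In wp-config.php, choose ONE of:
 *   define( 'WP_AUTO_UPDATE_CORE', true );    // minor AND major core releases
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // minor (security/maintenance) only, the default
 *   define( 'WP_AUTO_UPDATE_CORE', false );   // no unattended core updates at all
 */

// Hypothetical allow-list of plugin slugs (directory names) you have tested
// against your theme and the rest of your stack. Anything else stays manual.
const AUP_PLUGIN_ALLOWLIST = array( 'akismet' );

// Decide per plugin whether WordPress may update it unattended.
// $item is the update object for one plugin; its ->slug is the directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( ! is_object( $item ) || empty( $item->slug ) ) {
        return $update; // unexpected shape: keep whatever WordPress decided
    }
    return in_array( $item->slug, AUP_PLUGIN_ALLOWLIST, true );
}, 10, 2 );

// Themes never update unattended here: a theme update is the most likely
// auto-update to change what visitors actually see.
add_filter( 'auto_update_theme', '__return_false' );

// Translation files carry no executable code, so let them flow freely.
add_filter( 'auto_update_translation', '__return_true' );

// Always get the notification mail when a core auto-update runs, so a
// failed or partial update does not go unnoticed.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

The trade-off is explicit: minor core releases (which carry the security fixes) still arrive on their own, while major releases, themes and every plugin outside the allow-list wait for you to test them, which is exactly where the compatibility breakage the quote warns about tends to come from.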
Plugins and Themes for Better WordPress Security
Another thing to do is to make sure your plugins and themes are all updated. If you no longer use certain plugins or themes, you should deactivate and remove them completely. Always use plugins that have a high number of ‘Active Installs’. This metric is relatively new (at the time of writing); previously I used the ‘number of downloads’ to help determine which plugin to install and which plugin was most active in the WordPress community. I also apply this method when testing out themes.
“Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well known companies.” – WordPress
The below plugins can conduct security scans on your website:
There are further important steps to take within WordPress that you should do to harden your website and they are:
Back Up WordPress
“A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location.” – WordPress
If your WordPress database gets corrupted, you could potentially lose everything you have written, every comment and every link you have on your website. You can quickly restore things back to normal with a proper backup of your WordPress database and files.
Check out the “Backing Up Your Databases” page for more info.
You can install plugins that automatically schedule backups of your WordPress database. These plugins include:
Other plugins worth mentioning are:
- Theme Authenticity Checker (TAC) – “Scan all of your theme files for potentially malicious or unwanted code”
- WP Security Audit Log – “Keep an audit log of all changes and under the hood WordPress activity to ensure productivity and thwart possible WordPress hacker attacks.”
- Login LockDown – “Limits the number of login attempts from a given IP range within a certain time period.”
- iThemes Security (formerly Better WP Security) – “Protect your WordPress site by hiding vital areas of your site, protecting access to important files, preventing brute-force login attempts”
* Note: Always check the compatibility of these plugins with the WordPress version you’re currently running on your website.
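To make clear what a login-limiting plugin such as Login LockDown does under the hood, here is an added example of the technique, written for this post rather than taken from that plugin or from WordPress. It counts failed logins per client address in a transient and refuses further attempts once a threshold is reached, using the real `wp_login_failed` and `wp_login` actions and the `authenticate` filter; the threshold, window length and the mu-plugin file itself are assumptions.

```php
<?php
/**
 * Plugin Name: Failed-login throttle (added example, hypothetical mu-plugin)
 *
 * Place in wp-content/mu-plugins/. Counts failed logins per client IP in a
 * transient and blocks authentication while the count is at the limit.
 */

const FLT_MAX_ATTEMPTS   = 5;       // hypothetical threshold
const FLT_WINDOW_SECONDS = 15 * 60; // hypothetical lockout window

// Transient key for the requesting client. REMOTE_ADDR is only meaningful
// when nothing in front of PHP rewrites it; behind a proxy or CDN, derive the
// address from the proxy's header and validate it there, otherwise every
// visitor shares the proxy's address and one lockout affects all of them.
function flt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'flt_' . md5( $ip );
}

// Record a failure. wp_login_failed fires both for a wrong password and for
// an unknown username, so guessing usernames counts as well. Each failure
// refreshes the transient's expiry, giving a sliding window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = flt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, FLT_WINDOW_SECONDS );
    if ( $count >= FLT_MAX_ATTEMPTS ) {
        // Surfaces in the PHP error log so the event is visible to monitoring.
        error_log( sprintf( 'Login throttle: client %s locked out after %d failures', $key, $count ) );
    }
} );

// Refuse authentication while locked. Priority 30 runs after the core
// username/password check (priority 20), so a correct password submitted
// during the window is still rejected instead of ending the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( flt_key() ) >= FLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login (only possible while not locked) clears the counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( flt_key() );
}, 10, 2 );
```

Two things to check before relying on anything like this: transients live in the options table (or an object cache), so the counter is shared across all PHP workers but is also wiped by cache flushes, and the block is per address, so a distributed guessing campaign from many addresses is slowed only per source. That is why the plugins above pair this kind of limit with an audit log, and why strong passwords remain the primary control.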
Protecting your WordPress website takes a lot more than adding a few plugins and walking away. It’s about being proactive and having a sound security strategy.
What’s your security strategy for your website?
If I’ve missed any tips you’d like to share, let me know in the comments below.