7 basic security tips for WordPress websites
So, you’ve got your dream website for your business. Then you need to protect your lovely website and protect your hard work and your business’ reputation.
Here’s our list of the 7 basic essential steps you need to take to lock down and secure your wonderful website.
1. Go premium for your hosting
Before we even get to WordPress and the steps you can take within your WordPress installation we need to talk about hosting. You can stick on as many plugins and extra security features, but if your home is built on the edge of a cliff, you’re going to need to expect to get very wet one day!
For any new business owner, it’s very tempting to look for a bargain and to protect your bottom line. While buying cheaper printer paper or cutting electricity costs might be a sensible step to protect the pennies, hosting is one area where you need to pay out.
It’s tempting to go for the cheap hosting to save yourself money, but you really do get what you pay for with hosting.
When purchasing hosting don’t look at the cost but look at the features. You will need enough disk space for your business website to grow. You also really need to avoid hosting companies who put big limitations on bandwidth and the number of visitors you can have per month. Your host should celebrate your success, not limit it!
Beyond all that, your hosting provider must have firewalls with DDoS protection. They should also provide daily backups as part of the hosting package. Finally, any decent hosting company must provide you with free access to install a LetsEncrypt SSL certificate.
Before you even begin to install WordPress you must ensure your website is hosted with a provider that takes security seriously. You must also ensure you’ve got an SSL certificate installed before you install WordPress.
2. Get a CDN
You may or may not know about the role of a content delivery network (CDN). The role of a CDN is to speed up connections between your domain (e.g. tinybluerocket.co.uk) and the hosting and the user who is trying to load your website.
We strongly recommend using Cloudflare as your CDN. It is free to start and works well without any financial cost.
What a CDN does primarily is to host a copy of your website in a server located in most corners of the world. This means that if someone from Sydney and someone from New York tries to load your website they aren’t trying to connect to the hosting server in London but to there local CDN server. By hosting your website content closer to the user, it speeds up the time it takes for them to load your website.
A CDN isn’t just about speed or location. They also provide an extra layer of security with an additional firewall. Firstly, and most importantly, Cloudflare helps protect against DDoS attacks. These sorts of attacks throw lots of bad traffic at a website until it can’t cope and goes offline.
The next important security feature from a CDN like Cloudflare is to protect against data breaches. Since GDPR, putting your customers or users at risk of losing their data can be very expensive. Not just in reputation and trust, but also in potential fines. Cloudflare protects user’s login details and bank details to ensure you and your customers are safe from data breaches.
Finally, CDNs like Cloudflare help protect websites against malicious bots. While there are some great AI bots out there that help businesses and their customers, there are also many bad bots. These bad bots can aim to scrape data from your website, create fake payment pages or look to steal data. Cloudflare works to protect websites against these malicious bots.
Setting up a CDN, such as Cloudflare, is very simple. It can be even easier with some premium hosting providers. Even though Cloudflare provides layers of protection, you do still need high quality hosting in the first instance.
3. Use a secure username and password
Would you walk onto a busy street and hand out your bank details to strangers? Probably not, what a ludicrous idea!
You’d be surprised, though, at the number of people who use basic login details for their WordPress admin dashboard.
When you install WordPress you are asked to provide a login username and password to allow you admin access to the WordPress dashboard. While it might be tempting for me to put ‘Alex’ as my username and ‘alex123’ as my username — I won’t forget those login credentials — it’s just silly.
When it comes to login details for anything online I recommend Dashlane. With a password manager like Dashlane, you can store all of your login details in one very secure place. No need to remember your password anymore, so you can make it complex.
One of the features of Dashlane is that it can help you create login details. It can generate a username and password of up to 40 characters which would be near-impossible for anyone to guess. You can then use these ‘random’ login details for your WordPress installation and securely store them with Dashlane.
Before submitting any login details, take a few seconds to check how robust they are. The Kaspersky password checker will tell you how many days, months, years or even centuries it will take a brute force attack to guess your password. Try to get one that’s ‘10,000+ centuries’!
All of that being said, you need to ensure when you log in to WordPress for the first time you go to ‘Users’ and change the ‘Display name’ to your own name. If not, your random username will publically visible and give hackers one part of your login credentials.
If someone is going to try to hack your website, at least make it hard for them by using extremely complex and robust login credentials for your WordPress admin dashboard.
4. Install a WordPress security plugin
By this stage you would have a secure hosting provider, added an extra layer of security with a CDN and chosen login details that would take a sophisticated bot until the end of time to guess. What more can we do?
Now we’ve worked down to the WordPress level it’s time to install a WordPress security plugin. After much extensive testing, I would strongly recommend using Wordfence. The free version is sufficient.
What does Wordfence do? Wordfence provides an endpoint firewall and malware scanner. Their ‘Web Application Firewall’ identifies and blocks malicious traffic. Their plugin does not break encryption, cannot be bypassed and cannot leak data.
Their malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. Essentially, they check your website files to make sure they have not been changed or compromised in any way.
You can even increase your login security with their Two-factor authentication (2FA). Also, they offer login page CAPTCHA to stop bots from logging in.
Wordfence provides a high level of WordPress-specific security that aims to keep the bad guys away from your website and its files.
5. Hide your login page
While Wordfence offers 2FA login security and CAPTCHA as well, one thing they don’t do it hide your login page.
Every WordPress installation starts out with the login page being in the same place. If you add ‘wp-login.php’ or ‘wp-admin’ to the end of the website’s address it will take you to their login page.
That might seem like a massive problem. If everyone knows where to go to log in to your website surely it’s making it easier? Wordfence are confident that you don’t need to hide your login page. They say that ‘security by obscurity’ is not necessary.
Around six months ago I started to use WPS Hide Login to move the login page to a different URL. I tested it out on a website that was getting hundreds of hacking attempts each week. While Wordfence was preventing these attacks I wondered if we could stop the attacks from happening altogether.
After a few weeks with WPS Hide Login activated I found that only a very small handful of hacking attempts where happening. While Wordfence is a great security plugin to protect your website, hiding the front door helps slow down the number of malicious login attempts even before Wordfence needs to flex its muscles.
6. Update, update, update!
One of the minor issues of owning a WordPress website is the constant need to update themes, plugins and the WordPress installation. What happens if you don’t keep updating?
When it comes to updates, the most common reason why a theme, plugin or WordPress installation needs updating is for security. As hackers and bots become more sophisticated, so should the technology preventing them. Hackers look for vulnerabilities. Once they find a weakness with a theme, plugin or with WordPress they will attack it. Once a vulnerability is spotted, the people behind the theme, plugin or behind WordPress will release an update to fix the vulnerability.
Keeping up-to-date with your updates is a fundamentally important and basic part of WordPress website ownership. If you worry that you won’t know when to run an update, Wordfence can email you whenever an update is available.
7. If all else fails, backups
All of that above being said, we need a plan B. What do we do if our best efforts aren’t enough?
Even with premium hosting, a CDN and WordPress security, a simple theme or plugin vulnerability can put your website at risk. Sometimes the bad guys still find a way in. So we need a solution to avoid having to delete your website.
Having regular backups is the ‘plan B’ solution. Firstly, of course, you’ve chosen a hosting provider who offers daily backups as part of the price. You can use their backup feature or ask them to help you roll back your website to the last safe version.
You can also make rolling back versions even easier with a WordPress backup plugin. We recommend Updraft Plus.
With the free Updraft plugin, you can take daily, weekly or monthly backups of your website and the database and store them in the cloud. Then, with one button, you can easily install a backup version of your website.
All of the steps above should be more than enough to protect your website, but it’s important to not be complacent. A viable backup provides a stress-free plan B.
There’s no point in getting a great website if you’re not going to build it inside layers of robust security. With great hosting, a CDN and WordPress-level security you can keep the bad guys out and let your lovely customers enjoy your lovely website.
Need help with your website? Get in touch today: https://www.tinybluerocket.co.uk