You might be asking yourself why you need to worry about keeping your WordPress website secure. This is a massive CMS platform, used for 43% of websites in 2022. Shouldn’t this also mean that it is one of the most secure platforms on the market? Well, yes and no. The WordPress core installation is extremely secure, and overall WordPress is a secure CMS.
However, part of the beauty of WordPress is its flexibility, and a large portion of that flexibility comes from the open-source community of WordPress developers. Because WordPress is open-source, we have access to third-party plugins that help to expand the functionality and truly power the WordPress CMS to create almost any kind of website that we can imagine. But, working with outside developers means that nothing is guaranteed in terms of security.
Fortunately, the WordPress community prioritizes security. So, as long as we follow a few best practices to keep our websites up to date, we minimize security risks substantially. In this article, we provide some tips to keep your website safe from malicious activity and running smoothly.
Take Regular Backups of Your Site
This is probably the most important step that you can take to prevent data loss due to an attack, a code conflict, or anything else that could prevent your site from functioning as expected. We recommend taking a backup of your site at least once every month and keeping at least 3 months of backups on file. This will ensure that you are able to restore your site to a recent version that is functional in the event of a failure. There are a number of ways to keep your site backed up.
This is probably the easiest way to keep your site safely backed up without the help of a web professional. Most hosting providers offer automatic backups as a paid service. Some of these services will allow you to restore your site and database to a specific day and hold a history for a number of months. If you don’t have someone backing up your site manually, this is usually pretty affordable and definitely worth the cost!
Backing Up Through cPanel
If you have access to your website cPanel, there are typically several tools that you can use to back up your site. There is a standard backup tool built into cPanel. You can find out how to use that tool in the cPanel documentation.
Most hosting services also now come with WordPress Toolkit installed. This is a great tool, not only for backing up your site, but also for monitoring your plugins, themes, WordPress installation, and other site details. If you don’t already have it installed, you can reference cPanel documentation for the installation process.
ManageWP is a WordPress manager dashboard, and it may be one of the easiest ways to keep your sites backed up. You can set up an account for free, and only choose the services that you need. This includes a backup service that holds 3 months’ worth of daily backups. The best part about this service is that it is basically set it and forget it… until you need it. ManageWP is also great for backing up and monitoring multiple sites through a single dashboard.
Use a WordPress Backup Plugin
There are a number of backup plugins that will allow you to easily back your site up through the WordPress admin. There is some variance in the reliability of these plugins, but a couple that we would recommend are All-in-One WP Migration and UpdraftPlus.
Choose a Secure WordPress Hosting Service
Choosing the right hosting service is a great way to ensure that your WordPress site is safe and secure. Many hosting providers have services geared for WordPress websites and have managed WordPress hosting. While shopping for a hosting company, you’ll want to look for a couple of services that will help you to keep your site secure and to avoid headaches caused by malware and other malicious activity.
- Automatic backups are an excellent feature to start with, as we mentioned above
- Some hosts will guarantee to keep your site secure and free of malware
- Of these companies, some will also include a service to restore your site, free of malware, in the event that your site does become a victim of an attack.
Keep an eye out for these services when shopping for hosting. Hosts recommended by SharedTEAMS will include these services as well.
Install an SSL Certificate and Enable HTTPS
We all know, at this point, that we need to install an SSL certificate on our site in order to get the little browser lock symbol that shows our site is a secure one. The reason that browsers require us to do this is that SSL encrypts our users’ data in transit and prevents it from being compromised. This is especially important for sites that request sensitive data from users, such as credit card numbers or Social Security numbers. Most hosting providers now offer a free and convenient SSL option.
Once you have your SSL installed, you will need to make sure that all of your files are running through the encrypted HTTPS connection. You can either force HTTPS through your hosting account, or use a plugin like Really Simple SSL to accomplish this. Be sure that HTTPS is working correctly on your website before enabling SSL through a plugin. Not doing so could cause you to lose access to your site.
Keep the WordPress Core, Plugins, and Themes Up to Date
Keeping your WordPress site up to date is the most important, and possibly the most overlooked, action that you can take to keep it secure and safe from malware attacks and other functionality issues. Software is constantly being updated and improved upon, and plugin and theme developers are always working to keep their code optimized for WordPress. If you allow your plugins or themes to become too outdated, they may eventually develop incompatibility issues with WordPress, and with other plugins used on your site, which is what leads to site errors and functionality issues.
Theme and plugin developers are also keeping up with the latest security vulnerabilities and fixes, and they frequently release new versions to stay on top of these vulnerabilities. Not updating means that you’re missing out on the work that these developers are doing to keep sites using their software safe.
Update to the Latest Version of PHP
PHP is the language that WordPress is built on. Your hosting server is set up to use a specific version of PHP. It is always best to update to the latest version of PHP, not only to keep your site secure but also to improve load times and performance and prevent conflicts and site errors. However, some themes and plugins are not compatible with the latest version of PHP, so updating to the latest version can cause errors on your site. Before beginning this process, it is always best to take a full backup and be prepared to run a full review of your site. If your site is incompatible with the latest version, it may be wise to have a developer help you narrow down the cause.
Run Monthly Security Scans
It is important to run security scans on your site, and we recommend running one each month. The sooner that you become aware of malicious activity on your site, the better. If you are aware of an attack in the same month that it happens, you are much more likely to be able to install a site backup to resolve the issue, and not have to go down the rabbit hole of trying to find and eliminate the malicious code.
Use Secure Passwords. No Really, Use Secure Passwords!
I know that it’s tempting to use your favorite Golden Retriever’s name or the “Go[InsertYourFavSportsTeam]!” as your password because it is easy for you to remember. However, those kinds of passwords are not anywhere near the level of security that you’re looking for. Access to your admin account is one of the easiest ways for hackers to find their way into your site code.
Complexity is the key to a secure password. You will want to use a secure password both for your WordPress admin login and for any users on your account. If your site allows users to create their own accounts, such as a subscription or eCommerce site, either implement a secure password requirement when creating an account or lock down all sensitive information and code on your site from the user roles who can create their own passwords for accounts.
There are a number of password generators online that will help you to develop a secure password. Document these passwords somewhere safe. You can store these in a protected file on your local machine. There are also several services, such as PassCamp, 1Password, and LastPass that will not only generate passwords for you but make them easily accessible on your local machine.
By the way, it’s also a good idea to change your admin username to something other than “admin.”
Add Restrictions to Your Site
Though it may require some assistance from your developer, there are other actions that you can take to add restrictions to your site. We’ve already mentioned locking down your content from site user accounts. You can also lock down your site editor from Admin accounts. Admin accounts are often the easiest way for a hacker to access your site code because the code can be edited directly through the Admin dashboard in WordPress. You can make some adjustments to your code that will remove this capability, and require a user to have FTP/SFTP access in order to change the code.
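In WordPress, the adjustment that removes the dashboard code editor is normally one constant in wp-config.php: define( 'DISALLOW_FILE_EDIT', true );. The Python check below is an added example, not part of the original article; it reports whether a wp-config.php actually sets that constant, and the sample configurations in it are constructed.

```python
import re

# Matches define( 'NAME', value ); with either quote style around the name.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>\w+)\1\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""",
    re.IGNORECASE,
)

def strip_php_comments(src):
    """Remove /* */ blocks and whole-line // or # comments, so a
    commented-out define is not mistaken for an active one."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def file_editor_status(wp_config_text):
    """Return 'locked', 'editable' or 'not-set' for the dashboard code editor."""
    for m in DEFINE_RE.finditer(strip_php_comments(wp_config_text)):
        if m.group("name") != "DISALLOW_FILE_EDIT":
            continue
        value = m.group("value").strip().strip("'\"").lower()
        # PHP keeps the first definition of a constant, so the first match decides.
        # Only the common truthy spellings (true, 1) are recognised here.
        return "locked" if value in ("true", "1") else "editable"
    return "not-set"

# Constructed sample configurations (placeholders, not real site settings).
HARDENED = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
"""
COMMENTED_OUT = """<?php
// define( 'DISALLOW_FILE_EDIT', true );
/* define( 'DISALLOW_FILE_EDIT', true ); */
"""
EXPLICIT_FALSE = """<?php
define("DISALLOW_FILE_EDIT", false);
"""

if __name__ == "__main__":
    for label, text in [("hardened", HARDENED), ("commented out", COMMENTED_OUT),
                        ("explicit false", EXPLICIT_FALSE)]:
        print(f"{label}: {file_editor_status(text)}")
```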
You can also change the login URL for your site. The admin page is generally pretty easy to find by adding “/wp-admin” or “/wp-login.php” to the end of your site URL. This is how bots will easily find the login page. However, there are plugins, such as Change wp-admin login, that will allow you to change this login URL to whatever you want, protecting your site from that type of vulnerability.
Website Security Matters to Your Business
You know how much time, money, and effort you’ve invested in your business website. It is important that you take the necessary steps to keep your site secure. A malware attack that goes unnoticed can take days or sometimes weeks to fix. But, by investing a little time in some simple best practices, you can ensure that your site is protected from malicious activity, errors, and code conflicts. It may take you some time to put these things in place, but it will also save you from an extremely time-intensive and costly headache down the road. Inquire with SharedTEAMS about our monthly Website Maintenance plans, and allow us to help you keep your site secure and optimized.