WordPress is a popular website platform for many businesses, but it can be vulnerable to hackers unless steps are taken to ensure its security. For those just beginning their WordPress journey, there are certain measures that should be taken in order to protect one’s site from malicious activity. In this article, we present the top ten tips for WordPress website security for beginners. These simple steps will help keep your content and user data secure and make sure your WordPress website is running as smoothly as possible.
Use Strong Passwords for Secure WordPress Hosting
For WordPress beginners, website security is an important but often overlooked element of getting your website up and running. A solid security plan is essential for any website owner to ensure that no unauthorized access is allowed. And one of the best ways to improve your WordPress security measures is to ensure all users have strong passwords in place.
It may seem simple, but one of the most important steps that you can take to make your WordPress website more secure is to require strong passwords for all of your logins. And yes, for sites with customers or external users, this does include those accounts.
So, what does it mean to have a strong password? Well, here’s a hint, your favorite food or sports team with an exclamation point at the end…don’t do that. Passwords are not typically guessed or hacked by people. There are usually complex scripts behind the scenes that are run through their program repeatedly to crack your password using tried and tested combinations of common characters. The password that you can remember easily is also likely within the scope of these scripts. For any login, including those aimed at adhering to WordPress security best practices, you’ll need to create some more strength in your passwords to keep people (and bots) from hacking your accounts.
A strong password will have the minimum following characteristics:
- At least 10 characters, but more are encouraged
- Include numbers, capitals, and special characters – these throw off the hacking algorithms by adding exponentially more new variables into the mix
- Updated to a new strong password around every 3 months
Generate a Strong Password
The good news is that you don’t have to think up these passwords for every user every time they are updated. There are a couple of different tools at your disposal when working with WordPress.
If you are generating passwords for site users, there is a built-in complex password generator built right in as a WordPress security plugin. Use that feature as a standard in your WordPress security best practices toolkit and provide the password to your users using a secure delivery method.
If users are being added to your database automatically, for example, customers of e-Commerce sites, or any site that requires user accounts for any reason, there are plugins to help you enforce complex passwords. This will require the user to follow a set of rules when creating their passwords. iThemes Security is a great example of one of the best WordPress security plugin options that will help to keep user accounts secure with strong passwords.
Worried about Remembering Your Strong Passwords?
Password managers are the key to keeping your passwords stored securely. Most people are not able to remember complex passwords, especially if they are being generated for every separate login. This can become a big challenge for businesses and individuals trying to adhere to proper WordPress security practices. There are several password managers on the market that can help you not only store your passwords, but generate them, remind you when they need to be updated, and test the complexity of existing passwords.
A few of our favorite password managers include:
- 1Password – https://1password.com/
- LastPass – https://www.lastpass.com/
- PassCamp – https://www.passcamp.com/
Finding a good password manager and keeping your passwords complex and up to date is one of the most important WordPress security measures.
Update Your Username – Don’t Use the Default
What else can you fortify besides your passwords? You guessed it: your username! All of those bots and scripts are trained to start with the default usernames as well.
Be sure to update your username to something relevant to your business. It doesn’t have to be as complex as your password, but always avoid using the default, “Admin.”
Already created your user account with the default username of “Admin”? No worries, there are some easy steps that you can take to update your username.
Keep Your WordPress Core Installation Updated
As hackers, unfortunately, keep hacking, you’ll need continual WordPress security checks. Your friendly core WordPress development team can help. They continue to develop fixes and patches to prevent those new vulnerabilities from affecting your site.
Each time one of these fixes is issued, it is included in the most recent version of WordPress. This is why it’s so important to keep your core WordPress files updated. There are many advantages to keeping your core files updated, such as performance and usability optimizations. But, most importantly, you can’t take advantage of vulnerability fixes issued by WordPress without updating your software.
The great thing about the WordPress core updates is that they’re often reported in your dashboard, so when you log into your website’s backend, you can see a message that reads something like, “An updated version of WordPress is available. You can update to (insert link with the latest update) automatically or download the package and install it manually.”
This message is often accompanied by two buttons: one that allows you to “Update Now” and the other that allows you to download the latest update package.
We know, it’s easy to get busy and start missing or ignoring all the little notes WordPress sends you in your dashboard, but it’s important that your core and your plugins and themes are all up to date. Once you start getting behind on these things, the functionality, speed, and user-friendliness of your site suffer. And those small errors on the page can be enough to turn away prospects, as well as leave your WordPress site open and vulnerable to new and evolving cyberattacks.
Update Themes and Plugins Regularly
Much like your WordPress core files, theme and plugin files can become vulnerable to viruses, malware, brute-force attacks, and more after a while. But a good plugin will always have a great development team behind it.
Do your research when selecting a plugin to ensure that it is well-supported and frequently updated. Those updates come with new features and improvements to functionality, but they also include fixes for any existing security issues. Keeping those themes and plugins up to date is another important factor in maximizing your website security.
But, not all iterations are perfect! Occasionally an update will come with a bug or an incompatibility that can affect your site functionality or even take it down completely. You should back up your site before making any updates. You should also make sure that you have an easy way to restore your site, via hosting or FTP, so that you can get it back up and running quickly. WordPress website security for beginners often means checking and double-checking that you have your site and information stored and backup in safe places.
Overall, your theme and plugin updates should all make your website run more smoothly. They should also often be tailored to creating time-saving and efficient solutions to common problems and workflows.
Update to the Latest Version of PHP
PHP is “a programming and scripting language to create dynamic interactive websites.” It runs on your web hosting server. If someone visits your website, their browser sends a request to your server to view the page. Then the PHP code runs on that server and generates an HTML page for the visitor to view in their browser. It’s simply the communication method that allows your website to be seen by others who are not operating on the same server as your website.
PHP is maintained by its developers, just like WordPress. It’s important that you keep your site running on the latest version of WordPress that is compatible with your plugins and themes.
Every PHP update comes with significant improvements to security as well as performance. In fact, this is one of the best ways to ensure that your site is running smoothly and performing well. It’s also one of the best ways to enforce security.
Because not all developers keep up with the latest changes to PHP, it is easy for a PHP update to take down your site. But don’t fret! You can typically revert the PHP version and troubleshoot the issue. There’s a lot of support out there to help guide you through the PHP update process.
Run Frequent Backups
On average, hackers attack someone’s data website, and other online content every 39 seconds. It’s no secret that you should run frequent backups of both your site files and database. Should anything happen to your site, you will always want to be able to roll back to a previous version of the site before the problem occurred.
One of the most popular backup rules is the 3-2-1 Backup Strategy: it states that you should have at least three copies of your data, two of which should be local (but on different devices), and one copy that should be stored off-site. Because we continue to see emerging threats across all networks, platforms, website and browser types, and more, your backups should be run frequently to ensure that no matter when an attack, error, or breach occurs, you don’t lose any of your hard work and content that resides on your website.
Some of the key benefits of having backup software in place and running frequent backups include things like:
- always having access to your business’s data and website files
- protecting vulnerable and proprietary data from being put into the wrong hands, deleted, or held for ransom.
- being able to quickly restore information and functionality without a hitch
- increase confidence in your brand’s safety and trustworthiness for customers and stakeholders alike.
Often malware issues can go on for a while without being detected. Daily backups are recommended as a way to ensure site security by allowing you to roll back to a better time before there was malware on the site.
There are many hosting companies that now offer daily backups with the ability to easily roll back to a point in time. Flywheel and Siteground are two that come to mind.
Install SSL Certificate and Enforce HTTPS
This may be obvious at this point, but it is essential to install an SSL certificate on your website. It’s typically one of the first steps you’ll take when setting up a new site and is also now tied into your appearance of security on the web. This means that people may not visit your site if they don’t see the little green lock next to your listing or in the address bar, so not having an SSL could affect your traffic.
More importantly, the SSL certificate is the industry standard for protecting data in online transactions. Your SSL is what keeps the data of your users safe when making transactions on your website, including filling out forms and making purchases.
Most hosting companies now offer a free SSL that you can simply install on your site as part of your hosting plan. It’s usually as simple as the click of a button, and you’ll have encryption set up between the browser and hosting server.
Finally, after you are sure that your SSL certificate is running correctly, you’ll want to force all of your site paths to go through HTTPS (‘S’ is for Secure), instead of the standard HTTP. There are a number of ways that you can accomplish this, including edits to your .htaccess file. We prefer the Really Simple SSL plugin, which will handle the rerouting of files for you. Be sure to scan your site after rerouting file paths. You may need to make some updates to make sure everything is working properly!
Hide Your WP-Admin Login Page
It’s important to hide your WordPress login page – this is the page URL where you enter your Admin username and password to gain access to your WordPress website.
It’s important to hide this page for several reasons, but one of the main reasons is that in 2020 alone there were 90 billion malicious login attempts against WordPress websites. Many of these attacks are brute force attacks, which means that a bot or hacker uses programming that continually tries random combinations of usernames and passwords in the hopes that they will find the right one – and these attacks can try 1,00 or a billion times to try and break into your admin website.
Remember how that first section in this article was about creating high-quality passwords? This is another reason why it’s so important.
There are also many reasons why it’s beneficial to hide your admin login page. If your login page is hidden, hackers and bots can’t find the page to start their attacks. The default pages are common knowledge, and it’s not hard to guess or figure out what the URL is for your website’s admin page. Hiding it is like putting your website’s sensitive login link into witness protection. You greatly decrease your risks of a breach through this form of attack.
Here’s a quick and easy tutorial and background article for step-by-step instructions on how to hide your admin login page. You can also use this Webcraftic WordPress plugin to safely rename wp-login.php and close off access to your WordPress admin panel for unauthorized users.
Choose Hosting Wisely
Every business needs a website. We know some people might not agree, but in an increasingly digital world, having a successful business is synonymous with creating a user-friendly, reliable website.
And every website needs a host. A web host is your site’s foundation, its home. It houses all the files, data, and programs, that create your business’s functional web presence.
Web hosting can also include shared hosting, cloud hosting, and VPS hosting. WordPress hosting is a sub-category of web hosting.
Shared hosting is where a website shares a single web server and related resources with other sites. This is a cheaper option for smaller sites, beginners, and small businesses with low online traffic volume. In this setup, the hosting provider is the one taking care of the server monitoring, updates, and backups.
VPS, or virtual partition, hosting is used to give a website specific resources from a virtual partition of a physical server. This is a great option for medium and larger businesses that offers much more flexibility and technical options.
With cloud hosting, a website runs on multiple cloud-based servers instead of a physical server. For busy sites with high traffic volumes, this is the best choice. You can read more about the differences and benefits of hosting options here.
Host Your Site on a Dedicated Server for Best Security
Though there are many benefits to VPS, shared, and cloud hosting, the protection offered by a dedicated server will far outstrip the other hosting types. This is also one of the pricier options when it comes to hosting your website.
Dedicated hosting is exactly what it sounds like – there is one server, and it only hosts data from one website. There’s no risk of exposure to other sites’ malware or viruses like with shared hosting. And all the server’s resources are dedicated to one website, which means improved speed, load times, and stability.
Like with anything related to IT and business ownership and management, there is no perfect answer for any security-based problem. Each website, visitor, and hosting type is unique and comes with its own set of risks, variables, benefits, and costs.
SharedTEAMS Web Team – Dedicated to Website Production, Maintenance, and More
Were there any WordPress security tips that surprised you? Anything you want to get started on right away to help secure your website? SharedTEAMS is made up of six specialized teams working together with your in-house teams and managers to create marketing and web solutions that bring your business goals to fruition and your band vision to life.
Our web team is well-versed in all things web and IT, we can help you by providing support where you need it most with our list of great website projects and estimates. We can help with website production, design optimization, SEO monitoring and enhancement, web page building, and site maintenance. We are also more than happy to accommodate custom projects tailored to your business’s specific needs, including WordPress website security for beginners.
Take a look at our website projects page and contact us anytime to schedule a meeting and discuss or arrange support from any of our specialized teams, or multiple teams at once.