WordPress security: not exciting, not fun, but absolutely necessary. If you’re unclear on how to keep your WordPress website secure, then here’s a run-through of simple, essential security measures you can take to keep those pesky hackers at bay.
Why WordPress Security Is Important
WordPress now powers 43% of the internet, which is pretty mind-blowing. It’s open source software with a huge, worldwide community of users, developers and fans. But that also means there’s quite the community of hackers, with thousands of attacks taking place on WordPress sites worldwide every single day.
Some hackers are in it for the money, some are in it to prove their skills, some are purely in it for (malicious) fun. Whatever the reason, they’re out there, they’re highly active, and your website is a potential target.
The danger of getting hacked is that attackers can gain access to sensitive information about both you and your visitors, leaving you vulnerable to identity theft, password leaks, ransomware, and lots of other consequences which will cost you time and money to rectify – as well as the inevitable damage to your reputation.
Website Security Is Essential – Even For Small Businesses!
If you’re thinking “my website’s too small / simple / insignificant to be at risk”, then you’re sadly mistaken. Small business websites can be a target because they’re often poorly protected, leaving them vulnerable to attacks. And since any website can be used to distribute malware and attack other websites, no site is immune.
A secure website is vital to gain the trust of your users so they have a positive experience with your business. Plus – don’t forget that Google expects your site to be secure, and uses security as a ranking factor in the search engine results. It’s too important to ignore.
So that’s the scary part over. Let’s take a look at things you can do to protect your WordPress website, keeping it safe from attack.
How to Keep Your WordPress Website Secure: 6 Steps to Take
The good news is that there are plenty of straightforward actions you can take to secure your WordPress site.
1. Be Smart About Passwords
Probably the most obvious one, so let’s start here. If you’re still using “password123!” as the admin password on your website, you’re not going to last long before being hit by an attack. Hackers use automated systems to guess passwords, and all the old favourites will be figured out within seconds.
Set strong passwords on your site, particularly for users with admin privileges.
And don’t share passwords either: it’s easy to set up a new user in WordPress and only takes a minute, so give everyone who uses your site their own login.
2. Keep Your Software Up To Date
Updates in WordPress don’t just add new features – they also patch any security vulnerabilities. So it’s essential to keep all software regularly updated, including the core WordPress files, themes, and plugins.
WordPress itself is pretty secure, while third-party plugins are responsible for a high percentage of security breaches, so pay close attention to updates on those.
A word of warning on running updates:
Your WordPress website ecosystem involves lots of different pieces of software that all fit together to create your unique website. That’s part of the beauty of WordPress and what makes it so flexible.
But it also means there are many moving parts that have to play nicely together – which doesn’t always happen. Plenty of website owners have felt the panic of running a load of updates all at once and watching their site break.
So take your time and run updates one by one. That way you’ll have a better idea of where any problems have come from.
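One way to follow the one-by-one advice from the command line, as an added example that is not part of the original article. It assumes WP-CLI (`wp`) is installed on the server, and `SITE_URL` is a placeholder for your own site address.

```shell
#!/bin/sh
# Added example (not from the article): apply plugin updates one at a time
# and check the site after each, so a breakage points at a single plugin.
# Assumes WP-CLI ("wp") is installed and this runs from the WordPress root.
SITE_URL="${SITE_URL:-https://example.com}"   # placeholder: your site address

# Succeeds only if the homepage (after redirects) answers with HTTP 200.
site_is_healthy() {
    code=$(curl -s -L -o /dev/null -w '%{http_code}' --max-time 20 "$SITE_URL")
    [ "$code" = "200" ]
}

# Updates every plugin with a pending update, one by one. On the first
# failed update or failed health check, prints that plugin's name on
# stdout and returns 1; returns 0 if everything went through.
update_plugins_one_by_one() {
    plugins=$(wp plugin list --update=available --field=name) || return 2
    for plugin in $plugins; do
        echo "Updating $plugin ..." >&2
        if ! wp plugin update "$plugin" >&2 || ! site_is_healthy; then
            echo "$plugin"
            return 1
        fi
    done
    return 0
}

# Run with --run to do it for real: export the database first, then update.
if [ "${1:-}" = "--run" ]; then
    wp db export "pre-update-$(date +%Y%m%d-%H%M%S).sql" || exit 1
    if culprit=$(update_plugins_one_by_one); then
        echo "All plugin updates applied and the site still responds."
    else
        echo "Stopped at '$culprit': restore the backup or roll that plugin back." >&2
        exit 1
    fi
fi
```

Run it with `--run` from the WordPress directory; themes and core can be handled the same way with `wp theme update` and `wp core update`.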
3. Use Quality Web Hosting
Web hosting is the space you buy on a server to house your website files and make them accessible online. There are a vast number of hosting companies to choose from, and it can be overwhelming knowing which one to pick.
All web hosting providers should offer secure space for you to host your website, but not all hosting is created equal. In fact, one report identified that 41% of hacks are due to a vulnerability on the web hosting platform.
The most secure option is having your own dedicated server, but that is way out of the budget of most small/medium businesses. Most small businesses will be on a “shared hosting” plan which is where multiple websites are hosted on one server.
Shared hosting keeps the service affordable, but does have security risks. It’s possible for hackers to use other sites on the same server to gain access to yours.
The answer is to choose a hosting provider who takes security seriously, has measures in place, and responds swiftly to any security breaches. This will likely add a few pounds to your monthly bill, but is well worth the money.
4. Take Regular Back-Ups (and have somewhere to keep them)
Make sure your WordPress site is backed up regularly. There are a couple of easy ways to do this – and you should probably be doing both.
Firstly, your web host might offer regular automated backups. If that service is available, make sure you have it turned on. And run manual backups too before you make any big changes or run major updates.
Secondly, you can use a WordPress backup plugin (UpdraftPlus is one of the most popular) to take regular backups from directly within your WordPress dashboard.
I always recommend the belt-and-braces approach of having both of these methods set up. You can never have too many back-ups.
Lastly – make sure you’re storing your backups somewhere secure and AWAY FROM YOUR OWN COMPUTER AND WEB SERVER, such as secure cloud storage. Why? Because if you’re storing your precious backups on the server and the server goes down, what will you do then? Same goes for your laptop which can crash / get dropped / be left on the bus.
5. Secure Your WordPress Login Area
This one is less obvious to many website owners, so it’s important to mention. Your WordPress login area is vulnerable to hackers in its default state, so it’s worth taking a few steps to secure it.
6. Use a WordPress Security Plugin
There are plenty of security plugins available for WordPress which will take on a lot of the heavy lifting of WordPress security for you. Popular options include Wordfence, Sucuri and iThemes Security.
They all have different features and settings, but they’ll all help you ward off hackers, scan your site for vulnerabilities, and pinpoint anything that doesn’t seem quite right. You can set email alerts so that the plugin will notify you of anything that requires your attention, giving you peace of mind to get on with your business.
Keeping Your Website Safe Takes a Little Work But Is Worth It
I hope this article has been helpful in showing you some simple ways to keep your WordPress site secure. Keep on top of your software updates, use strong passwords, secure your login area, back up your site, and use security plugins.
Trust me, it’s worth the extra effort to protect your site from getting hacked.
Need Help with WordPress Security?
If this all sounds overwhelming, it might be time to get some help. If you’d like to chat about securing your website, then get in touch.
I offer website maintenance plans where I’ll handle all of this for you (and more) for an affordable monthly fee.