Despite how much time we all spend online, it’s easy to forget that most places on the web aren’t inherently ‘safe’. As a website owner you might find yourself entrusted with sensitive data and having to take security precautions to make sure it doesn’t fall into the wrong hands.
Although WordPress is constantly updated to stay ahead of the curve when it comes to security vulnerabilities, every installation is different. Everyone uses different themes, plugins, hosting services and a myriad of other variables, any of which can introduce weak points into their systems.
Regardless of your own particular configuration, there are a few simple security steps anyone can take to ensure their installations are more secure. In this post we’re going to run through some of the most important ones, which should take you less than 30 minutes to implement.
Let’s get straight to it!
Step 1: Back Up (Now and Forever)
You’ve probably heard this advice before, and with good reason, because whether you have a backup or not can make the difference between the life and death of your website in the most literal of terms.
Nowadays, many hosting providers take care of performing regular backups for you, but since this is such a crucial step, we recommend setting up an additional solution of your own.
Creating manual backups isn’t straightforward, so we recommend using a plugin solution such as UpdraftPlus. There are plenty of competitors in this field, but UpdraftPlus keeps things simple with a single-click restore option and the ability to schedule backups for your files and databases separately.
It’s also compatible with most cloud storage options and encrypts your files before uploading them. For example, if you wanted to link your installation to your Dropbox account, all you’d have to do would be to go to the plugin’s Settings tab, pick it from the list of cloud storage options and then click on Allow when asked for permission by the Dropbox API.
If you don’t find UpdraftPlus to your liking, there are several other top-notch options you might consider, such as Duplicator, BackUpWordPress, and BackWPup Free.
Step 2: Update WordPress Core, Themes and Plugins
WordPress takes security seriously. It employs a team of over 20 experts and researchers dedicated to keeping its millions of users safe, and often releases minor updates to address security flaws in between major launches.
That said, WordPress’ massive user base makes it a perfect target for hackers hoping to gain the most bang for their buck. As recently as 2013, over 20% of WordPress plugins were found to be vulnerable to web attacks, and during 2015, a massive XSS vulnerability which affected major plugins was discovered.
Plugins are not the only targets within WordPress though – the core system itself, as well as themes, can also offer entry points for attackers. The best way to prevent problems from occurring is to keep everything up to date.
A lot of people tend to ignore update notices when going through their Dashboard, but we urge you to take a minute to go through your list of plugins and apply all the available updates whenever possible (not to mention always using the latest WordPress version). This is an incredibly simple step which can save you a lot of headaches down the road.
If you’re all about efficiency, there are plugin options to automate the updating process such as Advanced Automatic Updates, which enables you to pick exactly which parts of your install will take care of themselves.
Be warned that automatic updates have one key drawback: compatibility issues. Certain plugin updates could, for example, cause errors on your website due to feature changes or incompatibilities with other plugins or with newer versions of WordPress core. That’s why we recommend doing updates manually from your dashboard routinely (ideally after your latest scheduled backup) and checking your website for errors afterwards, just in case.
Manually updating plugins doesn’t need to be a hassle, since you can do so in batches from either the Updates or the Plugins tab within your dashboard (both of which will constantly guilt you into it by reminding you of how many updates you have pending).
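The routine described above (back up, update, then check the site for errors), as an added example that is not part of the original post. It assumes WP-CLI is installed as `wp` and is run from the WordPress directory; `SITE_URL`, `BACKUP_DIR` and the function names are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: back up, update one plugin at a time, check the site after each.
# Assumes WP-CLI is installed as `wp` and this runs inside the WordPress directory.
SITE_URL="${SITE_URL:-https://example.com}"   # placeholder: your site's address
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"  # placeholder: where DB dumps go
FAILED_PLUGIN=""

# Names of plugins with a pending update, one per line.
pending_plugins() {
  wp plugin list --update=available --field=name
}

# Succeeds only if the front page answers HTTP 200.
site_healthy() {
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 20 "$SITE_URL")
  [ "$code" = "200" ]
}

# Update plugins individually so a breakage is pinned on one specific update.
# Returns 0 if all updates passed, 1 if an update failed, 2 if the site broke.
update_plugins_checked() {
  local plugin
  FAILED_PLUGIN=""
  for plugin in $(pending_plugins); do
    wp plugin update "$plugin" || { FAILED_PLUGIN="$plugin"; return 1; }
    if ! site_healthy; then
      FAILED_PLUGIN="$plugin"
      echo "Site unhealthy after updating '$plugin'; restore or roll it back." >&2
      return 2
    fi
  done
}

main() {
  mkdir -p "$BACKUP_DIR" || return 1
  wp db export "$BACKUP_DIR/db-$(date +%Y%m%d-%H%M%S).sql" || return 1
  site_healthy || { echo "Site already failing; fix that first." >&2; return 1; }
  update_plugins_checked || return $?
  wp theme update --all && wp core update && site_healthy
}

# Run the routine only when asked, e.g. with the argument "run".
if [ "${1:-}" = "run" ]; then main; fi
```

Because it stops at the first update that breaks the front page, `FAILED_PLUGIN` tells you which plugin to roll back before continuing with the rest.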
Step 3: Batten Down the Hatches (Of Your Login Page)
The login process is a linchpin of your website’s security and there are several simple steps you can take to stop potential attackers from gaining access to it. Let’s handle the quickest and easiest options:
- Upgrade your password practices. A safe password should at the very least be long and unique enough to frustrate dictionary attacks. If you don’t trust yourself to remember a complex password, you can always opt for a password manager such as LastPass or Dashlane. There’s also the option of passphrases if you’d rather not rely on software, and they have the advantage of being easier to remember using mnemonic techniques.
- Limit access to the dashboard only to people you trust. Each additional user with access to the ‘back of the store’ can compromise your security.
- Use additional security plugins. Consider additional plugin solutions such as Wordfence Security or All In One WP Security & Firewall, which introduce features such as blocking of known attackers, two-factor authentication, and enforcement of strong passwords among many others.
Web security is a constant race against people who are always on the lookout for undiscovered flaws. However, you’d be surprised at what the above few simple steps can achieve in terms of keeping your WordPress website (and your users’ information) safe.
Remember, the key steps are:
- Keep everything backed up.
- Keep everything updated – plugins, themes, and your WordPress installation itself.
- Keep your login page safe with a tough password and limited access.
What steps have you taken in the past to secure your WordPress websites? Share them with us in the comments section below!