Whose responsibility is the security of your WordPress website?
Ultimately, it’s yours.
While WordPress regularly updates its core security and developers do the same for their plugins, there are a number of steps it’s up to you to take to ensure yours is not one of the 20,000-plus websites blacklisted as ‘unsafe’ by Google each week.
Many of these websites have been hacked or fallen prey to malware. Restoring, relaunching and securing any of them takes far more effort than the preventive steps their owners could have taken in the first place.
(If you want to see how many sites Google identified as unsafe in the last week, month or year, take a look at their interactive Transparency Report.)
Clearly, taking your WordPress security seriously is important. A hacked website can damage your reputation, revenue and, ultimately, your business. That’s why we recommend being proactive in protecting your website, taking steps yourself and / or seeking the expert support of professionals.
So, here’s our 2019 guide to WordPress security best practices. We’ll begin with the simplest steps and move on to ones that protect a bit better but also need a little more tech savvy (or some WordPress experts on hand to help you out) to get right.
Keep your WordPress site, theme and plugins updated.
Keep your software updated.
We’ve all heard it, we know we should, but how many of us really do it?
Keeping your website, theme and plugins up-to-date with the latest updates and security fixes is vital to keeping your website safe and secure. While WordPress will do major updates automatically, many minor ones need to be actioned manually and the same goes for your plugins.
It’s also a good idea to hide your WordPress version number. Even seemingly innocuous information like this helps hackers match your site against known flaws in that version, and they are not the people you want to be helpful to. Your version number can be easily hidden through many of the security plugins available today.
Install a WordPress security plugin
You can find a WordPress plugin for almost anything and, when it comes to security, you’re spoiled for choice.
Any good WordPress security plugin will, as a minimum, monitor file integrity, log failed logins and scan for malware. When it comes to additional security services, focus on what your site needs most and check out reviews and ratings to see what your fellow WordPress community members think.
You can also ask us about the security plugins we’d recommend.
Choose a good host
And while we’re on the subject of expertise, choosing the right host for your website is a huge factor in the security of your WordPress website.
The disadvantage of choosing a standard shared host is that you’ll be sharing a server with any number of other users. This is less secure than having a dedicated server running for your website alone, as any weakness in their websites could lead to a breach of yours too.
Sharing a server with other websites built and managed by the same developers is more secure than generic shared hosting, as such web hosts will often employ specialist security measures and build every site on the server to a high standard of security.
Another advantage of choosing a professional website host is that your website is likely to run faster (and not just away from hackers!).
Reduce the number of users and the risks of idleness.
Keeping access to your admin area to a minimum limits the number of potential doorways a hacker could use into your website.
Ask yourself who in your organisation really needs access to your website’s admin area. If it’s not crucial to someone’s role, it’s best not to give them access.
You can also log out idle users to prevent someone else jumping onto their open browser when they leave their desk and creating havoc. It’s the same system that banks have—tellers log out each time they leave their desks—and WordPress enables you to create an auto-timeout, further reducing the potential for human error.
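The auto-timeout described above, written as a small must-use plugin. This is an added example, not code from the original post; the file name, the IST_ prefix, the 15-minute limit and the ‘ist_last_activity’ meta key are all our own choices.

```php
<?php
/**
 * Plugin Name: Idle Session Timeout (added example, not from the original post)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Logs a user out after IST_IDLE_LIMIT seconds without any request from them,
 * independently of how long the login cookie itself is valid.
 */

const IST_IDLE_LIMIT = 15 * 60; // 15 minutes (our choice); shorten for admin-heavy sites

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    // Last activity is stored as user meta, so it is per user, not per browser:
    // activity in one session also keeps the same user's other sessions alive.
    $last = (int) get_user_meta( $user_id, 'ist_last_activity', true );

    if ( $last && ( $now - $last ) > IST_IDLE_LIMIT ) {
        // Stale session: clear the auth cookies and treat this request as anonymous.
        wp_logout();
        if ( is_admin() && ! wp_doing_ajax() ) {
            wp_safe_redirect( wp_login_url() );
            exit;
        }
        return;
    }
    update_user_meta( $user_id, 'ist_last_activity', $now );
} );

// Separately, cap the auth cookie lifetime: WordPress defaults to 2 days, or
// 14 days with "Remember Me", which is long for a shared or unattended machine.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );
```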
Install a WordPress backup solution
If the worst does happen and you get hacked, getting your website back online and secure becomes your urgent first priority. Having a recent full-site backup is crucial to limiting the amount of time your website is down.
Whether you back up in real time, daily or weekly depends on the type of site you’re running. If in doubt, do it more often than you think you need to. Ask yourself: how long would it take to recover six days’ work? If it’s longer than you’d wish, opt to back up daily or in real time.
Backups should be sent to a remote location that isn’t your server or host. If a backup lives on the same server or host, it is just as exposed as your hacked website. With many cloud storage options available, make backing up part of your regular WordPress security routine.
Now, let’s take a quick look at some of the other steps you can take to secure your website. Many of these require a little more coding know-how and are services Code23 can provide to keep your website safe:
Use strong passwords
With password managers, there are no more excuses for weak or easily guessed passwords. It’s a good idea to change these regularly too, especially any time there’s a change in your organisation.
Get an SSL certificate to encrypt data
Encrypting the data transferred between user browsers and your server makes intercepting or impersonating you (and therefore gaining access) much more difficult.
Install a Web App Firewall (WAF)
Installing one of these lets you block malicious traffic before it even reaches your website.
Add Security Questions or 2FA to Login
Adding an additional security question or 2-factor authentication gives you an extra level of security whenever anyone logs in to your website. These can be enabled through readily available WordPress plugins. For more information, check out this article on WordPress Security Questions.
Limit login attempts
Through plugins like Login Lockdown, you can limit the number of attempts a user gets at logging in to your website. If they fail three times, for example, you can lock them out of your website for an allotted amount of time and, with some plugins, even ban IP addresses permanently.
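What a plugin of that kind does under the hood, as an added example that is not the post’s own code and not Login Lockdown’s: a must-use plugin that counts failures per IP and username in a transient and refuses further attempts for a lockout period. The LLA_ names, the three-attempt limit and the 15-minute lockout are our assumptions.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example, not from the original post)
 * Drop into wp-content/mu-plugins/. After LLA_MAX_ATTEMPTS failed logins for an
 * IP + username pair, further attempts are refused for LLA_LOCKOUT_SECONDS,
 * even if the password is correct.
 */

const LLA_MAX_ATTEMPTS    = 3;   // our choice, matching the example in the post
const LLA_LOCKOUT_SECONDS = 900; // 15 minutes (our choice)

// Counter key: client IP plus lower-cased username. REMOTE_ADDR is only the
// real client when the site is not behind a proxy or CDN; if it is, use the
// proxy's forwarded header, and only after confirming the request came from it.
function lla_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_' . md5( $ip . '|' . strtolower( $username ) );
}

// WordPress fires wp_login_failed with the submitted username on every failure.
// Re-setting the transient also restarts the lockout clock on each new attempt.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lla_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LLA_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out pair is refused even when the right password is supplied.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( lla_key( $username ) ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that IP + username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lla_key( $user_login ) );
} );
```

Note that because the lockout error itself triggers wp_login_failed, every attempt made during the lockout extends it; that is deliberate here, but a plugin may prefer a fixed window.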
Change admin username and password protect important pages
Your username is half of your login credentials, yet how many of us think of making it part of our security strategy? Changing your login username from the default to something like your email address is one simple way of making a hacker’s life a bit harder, but it’s not the only one.
Protecting important areas of your website can be done in two key ways:
1) Customise the URLs for your server-side pages: admin (/wp-admin/), login (/wp-login.php) and configuration (wp-config.php). Leaving them at these generic, well-known locations makes them incredibly easy to guess and gives a hacker a clear target to work on.
2) Password protect these pages. Your configuration file, for example, contains details of your site’s installation (including database credentials) which, if accessed, make your website incredibly vulnerable to attack. So, if the hacker does guess the URL, put a password on the page so they aren’t able to waltz into the heart of your website.
You can even change the default database prefixes (/wp-…/). Be careful though: if done incorrectly, this can do major damage to your website. This tip is one definitely worth asking for help on, unless you’re really confident playing around with code.
Turn off Directory Indexing
Your directory is like the nucleus of your website and is where all the files, pages and other information for your website are stored. Making it publicly browsable is really risky, as it lets hackers list your files and recognise potential weaknesses they could take advantage of.
Turning off directory indexing and browsing is pretty simple. Add ‘Options -Indexes’ to your .htaccess file and you’ll keep your directory strictly need-to-know. (Don’t write it as ‘Options ALL -Indexes’: Apache rejects an Options line that mixes the bare form with the +/- form.)
Disable file editing, PHP file execution and XML-RPC
File editing (the built-in code editor in the admin area), XML-RPC (which helps connect your site to apps) and PHP file execution in upload folders are three features of your website that are better disabled than left running. Each is a potential weakness and, as this article points out, can leave you vulnerable to common types of attack.
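Two of those three switches in PHP, as an added example that is not the post’s own code: a must-use plugin that removes the admin file editor and fully turns off XML-RPC. Blocking PHP execution in the uploads folder is a web-server setting (for example in .htaccess) rather than something PHP can do for itself, so it is not shown here. The plugin file name is our choice.

```php
<?php
/**
 * Plugin Name: Disable File Editing and XML-RPC (added example, not from the original post)
 * Drop into wp-content/mu-plugins/. DISALLOW_FILE_EDIT normally lives in
 * wp-config.php; defining it here also works because must-use plugins load
 * before the admin menu and capability checks that read it.
 */

// 1) Remove the theme/plugin file editor from the admin area. With this set,
//    edit_themes / edit_plugins capabilities are denied for every user.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
// Stricter still: also block installing or updating plugins/themes from the
// dashboard, so all code changes go through your own deployment process.
// define( 'DISALLOW_FILE_MODS', true );

// 2) Turn off XML-RPC. The xmlrpc_enabled filter only blocks methods that log
//    in, so unauthenticated ones such as pingback.ping would still answer.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove every method, so xmlrpc.php serves nothing at all.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    return array();
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> tag in the page head that both point clients to xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

If you rely on the Jetpack plugin or the mobile app, test them after enabling this, since both talk to the site over XML-RPC (or the REST API, which this does not touch).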
Some of the steps we’ve outlined are simple but others are less so. Regardless, staying vigilant gives you the best chance of avoiding security issues.
Once you head deeper into coding territory, we’d strongly recommend seeking at least some professional support unless you’re already a savvy coder. Errors in code can have damaging effects on your website, so it’s best not to take too many chances.