It can happen in an instant.
One minute your WordPress site is running fine, the next it has been hacked, causing you reputational damage and losing you clients, customers, money and credibility.
If you want to avoid this nightmare scenario happening to you, then keep reading and discover the top security tips and best practices that’ll keep your WordPress site safe 💯💥.
Why WordPress security is important
Before we provide you with the tips and best practices that’ll keep your website safe, we wanted to provide you with some context💻💾.
WordPress security shouldn’t be viewed as an optional extra. Instead, security should be a fundamental part of your website maintenance.
In addition to the problems we set out in that opening paragraph, if your site gets compromised, the following things could happen:
- You could lose private customer information, making you responsible for paying a scarily large fine. For example, British Airways was fined £183m because of a magecart attack on its website.
- Hackers may be able to distribute malware to your users, damaging their computers or other devices.
- You may have to pay a ransom to hackers in order to regain control of your website. The average ransom paid in 2021 was a staggering $170,404💵💰.
Aside from the reputational and financial impacts of a compromised website, you may also face the wrath of Google😱.
Google currently blacklists around 20,000 websites for malware and 50,000 for phishing each week. If this happens to your business’ website, then it’ll take you an enormous amount of time and effort to not only recover your website, but rebuild your rankings and other SEO factors.
So, with all that in mind, let’s take a look at 8 tips and best practices that’ll keep your WordPress site safe and secure.
Keep WordPress updated
Yeah, this shouldn’t really need to be said. But, here we are saying it!
WordPress is one of the world’s most popular Content Management Systems, powering just over 60% of the world’s websites. But, because it’s so popular, WordPress effectively has a big target painted on its back🎯. And, it’s the outdated versions of WordPress that are most susceptible to hacking.
Whilst WordPress automatically installs minor updates, major releases need to be updated manually.
But, that’s not all. WordPress also comes with hundreds (perhaps even thousands) of different themes and third-party plugins – each of which can provide a ‘backdoor’ into your site for hackers if not kept up to date.
So, on a regular basis you should be manually checking that you have installed the latest version of WordPress and that the individual plugins on your website are up to date too.
Install a security plugin
As well as keeping your version of WordPress update and using secure hosting, it also helps to install a dedicated security plugin 🔓🔐.
Having a security plug in on your website is a bit like having a security guard at your office. It’s the job of the security plugin to constantly monitor your site, checking things like file integrity, failed login attempts, malware scanning and more.
There are multiple WordPress security plugins available, but one of the most popular (and arguably effective) is Sucuri.
Make your login more secure
One of the ways in which hackers can gain unauthorised access to your WordPress website is via your login page 📢.
It may sound beyond obvious, but don’t have your website’s login details as:
Admin
Password
Frankly, if those are your current login credentials, you need to stop reading this article right now and change them. Please!
In addition to having non-generic login credentials, it’s also helpful to add a security question to your login screen. This will provide an extra layer of security, making a hacker’s job much harder (remember, it’s impossible to reduce all risk of a security breach, but it’s your job to reduce the risk as much as possible).
Oh, and don’t share your login credentials with the rest of your office. Where possible, you should provide website users with individual login credentials. This not only increases security, but provides an audit trail should a set of credentials be used to access the site and do something untoward.
Limit login attempts
In addition to the login best practices above, you should also limit the number of login attempts people can make. As a default, WordPress allows users to try to login as many times as they want – which will make your site vulnerable to brute force attacks 😈👊.
To avoid this, you should change the number of failed login attempts a user can make. If you have a firewall in place this is generally already taken care of. However, if you’re not using a firewall, then you’ll need to install a plugin such as Login LockDown which will record the IP and timestamp of every failed login attempt.
Install a backup solution
As we just mentioned, it’s impossible to reduce all risk of a security breach occurring. So, if the worst does happen, you should make sure you have a backup so you can quickly restore your site 😎.
The easiest way of backing up your site is to use a dedicated plugin such as UpdraftPlus or BlogVault.
Once a backup plugin is installed, you should make regular full-site backups. But – don’t save these full site backups to your hosting account. Instead, you want to save your backups to a remote location such as a cloud service like Amazon or Dropbox.
In terms of how often you should conduct full-site backups, this is largely determined by how often you update your site.
Use a firewall
Using a firewall will block malicious traffic before it even reaches your website 💥.
There are two main types of firewall that are commonly used for WordPress websites:
DNS Level Website Firewall
This type of firewall routes your website traffic through a cloud proxy server. This effectively ‘filters’ the traffic, meaning that only genuine visitors are sent to your web server.
Application Level Firewall
An Application Level Firewall is a plugin that examines your website’s traffic once it reaches the server, but before loading most WordPress scripts. As you can imagine, this type of firewall is not as efficient as a DNS Level Website Firewall as it still puts load on your server, but nonetheless, it’s better to have a firewall rather than none!
Move your website to SSL/HTTPS
By enabling SSL (Secure Sockets Layer), your website will use HTTPS rather than HTTP. SSL is a protocol that encrypts data transfer between your website and the user’s browser. This makes it far more difficult for someone to seek out ‘holes’ in your website’s security. 🔐🔑
It’s super easy to use SSL for your website. In fact, upHost offers free SSL certificates to customers, so you won’t have to worry about obtaining and installing one yourself.
Remove your WordPress version number
Many hackers will tailor their attacks based on the WordPress version of their target site.
They are able to see what version of WordPress a website is using by looking at the site’s source code.
You can hide your version number with most kinds of security plugins. However, if you’d rather do this manually you can do so by adding the following function to your functions.php file:
function wpbeginner_remove_version () {
return “”;
}
Use secure hosting
Do you know who your WordPress site is hosted with?
It can be easy to click and forget when it comes to hosting, but if your website host isn’t on top of security, then you could easily find that your website has been compromised.
Yes, we know you’d expect us to say this, but your hosting service plays the most critical role in the security of your website.
A good hosting service (oh, hi there! ✋😀) provides a secure foundation for your website, making it far tougher for any potential troublemakers to access your site 💯💪.
A good hosting service will be continuously working in the background to maintain the security of your site, doing things such as:
- Continuously monitoring their network for suspicious activity and failed logins.
- Putting tools and procedures in place to detect and prevent DDoS attacks.
- Updating their server software, php versions and hardware on an ongoing basis to stop hackers from exploiting vulnerabilities in old software and hardware.
- Having disaster recovery processes in place to recover your site and its data should the worst happen.
Secure your website today with upHost
Excellent hosting is the foundation of website security. If you want to make sure your website’s as secure as possible, then speak to upHost today.
We’re committed to providing the best hosting possible, at the best possible prices. Whether you’re a new business, an established business or a freelancer or sole trader, upHost will have a hosting solution that works for you.