For some reason, people assume that WordPress sites aren’t secure and are easy to hack into. WordPress is actually an extremely secure platform; however, it can get hacked into quite easily if you aren’t careful or don’t know the proper precautions to take to protect your site.
Many web designers and developers don’t know the first thing about properly securing a WordPress site. They may be great at design or setup, but ensuring the site is properly secured is as important as, if not more important than, having a good-looking site. Below are 7 tips for keeping your WordPress site protected and secure from hackers.
1: Backup, Backup, Backup:
While this may not be an actual way to prevent hacking, it is a sure way to recover from a hacking relatively easily. You should always have a full backup of your website available, which includes your website files, databases, emails, and anything else on your server. We provide full backups every day for our clients to ensure there is always a recent restore point available, but it amazes me that over 90% of our clients never ask us if we take backups of their website. It also amazes me how many web hosts and web development companies never set up or take backups, and we’ve heard horror story after horror story of what happens when a backup isn’t available.
In the event that your site does get hacked into, it generally only takes about 20 minutes to restore a full backup for a moderately sized web hosting account. Just be careful about restoring too quickly: you’ll want to grab the access logs and identify how the hacker was able to get into the site first, so you know what to fix once the account is restored.
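A first pass over the saved access logs can be scripted. The sketch below is an added example, not part of the original article: it summarises login attempts per IP address and flags addresses that failed repeatedly and then got in. It assumes Apache/Nginx "combined" log format and stock WordPress behaviour, where a failed POST to `/wp-login.php` returns 200 and a successful one redirects with 302; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:30:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:30:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:11:02:40 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_attempts(log_text):
    """Per-IP summary of POSTs to /wp-login.php."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "first_success": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        entry = stats[m["ip"]]
        if m["status"] == "302":    # assumption: redirect means the login worked
            entry["succeeded"] += 1
            entry["first_success"] = entry["first_success"] or m["ts"]
        elif m["status"] == "200":  # assumption: form re-rendered, login failed
            entry["failed"] += 1
    return dict(stats)

def suspicious(stats, min_failures=3):
    """IPs that guessed repeatedly and then got in."""
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] >= min_failures and s["succeeded"] > 0)

if __name__ == "__main__":
    summary = login_attempts(SAMPLE_LOG)
    for ip in suspicious(summary):
        print(ip, summary[ip])
```

The `first_success` timestamp gives a starting point for reviewing what that address did next, and for choosing a backup taken before that moment.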
2: Secure Your User Name / Password:
By default, WordPress uses the user name “admin” and allows users to set up any password they wish. We’ve had clients use passwords such as “password123”, “asdfgh1”, and other easy-to-crack password combinations.
We always recommend changing the default WordPress user name away from admin. There are robots programmed to try to crack into WordPress sites, and most of these robots are built with the assumption that the user name is “admin” by default because the majority of site owners never change it.
In addition, a strong password is required for WordPress sites. A strong password isn’t your birthday; it’s a password generated by a password generator tool. These tools will generate a password 15-20 characters long, which yields an extremely secure, virtually uncrackable password. Be sure to store your login details in a safe, secure location.
3: Check Your Computers:
This is actually one of the most common ways a WordPress site gets hacked into, yet it is rarely talked about. The majority of hackings that we’ve seen actually occur due to a virus or malware being installed on a computer. The virus will track your keyboard strokes and record your passwords, not only to your WordPress site but to anything else you log in to.
It’s important to regularly check your computers for viruses and malware. In addition to running the scans, make sure you’ve updated to the latest virus definitions to stay up to date on new viruses. And lastly, make sure your internet connection uses a firewall and your anti-virus software is set to real-time monitoring.
4: Secure Your Server:
Another common way for a site to get hacked (WordPress or otherwise) is having a server which isn’t properly secured. Servers also require unique user names, strong passwords, and regular updating, so if you don’t have a fully managed server, make sure you stay on top of these aspects; otherwise your entire server could become vulnerable to a hacking.
5: Keep WordPress Updated:
WordPress, like any software, isn’t perfect. Bugs and security flaws are constantly found in WordPress, and each time a new version is released, the security flaws in the old version become public knowledge, leaving outdated sites extremely vulnerable.
It’s important to stay updated with WordPress updates. Remember to always take a backup and consult with your web developer prior to running a WordPress update yourself. Depending on the modifications they made to your site, you may need to take extra steps to perform a full WordPress version update.
6: Keep Your Themes and Plugins Updated:
Much like WordPress, plugins, extensions, themes, and anything else added to your WordPress site should stay up to date. It’s extremely important to check with your web developer prior to updating plugins and themes as they likely modified parts of the core plugin to provide added functionality for your site. In these cases, a manual update is often required.
7: Hide Signs Of WordPress:
Whenever we develop a site, we always remove the “Powered By WordPress” in the site’s footer as well as any meta information in the HTML which reveals that the site is WordPress and the version number. This prevents robots from easily identifying that a website is running WordPress, especially when it’s running an older version of WordPress with known security flaws.
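To confirm the cleanup actually took effect, the rendered HTML of your own pages can be audited. The script below is an added example, not code from the original article. It checks for the generator meta tag and the footer credit described above and, going one step beyond what the article lists, for asset URLs under `/wp-includes/` or `/wp-content/` carrying a `?ver=` parameter, which can still disclose the version after the meta tag is gone. Both HTML samples and the version number in them are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a rendered page (not from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-includes/css/style.min.css?ver=5.8.1" />
</head><body><p>Hello</p>
<footer>Proudly powered by WordPress</footer></body></html>"""

# Same page after cleanup (also constructed).
CLEAN_HTML = """<html><head>
<link rel="stylesheet" href="/assets/style.min.css" />
</head><body><p>Hello</p><footer>Example Co.</footer></body></html>"""

class FingerprintAudit(HTMLParser):
    """Collects markup that discloses WordPress or its version."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        # <meta name="generator" content="WordPress x.y.z">
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator-meta", a.get("content", "")))
        # Asset URLs under wp-includes/wp-content, often with ?ver=x.y.z
        for attr in ("href", "src"):
            url = a.get(attr, "")
            if re.search(r"/wp-(?:includes|content)/", url):
                ver = re.search(r"[?&]ver=([\w.]+)", url)
                self.findings.append(("asset-url", ver.group(1) if ver else ""))

    def handle_data(self, data):
        # Footer credit such as "Powered by WordPress"
        if re.search(r"powered\s+by\s+wordpress", data, re.I):
            self.findings.append(("footer-credit", data.strip()))

def audit(html):
    """Return a list of (kind, detail) disclosures found in the HTML."""
    parser = FingerprintAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

An empty result only means these three markers are absent from that page; it is a check on the cleanup, not a substitute for keeping WordPress itself updated.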
While these 7 tips won’t protect your site from every hacker out there, they will certainly prevent the vast, vast majority of hackings. Having a site hacked into on WordPress is rare. We estimate that 1 in 100 clients gets hacked into during an average year, and 99.9% of these hackings are because the client has a virus on their computer which revealed their login details or the client changed their password without our knowledge to something easy to crack. Follow these 7 steps and your site will be strong and protected for years to come.