Website security for a WordPress-powered site seems obvious: have good passwords, keep everything updated, and don’t install any theme or plugin that didn’t come from a reputable provider.
In reality, it’s a bit more complicated than that.
Security breaches come in all shapes and sizes, and while the above will hold you in good stead, there are many more that you simply cannot plan for, and you can’t be available 24/7 to babysit your website to keep it safe.
So in addition to those common-sense basics, here are my five extra tips (plus two bonus ones) to make your WordPress security that bit better than the average blogger’s.
1. Have Really GOOD Passwords
I know you think I’m just re-hashing the first point, but hear me out. How many of you have passwords that you can easily remember? Exactly. A good password is not something like “13CuteBears”, which is two dictionary words and a short number and falls quickly to a wordlist attack; a good password looks like “xWi_eqhx@4*9bit_8JVAR7kdDwp7U”: long, random and impossible to remember, which is exactly why you shouldn’t be the one remembering it.
And do you use a different password for your email account, WordPress login, web host login, domain registration login and so on? It only takes one of the many online services we use to get compromised, and a single password reused across all of them can bring you down.
The easy way to do this is to use a password manager like 1Password or LastPass: it generates a unique random password for every login and remembers them all for you.
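To make the difference between the two passwords above concrete, here is an added example (not code from the original post) that generates a password the way a password manager does and puts a rough number on how much harder it is to guess. The 20,000-word wordlist size and the 10 billion guesses per second cracking rate are assumptions chosen for illustration, not measurements.

```python
import math
import secrets
import string

# Character set a password manager typically draws from (94 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 28) -> str:
    """Return a uniformly random password of `length` characters from ALPHABET.

    secrets.choice uses the operating system's CSPRNG; random.choice is seeded
    predictably and must never be used for passwords or keys.
    """
    if length < 16:
        raise ValueError("use at least 16 characters for a site login")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits assuming every character was chosen uniformly at random.

    Correct for generator output like xWi_eqhx@4*9bit_8JVAR7kdDwp7U. It badly
    overstates a human-chosen password, which is why word_pattern_entropy_bits
    exists for the 13CuteBears style.
    """
    return len(password) * math.log2(alphabet_size)


def word_pattern_entropy_bits(words: int, digits: int, wordlist_size: int = 20_000) -> float:
    """Entropy of a 'number + a few dictionary words' password as an attacker
    models it: each word is one pick from a wordlist (assumed 20,000 entries),
    each digit one pick from ten. 13CuteBears is two words and two digits.
    """
    return words * math.log2(wordlist_size) + digits * math.log2(10)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline cracking rate
    (1e10/s is a plausible GPU figure for a fast hash; slow hashes such as the
    bcrypt-based one WordPress uses cut it by orders of magnitude)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    weak = word_pattern_entropy_bits(words=2, digits=2)          # "13CuteBears"
    strong = entropy_bits("xWi_eqhx@4*9bit_8JVAR7kdDwp7U")        # the post's example
    print(f"13CuteBears style: ~{weak:.0f} bits, exhausted in {seconds_to_exhaust(weak):.1f} s")
    print(f"random 29 chars:   ~{strong:.0f} bits, exhausted in {seconds_to_exhaust(strong):.2e} s")
    print("fresh password:", generate_password())
```

The point the numbers make is that “looks complicated” is not the same as “hard to guess”: capitalised words plus a number have a few dozen bits of entropy at best, whereas 29 random characters have well over a hundred, and that gap cannot be closed by memorable tricks.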
2. Protect Your Login Page
Protection on a login page sounds over the top, but it’s really good practice to stop brute-force attacks on your site. A sustained attack on your login page (thousands of POST requests to wp-login.php, each of which makes WordPress boot and check a password hash) can quickly overload your hosting server. That gets the host’s attention, and they start to slow your site or block it for using too many resources. If all those requests hit a password prompt or challenge page instead of your site, it’s a huge resource saving for your server.
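Here is what such an attack looks like in an ordinary access log, and how to spot it, as an added example that is not part of the original post. It parses combined-format log lines (the default for Apache and Nginx) and flags any IP that fails to log in ten or more times within five minutes. The sample lines are constructed for the example, using documentation IP ranges; the window and threshold are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login_bursts(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: attempts} for every IP that posted to wp-login.php at least
    `threshold` times within any `window`, counting only failed attempts.

    WordPress re-renders the login form with HTTP 200 when a login fails and
    answers a successful login with a 302 redirect to wp-admin, so a run of
    200s on POST /wp-login.php is the brute-force signature; 302s are left out.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample traffic (RFC 5737 documentation addresses, not real visitors).
def _line(ip, when, method, status, ua="Mozilla/5.0"):
    return (f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S %z}] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 1342 "-" "{ua}"')


_t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # one host hammering the form every 5 seconds with a scripted client: 12 failures in a minute
    [_line("203.0.113.7", _t0 + timedelta(seconds=5 * i), "POST", 200, ua="python-requests/2.31")
     for i in range(12)]
    # a real user: loads the form, then logs in successfully (302)
    + [_line("198.51.100.4", _t0, "GET", 200),
       _line("198.51.100.4", _t0 + timedelta(seconds=20), "POST", 302)]
    # a forgetful user: 5 failures spread over 12 minutes, never 10 inside 5 minutes
    + [_line("192.0.2.9", _t0 + timedelta(minutes=3 * i), "POST", 200) for i in range(5)]
)

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))   # {'203.0.113.7': 12}
```

Run it against your real log with `failed_login_bursts(open("access.log"))` and you get the list of addresses worth blocking; the same shape of rule (N failures per IP per window) is what login-protection plugins and Cloudflare’s rate limiting implement for you.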
The easiest way to combat this is to run Cloudflare as your DNS provider (with the site’s records proxied through Cloudflare, so traffic actually passes through them) and set up a page rule to protect the login page. The page rule can be configured to use Cloudflare’s “I’m Under Attack” mode so they weed out the bad requests before they even reach your server. To set up the rule, log in to your account at Cloudflare and click the “Rules” option at the top.
Add a page rule where the URL matches the pattern below (substitute your own domain for mydomain.com):
https://mydomain.com/wp-login.php*
Then from the drop-down options select “Browser Integrity Check” and turn it on, and set the “Security Level” option to the maximum, “I’m Under Attack”.
What this does is lean on Cloudflare’s security options to filter out bad or suspicious traffic to your login page so only legitimate requests reach your site and server. You’ll still see people trying to log in to your site if you log that sort of data, but it will stop the bulk of the obviously malicious traffic. All you’ll see when you load your login page is a short challenge screen from Cloudflare before being passed through to your login form. Two caveats: the challenge needs a real browser running JavaScript, so anything that logs in without one (a script or app posting straight to wp-login.php) will be blocked and needs another route; and the rule only protects traffic that goes through Cloudflare, so if an attacker knows your server’s real IP address they can bypass it unless your host restricts direct access to the origin.
If you don’t currently use Cloudflare on your sites, I highly recommend it. Their free plan (yes, free) offers some great protections that make it a no-brainer for your site.
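The same rule can be created from a script rather than the dashboard, which is handy when you look after more than one site. The following is an added example, not code from the original post or from Cloudflare: it builds the Page Rules API payload for the rule described above, lets you sanity-check which URLs the pattern covers, and (only if you set the assumed environment variables CF_ZONE_ID, CF_API_TOKEN and SITE_DOMAIN) creates it with a single API call.

```python
import json
import os
import re
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def login_page_rule(domain: str) -> dict:
    """Build the Page Rules API payload for the rule set up in the dashboard:
    match https://<domain>/wp-login.php*, enable Browser Integrity Check, and
    set the Security Level to "I'm Under Attack" (API value: under_attack)."""
    return {
        "targets": [{
            "target": "url",
            "constraint": {"operator": "matches", "value": f"https://{domain}/wp-login.php*"},
        }],
        "actions": [
            {"id": "browser_check", "value": "on"},
            {"id": "security_level", "value": "under_attack"},
        ],
        "status": "active",
    }


def pattern_matches(pattern: str, url: str) -> bool:
    """Local approximation of the Page Rule `*` wildcard (any run of characters),
    used here only to check that the pattern you typed covers the URLs you
    expect. This is not Cloudflare's matcher; it is an assumption for the example."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def create_page_rule(zone_id: str, api_token: str, payload: dict) -> dict:
    """POST the rule to Cloudflare. The token needs the Zone / Page Rules / Edit
    permission. This is the only function that touches the network."""
    req = urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/pagerules",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


if __name__ == "__main__":
    # CF_ZONE_ID, CF_API_TOKEN and SITE_DOMAIN are assumed environment variable names for this example.
    domain = os.environ.get("SITE_DOMAIN", "mydomain.com")
    payload = login_page_rule(domain)
    print(json.dumps(payload, indent=2))
    pattern = payload["targets"][0]["constraint"]["value"]
    for url in (f"https://{domain}/wp-login.php?redirect_to=%2Fwp-admin%2F",
                f"https://{domain}/wp-admin/",
                f"http://{domain}/wp-login.php"):
        print(url, "->", "protected" if pattern_matches(pattern, url) else "not matched")
    zone_id, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone_id and token:
        print(create_page_rule(zone_id, token, payload))
```

Note that the pattern as written covers only https; a plain http request to wp-login.php does not match it, which is fine as long as you redirect all traffic to https (Cloudflare’s “Always Use HTTPS” setting does that), and otherwise you can drop the scheme from the pattern so it matches both.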
3. Have A Good Web Host
This sort of goes without saying, I feel, but if you are paying $5, $10 or $15 a month for hosting your website, don’t expect the best level of care. You are just one number among many, many others on the same web server. Big corporate hosting providers offer the bare minimum in terms of meeting WordPress security best practices.
You ideally want a host that focuses on WordPress hosting (like we do). That way you know your host is looking after your interests at the setup level: they provide extra out-of-the-box security options such as automated SSL/TLS certificates, actively block malicious attacks, and make sure the server runs current, supported versions of PHP and caching systems.
I’m purposely glossing over everything a good host does, as it gets a bit technical. Just know that the more bespoke, WordPress-focused hosting providers are far better set up to protect you and grow your blog.
4. Have And Check Your Backups
I’ve harped on about having a website backup before, and you probably don’t think a backup is a WordPress security feature. You’re right, it’s not; a working backup is the insurance that, if something terrible does happen to your site, you can fix it quickly.
You can’t protect yourself from all the evils on the internet, but you can have that backup sitting there at all times should you ever need it. Keep a copy somewhere other than the web server itself (a compromised or failed server takes its local backups with it), and actually test a restore, because a backup you have never restored is a hope, not a plan. I hope it’s the one thing you spend time setting up and testing but never have to use, but if the proverbial does hit the fan you want to know you can recover from it.
5. Audit Who Has Access
Over the life of your blog, I’m sure you’ll have added admin users to your site for various reasons. You’ll have shared logins or granted access to your web host or domain registrar as well to facilitate work on your site. How often since then have you reviewed who has access to what in your business?
Had a tech guy do some work but never removed their access once they were done? Hired an SEO to look over your analytics and site but never revoked their access to your data once they finished?
You have no idea how well they secure their end of things, so if they get compromised it could, in turn, impact you as well.
The less exposure your site has, the better off you will be. So spend five minutes reviewing who has access to what and remove anybody who doesn’t need to be there. For the ones who do need to stay, give each person their own account rather than a shared login, and prompt them to update their password, or better yet change the password for them and let them reset it next time they need access.
6. Bonus Tip
You can’t watch your site 24/7, so set up an uptime monitoring service like UptimeRobot to tell you when your site goes down. Usually a few seconds of downtime here and there is nothing (a server restart or a network blip), but your site going down for minutes at a time, repeatedly, can be a sign of problems to look into.
7. Extra Bonus Tip
There are some great services out there that can provide WordPress security protection for your site and/or repair your site if it is compromised. I’ve touched on Cloudflare as a free option that helps with bot and malicious-attempt protection.
Others to look at that are far more involved in what they can do for you are:
And one final note. If you ever suspect something is not quite right with your site, or a reader emails to say they saw a nasty popup or a blog post that isn’t written by you, get your site looked at by a professional or a professional service. If you just restore a backup you are not fixing the problem, just undoing it until it happens again.
It might also be that your site was compromised some time ago, so restoring a backup won’t help and your site needs to be cleaned. Once you start moving files around and restoring backups it becomes almost impossible to pinpoint the cause of the problem, so preserve what you have (files, database and server logs) before changing anything.
And as always if all of this sounds too difficult to set up or you just want someone to manage all the technical side of your site we have WordPress Care Plans that have you covered.