WordPress is one of the world’s most popular content management systems (CMS), powering over 40% of all websites. Its popularity also makes it a prime target for hackers and cybercriminals daily. As a WordPress blogger, it is important to take website security seriously and protect your site from threats.
This means don’t blindly follow what other bloggers recommend in online community groups or add a plugin because some other blogger recommends it. Unless they know what they are saying, they are most likely just re-telling something someone else told them.
Most bloggers don’t have the time or desire to learn WordPress security’s ins and outs to know what is and isn’t good advice. Can you risk taking the opinion of someone who’s perhaps no more skilled in WordPress than you?
If I’ve learnt anything in all my years around blogging, most people fake it till they make it, and online community groups are full of questionable advice daily.
Why Website Security is Important for WordPress Bloggers
As a blogger, you pour your heart and soul into creating valuable content for your readers, turning your blog into your source of income.
What blogger isn’t aiming to meet the entry requirements for Mediavine or Raptive’s ad networks to start earning some real money?
But have you considered the security of your WordPress website when aiming for that goal? Protecting your website from malware or being hacked is crucial to ensure your blog’s livelihood and to maintain your audience’s trust.
WordPress is not immune to security vulnerabilities. Security issues are reported daily. Suppose you wake up tomorrow to find your blog hacked, corrupted or, at worst, deleted. Could you recover it quickly enough to avoid negatively impacting your revenue, its SEO potential and future traffic growth?
Below are the best WordPress security tips for bloggers. I believe they can set you on the right path without overly complicating how you blog or by putting the fear of god into you with endless alert emails. They are by no means the perfect setup but they are a good middle-ground. If you run any form of e-commerce on your blog, the below is the minimum you should be aiming for.
Common WordPress Security Threats
WordPress security threats can come in various forms, including malware, brute force attacks, and phishing scams. Some of the most common security threats include:
- Outdated plugins and themes: Outdated WordPress plugins and WordPress themes can contain vulnerabilities that hackers can exploit to gain access to your website.
- Weak passwords: Weak passwords can be easily guessed by hackers, making it easier for them to gain access to your website.
- Malware and viruses: Malware and viruses can infect your website and cause significant damage, such as stealing personal information or crashing your website.
- Brute force attacks: Brute force attacks involve hackers attempting to guess your login credentials by trying numerous password combinations.
- Phishing scams: Phishing scams involve hackers sending emails or messages that appear legitimate but are designed to trick you into providing personal information.
Securing Your WordPress Site
Securing your site isn’t complicated, despite what you might read online. And yes, you can take things much further than I’m highlighting in this article. But as a blogger who is most likely managing your blog by yourself, you want the best bang for your buck, so to speak. Preferably free, or at least until you start making an income.
Choosing a Good Hosting Provider
Choosing a good hosting provider is the first step in keeping your WordPress site safe. Look for a hosting provider that charges more than you’d pay for a couple of coffees at the local cafe monthly as a starting point.
If the hosting is cheap, the host will care very little about the security of your site. Not to mention, cheap hosting is always underpowered and will lack any good built-in security and performance options you need.
Your web host is the foundation you build your site from. Don’t cut costs here, or you’ll be chasing your tail not only with security but also site speed and day to day frustrations just using the site.
Look for a WordPress hosting provider that focuses on WordPress or provides WordPress-specific hosting. The good ones aren’t cheap. There’s a reason for that.
Some of the better ones to look at are:
- Big Scoots
- Assistant WordPress Hosting (My hosting service, which is packed full of security and performance options out of the box)
Keeping WordPress Updated
Keeping your WordPress site updated is required to maintain its security. WordPress releases regular updates that include security patches and bug fixes. On top of that, plugins and themes also get regular updates weekly or even daily. Make sure to update your WordPress site, plugins, and themes as soon as new updates become available.
And yes, some WordPress updates might change the admin dashboard or how your blog works, but is staying on an old version of WordPress where there might be security vulnerabilities the best decision? We all hated the Gutenberg block editor, but these days, most new bloggers don’t know any different. Don’t let your routine or comfort factor drive your WordPress security.
Do you avoid running updates for fear of breaking your site? Here are a few reasons why dealing with that is better than the alternative:
- Security patches: WordPress updates often include patches that address known vulnerabilities. By keeping your WordPress version up to date, you can protect your website from potential attacks.
- Bug fixes and improvements: Updates include bug fixes and improvements that enhance your website’s overall performance and functionality. By staying updated, you can ensure that your site runs smoothly and efficiently.
- Compatibility: Updating WordPress ensures compatibility with the latest versions of plugins and themes. Using outdated versions may lead to compatibility issues, which could compromise the security and functionality of your website.
- Stay ahead of hackers: Hackers are constantly looking for vulnerabilities in outdated versions of WordPress. By regularly updating your website, you can stay one step ahead and minimize the risk of being targeted.
Strong Passwords and User Permissions
Using strong passwords is a non-negotiable for securing your blog. Choose a strong password that includes a mix of uppercase and lowercase letters, numbers, and special characters. Additionally, limit user permissions to only those who need access to your site. This reduces the risk of unauthorized access and helps keep your site safe and secure.
Did you add a VA to help on the site, but they no longer work for you? Delete them. Get tech help from someone? If you no longer work with them, delete them.
Who’s to say, while your password is secure, that theirs is? And maybe they used the same password on multiple sites?
A strong password is not the name of your pet, your favourite football team, your favourite band or a dessert.
Use the below as a guide on how to create a strong and secure password:
- Length and Complexity: Make passwords at least 12 characters long or longer. Use uppercase and lowercase letters, numbers, and special characters in your password.
- Avoid Common Patterns: Avoid easily guessable patterns such as “123456” or “password.”
- Unique Passwords: Don’t use the same password for multiple accounts online. If one account gets compromised, all other accounts could be at risk.
- Password Managers: Use a password manager to generate and store all your passwords securely. This way, you don’t have to remember all your passwords. I use and love 1Password for this.
- Update Passwords: Update your passwords regularly. Every three to six months is a good rule of thumb. This reduces the chances of someone gaining unauthorized access to your website.
- Two-Factor Authentication (2FA): Enable two-factor authentication for extra security. This requires users to provide a second verification step, such as a unique code sent to their mobile device and password manager.
Note: Sadly, most 2FA plugins for WordPress are insecure and can be hacked as after all they are just a plugin too. But having one is a better deterrent than nothing at all. And it gets you into a good habit since most online services need this now.
Don’t Use WordPress Security Plugins
Yep, you read that right DO NOT use a WordPress security plugins to secure your site. WordPress security plugins are rubbish. They slow down your site, send you endless scary email alerts that you might not understand, have confusing admin interfaces and bloat out your WordPress database, making backups larger, and your web host complain.
They are just plugins open to being hacked and compromised like all other plugins. All the popular WordPress security plugins have been compromised in some way, shape or form.
For those who run a WordPress security plugin, think back to the last time you took action based on one of those emails. Have you ever?
Also, did you know that all those security plugins are stealing resources from your hosting server to process potentially hundreds of millions of suspect hits to your site each day? You know that web host you only pay $10 a month for that you find slow all the time? Find yourself hitting your web host’s resource limits often…
Save your sanity, and just don’t install them. I don’t run any big security plugins on my client’s sites, and we get by just fine. Why? Because there are better, more proactive ways to manage and improve the security of your site.
Regularly Backup Your Website
Backing up your WordPress site is the ultimate security insurance for your blog. It provides a safety net in case your website gets hacked or experiences technical issues. With a backup, you can easily restore your site to its previous state, minimizing downtime and potential data loss. If you run ads on your site, you want it up at all costs. A few hours of downtime might be a lot of money for you.
Secondly, regular backups protect you from human error. If you accidentally delete an important file or make changes that negatively impact your site’s functionality, having a backup allows you to revert those changes quickly.
There are several methods you can use to back up your site. One option is to utilize a backup plugin such as UpdraftPlus or BackWPup, which automates the backup process and allows you to schedule regular backups. These plugins also offer options for storing your backups on cloud platforms like Dropbox or Google Drive.
Another method is to manually back up your site by exporting the WordPress database and downloading all the files from your website’s hosting control panel. This approach requires more technical knowledge but gives you full control over the backup process.
Don’t rely on your web host to maintain backups, either. Especially on cheaper hosting (I’m looking at you HostGator and Bluehost). Many provide backups but don’t guarantee them, so if you have a backup from your web host, download it or restore a file now and then to be sure it works.
Regularly backing up your WordPress site is the best insurance you can get for your blog. It could be the difference between having your blog and a potential disaster where your blog is gone for good overnight due to a security breach.
Implementing Advanced Security Measures
For those of you more comfortable with the technical side of your blog or just know how important security is to your blog. Here are some of the best security measures I think bloggers can implement to ensure the safety of their WordPress site that won’t cost you a cent.
Two-factor authentication (2FA) is an additional security layer that requires users to provide two forms of identification to access their accounts. By enabling 2FA, bloggers can prevent unauthorized access to their WordPress site even if their login credentials are compromised.
There are several 2FA plugins available for WordPress that you can install as a plugin. But as I mentioned above, be aware these are just plugins that can be compromised like all other plugins on your site. Once you are hacked, all plugins on your site become open to exploitation. So your 2FA plugin becomes unless at that point in time.
Cloudflare is free to use and can help boost your site speed and provide an amazing firewall between your blog and the greater internet. Aside from the speed benefits it affords you, the web application firewall (WAF) offers amazing site protection.
Think of this as doing the job of one of those WordPress security plugins at a level before that sort of traffic even reaches your blog.
If the bad attempts on your login page are stopped before they even reach your site, you don’t need as much complexity on your blog or server. This also means less bad traffic to your blog, so your hosting server isn’t working overtime, serving rubbish requests. This means a faster blog, and we all love a fast blog.
The settings I set for my clients in Cloudflare that are above the default are:
- Custom page rule applying additional security to the WordPress login and WordPress admin page of the blog. This stops many of the bad login requests, or brute-force requests your blog gets daily.
- Firewall rules to block specific countries from loading the site. If your blog has no need for an audience from China, you can just block all traffic to it from there.
- Block bad bots or web crawlers from overloading your site with hits.
- Add extra protections to the comments section of your site to avoid mass comment spam.
All of that can be done on the free tier of Cloudflare and goes above and beyond what your average website security plugin offers. And as I said, all these blocking requests happen before the traffic reaches your blog. Keeping it safe from unnecessary load or traffic.
The 7G Firewall
The 7G Firewall is a block of rewrite rules you save into your website’s htaccess file (if your host supports it) that can block malicious requests to your site.
It offloads many security tasks a security plugin does to your hosting server. So, while not as good as using Cloudflare mentioned above, it still performs faster and better than running a plugin on your site. The server can process these requests much quicker than WordPress does, as it runs on top of the server.
Think of it as a series of layers; the deeper you go, the slower it gets. WordPress is the last layer. Your server is a layer above that, and Cloudflare is at the top layer. The further you block something from WordPress, the better.
I will say, however, that this isn’t for everyone and is best added to your blog by a WordPress developer or support person. That is because editing your htaccess file incorrectly can stop your site from loading correctly. And some rules it actions do not always play nice with your plugins and theme code on your site.
Dealing with Security Breaches
You should always be prepared for security breaches. Even with the best security measures in place, a hack is always possible. If a security breach happens, you should immediately minimize damage and prevent further harm.
Identifying a Hack
The first step in dealing with a security breach is identifying that a hack has occurred. Some signs of a hack include:
- Unusual activity in the website’s logs or WordPress dashboard. Maybe a new plugin has appeared?
- Unexplained changes in the website’s appearance or content
- Strange pop-ups or redirects
- A sudden drop in traffic or search engine rankings
If you suspect that your website has been hacked, take immediate action to investigate and confirm the hack. I recommend hiring a WordPress support professional or contacting your WordPress developer for assistance.
Resolving a hacked site is often complicated, and you risk making it worse by attempting it yourself.
Recovering from a Hack
Once a hack has been confirmed, here are the steps to recover the website and prevent further damage:
- Identify the source of the hack: This can be done by reviewing the website’s logs, looking for suspicious files or code, or using a security plugin to scan the website. Best done by your WordPress developer, support person or 3rd party security firm.
- Remove the hack: Once the source of the hack has been identified, remove the hack by deleting any malicious files or code and restoring any damaged files or content.
- Change passwords and update security measures: After removing the hack, change all passwords associated with the website and update all security measures, such as plugins and themes.
- Notify users and search engines: If the hack has affected users or search engine rankings, notify affected parties and take steps to restore trust and credibility. Check Google Search Console notices and validate any security concerns. Otherwise Google might warn readers that your site is not safe in search or via their web. browser.
Want The Best Security and Hosting For Your Blog?
Here at Assistant, we’ve just finished testing a far more secure 2FA and overall security setup that I’ll encourage all clients to take up. It provides real protection without the bloat or performance impact. This can be set up with all clients signed up to our WordPress Care Plans or just WordPress Hosting.
We pair our custom hosting servers with four security-focused modules to add 2FA login protection, brute force login protection, enhanced password security and login session protection. So should the worst really happen to your blog and it does get hacked, the hackers still won’t be able to take over your site, install plugins or do as they please.
If you’d like to learn more about the services we offer, get in touch today.