When you're running your own business and website, there are times when certain tasks get pushed further and further down the to-do list. I know one of those tasks for a lot of people is website security. You might find yourself saying things like, "I'll get this taken care of next week," or "I know I need to do this, but it can wait until tomorrow." Tomorrow turns into the next day. The next day turns into next week, and pretty soon it's months later, and you still haven't taken care of it. Our guest author today is Anna Bogushevskaya. She helps build and maintain websites, so part of her job is ensuring all of her clients understand and keep up with website security. Lucky for us, she's sharing 8 powerful tips for WordPress security. These are simple and quick things we can do right now. And on top of tighter website security, we'll have a greater peace of mind! Read on for her awesome tips.
Several years ago, when I started building websites, I learned about WordPress security the hard way.
One morning, I switched my computer on, opened my site, and…Boom!
I saw a black screen with a brutal man carrying a couple of pistols, saying, “Your site has been hacked.” There was even some rock music playing in the background. Yes, the hackers went all out with background music and a graphic.
I wasn’t impressed.
The situation was terrible. The whole site was gone. I had no access to the dashboard, and moreover, I hadn’t backed anything up.
I looked for support from my hosting company, but they deleted all my databases and returned everything I had to zero because I was hacked.
“Amazing” support, right?
So I had some major damage control to work through. First, I had to rebuild the website from scratch. Second, I never wanted this to happen again, so I asked myself, “What should I do to avoid this situation in the future?”
I studied a lot of resources to get the answers, and after implementing the following tips, I haven’t had any more hacking experiences.
So, now I want to share some basic tips to keep your WordPress site secure. These 8 tips for WordPress security are quite simple. Anyone can follow them, even if you’re not technically savvy. Let’s go!
Change Your Default Admin Login Name
When you install WordPress, it uses “admin” as the default username for the administrator account. This admin username should be changed right away because most hackers know that WordPress suggests “admin” as the login name by default. Of course, hackers will try to gain access to your site by using this username. It’s the first thing hackers will try.
Here’s a great post that will walk you through changing your WordPress username if you didn’t do that when first installing.
Regularly Back Up Your Website
These days most people know the importance of backing up your site. But, just in case you haven’t thought about it yet or you haven’t taken steps to make it a regular task, I want to reiterate how important it is to never miss this task. Make sure your website and all databases are backing up to some external disk or the cloud, preferably once a week.
Many hosting companies suggest you back up services as well. But, at the very least, it’s always a good practice to back up your site and databases to external sources, like your computer, an external disk, or Dropbox.
Another option is to install a backup plugin.
Here are a few great plugins I’ve tested.
This is a premium backup plugin for WordPress, and it’s the most popular. You can schedule your backup as a daily, weekly, or monthly task. You have the option to store the files in Dropbox, Amazon, FTP, or to email them to yourself. They have different payment options, as well, either a yearly subscription or a lifetime license.
This plugin allows you to create a complete backup of your site, as well as to store it on the cloud service or download it to your computer. This plugin is free, but it has a premium version with extra features.
This is a free plugin for WordPress that allows you to create a backup of your entire website and its database then upload it to your Dropbox account. Dropbox is also a free service, which gives you space to store files on their cloud server. Another great thing about this one is that by backing up everything to your Dropbox, you can access your files from any device. All you need is an internet connection.
The premium version of this plugin allows you to create scheduled backup tasks and get a backup status e-mail that reports copy, clone, or migrate websites.
With the free version, you’ll need to backup manually.
This free plugin is one of my favorites. I use it on almost all my websites and suggest it to my clients as well. With this plugin, you create a schedule, upload the files automatically, and store them on the cloud (Dropbox, Amazon S3), FTP, email them, or store them directly on your computer.
I like BackWPup because it’s extremely easy to set up and use.
Keep Your WordPress Site Updated
Many people still think WordPress is not a secure CMS (Content Management System) because of its open source. But the WordPress platform takes security seriously. Even some big media and government sites are using WordPress, so it’s a secure and stable platform, especially if we’re talking about a small business website.
The most important issue here is that you should keep WordPress and all plugins up to date. Because, normally, every update contains the most important security updates as well. When you see the notifications that an update is available, make time to keep everything current.
Use Strong Passwords
This is simple. Uppercases, numbers, special symbols, and long passwords work well. Never use your name, your spouse’s name, your date of birth, or any other personally identifiable number in your passwords. Make it harder for automatic tools to guess your password. The more random the better.
Use a Good and Reliable Hosting Company
I have a lot of personal experience with different hosting companies, both good and bad. For instance, the one I mentioned above, who deleted all my files from their account, was simply bad and not a helpful company.
Moreover, sometimes some bad hosting companies will even make your site “hacked,” and then instead of any support, they quickly suggest you use their partners’ services to clean your site from malicious code. Of course, this requires money and is usually not cheap!
Look for a hosting company that gives their attention to security. Choose hosting that:
- Supports for the latest versions of PHP and MySQL
- Is optimized for running WordPress
- Has great customer support (so critical)
- Has malware scanning built in
But when we’re talking about hosting, the most crucial thing I look for is how their support system works. I'll only work with a hosting company that cares about a lot of things for me. Even if I’m asking them something silly or something they’re not responsible for, I want to know that they'll help me out. Also, they must take their security system seriously.
I can’t stress this enough. Good hosting is big deal.
Make Sure You Use Correct File Permissions
Even though this is a bit on the technical side, it’s an important part of keeping your WordPress site secure.
Setting a directory with permissions of 777 could allow someone to upload or modify a file, which can ultimately cause a malicious attack. Here are a few quick and dirty tips.
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
For more details, check this WordPress guide about changing file permissions.
To get started, simply go to your File Manager from cPanel and check the codes there, just in case.
Hide Your Login Page
This is one of my favorite things because it’s so simple but so very useful.
When you install WordPress, it gives you a default login URL for your admin dashboard. It’s either “/wp-admin/“ or “/wp-login.php.” Malicious parties know this, so they try to attack your login page. Moving your login page makes it difficult for hackers to perform a brute force attack.
Here are few good plugin solutions for this.
Hide Login+: This plugin allows you to create a custom URL for login, log out, sign up, and Admin pages.
Lockdown WP Admin: Another plugin that hides the WordPress admin.
Anything you can do to make a hacker’s task more difficult is a win for your security. They might just move on to a less secure site that will take less time and effort to get into.
A Few All-in-One Solutions
You may also want to consider an all-in-one security solution to protect your website. WordPress has a few good plugins that will take care of a lot of security issues for you.
Just remember to install plugins from reliable sources only. Preferably, they should be published on the Wordpress.org website.
Your website’s security is something you need to take seriously. If your site is hacked, there’s a high risk you’ll be blacklisted because your site will send spam (usually this is the main purpose of hacking your site). Even if your site is new, don't think it'll go unnoticed. Newest websites are even more likely to be hacked.
Start with these simple tips and you'll greatly reduce your risk of meeting a hacker's smile one day, like I did.
Anna Bogushevskaya is a founder of "Digital Drive with Anna." She's a Digital Marketing Strategist with a focus on Search Engine Optimization. Anna helps bloggers, entrepreneurs, and small businesses to optimize their websites, get more free traffic, and achieve better positions in search results.