6 Simple Security Tips for Your WordPress Website
When running a WordPress website for your business, there are only a few things worse than falling victim to a cyberattack.
On one hand, you stand to lose countless hours of hard work.
On the other hand, there is the damage to your business reputation and bottom line.
Imagine a prospective client discovering your business online, only to find your website flooded with adverts for illicit drugs.
Or, Google blacklists your website from search results because of the spam hackers have added to your site. Your website traffic grinds to a halt and new leads start to taper off.
No matter the exact consequence of a hacked website on your business, it’s a serious issue that demands proactive protection.
WordPress is the most commonly used CMS (Content Management System) in the world. You can create any type of website on WordPress, from small, basic one-page websites to sophisticated multi-page e-commerce websites.
Due to its popularity, it is also a more attractive target for security hacks!
Remember, when your website gets hacked, it is not a personal attack. Most of the time the hacker doesn’t even know you or your business; they are just using it as a stepping stone on their journey to becoming better hackers.
Hackers look for easy targets: sites that do not take their website security seriously.
You see, hacking is one of the most sought-after jobs in the world. All the biggest companies want the best hackers working for them, because if they have the best hackers working for them, they are less likely to get hacked.
In this article, we’ll explore six easy (and actionable) security tips for your WordPress website. No coding required. Let’s dive in!
P.S. I have added one more bonus tip at the end!
Tip #1: Update WordPress, Your Theme, and Plugins Regularly
Just as smartphones and computers have software updates that bring in new features, fix bugs, and keep things running smoothly, your WordPress website is no different.
Hackers find and exploit security holes in the software that runs your website behind the scenes. They can use technical vulnerabilities to inject malicious code or hijack your website entirely.
Keeping your website updated is the primary defence against this type of attack, as developers often patch security holes in updates before hackers have a chance to exploit them. This includes WordPress core, your website theme, and all installed plugins.
Tip #2: Uninstall Plugins You Don’t Need
It’s very normal to accumulate a ton of plugins over the years.
It’s also very normal for many of them to be now unnecessary and/or obsolete.
Even if you’re updating regularly, every unused plugin poses two problems. Firstly, it uses space and memory, which could slow down the loading time of your website. (Not good for SEO). Secondly, every plugin is a potential entry point for a hacker. (It’s an extra window in your warehouse you need to secure from thieves.)
The best option is to uninstall any unused plugins. However, ensure the plugin is not in use before removing it. First, deactivate a plugin and then check your website for any errors or formatting changes. If nothing has broken, only then proceed to uninstall.
Tip #3: Have an Active SSL Certificate
In simple terms, an active SSL certificate means that your website data is encrypted whilst travelling on the web.
You enter your WordPress username and password on www.example.co.za/wp-admin in order to log in. These sensitive details travel across the internet from your computer to the website server, which verifies your credentials before letting you in.
It’s during this journey that a hacker could intercept the connection – and steal your username and password. SSL works to prevent this.
So, how do you get SSL for your WordPress website?
The good news is that many web hosting companies in South Africa (including Domains and XNeelo) provide SSL certificates for free. In fact, your website might be running SSL already.
To check, simply visit your website in Google Chrome and look at the URL address bar. If you see an arrow icon before the web address, your website has SSL. That’s great and there’s nothing further required.
If you see a hazard icon and the warning “Not secure,” it means that your website lacks SSL entirely, or there’s something amiss in the configuration. The next step is to contact your web hosting company and inquire about your SSL status. Although it’s possible to install and configure SSL on your own, it can be tricky.
Tip #4: Use a Strong Password for WordPress & Website Accounts
At a minimum, a strong password is 10 characters long, includes a mix of numbers, uppercase and lowercase letters, and two special characters (such as @, #, $, *, !, ?), and is not re-used anywhere else. A password should not include any personal info, for example, the name of your business or your cat.
These best practices apply to your WordPress account, web hosting account, cPanel, FTP, and email mailbox. Hackers could use any of these platforms to access your website.
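The rules in this tip can be checked automatically. The following is an added example, not part of the original article: a hypothetical `password_problems` function that reports which of the rules a candidate password breaks, including personal words hidden behind common letter swaps such as 3 for e. It cannot tell whether a password is re-used elsewhere, and the sample words are constructed.

```python
import string

SPECIALS = set(string.punctuation)  # includes the article's @ # $ * ! ?
# Common look-alike swaps, so "4cm3" is still recognised as "acme".
_SWAPS = str.maketrans("0134@$5", "oieaass")


def password_problems(password, personal_words=()):
    """Return the list of Tip #4 rules that the password breaks."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if sum(c in SPECIALS for c in password) < 2:
        problems.append("fewer than two special characters")

    # Personal info: compare case-insensitively, with and without swaps.
    lowered = password.lower()
    unswapped = lowered.translate(_SWAPS)
    for word in personal_words:
        w = word.lower()
        if w and (w in lowered or w in unswapped):
            problems.append(f"contains personal info: {word}")
    return problems


if __name__ == "__main__":
    # Constructed examples: a pet name, a business name, a random string.
    for candidate in ("Fluffy2024!", "4cm3!Rocket#92", "t7#Kq!vR2m$Lw"):
        print(candidate, password_problems(candidate, ["Fluffy", "acme"]))
```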
Tip #5: Backup
Regularly backing up your website is perhaps the most important rule for WordPress security.
If a hacker does break through, then restoring from a backup is one of the fastest and easiest ways to get your website perfectly back to normal again.
How often you back up depends on the activity of your website. Publishing new blog posts and making edits weekly? Then daily backups are essential. E-commerce store with multiple daily sales? Back up hourly to safeguard customer orders and transaction details. If changes are more sporadic, say once or twice a year, then back up monthly as a bare minimum.
Fortunately, there is no shortage of free and paid solutions that can automate the otherwise technical backup process. You choose a backup frequency, a place to store the backup, and the backup solution does the rest automatically.
Here at DEZIGN-IT, we use a combination of All in One WP Migration, UpdraftPlus, and server-side backup solutions on all our client sites. It’s worth having multiple backups from different sources in case something fails.
Tip #6: Know the Symptoms of a Hacked WordPress Website
What does a hacked website look like?
Unfortunately, there’s no simple answer.
Website hacks are sometimes immediately obvious. For example, the cybercriminal defaces the homepage or inserts obtrusive ads for illegal drugs.
In other cases, hackers go to great lengths to hide their attack. It can take weeks to months before you realise something’s gone wrong.
Here are some of the more obvious symptoms to look out for:
- New links appearing in your website text. These often go to phishing websites.
- Existing links redirect to spammy websites. For example, the ‘About Us’ link in your menu redirects to an online casino.
- New adverts and pop-ups displayed on your website.
- New posts and pages on your website, often in a foreign language.
- Google Analytics shows massive spikes, or massive drops, in website traffic.
- Unable to log in with your correct username and password.
- Password reset emails are not received.
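The first symptom, new links appearing on your pages, can be checked with a small script. The following is an added example, not part of the original article: it lists every link, script and iframe on a page that points to a host outside a baseline you define. The baseline, the sample page and the `.invalid` hosts are constructed for illustration; the script does not follow redirects, so redirected links still need a manual click-through.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.co.za"  # the article's example address
# Constructed baseline: hosts the site owner knows the page should link to.
BASELINE_HOSTS = {"www.example.co.za", "www.facebook.com"}

# Constructed sample of a page with two injected elements.
SAMPLE_PAGE = """
<nav><a href="/about-us">About Us</a>
<a href="https://www.facebook.com/example">Facebook</a></nav>
<p>Read our <a href="https://casino.invalid/win">latest news</a>.</p>
<script src="//ads.invalid/pop.js"></script>
<a href="mailto:info@example.co.za">Email us</a>
"""


class LinkCollector(HTMLParser):
    """Collect link targets from anchors, scripts and iframes."""
    WATCHED = {"a": "href", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append((tag, value.strip()))


def unexpected_links(html, baseline_hosts, site_host):
    """Return (tag, host, url) for every target outside the baseline."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.targets:
        parsed = urlparse(url)
        if parsed.scheme not in ("", "http", "https"):
            continue  # mailto:, tel: and similar are not web links
        # Relative links have no host and stay on our own site.
        host = (parsed.hostname or site_host).lower()
        if host not in baseline_hosts:
            findings.append((tag, host, url))
    return findings


if __name__ == "__main__":
    for tag, host, url in unexpected_links(SAMPLE_PAGE, BASELINE_HOSTS, SITE_HOST):
        print(f"unexpected <{tag}> pointing to {host}: {url}")
```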
Bonus Tip! Use the Wordfence plugin which has a free option!
Use a WordPress plugin like Wordfence to secure your website. At the time of this post, Wordfence has been installed on over 4 million websites. Wordfence offers a FREE version of their plugin which you can install on your website. The free version has basic features like:
- Login Security
This is a good starting point and better than nothing. You can purchase the premium version if you want more features.
Taking some basic security steps like these can go a long way to protect your WordPress website from hackers.
It’s well worth the time and effort, as recovering from an attack is both costly and complex, not to mention the impact on your business reputation and bottom line.
Any questions? Drop a comment below and we’ll try our best to help.