WordPress is one of the most popular Content Management System (CMS) and it powers more than one-third of websites on the internet. With the multitude of theme and plugin combinations, vulnerabilities are constantly being discovered. And like any website out there, if you don’t take certain precautions, you are at risk of getting hacked. Let’s talk about some tips to help keep your WordPress website secure.
Select a good hosting company
A new client of mine learned all too well when they chose to with a cheap hosting provider who didn’t provide multiple layers of security options. It caused an absolute nightmare when their site was maliciously hacked with malware and traffic was redirected to a porn site. In general, hackers can gain access to your website in four possible ways:
• Not using secure passwords
• Not keeping your WordPress updated along with your theme and plugins.
• Using non-trustworthy plugins/themes on your website.
• Bad hosting! Good hosting company will provide you with layers of security features, including malware scans, 24/7 support that is 365 days a year, etc.
While there are several hosting companies out there, we recommend GoDaddy. Their price is reasonable, they offer the security features you need, and their customer service is second to none!
Purchase a premium theme or build a customized theme
You can purchase a premium theme right out-of-the-box that has been coded and tested by skilled developers for your WordPress site. Premium themes can be customized to match your brand, and usually have some sort of support for updates and issues. But beware that there are hacked versions of premium themes out there as well. To save a few bucks, a premium theme may be your only option. We provide quality custom web designs and quick turnaround – and best of all, our pricing is just un-matchable!
Use a Strong Password
While I agree it is an absolute pain to manage the multitude of passwords we need for today’s online activities. It is very important that you don’t use the same password for everything you use. And it is especially important that you not use a plain password that could be easy to guess. Use a complex password or one that is auto-generated with a variety of letters, numbers and special characters. And it is a good practice to change your passwords at least once a year.
Change your WP-login URL
By default, the standard WordPress login page URL to your site is “yoursite.com/wp-admin”. This is where you access the backend of your site. Leaving this as your default login could subject you to brute force attacks attempting to figure out your username/password combination. One of the best ways to prevent being hacked is to customize your admin login URL and add 2-factor authentication to your WordPress site. Also, note that you can check the IP addresses of the failed login attempts and specifically block those IP addresses.
Install SSL Certificate
SSL (Secure Sockets Layer) is necessary and mandatory for sites that use specific transactions, like to process payments, collect credit details, passwords, etc. Without an SSL certificate, the data being transferred over the Internet is delivered in plain text – and this can be readable by hackers.
In the past few years, Google has recognized the importance of SSL and provides sites with an SSL certificate a more weighted place within its search results. The search engine indicates that HTTPS – with an ‘s’ on the end – connections are secure with a ‘green lock’ icon. Google flags unsafe non-https sites with a ‘red lock’ indicating the site is not secure. We recommend to our clients that all websites should install SSL on their site, whether you accept sensitive information or not.
Update your WordPress version and Plugins
Another new client of mine was found to be 40 versions behind in WordPress updates. A good practice is to keep your WordPress up to date. The updates often are changes that are related to security feature updates. Keeping them current protects you being targeted for pre-identified loopholes and exploits that hackers would love to use to gain access to your site. We recommend that you purchase a ‘managed WordPress’ site whereby the hosting company automatically downloads the WordPress updates. However, you will need to update your plugins directly from your WordPress admin dashboard.
Limit Login Attempts
Limiting the number of login attempts will further help secure potential brute force attacks. The hacker gets locked out before they can finish their attempts at guessing your login info. Now keep in mind that if you frequently forget your login sequence, the settings could mistake you for a hacker. When enabling this feature in WordPress, be sure to whitelist your location so you aren’t locked out from your own site.
WordPress security is a crucial part of a website. Implementing these WordPress security tactics will have you well on your way to a secure site. If you need answers to additional WordPress security checks or help with your site, we are just around the digital corner. Message us or email us.