Website security costs can hit more than just your pocket. A random hacker can cause you hours of tedious work in your backend or send you to a pro because your site has crashed. I will show you some website security tools and how to check website security. A few simple steps can save you a heap of trouble down the line.
Security is not about achieving perfect security; there is no such thing. It is about reducing risk. Here are a few ways you can help make your WordPress site more secure.
Not all web hosting providers are created equal and, in fact, hosting vulnerabilities account for a huge percentage of WordPress sites being hacked. Don’t just look for the cheapest company. Do some research and find one with a good background in strong security measures.
Some qualities you may want to look for in a host:
- Readily discusses your security concerns and which security features and processes they offer with their hosting.
- Provides the most recent stable versions of all server software.
- Provides reliable methods for backup and recovery.
Always keep your plugins, themes and WordPress updated. Not updating can leave your site open to attacks.
Make sure all your computers are free of spyware, malware, and viruses. No amount of security in WordPress or on your host will make a difference if there is a keylogger on your computer. Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
Many attacks can be avoided with a good password. The goal of your password is to make it hard for others to guess. There are many free password generators available, such as LastPass and Dashlane.
WordPress also features a password strength meter to let you know how strong your password is. Things to avoid when creating a password:
- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).
A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.
In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.
There are many plugins and services that can act as a firewall for your website. Some of them work by modifying your .htaccess file and restricting some access at the Apache level, before the request is processed by WordPress. Good examples are iThemes Security and All in One WP Security. Other firewall plugins, like Wordfence, act at the WordPress level and try to filter attacks as WordPress is loading, but before the request is fully processed.
We use iThemes and Wordfence and are quite happy with the results.
Back up your data regularly. Make a schedule or use a plugin that creates backups automatically, like BackupBuddy.
A majority of today’s attacks target your wp-admin / wp-login access points using the username admin combined with guessed passwords. Common sense would dictate that if you remove admin you’ll also kill that attack outright.
For the everyday, automated attack, removing the default admin or administrator username will work. Understand that when we say ‘admin’, we are speaking specifically about the username only and not the role.
Create a new user in WordPress at Users > New User and give that user Administrator rights. After that, delete the ‘admin’ user. Don’t worry about the posts or pages the admin user has already created. WordPress will ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to another user, like the one you have just created.
Two-Step Verification
The essence of two-step verification for WordPress security is exactly as implied in the name, two forms of authentication. It’s the recognized standard today for enhanced security at your access points.
I hope you find this useful and will begin to implement these steps if you have not already. If you have any questions, please leave a comment below or use our contact page.