Digital Marketer

From New Zealand, lives in Spain.
Servicing clients from all around the English-speaking world.

Security Essentials for a WordPress Site

How to secure your website from hackers?

Hackers! In the news and media in general, hackers get talked up as an elite group of people who are smarter than you and can break into any site they want. We hear stories of them stealing confidential info from businesses and holding the company to ransom in order to get control of their site back. In reality, most ‘hacks’ going on around the web are just annoying spammy scripts that mess with your site and are not sophisticated enough to get any really useful info; all they do is break your site so it won’t load, or maybe redirect your traffic to a spam site selling something.
Because most of these hacks are pretty basic, protecting your site from them is not difficult.

Is a WordPress website safe or not?

Yes, it is absolutely safe, but just like your house it is only as safe as how it is set up and your habits. If you leave your windows and doors open all the time and keep no track of who is coming and going from your house, chances are one day you will get robbed.

What are the top things to do for WordPress security?

Let’s break down the key things you can do to help secure your site. I do these for each of the sites I build, as none are labor intensive and they go a long way to help protect your site from hackers and save you headaches down the road.

  • Have the site run on HTTPS
  • Use WordFence security plugin
  • Use a paid Security service (optional)
  • Host the site with a good company
  • Keep everything in your site updated
  • Have a backup of the site

I will break those points down a little further to bring you up to speed.

HTTPS vs HTTP

We don’t need to go into the details on this, as there are tons of articles about the intricacies of how each works, but all you need to know is that the ‘S’ in ‘HTTPS’ stands for secure.
It means that when your computer requests a website to load, the conversation it has with the server (where the site is hosted) is encrypted, so only your browser and the site’s server know what is being passed back and forth.
This is a must-have. It is essential, and most people expect to see the padlock symbol when they visit a webpage. It is so simple to do that it says a lot about a company that doesn’t bother to configure their site for HTTPS.
Most hosts offer an SSL certificate for free, and on some hosts it can be set up in a matter of clicks.
Bonus: having the site on HTTPS is good for SEO, so for the little effort required to set it up the benefits make it a no-brainer.

What is the best plugin for website security?

WordFence!
Why? It is free and it is great. It has over 3 million active installations and a rating of 4.8/5, so they are doing something right. What it does is run scans to look for malicious scripts and highlight them so you can act on them before they do damage. It is very easy to set up and is one of the essential plugins I install on every site I work on.
[Screenshot: WordFence scan checklist]
If you use it and like it and want more features, you can always pay for the Pro version to increase your site security.

Use a paid website security service

I don’t do this with every site, as sites for small businesses usually hold no important information and paying for a service isn’t justified. We do it for sites that deal with more sensitive information, like eCommerce websites, although I should note that WordPress sites running WooCommerce don’t store any of the payment info on the site; that is all handled by the payment gateways (Stripe and PayPal, for example).
For one client who has his site hosted on GoDaddy (I do not recommend them at all as a host), they quoted him $250/year for 1 site. This is really expensive and there are other companies to use that are much cheaper; we ended up going with WebARXsecurity for $150/year.

Host the site with a good company

Not all hosting companies are created equal. Where you host your site can be a factor in keeping it secure. Most are good nowadays, but one thing to check is which PHP version the site is running on. Some hosts do not update this automatically unless you specify you want it updated, and it is important to keep it on the latest version; depending on the host, you will be able to do it yourself or you will need them to do it.
If you log into your WordPress dashboard and see this notification, get in touch with your host to update it.

[Screenshot: PHP warning for an out-of-date server]

Keep everything in your site updated

This is very easy but requires regular action: it includes updating the plugins, the site theme and WordPress itself whenever updates roll out. It takes just a few clicks but should be done at least once a month.

Why is keeping your site up to date important?

This is probably the most common way sites get hacked: hackers find vulnerabilities in plugins and exploit them to get into the files of your site. When the plugin and theme authors learn about a problem they release a patch to fix it, which usually means the hole is closed long before a bad guy ever gets around to your site, as long as you actually apply the update. Of all the advice around securing your site this is the most important; it is extremely easy but is required every 2-4 weeks.

Two side notes related to this:
It is best to remove any plugins you don’t actually use on the site, or consolidate plugins that are doing the same thing. Many site owners have had multiple people work on their site over the years, and each of those people adds plugins to achieve whatever new feature was requested (often they use a plugin even when it is not necessary, usually because they are not good at their jobs). Some sites I see have so many plugins running that I wonder how they keep the site working properly; often these are unnecessary, with multiple form plugins running, or multiple code injectors, which just add extra bloat to the site and increase the possibility that it can be exploited.

Related to this: go to Users in your admin and delete anyone who is not an active user of the backend of the site. Having a lot of people with access to the site admin is a risk you shouldn’t take with your site. Keep only the essential people in there, and if you get someone new to help with something, delete their profile once their job is done.

Have a backup of the site

It is always good to keep backups of your site in case it does get hacked. I have my sites hosted with SiteGround, which runs a daily backup of the sites for free and allows me to restore any version within a few clicks, which is great peace of mind.

If you use a paid security plugin, as mentioned earlier, some of these have backups as a feature that can look after it for you, or you can pay for a backup service such as UpdraftPlus.

[Screenshot: SiteGround backups]

What are good ways to make WordPress more secure?

Some extra things to help if you are feeling super motivated and want to take some added steps:

– Change the default username to not be ‘admin’

If they are trying to crack your site, at least don’t have the username set to ‘admin’, as that saves them one field they need to get right.

– Move the admin login page

All WordPress admin login pages sit on the path /wp-admin/, so you can help hide that page by moving it to something random. There are plugins to do this, or you can follow a tutorial to do it, which is straightforward but does require changing some code in the WordPress theme files.

– Limit login attempts

This is a good idea, as it will block someone from being able to see the login page after they put in the wrong details X number of times (whatever amount you specify). There are specific plugins for this, or if you have a paid security plugin this is most likely built into the package.

– Two-factor authentication

Again, another good idea, and this is free on WordFence. You have an app on your phone which you will need to use each time you log into the site. This stops hackers from forcing their way through the login but does not help with vulnerabilities on your site such as out-of-date plugins.

What should you do if your WordPress site was hacked?

In my experience the easiest, fastest and best action to take is to restore an old version of your site from before the hack happened. This ensures the site will be back up and running just how it was, with no traces of the hack still lurking somewhere in the code, where they can be almost impossible to find. There are services that help to fix hacked sites, but they can’t guarantee the results and are often expensive; it will always be cheaper to get rid of the hacked site and restore an older version.

Someone came to me with a hacked site and asked if I could help, and I reached out to a service in India who said it would be $250 but could not guarantee they would be able to fix it, and it might cost more depending on what they found. We opted to restore an old version of the site we found on his server (a compressed zip file) and then used http://web.archive.org/ to check if anything had changed on the site since that version.

If you do restore an old version of the site, remember that it was that site that was hacked in the first place, so it is a good idea to make some extra effort to stop it happening again. Covering the points outlined in this article should be enough to do it; if you are already doing each of those and you still got hacked, I would suggest using a paid security service that offers a WAF (web application firewall).
