If you’re like most WordPress site owners, you had your website built by a reputable web designer, they hand it over to you hopefully advising you about WordPress security and that your new website will need updating to keep it current and secure, then life happens and you forget to update your site. That’s fine until one day you get an email or phone call and are asked why your website isn’t online, they are not seeing the web pages they expected but instead are being shown some dodgy website selling mobile phones or another tricky website.
What’s happened? Your website has been HACKED!! And it can be pretty stressful and costly getting it back again.
Why Do Hackers Hack Websites?
When considering why hackers are attacking websites, you might think that there’s a specific reason they target you as a website owner—your business, your reputation, or your information. But the truth is, hacks don’t often single out someone. Most of the time, hackers spot website vulnerability. This is what determines why certain websites are targeted.
Hackers are ready to take advantage of any possible exploitation without taking into consideration your type of business. who you service, or how well your website is doing. The reasons why will vary depending on the hacker.
What do they want with my website?
Here are a few reasons hackers want to get into your website.
Credit card information, including CVV and billing address to make use of it for online transactions.
Contact information later sold to unethical marketers.
Username and passwords to access and take over your server resources.
Classified information to leak or extort.
High security information that can discredit competitors, such as individuals or organizations.
Malvertising and affiliate spam directed at visitors.
SEO spam directed at search engines.
Some targeted attacks will also be made to show the vulnerability of users, accessing and retaining login credentials.
Websites are being attacked more and more frequently these days and as WordPress powers over 30% of all websites on the internet (some sources report over 40%) it is a prime target for being attacked. Hackers are constantly looking for Vulnerabilities in website code and WordPress developers fix the code to stop your website from being infected.
Your website is made up of a Theme to display the web pages in a web browser, plugins that give extra functions to the website and the Core WordPress system (CMS) that brings all the components together for your website to look amazing online.
Updating your WordPress core, theme and plugins with the most up to date code keep your website safer and up to date and on top of that from time to time developers add new features and enhance existing ones so updating your website brings this new and upgraded functionality for you to use.
How do I secure my WordPress Website?
This guide will show you 7 Quick Steps to securing your website I will run through:-
Installing an SSL Certificate
Back up your Website
Update your WordPress Core, Theme and Plugins
Secure your Admin area
Install a Firewall and Malware Scanner
Choose reliable hosting
Use strong Passwords
1. Installing an SSL Certificate.
What is an SSL Certificate? Have you seen the padlock in the address bar of your browser? This means the website you’re looking at is protected by an SSL Certificate. Browsers these days will warn you if you visit an unsecured website so you can decide to stay or go.
An SSL certificate encrypts the data that is sent to and from your website to your visitor’s browser, it protects sensitive information and shows your visitors you are more trustworthy which builds trust.
Techy Tip – Google gives sites with SSL a ranking boost over sites without.
Depending on your hosting company, you may receive an SSL certificate for free, if not you will be able to find an SSL service online that offers free SSL certificates. Your hosting company or web developer will need to add your SSL certificate to associate it to your domain name.
Once your SSL certificate is installed you will only want to use the secure version of your website as both secure and not secure will exist. The best and easiest way to do this is with a plugin, Really Simple SSL forces the secure version of your website to be used. Just download the plugin and follow the instructions.
Techy Tip – The beginning of your web address determines whether your website is using the secure version or not. https:// = secure version http:// = not secure.
2. Back up Your Website.
No matter the size of your WordPress website, finding a way to keep it safe from issues such as updates gone wrong, hacking, user error and server crashes should be of the utmost importance. If you’ve not set-up regular backups of your site yet, now’s the time to get it done. (Source) Need I say more?
Your host should carry out regular backups of your website files and database, I would check if they are as it is a real good idea to have more than one backup solution. With your hosting provider giving the first backup solution, then you should have a second ‘remote’ backup solution. There are several good back up solutions available WPBeginner have published an article comparing what they consider to be the top 7. I use UpdraftPlus for my websites and the websites I manage it is a trusted solution with huge support and the free version gives you just about everything you need to back up your site.
Techy Tip – If you use Updraft Plus you can use Google Drive to store your backups remotely.
3. Update your WordPress Core, Theme and Plugins.
As you now know, WordPress routinely releases updates, which include new features, fixes, and WordPress security patches, that protect your site. Theme and Plugin developers do the same. Updating your WordPress site with the most up-to-date release will help keep your website secure.
You can stay informed about WordPress updates by signing up for email notifications. In addition, you can visit WordPress.org website to read and download the latest patch. Your WordPress dashboard will also alert you to updates.
You can auto update your website so you don’t need to worry about updates, here is a plugin that can help you with this WP Auto Updater
Techy Tip – Delete any unused plugins and any unused themes – leave one extra theme just in case your current theme breaks.
Auto Update or not Auto Update?
Now after saying that, it is important to note, auto updates are not always the way to go!
Why? Because WordPress Core, Theme and Plugins you use are constantly being updated which often leads to conflicts between these 3 components of WordPress, so if you have auto updates set up no doubt you will leave them to do their thing which is fine until BOOM!! Something goes wrong and your site is down.
Your first thought may even be, your site has been hacked! But in reality, a plugin has auto updated, it isn’t compatible with your theme and has broken your website giving you a huge headache to get it back up and running again.
Manual Updates are the way to go?
I believe manual updates are the safest option to keep your WordPress site up to date and secure as you can check your website is working at each step of the update process. Make sure you have a current back up before carrying out any updates, then update one item at a time checking your website is still working after each update.
Tech Tip – Waiting a week or two after an update’s release date before updating your website can help you to avoid compatibility issues.
4. Secure your Admin area
When creating a WordPress site, the default username is ‘admin’ every hacker knows this and ‘admin’ will be the first username they try when attempting to get into your website, think about it if your username is ‘admin’ all they need now is your password and they’re halfway there!
You can change your username a few ways, here are 2:
Use a plugin
A plugin such as Username Changer makes changing your username easy. Just install the plugin, go to the “Users” menu and select “Username Changer.” Select the user with the ‘admin’ account and update the account username.
Create a new user
To create a new user with a different username than ‘admin’ you will need a different email address than the one on the ‘admin’ user. Next click Users – New User from the dashboard menu fill out your new user details ensuring you use a username that isn’t admin. Don’t forget to set a secure password and the use role as administrator. Once you save the new user and set their permissions, you can delete the old user with the “admin” username.
5. Install a Firewall and Malware Scanner
a WordPress security plugin can protect your website from brute force attacks, malware, and hackers, a lot of WordPress security plugins will have features like:
Built-in firewall protection
Login screen protection
Letting you know what plugins and themes are out of date
I use Wordfence for my own and clients website security, I like that the Wordfence firewall (WAF) works from your website’s server not in the cloud on the WordPress security Companies server, meaning your website data is not being (albeit securely) sent to a remote service to be scanned.
Without hosting you can’t publish your site online. But hosting does much more than simply host your site. It’s also has a bearing on your website load speed, performance, and security. Check the WordPress security features of your hosting to ensure your site is as protected as it can be.
7. Use strong passwords
LastPass, Dashlane and Keeper Security are 3 password different managers, choose one that generates secure passwords and keeps your saved passwords with the highest security.
Use passwords that have a mix of upper and lower case letters, numbers and symbols of 8 or more characters.
Hopefully, this short guide will help you ensure your WordPress website is as secure and that you have a better understanding of what needs to be done to make it more hacker proof. Take my advice take a look at all these steps and implement them on your website if you don’t feel confident or knowledgeable to make the changes yourself take a look on Google for more comprehensive information, ask if your Website Developer for help or ask me I’m only too willing to help where I can.
I offer Website Care Plans which help to secure your WordPress Website and more but don’t think you have to sign up for a plan if you want to do it yourself and need advice, just get in touch and if I can help, I will.