Here are the Top 10 Actions You Need to Take to Secure Your Website and Secure WordPress
When it comes to Security and securing your WordPress site, it’s not a case of if you will be targeted or hacked, but when.
Securing your WordPress site should be a key factor when embarking on a new website.
If you assume you will have hackers trying to hack your site, then that’s probably a healthy paranoia to have.
These following steps should therefore significantly help prevent these attacks.
These 10 tips aren’t just our view; they are actions you should seriously look at. Hackers are more sophisticated than ever, and a mass platform such as WordPress is a real target.
1. Update all plugins to latest version
Updating all your plugins and keeping WordPress updated is probably the easiest and most obvious action to take.
You’d be surprised how often older sites no longer get the regular housekeeping they once had.
Check your site(s) weekly for out of date plugins and update them.
If a WordPress plugin is no longer supported, or it’s no longer supported for your version of WordPress, consider an alternative plugin.
More importantly, ensure WordPress itself is always updated.
2. Remove unused plugins
Another obvious action to take in securing WordPress is to remove inactive plugins.
It’s good practice therefore to use as few plugins as possible. Having fewer plugins not only improves performance, but reduces potential conflicts and helps towards securing your website.
3. Make sure your site utilises SSL (HTTPS)
SSL (Secure Sockets Layer, today implemented by its successor TLS) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered.
HTTPS is the protocol used here to provide the encryption over the Internet. HTTPS guarantees that users are talking to the server they are meant to be, and that no one else can intercept, analyse or change the content they’re seeing in transit.
Nowadays search engines rank sites on whether they use SSL, and it’s more or less mandatory to use SSL, e.g. to secure credit card and login information.
A login form will often set a cookie for example, which is sent with every other request to your site that a logged-in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session.
To defend against these types of attacks, you always want to use HTTPS for your entire site.
It’s no longer as difficult or costly as it once was. Let’s Encrypt provides totally free and automated certificates, which you’ll need to enable HTTPS. Check with your Hosting provider to make sure they can support and offer FREE SSL certificates.
We work with A2 Hosting, who offer FREE SSL via Let’s Encrypt, for all our sites.
FULL 2019 Review of A2 Hosting can be found here
4. Use a Security & Spam Plugin
We use the Akismet Anti-Spam plugin along with Shield Security, but there are many security plugins equally as good.
The Shield Security plugin features in our Top 10 Must Have Free Plugins for 2019 and is recommended when it comes to securing your WordPress website.
Shield Security – Plugin
5. Limit file upload ability
If you have a site where members can upload files, consider locking that down where possible, either by limiting the file types that can be uploaded, or by putting measures in place to make sure only trusted members have access to uploading files.
TIP: There is a useful plugin called WP Upload, which allows you to limit the file types your users can upload.
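If you would rather not add another plugin for this, the same two restrictions can be applied with a few lines of PHP. This is an added example, not code from the original post or from the WP Upload plugin; the allowlist of file types and the choice of the edit_others_posts capability as the "trusted member" test are assumptions to adjust for your site.

```php
<?php
// Added example (not from the original post or the WP Upload plugin): restrict
// uploads to a short allowlist of file types and to trusted roles only.
// Place it in a site-specific plugin or your theme's functions.php.
// The allowlist and the 'edit_others_posts' role check are assumptions; adjust.

// 1. Replace WordPress's default MIME map with a short allowlist. Anything not
//    listed here is rejected by wp_check_filetype() during the upload.
add_filter( 'upload_mimes', function ( array $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
} );

// 2. Only trusted roles may upload at all. Editors and administrators hold
//    'edit_others_posts'; subscribers, contributors and authors do not.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        $file['error'] = 'Uploads are limited to trusted members.';
        return $file;
    }
    // Reject double extensions such as "invoice.pdf.php" outright. Note this
    // also rejects harmless names like "photo.2019.jpg"; rename those instead.
    if ( substr_count( $file['name'], '.' ) > 1 ) {
        $file['error'] = 'File names may contain only one extension.';
    }
    return $file;
} );
```

Both hooks only cover uploads that go through WordPress's own wp_handle_upload() path (the media library and most form plugins); a plugin that writes files to disk itself bypasses them, which is one more reason to keep the number of plugins down.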
6. Hide the Admin Login url/link
This is a really effective strategy, along with making sure the login page is NOT indexed by search engines, i.e. changing your login from example.co.uk/wp-login.php to something like example.co.uk/entrance, or any other text. This can help against what are called brute force attacks, where hackers run scripts that try to guess the admin credentials on your standard login page.
As part of this, avoid keeping or using admin as the user name, use more complex passwords, and again use your own custom login location.
Example from the Shield Security plugin.
7. Limit Admin login Countries and IP address
Another effective strategy is to limit both the country and the IP address that can be used for Admin login into your site (this applies to admin logins, clearly not to ordinary users).
As an example, I live in the UK and only ever access my WordPress sites from home, hence my admin login should only be from the UK and on a fixed IP address.
The plugin we recommend for this is Login IP & Country Restriction, which is simple to set up, assuming you don’t lock yourself out by entering the wrong IP address or country. A really simple but effective method to secure WordPress.
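For the IP address part of this, here is what the restriction looks like without a plugin, as a must-use plugin that fails closed on wp-login.php. This is an added example, not code from the original post or from the Login IP & Country Restriction plugin; the two addresses are constructed placeholders from the RFC 5737 documentation ranges, and the file name is an assumption.

```php
<?php
// Added example (not from the original post or the Login IP & Country Restriction
// plugin): allow wp-login.php only from fixed IP addresses. Save it as a
// must-use plugin (wp-content/mu-plugins/login-allowlist.php) so it cannot be
// deactivated from the dashboard. The addresses below are constructed placeholders.

const WPSEC_LOGIN_ALLOWLIST = array(
    '203.0.113.10',    // e.g. a home connection with a fixed IP
    '198.51.100.0/24', // e.g. an office network, in CIDR notation
);

// True if IPv4 $ip equals $entry, or falls inside it when $entry is "a.b.c.d/n".
function wpsec_ip_matches( string $ip, string $entry ): bool {
    if ( strpos( $entry, '/' ) === false ) {
        return $ip === $entry;
    }
    list( $subnet, $bits ) = explode( '/', $entry, 2 );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( $ip_long === false || $net_long === false ) {
        return false; // not valid IPv4 (an IPv6 client is denied here)
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function wpsec_login_ip_allowed( string $ip, array $allowlist = WPSEC_LOGIN_ALLOWLIST ): bool {
    foreach ( $allowlist as $entry ) {
        if ( wpsec_ip_matches( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

// Runs at the top of wp-login.php, before any credentials are processed.
// Use REMOTE_ADDR, never X-Forwarded-For: the latter is client-supplied and
// trivially forged. If your host puts a reverse proxy in front of PHP,
// REMOTE_ADDR is the proxy's address and you must fix that at the proxy first.
add_action( 'login_init', function () {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( ! wpsec_login_ip_allowed( $ip ) ) {
        wp_die( 'Login is not permitted from this address.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

Keep SFTP or SSH access to the server so you can delete the file if your IP changes; that is the lockout the post warns about, and a dashboard-only recovery route no longer exists once this is active.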
8. Check validity of Plugins i.e. reputation and frequency of updates
WordPress relies on many plugins, and securing WordPress itself should encompass locking down and checking your plugins for validity. This can easily be done right from your WordPress website: under Plugins simply select Add New, search for the plugin in question and see how old it is, when it was last updated, and so on.
TIP: Recommended reading : Top 10 Free WordPress Plugins For 2019
9. Make use of reCaptcha on all forms
You have probably seen reCaptcha in operation, where a grid of nine pictures comes up and you have to select the requested images. A pain, right? Well it might be, but checking that the login or form is being submitted by a human and not a bot is crucial.
There is also a version of reCaptcha that is less intrusive and requires simply a human to tick a box.
We therefore recommend using reCaptcha where possible to prevent spam and help secure your site.
TIP: Find out more here https://www.google.com/recaptcha/intro/v3.html
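The "tick a box" and v3 versions both work the same way underneath: the browser obtains a token from Google, and your server must send that token back to Google's siteverify endpoint and act on the answer. The check is worthless if only the front end runs it. Below is the server side of that for the WordPress login form with reCAPTCHA v3, as an added example that is not code from the original post; RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET are placeholder constants you define in wp-config.php, and the 0.5 score threshold is an assumption.

```php
<?php
// Added example (not from the original post): verify a reCAPTCHA v3 token on the
// WordPress login form, server side. RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET are
// placeholders: define them in wp-config.php with the keys Google issues you.

// Inject the v3 script and a hidden token field into the login form.
add_action( 'login_form', function () {
    $key = esc_js( RECAPTCHA_SITE_KEY );
    echo '<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response">';
    echo '<script src="https://www.google.com/recaptcha/api.js?render=' . esc_attr( RECAPTCHA_SITE_KEY ) . '"></script>';
    echo "<script>grecaptcha.ready(function(){grecaptcha.execute('$key',{action:'login'})"
       . ".then(function(t){document.getElementById('g-recaptcha-response').value=t;});});</script>";
} );

// Ask Google's siteverify endpoint about the token. True only if the token is
// genuine, was issued for the 'login' action and scored at or above $threshold.
function wpsec_recaptcha_passed( string $token, float $threshold = 0.5 ): bool {
    if ( $token === '' ) {
        return false;
    }
    $resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array( 'secret' => RECAPTCHA_SECRET, 'response' => $token ),
    ) );
    if ( is_wp_error( $resp ) ) {
        return false; // fail closed: if Google cannot be reached, no login
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return ! empty( $data['success'] )
        && ( $data['action'] ?? '' ) === 'login'
        && (float) ( $data['score'] ?? 0 ) >= $threshold;
}

// Priority 30 runs after WordPress's own password check (priority 20). On a
// failed token we always return the same generic error, whatever the password
// check said, so a bot cannot use the message to tell a right guess from a wrong one.
add_filter( 'authenticate', function ( $user ) {
    if ( empty( $_POST['log'] ) ) {
        return $user; // not a wp-login.php form submission (e.g. cookie auth)
    }
    $token = sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ?? '' ) );
    if ( ! wpsec_recaptcha_passed( $token ) ) {
        return new WP_Error( 'recaptcha_failed', 'Login failed. Please try again.' );
    }
    return $user;
}, 30 );
```

Failing closed means an outage at Google, or an outbound connection your host blocks, keeps you out of the dashboard as well; decide that consciously, just as with the IP allowlist in tip 7.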
10. Regularly check your site
Lastly, what we call Website husbandry or general maintenance. It’s key you check your site regularly.
More importantly backup your website at least once a week.
If your site ever gets hacked, you might have no choice but to wipe and restore it, last resort, but better you have a recent backup.
TIP: Use a backup plugin such as Updraft, for manual or scheduled backup, locally or to the cloud.
Remember, secure your website today, and if you’re not the web designer, ensure your web design company is taking all these precautions. A good web developer should be all over this…
Let us know if we missed anything and feel free to comment below should you need any advice.
Remember, it’s really worth spending time getting in the mind of potential hackers. Healthy paranoia when it comes to web security is a good thing.