WordPress can rightly be called one of the most popular content management systems in the world, if not THE most popular one. The simplicity for users, paired with extreme flexibility (with the right themes and plugins, you can make your WordPress site pretty much anything you want), and accessibility — it all contributes to its immense popularity.
However, on the flip side, such popularity also makes WordPress vulnerable, attracting all sorts of attacks.
Let’s look into the ways to keep your WordPress site safe and secure.
A good place to start when it comes to WordPress (or any other website, for that matter) security is choosing hosting you can trust. When looking for a hosting provider, you need to ensure that they provide up-to-date stable versions of software, as well as thoroughly monitor for vulnerabilities and malware. Another thing to look for is whether they offer you reliable methods for backup and site recovery, as well as whether SFTP or SSH connection is available.
The next line of defense is on you as a user. Many WordPress sites fall victim to hackers’ attacks due to having outdated versions of WordPress and/or plugins, or not installing the latest patches and updates. If not kept up to date, these files become increasingly vulnerable to exploits.
To reduce the risk for your site (and also increase its stability), updating WordPress to the latest version is a must, as well as making sure all themes and plugins you installed (be it from a WordPress site or third-party developers) are also all up to date.
By default, WordPress automatically installs most of the minor updates via the Auto-Update function, but in case of major releases, you need to manually start the update. This can be done via Dashboard>> Updates. Before you initiate the update, make sure to back up your site, so that it could be restored in case anything goes wrong.
In the past, WordPress used to set the default username as “admin” and many website owners never bothered to change it. And although WordPress has since started to require users to select a custom username after they install WordPress, some one-click WordPress installers still set the default admin username to “admin”.
As a result, “admin” is usually the first username hackers try when they launch a “brute-force” attack against your site. So if you have the “admin” username, it’s wise to change it to something unique as soon as possible. There are 3 ways to do that:
The same logic applies to passwords — including the passwords to the admin account, FTP accounts, and so on. They should be hard to guess and unique to your site. You should also change them regularly.
Another way of reducing the risk will be restricting the permissions to access the site directories and disabling file editing for some of the user accounts. For example, for someone helping to edit older blog posts, you might give temporary permissions by granting them an appropriate user role (in this case, to “Editor”) in the Users menu, and revoke them later by reducing permissions (perhaps back down to “Subscriber”) once the user no longer needs that access.
Another thing you should consider is limiting login attempts and setting notifications for excessive logins.
As we mentioned before, there are plenty of WordPress plugins for every purpose out there, including a vast selection of security plugins that will add another layer of protection to your site. For example, If you do a search for the “Security” category on the official WordPress site>>Plugins tab, you will find over 4000 security-related plugins, from all-in-one solutions to specific feature sets.
Here are some useful plugins that will help you keep your site safe:
Keep in mind that when you install a WordPress security plugin, you’re granting it access to your WordPress files, directories, and database, and you can’t limit this access. So before installing the plugin, you should check what access it will require. This information can be found in the plugin documentation.
If in doubt regarding the plugin’s reputation, you can also check the reviews as well as the active installs. If the ratings are low or there aren’t many users, keep looking. You should also check to make sure it works with the current version of WordPress and has been updated recently — avoid older plugins that may have their own security holes or conflict with the current version of WordPress.
Even if you are absolutely positive that your WordPress site is protected from outside attacks, it’s still a good idea to back it up on a regular basis, especially whenever you add or change content. Keeping a backup handy will help you restore your site quickly in case of any errors made when editing, accidental loss of data, moving to another hosting provider — and, of course, if your site gets hacked or compromised with a virus.
When backing up your WordPress site, make sure you are backing up both your site files and database, as both are needed for your site to function properly.
To be on the safe side, it is also a good idea to keep backups on cloud storage like Dropbox, Google Drive, or similar services, so it could be at hand even in case the hosting server is down or your hosting account became compromised as well.
The popularity of WordPress is what also makes it a target for many attackers — but luckily, there are a number of things users can do to protect their WordPress sites.
Keeping the site regularly updated and backed up, and with trusted security plugins running, will greatly minimize the risk of it being compromised.If you’d like more tips on keeping your WordPress site secure, we have a couple of resources that can help.