Whether you’re maintaining a personal blog, putting together a portfolio, or building a business website, security is paramount. As a platform, WordPress is hit more than almost any other by cybercriminals. Don’t worry, though. Securing your site is actually a lot easier than you’d expect.
Security can be overwhelming. Even a user-friendly content management system (CMS) like WordPress is, when you look under the hood, fairly technically complex (at least for a layperson). At the same time, it’s not something you can afford to ignore, even if you’re just using WordPress to host a simple digital portfolio.
According to research released by security firm Sucuri, WordPress accounted for nearly 90 percent of hacked CMS sites in 2018. It’s not that WordPress is itself insecure. It’s a popular target because it’s a popular platform.
And it’s a popular platform because it’s easy to use.
The good news is that just as WordPress is easy to use, it’s also easy to secure. A lot of WordPress security guides are clearly written by people who work in IT – and they aren’t necessarily written for laypeople. This isn’t that kind of guide.
This is one that won’t make your head spin. Because at the end of the day, securing WordPress doesn’t require extensive expertise in PHP, an understanding of existing vulnerabilities or knowledge of the techniques most commonly used by hackers. It just requires that you take a few simple steps.
- Change your username. Your username should be both unique and different from your display name. Stay away from the default username assigned by WordPress, as this makes it a lot easier to crack your account.
- Use a strong password (or a password manager). Per webcomic XKCD, start with at least four random words, completely unrelated to one another. String them together, and add characters, numbers, and symbols as necessary. Alternatively, you could simply use a password manager.
- Limit access. Generally speaking, you should only have one administrator account on your site. Most people don’t need to be able to install new plugins, change your theme, or add new users.
- Keep things up to date. The vast majority of attacks are not sophisticated. They exploit existing – and usually patched – vulnerabilities. Simply by updating your WordPress installation and plugins, you can stymie these attacks.
- Pare down your plugins. Each plugin represents a potential avenue of attack. With that in mind, you should only use the plugins you absolutely need.
- Only download from reputable sources. When in doubt, only download plugins and themes from WordPress’s official library. If a developer distributes from their own website, do a quick Google search before downloading. Make sure they have a good reputation and look at what reviewers say about them. Additionally, if a plugin or theme normally requires a license or subscription, do not download it from any site that claims to offer it for free.
- Install an anti-spam plugin. Most WordPress installations come with Akismet Anti-spam. Double-check to make sure that you have it in yours, and download it if you don’t. It’ll protect you from spam comments, which can often be a delivery vessel for malware.
- Install a malware scanner. I recommend Sucuri Scanner. It’s free, and acts as an all-in-one solution that monitors file integrity, scans for malware, and detects failed login attempts. It also adds a firewall for an additional layer of protection.
- Install a brute force protection plugin. A plugin like Loginizer or Login LockDown can prevent attackers from trying to break into your WordPress site by guessing your password.
- Enable SSL. SSL adds another layer of security to your site, and it’s something I’d strongly recommend. Simply log in to your dashboard, click on Settings, then scroll to your WordPress Address (URL) field. Replace HTTP:// in your address with HTTPS:// then click Save Changes.
- Secure your own connection. A lot of people forget that securing their WordPress site means also practicing proper cybersecurity hygiene in their day-to-day. After all, even if you’ve done everything right with your installation, an attacker could potentially gain access through a compromised or unsecured network. With that in mind, you should – as noted by Blog Herald – enable privacy settings in your browser, use a VPN to encrypt your traffic, and encrypt the data you store on your hard drive.
- Safeguard your systems. Just as a compromised network can provide an access point, so too can a computer or smartphone that’s been hacked. Pay attention to the software you download and avoid unsecured Wi-Fi whenever possible. Use security software as well, like Trend Micro, Kaspersky, or Sucuri.
Securing your WordPress site doesn’t need to be some herculean effort that leaves you with a splitting headache. As I’ve shown above, it’s as simple as installing the correct plugins and practicing a bit of common sense. Follow the advice here, and you’re already more secure than most WordPress sites, and that much safer from cybercriminals.
About the Author: Terry Cane is the COO at SEOHost.net, a reliable and supportive SEO hosting partner.