As the most popular platform for building websites, WordPress is a prime target for hackers who look for vulnerabilities they can exploit to gain access to your files and data. Hackers try to infect your site with malware, steal personal data, ransom you for access to your website or even completely destroy it.
To ensure your WordPress site is secure, there are a number of things you should do immediately after configuring the settings so that the hard work you put into creating your site is not lost. In this article, we’ll explain the security measures you should undertake, why you should undertake them and how they can be easily achieved. (For full protection, there are additional security features that your web host should provide and there are some security settings which you should have set up during configuration.)
Here are our 5 vital post-installation WordPress security tips
1. Install a security plugin
Security plugins offer website owners some exceptional security features. These include:
- blocking attackers and the networks of IP addresses they attack from
- preventing web crawlers, scrapers and bots from scanning your site for vulnerabilities
- requiring users on your site to choose strong passwords
- locking out brute force attackers
- scanning files, themes and plugins for vulnerabilities, backdoors and other security holes
- malware and phishing scanning
The list above contains the main actions that the plugins undertake, but they also carry out numerous other security activities which can harden your website.
There are several good-quality security plugins to choose from, and you can install them directly from your WordPress admin panel. (Click on ‘Plugins’ in the sidebar, select ‘Add Plugin’ and type ‘security’ in the search box.)
The most popular security plugins are Wordfence, BulletProof Security, Sucuri, All In One WP Security and Firewall and iThemes Security. You can read more about each of them by following the link. All of them are free, but some do have premium features. You should always read the plugin description and reviews before installing.
2. Automate your WordPress, theme and plugin updates
One of the biggest security risks for a WordPress site is running outdated software. As hackers find ways to exploit weaknesses in software, developers constantly release updates to patch the security holes.
You need those newer versions to ensure you are not leaving the back door to your website wide open, especially as hackers scan the internet looking for older versions they know they can break into. For this reason your WordPress software, themes and plugins need to be kept up to date.
If you install a security plugin like Wordfence, you will be notified by email if you have any out-of-date software on your site. Unfortunately, these plugins don’t (yet) update the software for you; instead, you should install a plugin to do the job.
There is a small but growing number of plugins which will do this for you. One of the most comprehensive is WP Updates Settings. These plugins enable you to automate updates to themes, plugins and WordPress itself. (By default, WordPress automatically installs security updates but not major ‘core’ updates.) Using an updater plugin ensures your software is always up to date and saves you a lot of time in the long run, especially if you run several websites.
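Under the hood, the updater plugins the article recommends flip switches that WordPress itself exposes. The following is an added example, not the article's own text and not the code of any plugin it names: a wp-config.php constant that turns on automatic core updates for major releases as well, and a must-use plugin that enables unattended theme updates plus allow-listed plugin updates. The plugin slugs and the e-mail address are placeholders.

```php
<?php
// ---- Part 1: add to wp-config.php, above the "That's all, stop editing!" line ----
// true    = install every core update, major releases included
// 'minor' = minor/security releases only (WordPress's default behaviour)
// false   = never update core automatically
define( 'WP_AUTO_UPDATE_CORE', true );

// ---- Part 2: save as wp-content/mu-plugins/auto-updates.php ----
// Must-use plugins load on every request and cannot be switched off from the
// admin panel, which is the right place for a setting that should not be undone by accident.

// Update every installed theme unattended.
add_filter( 'auto_update_theme', '__return_true' );

// Update plugins unattended, but only those on an allow-list, so that an
// untested release of a plugin the site depends on cannot be rolled out
// without someone looking at it first. The slugs below are placeholders.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $unattended = array( 'example-security-plugin', 'example-contact-form' );
    if ( isset( $item->slug ) && in_array( $item->slug, $unattended, true ) ) {
        return true;
    }
    return $update; // keep WordPress's existing decision for everything else
}, 10, 2 );

// Core sends a result e-mail after each automatic update; direct it to a mailbox
// that is actually read rather than the site's admin address.
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'ops@example.com'; // placeholder address
    return $email;
} );
```

These settings only take effect when WordPress's scheduler runs: it checks for updates twice a day through WP-Cron, which is triggered by page views, so on a low-traffic site hook wp-cron.php up to a real cron job. An automatic update is also exactly the kind of change that a backup (tip 5) should precede.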
3. Stop bots and deter hackers with a Captcha plugin
Most people will be familiar with Captcha, as it is used on many websites. You are often required to complete one when writing comments or filling in forms, and it usually appears with a tagline such as “Prove you’re human.” It proves you are human by asking a random question that a piece of software could not answer but a person could. By requiring an answer, it prevents hackers from using automated software to submit comments, fill in forms or, more importantly, attempt to log into accounts.
One of the biggest advantages of Captcha is that it can be used on the login page of your WordPress admin panel.
Here, its role is to prevent brute force attacks. In such an attack a hacker uses software to guess your username and password; it can make thousands of attempts every second until it finds the right combination. Adding Captcha stops the software from working and forces the hacker to work manually, massively increasing the time it takes to gain access. In most cases the hacker will give up and look for easier sites to attack.
If the hacker continues to work manually, you can always configure your security plugin to block users who make too many failed login attempts.
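The "locking out brute force attackers" feature listed under tip 1 and the failed-attempt blocking mentioned just above are the same mechanism. The must-use plugin below is an added example, not the article's text and not the code of Wordfence or any other plugin it names: it counts failed logins per client address in a WordPress transient and refuses further attempts from that address once a limit is reached. The limit, the window and the transient-key prefix are assumed values.

```php
<?php
/*
 * Plugin Name: Example login lockout
 *
 * Added example for this article, not the code of any plugin the article names.
 * Save as wp-content/mu-plugins/login-lockout.php. It counts failed logins per
 * client IP in a transient and refuses further attempts once a limit is hit.
 * The limit, the window and the key prefix are assumed values.
 */

define( 'ELL_MAX_FAILURES', 5 );                 // attempts before lockout
define( 'ELL_WINDOW', 15 * MINUTE_IN_SECONDS );  // counting / lockout window

function ell_client_ip() {
    // Trust only REMOTE_ADDR. X-Forwarded-For is attacker-controlled unless a
    // proxy you run overwrites it: a forged header would let a client dodge
    // the counter or lock out somebody else's address.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ell_key( $ip ) {
    return 'ell_fail_' . md5( $ip ); // short, option-safe key; md5 is not a secret here
}

function ell_is_locked( $ip ) {
    return (int) get_transient( ell_key( $ip ) ) >= ELL_MAX_FAILURES;
}

// Record every failed login; WordPress fires this for bad usernames and bad passwords alike.
add_action( 'wp_login_failed', function () {
    $key   = ell_key( ell_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, ELL_WINDOW ); // each failure restarts the window
} );

// Refuse a locked-out client before the password is checked. This filter runs
// inside WordPress's own username/password check, after the user is looked up
// and before the password hash is compared, so a locked-out client cannot test
// further guesses. XML-RPC logins go through the same core check, so they are covered too.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( ell_is_locked( ell_client_ip() ) ) {
        return new WP_Error(
            'ell_locked_out',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.', ELL_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
} );

// A successful login clears the counter, so a user who fumbled a password is not penalised.
add_action( 'wp_login', function () {
    delete_transient( ell_key( ell_client_ip() ) );
} );
```

Per-address counting is the simple case. An attacker rotating through a network of addresses, as the article describes in tip 1, spreads the failures thinly across many counters, which is why the plugins also count per username and why the Captcha step above is a useful second layer.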
The other security advantage of using Captcha is that it prevents spammers from using automated software to leave comments on your website. These comments frequently contain links to spurious websites or cause malware to be downloaded onto the computer of anyone who clicks on them. Not only are they a potential threat to your visitors, but if Google finds them on your website it could also affect your Google ranking.
4. Lock down your admin panel with two-factor authentication
The most secure way to protect access to your admin panel is to use two-factor authentication. It works as follows: you log in as normal, but before being given access to the admin panel you are sent a text message to your phone containing a unique code. Only after you enter the code on the website are you given access.
The advantage is that even if a hacker manages to find your username and password, they still won’t get into your admin panel unless they have your phone in their hands. Whilst it does take longer to sign in and you do need your phone with you, this is a small inconvenience for the security offered.
There are several plugins which offer two-factor authentication, and it is available in some of the security plugins, though often as a premium feature. In addition, there is a new type of two-factor plugin called Clef, which works in a different way and doesn’t require any passwords at all. You can learn more about it by watching the video below.
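As an added example (not the article's text, and not the code of Clef or any other plugin it mentions), the must-use plugin below adds the second step the article describes, but with a code generated by an authenticator app on the phone (a time-based one-time password, RFC 6238) instead of a text message; the app derives the code locally from a shared secret, so nothing is sent over the phone network. The user-meta keys, the form field name and the enrolment of the secret are assumptions: a real plugin also needs a screen that stores a base32 secret for each user.

```php
<?php
/*
 * Plugin Name: Example TOTP second factor
 *
 * Added example for this article, not the code of any plugin it names.
 * Save as wp-content/mu-plugins/totp-second-factor.php. After the password
 * check succeeds, a six-digit time-based code (RFC 6238) must also be correct.
 * Assumed: each enrolled user has a base32 secret in user meta under
 * 'example_totp_secret' (a real plugin needs an enrolment screen for this).
 * Requires 64-bit PHP for pack('J').
 */

// Decode the base32 secret that authenticator apps are provisioned with; false if malformed.
function etf_base32_decode( $b32 ) {
    $b32 = strtoupper( rtrim( (string) $b32, '=' ) );
    if ( '' === $b32 ) {
        return false;
    }
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( $b32 ) as $ch ) {
        $val = strpos( $alphabet, $ch );
        if ( false === $val ) {
            return false;
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $raw = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) { // drop the trailing padding bits
            $raw .= chr( bindec( $byte ) );
        }
    }
    return $raw;
}

// HOTP (RFC 4226): HMAC-SHA1 over a 64-bit big-endian counter, dynamically truncated.
// TOTP is HOTP with counter = floor( unix time / 30 ).
// Check: etf_hotp( '12345678901234567890', 1 ) === '287082' (RFC 4226 test vector).
function etf_hotp( $secret, $counter, $digits = 6 ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % pow( 10, $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Returns the time step that matched, or false. Accepts one step of clock drift
// either way, refuses any step already used (a captured code cannot be replayed)
// and compares in constant time.
function etf_totp_check( $secret, $submitted, $now, $last_used_step ) {
    $current = (int) floor( $now / 30 );
    $matched = false;
    for ( $delta = -1; $delta <= 1; $delta++ ) {
        $step = $current + $delta;
        if ( $step > $last_used_step && hash_equals( etf_hotp( $secret, $step ), $submitted ) ) {
            $matched = $step;
        }
    }
    return $matched;
}

// Add a code field to the standard login form (login_form fires inside the <form>).
add_action( 'login_form', function () {
    echo '<p><label for="etf_code">Authenticator code<br />'
       . '<input type="text" name="etf_code" id="etf_code" class="input" size="20" '
       . 'autocomplete="one-time-code" inputmode="numeric" /></label></p>';
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so $user is a WP_User only when the password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) || ( '' === $username && '' === $password ) ) {
        return $user; // password step failed, or this is a cookie re-check rather than a form login
    }
    $secret_b32 = (string) get_user_meta( $user->ID, 'example_totp_secret', true );
    if ( '' === $secret_b32 ) {
        return $user; // not enrolled; a real deployment should require enrolment for administrators
    }
    $secret = etf_base32_decode( $secret_b32 );
    $code   = isset( $_POST['etf_code'] ) ? preg_replace( '/\D/', '', (string) $_POST['etf_code'] ) : '';
    $last   = (int) get_user_meta( $user->ID, 'example_totp_last_step', true );
    $step   = ( false === $secret || '' === $code ) ? false : etf_totp_check( $secret, $code, time(), $last );
    if ( false === $step ) {
        // Same error for a missing and a wrong code. wp_login_failed fires for this
        // error too, so a lockout plugin counts the attempt.
        return new WP_Error( 'etf_invalid_code', 'The authenticator code is missing or incorrect.' );
    }
    update_user_meta( $user->ID, 'example_totp_last_step', $step ); // this code cannot be used again
    return $user;
}, 30, 3 );
```

REST API and XML-RPC logins pass through the same authenticate filter, so a real plugin has to decide how those are treated (for example, by allowing application passwords only for that purpose); as written, any password login without a valid code is refused.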
5. Backup your data for quick and painless recovery
Ideally, you should choose a web host that provides a backup service as part of your hosting package. If this is not available, it is essential that you find an alternative way to back up your website files and your database in case your website is taken down or becomes infected. A backup can save years of work from being lost and ensure that your business is back online very quickly.
One alternative is to use a backup plugin which saves the data to storage such as Google Drive, Dropbox or your own computer’s hard drive. There are a number of backup plugins to choose from in the WordPress repository; check carefully which one offers the functions you need for your business.
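Whichever plugin you pick, the two things it must capture are the database and the wp-content directory (uploads, themes and plugins; core files can be downloaded again). The script below is an added example, not the code of any backup plugin, showing the same job done from the command line so it can run from cron: it dumps the database with mysqldump using the credentials in wp-config.php, archives wp-content, writes a SHA-256 manifest so a restore can be checked for corruption, and prunes old copies. WP_ROOT and BACKUP_DIR are placeholder paths; BACKUP_DIR must sit outside the web root.

```php
<?php
/*
 * Added example for this article, not the code of any backup plugin.
 * Command-line backup for a WordPress site, meant to be run from cron
 * (e.g. nightly: php /usr/local/bin/wp-backup.php) and never served over HTTP.
 * WP_ROOT and BACKUP_DIR are placeholders; BACKUP_DIR must be outside the web root.
 */

define( 'WP_ROOT',    '/var/www/example/htdocs' );
define( 'BACKUP_DIR', '/var/backups/example-wp' );
define( 'KEEP_DAYS',  14 );

if ( PHP_SAPI !== 'cli' ) {
    exit( 'command line only' ); // a backup endpoint reachable over the web would hand out the whole site
}

function fail( $msg ) {
    fwrite( STDERR, "backup failed: $msg\n" );
    exit( 1 );
}

// Read define('NAME', 'value') from wp-config.php without executing it
// (executing it would boot the whole of WordPress). Values containing quotes
// or a DB_HOST of the form host:port are not handled by this simple pattern.
function wp_config_value( $config, $name ) {
    $pattern = "/define\\(\\s*['\"]" . $name . "['\"]\\s*,\\s*['\"]([^'\"]*)['\"]\\s*\\)/";
    if ( ! preg_match( $pattern, $config, $m ) ) {
        fail( "$name not found in wp-config.php" );
    }
    return $m[1];
}

function run( $cmd ) {
    exec( $cmd . ' 2>&1', $output, $status );
    if ( 0 !== $status ) {
        fail( $cmd . "\n" . implode( "\n", $output ) );
    }
}

if ( ! is_dir( BACKUP_DIR ) && ! mkdir( BACKUP_DIR, 0700, true ) ) {
    fail( 'cannot create ' . BACKUP_DIR );
}

$config = file_get_contents( WP_ROOT . '/wp-config.php' );
if ( false === $config ) {
    fail( 'cannot read wp-config.php' );
}
$db = array();
foreach ( array( 'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST' ) as $name ) {
    $db[ $name ] = wp_config_value( $config, $name );
}

$stamp = gmdate( 'Ymd-His' );
$sql   = BACKUP_DIR . "/db-$stamp.sql";
$tar   = BACKUP_DIR . "/wp-content-$stamp.tar.gz";

// Pass the password through a 0600 options file rather than on the command line,
// where any local user could read it from the process list. The shutdown hook
// removes the file even if a later step fails.
$cnf = tempnam( sys_get_temp_dir(), 'wpbk' );
chmod( $cnf, 0600 );
register_shutdown_function( function () use ( $cnf ) {
    if ( file_exists( $cnf ) ) {
        unlink( $cnf );
    }
} );
file_put_contents( $cnf, "[client]\nuser={$db['DB_USER']}\npassword={$db['DB_PASSWORD']}\nhost={$db['DB_HOST']}\n" );
run( sprintf( 'mysqldump --defaults-extra-file=%s --single-transaction --quick --result-file=%s %s',
    escapeshellarg( $cnf ), escapeshellarg( $sql ), escapeshellarg( $db['DB_NAME'] ) ) );
run( 'gzip -f ' . escapeshellarg( $sql ) );
$sql .= '.gz';

// Uploads, themes and plugins live in wp-content; core files can be re-downloaded.
run( sprintf( 'tar -czf %s -C %s wp-content', escapeshellarg( $tar ), escapeshellarg( WP_ROOT ) ) );

// Manifest for integrity checking before a restore: cd BACKUP_DIR && sha256sum -c manifest-<stamp>.sha256
$manifest = '';
foreach ( array( $sql, $tar ) as $file ) {
    $manifest .= hash_file( 'sha256', $file ) . '  ' . basename( $file ) . "\n";
}
file_put_contents( BACKUP_DIR . "/manifest-$stamp.sha256", $manifest );

// Prune old copies. Copy BACKUP_DIR off the server afterwards (rsync, Drive, Dropbox):
// a backup on the same disk as the site does not survive a wiped or compromised server.
foreach ( glob( BACKUP_DIR . '/*' ) as $old ) {
    if ( is_file( $old ) && filemtime( $old ) < time() - KEEP_DAYS * 86400 ) {
        unlink( $old );
    }
}
echo "backup written: $sql, $tar\n";
```

A backup that has never been restored is untested: restore one of these archives into a throwaway site now and then, checking the manifest first, so you find out whether the copy is usable before you need it.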
We cannot stress enough the importance of securing your website: hackers are constantly trying to break into websites, and most website owners aren’t even aware that the attacks are taking place. The figures in the tables below show the number of blocked attacks on a small UK website over a two-week period.
By following our post-installation WordPress security tips, you will be protecting your website from the outset. As a result:
- your admin panel will be robustly secure
- hackers and spammers will be blocked
- malware will be prevented from infecting your site
- other forms of intrusion will be thwarted
- backups will help you recover quickly and ensure you keep trading
If you are looking for a web host that has expertise in WordPress security and offers dedicated WordPress hosting with a raft of security features included, visit our WordPress Hosting page.