With the recent warnings given by the National Cyber Security Centre urging all UK business owners and organisations to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine, it has never been more essential that you protect and secure your website and make it as secure as possible.
This article will give you five essential steps you can take today to protect your WordPress website which can be used as a WordPress security checklist with a handy infographic that you can download.
The security of our clients’ websites has always been an extremely important part of the service we offer here at Twisted Spire because we know that as a business owner, reputation is paramount to your success, and failure to protect yourself and secure your webpages against any known and avoidable issues could be detrimental to success.
At Twisted Spire, our website designers use purely WordPress for numerous reasons but ultimately because it is the most popular and robust platform available, powering nearly one-third of the world’s websites, which means it will not simply ‘boom and bust’ or fizzle out of existence any time soon.
However, because WordPress is so popular worldwide, it also gets a large proportion of unwanted attention which is why as a website owner, you need to be a little more vigilant regarding security. Use this essential WordPress security guide to help beef up your site.
Here are my five essential steps to protect your WordPress website from the majority of malicious attacks.
Why are you failing to protect your WordPress website admin login area? 9.5 times out of 10 when conducting a security health check on a client’s online presence, I find that the admin area is openly exposed to Joe Public and ripe for a brute force attack, where someone can try to hack in (with ease, for people with the right tools). It’s the same as leaving a front door key under the welcome mat: you are simply inviting trouble in.
Try it out yourself right now and check five direct competitors above and below you in Google Rankings by simply typing either /wp-admin or /wp-login.php after their website address, for example www.yourdomain.co.uk/wp-admin. How many do you think you will find with open access to their admin area? 3, 6, 9?
There are many plugins available to hide the admin area, but WPS Hide Login is my favourite choice as it is a very light plugin that lets you easily and safely change the URL of the login page to anything you want and works on any WordPress website.
Download this WordPress Security Guide Infographic. Keep it next to your computer or share it with your friends, colleagues and family as a reminder of actions you can take to stay safe.
We all know of, or have certainly used, Two-Factor Authentication (2FA) before. It’s a method becoming more and more popular for logging into sensitive places like bank accounts and social media profiles. It secures an account by requiring that you not only know something (a password) to log in but also that you possess something (a mobile device). The benefit of this approach to security is that even if someone guesses the password, they need to have also stolen a physical possession to break into the account.
My preference for this is a plugin called Wordfence, which has a host of powerful security features including 2FA.
After entering your username and password to enter the admin area, you are required to enter a code from either your mobile phone or a secret code that was given to you when the system was set up.
It is VITAL to keep your core WordPress files and any plugins updated to their latest versions to protect your WordPress website. Most of the new WordPress and plugin versions contain security patches. Even if those vulnerabilities cannot be easily exploited most of the time, it is important to have them fixed.
At Twisted Spire we check and update our clients’ managed websites daily, as part of one of our core services, to ensure that all vulnerabilities are patched as soon as the relevant information is available.
The steps listed in this essential WordPress security guide are in no particular order as many people have different opinions on which action ranks higher than the next.
You can limit the number of times the wrong password or username is used to try to enter a website and block the offender for a set amount of time. This reduces the chances of malicious brute force attacks being successful – provided your username isn’t ‘admin’ and password ‘1234forgetmenot’.
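One way to apply this limit without a plugin, as an added example that is not from the original article or from any plugin it names: a small must-use plugin built on WordPress's wp_login_failed, authenticate and wp_login hooks. The file name, the ex_ prefix, the threshold of 5 failures and the 15-minute lockout are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter (added illustration)
 * Assumed location: wp-content/mu-plugins/example-limit-logins.php
 */

const EX_MAX_FAILURES = 5;    // assumed threshold of failed attempts
const EX_LOCKOUT_SECS = 900;  // assumed lockout length: 15 minutes

// One counter per client address. REMOTE_ADDR is used on purpose:
// headers such as X-Forwarded-For can be set by the client. Behind a
// reverse proxy or CDN this is the proxy's address, so every visitor
// would share one counter; resolve the real address at the proxy first.
function ex_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_fail_' . md5( $ip );
}

// Count every failed login. Each failure restarts the expiry timer, so
// an address that keeps guessing stays locked out.
add_action( 'wp_login_failed', function () {
    $key      = ex_login_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, EX_LOCKOUT_SECS );
} );

// Runs after WordPress's own password check (priority 20), so a
// locked-out address is refused even when the password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // plain view of the login form, nothing submitted
    }
    if ( (int) get_transient( ex_login_key() ) >= EX_MAX_FAILURES ) {
        return new WP_Error(
            'ex_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ex_login_key() );
} );
```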
Whitelist IP Address
If you only use a single point to access your website’s admin area, such as a home or work computer, consider whitelisting your IP address.
By whitelisting your IP address you will be only allowing access to your website from a device connected to the home or work network helping you to protect your WordPress website even more.
If, however, you like to access the admin area of your website from different locations, such as when out and about and using a laptop in Costa Coffee (NOT RECOMMENDED), then whitelisting the IP address would not be recommended, as it is the IP address of the network you are using to connect to the internet, not the actual machine (laptop) you are using.
If your computer is infected with a virus or other malware, a potential attacker can gain access to your login details and make a valid login to your site, bypassing all the measures you’ve taken before. This is why it is very important to have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.
My advice is DO NOT USE free anti-virus software; you are just asking for trouble. Instead, invest in a well-known brand, avoid buying directly from the software developer and shop around. There are often some great offers available from PC World as well as online platforms. I recently got a great deal on Amazon, probably the last place people would think of buying anti-virus software.
I hope this article was useful and that you take the steps listed above in the WordPress security checklist, implementing all of the actions suggested.
If you require any assistance protecting your WordPress website please do contact me direct. Provided you have administrative rights to your website I can assist you whether your site is hosted with Twisted Spire or not.
Do not delay: action the WordPress security checklist today and keep your website safe, secure and online.
Do not forget to download the above infographic to use as an aide-mémoire, and do subscribe to my newsletter for handy hints and tips to keep your website in tip-top condition and get the most from it.