Your Essential WordPress Security Guide for Site Safety
Welcome to the Essential WordPress Security Guide.
With a substantial increase in cybercrime and a direct link between website security and SEO rankings, it has never been more essential that you protect your WordPress website and make it as secure as possible.
For a small business owner, reputation is paramount to success, and failing to protect yourself and your WordPress website's visitors against known and avoidable issues could be detrimental to that success.
At Twisted Spire, our website designers use WordPress exclusively, for numerous reasons but ultimately because it is the most popular and robust platform available, powering nearly one-third of the world's websites. That means it will not simply 'boom and bust' or fizzle out of existence any time soon.
However, because WordPress is so popular worldwide, it also attracts a large proportion of unwanted attention, which is why, as a website owner, you need to be a little more vigilant about security. Use this essential WordPress security guide to help beef up your site.
So, what can you do to protect your visitors? Here are my five essential steps that you can take today to protect your WordPress website from the majority of malicious attacks.
1. Hide the Admin Area
Why do so many people not restrict access to the WordPress admin area? 9.5 times out of 10, when conducting a security health check on a client's online presence, I find that the admin area is openly exposed to Joe Public and ripe for a brute-force attack, where someone can try to hack in (with ease, for people with the right tools). It is the same as leaving the front door key under the welcome mat: you are simply inviting trouble in.
Try it out yourself right now: check five direct competitors above and below you in the Google rankings by simply typing either /wp-admin or /wp-login.php after their website address. How many do you think you will find with open access to their admin area? Three, six, nine?
There are many plugins available to hide the admin area, but WPS Hide Login is my favourite choice, as it is a very light plugin that lets you easily and safely change the URL of the login page to anything you want, and it works on any WordPress website.
Download this WordPress Security Guide Infographic. Keep it next to your computer or share it with your friends, colleagues and family as a reminder of actions you can take to stay safe.
2. Use Two Factor Authentication (2FA)
We have all heard of, and most of us have used, Two-Factor Authentication before. It is an increasingly popular method for logging into sensitive places like bank accounts and social media profiles, and it secures an account by requiring that you not only know something (a password) to log in but also possess something (a mobile device). The benefit of this approach is that even if someone guesses the password, they would also need to have stolen a physical possession to break into the account.
My preference for this is a plugin called Wordfence, which has a host of powerful security features, including 2FA.
After entering your username and password to enter the admin area, you are required to enter a second code: either a code from your mobile phone or a secret code that was given to you when the system was set up.
3. Keep your WordPress site and plugins up-to-date
It is VITAL to keep your core WordPress files and any plugins updated to their latest versions. Most new WordPress and plugin versions contain security patches. Even if the vulnerabilities they fix cannot usually be exploited easily, it is important to have them patched.
At Twisted Spire, we check and update our clients' managed websites daily, as part of one of our core services, to ensure that all vulnerabilities are patched as soon as the relevant information is available.
4. Limit Login Attempts
The steps listed in this essential WordPress security guide are in no particular order, as many people have different opinions on which action ranks higher than the next.
You can limit the number of times a wrong password or username can be used to try to enter a website, and block the offender for a set amount of time. This reduces the chances of a malicious brute-force attack succeeding, provided your username isn't 'admin' and your password isn't '1234forgetmenot'.
Whitelist Your IP Address
If you only use a single point to access your website's admin area, such as a home or work computer, consider whitelisting your IP address.
By whitelisting your IP address, you allow access to your website's admin area only from a device connected to that home or work network.
If, however, you like to access the admin area of your website from different locations, such as on a laptop in Costa Coffee when out and about (NOT RECOMMENDED), then whitelisting an IP address is not recommended, because the address that gets whitelisted is the IP address of the network you are using to connect to the internet, not that of the actual machine (laptop) you are using.
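Limiting login attempts and whitelisting an IP address both come down to the same two questions: which addresses are failing to log in too often, and which are trusted? The following added example (my own, not the article's or any plugin's code) applies that logic to a few constructed access-log lines for wp-login.php; the IP addresses, timestamps and the 3-failures-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
# WordPress answers a failed login with HTTP 200 (form re-rendered) and a success with 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.88"
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Oct/2023:14:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins(log_text):
    """Map each client IP to the timestamps of its failed POSTs to wp-login.php."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status != "302":
            attempts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return attempts

def brute_force_sources(log_text, allowlist=(), threshold=3, window_seconds=60):
    """Return {ip: total_failures} for IPs with >= threshold failures in any window_seconds span."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        if ip in allowlist:      # the whitelisted home/office address is never blocked
            continue
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1       # drop attempts that fell out of the sliding window
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Run against the sample with `allowlist={"192.0.2.9"}` and only 203.0.113.7 is flagged: the user who failed once and then succeeded is ignored, the whitelisted office address is exempt, and the three failures spread over ten minutes never fit inside one 60-second window.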
5. Ensure your computer is free of viruses and malware
If your computer is infected with a virus or other malware, a potential attacker can capture your login details and make a valid login to your site, bypassing all the measures you have taken before. This is why it is very important to run an up-to-date antivirus program and to keep the overall security of every computer you use to access your WordPress site at a high level.
My advice is: DO NOT USE free anti-virus software, you are just asking for trouble. Instead, invest in a well-known brand, avoid buying directly from the software developer and shop around; there are often some great offers available from PC World as well as online platforms. I recently got a great deal on Amazon, probably the last place people would think of buying anti-virus software.