Do you wake up in the morning and think "How can I secure my WordPress site today?"
No! I didn't think so.
Heck, it is not even what is on my mind and I think about WordPress A LOT. At best, I think "I should check my blog stats." The truth is, we shouldn't have to think about such things but we have no choice.
Hackers are out there doing their hacking thing and so we need to take steps to protect our digital property.
There are a host of efforts that you can take to protect your site. You can hire a company like Sucuri https://sucuri.net/. They are fantastic but they aren't cheap.
If you are on a budget and not ready to take on another expense, start protecting your site by taking these 9 actions today.
Important Note: Make sure that your site is backed up before you make any changes.
1. Change your admin passwords
It is not uncommon for a WordPress site to have multiple admin accounts. There is absolutely nothing wrong with that, so don't worry.
However, each username and password is an opportunity for a hacker.
This is why you should change the passwords for each admin on a fairly regular basis. My recommendation is to do this quarterly at a minimum.
How do you change the WordPress Admin Passwords?
Step 1: Log into WordPress with a user that has Administrator access.
Step 2: Click on Users
Step 3: Click on Administrator
This just allows you to only see the admin users.

Step 4: Click on Edit under a user
Step 5: Scroll down and click on Generate Password
Step 6: Create new password
Step 7: Write down new password
Step 8: Scroll down and click on "Update User"
Step 9: Repeat process for all Admin Users.
2. Delete Unused Themes
Elegant Themes is one of the most trustworthy WordPress theme shops out there. They create incredible products but even the greatest have vulnerabilities. This is just the reality that we live in.
You can read all about what happened with them right here: https://wptavern.com/critical-security-vulnerability-discovered-in-elegant-themes-products and how they responded. This is how a great and stable developer handles such a situation.
Why am I telling you this story?
Two things have to happen to secure a WordPress theme when a vulnerability is found. First, the developer has to be aware of it and release a fix. Second, the user (that's us) has to notice the update.
That is two points of potential failure and that is often enough for a hacker to have a joy ride. As a WordPress user the easiest way to remove points of failure is to delete all of the themes that you aren't using. Then you only have to keep an eye out for updates on one theme.
A common misconception is that if a theme isn't active on your site, it isn't vulnerable.
Let's clear that up right now. If a theme is installed on your site, it is vulnerable.
How to update a WordPress Theme:
Step 1: Log into WordPress Dashboard
Step 2: Click on Appearance
Step 3: Click on Themes
Step 4: Click on Theme to open it up
Step 5: Follow prompts to update theme.
How to delete a WordPress Theme:
Step 1: Log into WordPress Dashboard
Step 2: Click on Appearance
Step 3: Click on Themes
Step 4: Click on Theme to open it up
Step 5: Click on Delete
Step 6: Confirm Deletion
3. Update WordPress
WordPress powers 26% of the web. Users publish about 41.7 million new posts and leave 60.5 million new comments each month.
That is an outrageous amount of traffic to one platform which means it is a lovely lovely target for hackers. Considering the fact that WordPress is also open source software, it means that hackers can carefully study the code.
This is why updating WordPress when they have security updates is critical.
Of course, there are serious drawbacks to updating the WordPress core because you never know how a plugin or a theme is going to react.
It is not uncommon for a WordPress core update to break a website. Keep in mind that there are several layers to a WordPress site. All of these layers have to work together seamlessly or the site breaks down.
This is why it is critical to back up a website before you make any changes.

4. Update all Plugins
Again this is a risky venture so make sure that your site is backed up. You may also want to verify that this new plugin update isn't going to conflict with the current version of your theme.
Nothing but warnings here!!!
A few months back I had just finished helping a new client with his website. It was completely done and everything was just as he wanted it. Then one of his plugins had an update.
Seems simple enough right?
Well, after hitting update his entire site crashed. It was dead as dead can be. It took some intense research to discover that the latest version of that plugin would not work properly with the current version of WordPress. In the end we had to restore the site to the previous day.
Thank goodness the client had daily backups from his hosting company.
How to quickly know if plugins have updates waiting.
Step 1: Log into WordPress Dashboard
Step 2: Scroll down until you see Plugins on the left
Step 3: Is there a number next to Plugins?
If yes, there are plugins that have updates waiting. If there isn't a number, there are no updates at this time.
How to update your WordPress Plugins
Step 1: Log into WordPress Dashboard
Step 2: Click on Plugins
Step 3: Find a plugin that needs updating and click on "update now"
5. Update your theme

6. Hide the login page
Previously, we blogged about how hackers seriously hardcore want to get into your site. The reasons could range from using your site for SEO spam to other nefarious activities.
Regardless, a brute force attack is a time-consuming and difficult hack to recover from. While we can never 100% protect ourselves, there are some key things that we can do. One of them is to hide our /wp-admin page.
This just makes it a bit more difficult for the hacker to gain access to your WordPress blog.
So here is one more step that you can take today to protect your blog. You can change the log-in page to something secret.
- Install the plugin
- Activate the plugin
- Go to WordPress Dashboard
- Click on General Settings
- Click on General
- Scroll down to the bottom and change your "Login url"
- Click on "Save Changes"
Important Tip: Make a note of what you changed your login page to and even consider bookmarking it. Whatever you do don't hide it from yourself too.
7. Use Login LockDown
If a hacker has gotten to your login page the fight isn't over. There is still more that you can do. You can limit the number of login attempts over a certain period of time.
Now keep in mind that this works against you too. If you suddenly forget your password and try too many times, you will be locked out.
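The lockout behaviour described above, sketched as an added example (not code from the Login LockDown plugin or from this post): failed attempts are counted per IP address within a time window, and once the limit is hit even the correct password is refused until the lockout ends. The thresholds, the `LoginLimiter` class and the sample account are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3        # assumed: failed attempts allowed inside the window
WINDOW_SECONDS = 300    # assumed: only failures from the last 5 minutes count
LOCKOUT_SECONDS = 3600  # assumed: how long the address stays locked out


class LoginLimiter:
    """Hypothetical limiter: counts failed logins per IP in a sliding window."""

    def __init__(self, check_password):
        self.check_password = check_password  # stand-in for the real password check
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> time at which the lockout ends

    def attempt(self, ip, username, password, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"  # the right password is refused too: this is the self-lockout
        if self.check_password(username, password):
            self.failures.pop(ip, None)       # a successful login resets the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
        return "denied"


def demo():
    """Replay a constructed sequence of attempts and return each outcome."""
    users = {"renee": "correct horse battery"}  # constructed sample account
    limiter = LoginLimiter(lambda u, p: users.get(u) == p)
    a, b = "203.0.113.5", "198.51.100.7"        # documentation-range addresses
    return [
        limiter.attempt(a, "renee", "guess1", 0),
        limiter.attempt(a, "renee", "guess2", 10),
        limiter.attempt(a, "renee", "guess3", 20),                   # third failure locks a
        limiter.attempt(a, "renee", "correct horse battery", 30),    # still refused
        limiter.attempt(b, "renee", "correct horse battery", 40),    # other address is fine
        limiter.attempt(a, "renee", "correct horse battery", 3620),  # lockout has ended
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth attempt is the case the warning above is about: the owner types the right password from the locked address and is still turned away until the lockout expires.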
8. Is your computer secure?
Whether you are on a pc or a mac, you need to make sure that your computer is virus free. The best way to do this is to keep your computer up to date. Outdated software is a playhouse of joy for a hacker. It is how they find their way in. This is exactly why those annoying security updates really matter.
9. Is your web browser up to date?
Currently I run Google Chrome, Firefox and Safari on my primary machine. There are plenty of browsers to choose from these days. Take a moment and go verify that all of your browsers are up to date.
Conclusion
WordPress Security is a crucial part of your business. We all take our site for granted until something goes wrong. Fixing a hacked site or a broken site is time consuming, even for the pros. This is why doing all that you can to prevent attacks is critical. Not only does prevention save you a major headache but it can also save you a great deal of time and money. That is something that we can all get behind.
I haven’t been hacked on my site yet but someone gained remote access to my computer years ago and I still remember what a pain it was to fix – and how scary. Prevention is the key. Make it so hard they’ll pick on someone else. Great tips.
I’ve had my site hacked and it was a nightmare. I know your tips are spot on and necessary. I do use Sucuri and also learned a few things here. Thanks Renee!
Teresa,
Hi! It is really great to hear that these tips have added value for you. As always, if you have questions feel free to come back and ask away.
Blog on,
-Renee’
Great list of things we should be doing to protect our sites. As I was going down your list, I was feeling pretty good that I had done everything. Then I got to hiding the login. Ooops! Will be taking care of that right away.
Renee,
A great article and since I have kept up and got things together and keep up it hasn’t been touched. A great article.
Lori English
As you know, my website was hacked and disappeared! Boy, was that ever stressful. And also as you know, I did hire sucuri. Worth every penny!
But mostly, thank God I have you, Renee! I sure wouldn’t want to be navigating these waters without you!
I am bookmarking this page and will come back when I am fresh (that would be in the morning) and change the passwords. Thank you so much for not only making a recommendation, but also giving beautifully clear instructions on how to accomplish it!
What a fantastic comprehensive article! I need to do many of these things, and will be bookmarking this. Thanks for some great insight!
Robin,
That is fantastic to hear. If you ever have any questions please feel free to reach out. We all know how important WordPress Security really is.
Blog on,
-Renee’
Thanks for all the valuable tips in this post, Renee! I think I am pretty safe, but I did forward your suggestions to my developer…just to make sure. Although we don’t do daily backups, he does them enough to also have a very current website version ready. We just updated to WP 4.7 and I believe the spacing of my content is now more in the centre, with lots of white space in the sidebar and left margin. We’re constantly checking vulnerabilities of my site and taking the actions to stay secure. Appreciate your insights as always!
Hey Renee,
These tips are so important to remember, thank you for sharing!! I have had no issues with hackers but always good to know how to protect yourself and have a safe WordPress site :)
Security is something that’s overlooked a lot on self-hosted websites.
Webly,
Yes, it sure is. To be fair, security is also a bit of effort and it keeps us from creating content. However, since we spend so much time and tears on our blog, we seriously need to keep it secure.
Good Luck!
-Renee’
These are GREAT tips and all are very important. I wish more small business owners would take at least HALF of this stuff more seriously. Thanks for providing!
Renee. These are some great ideas. I am pretty careful about the updates but have not changed my password ever. Guess it’s time to do it!
Alene,
Yep, it is time. Just this morning I was thinking about this for all of my clients. It is time to send them a reminder.
Blog on!
-Renee’
Some great suggestions, Renee! I asked my web host (a friend) and she said she backs up my website every evening, so I do all updates the first thing in the morning before I do anything else. Saves a lot of aggravation in case I have to get a back up from her. I did go through my site and delete old themes at your suggestion and tomorrow I will work on your other suggestions. Thanks!
Carol,
That is so fantastic to hear. Knowing that you have those backups is a great comforting feeling.
Blog on,
-Renee’
Thank you for this great list of tips. This is something I never think about, so I need a kick up the behind sometimes to remind me of these things.
Sonya,
Awesome. Well let this be your kick because these things can be quite important. Good luck!
-Renee’
Renee, these are wonderful tips and I love how you have explained everything so clearly. Hopefully many will take your advice and perform some, if not all, of these tasks to keep their website secure!
Mindy!
Thank you so much. Blog security, WordPress Security and Website Security are so darn important. We all don’t like to think about it but it is urgent. In today’s world we have to lock our cars. We also need to lock up our blogs.
Blog on,
-Renee’
This is on my to-do list for sure! I’ve done the latest WP update, but I need to go back and do some of the other tasks. Thanks for the reminder! I’m also going to cross reference your suggested plugins too.
A lot of good suggestions, I did not know about the plug-in for how to hide the login page. And will try that out.
Katarina,
Yeah, that is a sweet plugin for sure. Just remember to make a note of that login page. :0
Cheers,
-Renee’
Thanks for identifying these. Nowadays, it is really important to back up all the time. Even though you pay for back up, it is a great idea as it is like your insurance. You never know when you would have an attack.
Lorii,
Yes, that is exactly right. It is like your insurance. It only matters when you need it.
Blog on,
-Renee’