How To Keep Your WordPress Site From Being Hacked

Overnight, you notice a new link on your WordPress site. It’s a bit strange, because you don’t remember adding that one, but you assume you just forgot. A few days later, you see another one. Suspicious, you click on it – and quickly realize it’s a site you’ve never even heard of, let alone tried to direct people to.

You’ve been hacked, but an extra link or two is the least of your worries. If someone gains access to your WordPress site, they can add malicious links or even redirect your entire site to a different address. In the worst cases, hackers can lock you out of your own site entirely.

How do you prevent this from happening to you? How can you keep your WordPress site from being hacked? We’ll cover some reliable tips to keep your WordPress site safe and secure.

The importance of WordPress security

Roughly half the WordPress sites out there have been or will be hacked in some way. Relatively few of those will be the drastic worst-case scenarios, but all will somehow harm your site and benefit someone else’s.

If your business is hosted on WordPress, then basic WordPress security is a fundamental aspect of your business. You wouldn’t leave the front door to your bricks-and-mortar shop unlocked when you went home for the evening, so don’t leave your virtual front door open to attackers.

Fortunately, WordPress security doesn’t have to be overly complicated.

Basic WordPress security steps (no coding)

How to prevent a hack on your WordPress site? Let’s start with the basics.

  • Update WordPress

You don’t have the time to manually check for bugs, add new functionality, and address known problems with your WordPress software. Fortunately, that’s exactly why WordPress regularly issues updates. Keep your core software up-to-date to take full advantage of the hard work WordPress developers are doing to keep you safe. It’s not foolproof, but it’s a crucial first step.

While you’re at it, don’t forget to also update your themes and plugins, which will often have their own updates separately.

  • Use strong passwords

Your old “Irock123” password isn’t going to cut it, particularly if you use the same password for multiple websites. And let’s face it, we all have dozens of website passwords to remember, so it’s easy to fall back on the same one. We all do it – data from security breaches shows that the most commonly used password has been either “password” or “123456” for the past decade.

Don’t be one of those people. The majority of WordPress hacks stem from stolen passwords, so use a strong one and rely on a password manager to remember it for you. It may seem like an extra hassle, but it’s one more step on the road to WordPress security.

  • Change “admin” username

This goes hand-in-hand with using a strong password. WordPress hackers are well aware that “admin” is the default username; unless you change that default, they get half of the username/password combination for free. Don’t make it any easier on them – change your “admin” username to something unique.
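As an added illustration (not code from the article or from WordPress itself), the must-use plugin below refuses any login attempt that uses the guessable default names and records every failed login in the PHP error log, so repeated guessing is visible to you. The hook names are real WordPress hooks; the file name, the list of blocked names and the log format are assumptions for this example, and it presumes you have already renamed the real “admin” account as the article advises.

```php
<?php
/**
 * Plugin Name: Block default admin username (added example)
 * Save as wp-content/mu-plugins/block-admin-login.php so it loads on every request.
 * Hypothetical hardening snippet written for this article; hook names are real.
 */

// Usernames that attackers guess first. Assumption: the real account has
// already been renamed, so nothing legitimate should ever log in as these.
const BLOCKED_LOGIN_NAMES = array( 'admin', 'administrator', 'root' );

// The 'authenticate' filter runs before WordPress accepts a password. Returning
// a WP_Error rejects the attempt; the generic message avoids confirming whether
// such an account exists.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $name = strtolower( trim( (string) $username ) );
    if ( in_array( $name, BLOCKED_LOGIN_NAMES, true ) ) {
        return new WP_Error( 'blocked_username', __( 'Invalid username or password.' ) );
    }
    return $user;
}, 30, 3 );

// Record every failed login (wrong password or blocked name) so that bursts of
// attempts show up in the server's error log.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'WP login failed: user=%s ip=%s', sanitize_user( (string) $username ), $ip ) );
} );
```

Priority 30 runs after WordPress’s own username/password check (priority 20), so a correct password for a blocked name is still turned into an error. Files in `wp-content/mu-plugins/` cannot be deactivated from the dashboard, which is why this kind of hardening belongs there rather than in an ordinary plugin.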

  • Run a tight ship

Two aspects to this tip. First, don’t give your password to anyone. If you do have to grant administrator permission to someone, be sure you know and trust them and that they understand what the expectations are for them to use the site.

Second, delete old post revisions in WordPress. Keeping old versions of posts can be handy if you need to go back and undo a change, but over time they can clutter up your server, take up space, and slow things down.

Keep a tight, clean website and leave fewer openings for bad actors to exploit.

  • Use a WordPress security plugin

There are a number of security plugins available for WordPress sites. Of course, be careful – when you add a plugin, you’re adding a security risk. But a high-quality and well-respected plugin can boost your website security immensely.

What exactly do they do? Most add extra checks at login, such as additional security keys and passwords, and also provide a firewall that blocks attacks before they can even land.

  • Always apply a security certificate

TLS/SSL certificates encrypt your information as it transfers between your website and a user’s browser. Think https instead of http. When you see https, it’s a sign a security certificate has been applied to a site. Applying a security certificate to your site has never been easier, or cheaper. There is no excuse not to add one to a site today. In fact, depending on the features available on your site, it’s possible that a free certificate that can be applied in minutes is perfectly acceptable for your site security. Check with your host and see what TLS options they have available. For us, we are fans of Let’s Encrypt, which in February issued its billionth TLS certificate.
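Installing the certificate is only half the job: visitors who type the plain http address still need to be moved onto https. The must-use plugin below, written for this article rather than taken from WordPress or any plugin, redirects every plain-HTTP request to the same page over HTTPS and, once the site is fully on HTTPS, sends an HSTS header so browsers stop trying http at all. All WordPress functions used are real; the file name, the 180-day HSTS lifetime and the assumption that your proxy or CDN sets `X-Forwarded-Proto` are specific to this example.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 * Save as wp-content/mu-plugins/force-https.php. Written for this article,
 * not part of WordPress or any plugin. Enable it only after the site already
 * loads correctly at https://, otherwise the redirect will lock visitors out.
 */

// 1. Send every plain-HTTP browser request to the HTTPS version of the same URL.
//    home_url() builds the target from the configured site address rather than
//    the request's Host header, so a forged Host cannot turn this into an open
//    redirect. WP-CLI and cron runs have no browser to redirect, so they are skipped.
add_action( 'init', function () {
    if ( is_ssl() || wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    wp_safe_redirect( home_url( $uri, 'https' ), 301 );
    exit;
}, 1 );

// 2. Once everything is served over HTTPS, tell browsers to remember that for
//    180 days (assumed value). Start with a short max-age and raise it only
//    after confirming no page or asset is still http-only.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=15552000' );
    }
} );
```

Two companion settings go in `wp-config.php` rather than in the plugin: `define( 'FORCE_SSL_ADMIN', true );` keeps the dashboard and login page on HTTPS, and if a proxy or CDN terminates TLS in front of the server (so PHP only ever sees plain HTTP), set `$_SERVER['HTTPS'] = 'on'` when `$_SERVER['HTTP_X_FORWARDED_PROTO']` equals `https`, but only if that proxy really sets the header, since otherwise a client could supply it.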

  • Don’t forget your basics!

Don’t log in to your site on public Wi-Fi. Change the administrator username. Back up your site. It’s all basic stuff, but it can be easy to overlook these steps. They may be simple, but they’re the foundation of a good approach to WordPress security.

Advanced WordPress security steps (some with coding!)

Not content with the basics? Here are some steps for anyone who is willing to go through some extra work. One or two might also require a bit of basic coding.

  • Turn on two-factor authentication

You’ll need to download the Two Factor Authentication plugin. You’ll also need a two-factor authentication app on your phone. Once you’ve installed both, you’ll be able to scan a QR code with your phone; this will generate a code in your app which you’ll need to enter in order to log in.

Two-factor authentication is quite simple to do, and adds a step which is quite common in the real world: a second way of verifying who you are. If you’ve ever been asked for a credit card’s security code and ZIP code, then you’ve done 2FA in real life. It makes even more sense online, and many 2FA plugins also let you receive the code by email instead.
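To show what actually happens between the QR code, the phone app and the site, here is an added example of the time-based one-time password scheme (RFC 6238 TOTP) that authenticator apps implement. It is written for this article and is not code from WordPress or from the Two Factor Authentication plugin; the function names, the 30-second step, the one-step drift window and the demo secret are assumptions. The QR code carries a base32 secret; both the app and the server derive a six-digit code from that secret and the current time, and the server must compare in constant time and refuse to accept the same code twice.

```php
<?php
// Added example for this article: the TOTP computation shared by the phone app
// and the site. Not code from WordPress or any plugin.

/** Decode the base32 secret that the QR code hands to the phone app. */
function totp_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( false === $v ) {
            throw new InvalidArgumentException( 'secret is not base32' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

/** The code for one 30-second time step: HMAC-SHA1 of the step counter, then RFC 4226 truncation. */
function totp_code( string $secret, int $step, int $digits = 6 ): string {
    $counter = pack( 'J', $step );                       // 8-byte big-endian counter
    $hmac    = hash_hmac( 'sha1', $counter, $secret, true );
    $offset  = ord( $hmac[19] ) & 0x0f;                  // dynamic truncation offset
    $binary  = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hmac[ $offset + 1 ] ) << 16 )
             | ( ord( $hmac[ $offset + 2 ] ) << 8 )
             | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Server-side check. Accepts the current step and one step either side (clock drift),
 * compares in constant time, and rejects any step at or before the last accepted one so
 * a captured code cannot be replayed. Returns the accepted step, or null on failure;
 * the caller stores the returned step per user as the new $last_used_step.
 */
function totp_verify( string $b32secret, string $submitted, int $now, int $last_used_step ): ?int {
    $secret = totp_base32_decode( $b32secret );
    $step   = intdiv( $now, 30 );
    foreach ( array( 0, -1, 1 ) as $delta ) {
        $candidate = $step + $delta;
        if ( $candidate <= $last_used_step ) {
            continue;                                    // replay protection
        }
        if ( hash_equals( totp_code( $secret, $candidate ), $submitted ) ) {
            return $candidate;
        }
    }
    return null;
}

// Constructed demo using the RFC 6238 test secret (ASCII "12345678901234567890" in base32).
$demo_secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$app_code    = totp_code( totp_base32_decode( $demo_secret ), intdiv( 59, 30 ) );
echo "code the app shows at t=59: {$app_code}\n";
var_dump( totp_verify( $demo_secret, $app_code, 59, -1 ) );   // accepted: returns step 1
var_dump( totp_verify( $demo_secret, $app_code, 59, 1 ) );    // same code again: null
```

For that secret and t=59, RFC 6238’s published test vector gives 287082 as the six-digit code, which is what the demo computes. The replay rule is the part plugins most often get wrong: within the 30-second window a code is valid more than once unless the server remembers the last step it accepted.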

  • Log out idle users

With the right plugin, you can use the same trick your bank does – logging off inactive users. An inactive-logout plugin lets you boot out anyone who isn’t actively using the site.
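The mechanism behind such a plugin is small enough to show in full. The must-use plugin below is an added example written for this article, not WordPress core code or any existing plugin: it records each logged-in request as the user’s latest activity, ends the session once the gap exceeds a limit, and separately caps how long any login cookie lives. The hooks and functions are real WordPress APIs; the file name, the 30-minute limit, the meta key and the one-day cookie cap are assumptions.

```php
<?php
/**
 * Plugin Name: Idle logout (added example)
 * Save as wp-content/mu-plugins/idle-logout.php. Written for this article,
 * not WordPress core or any existing plugin.
 */

const IDLE_LOGOUT_SECONDS  = 30 * 60;                    // assumed limit: 30 minutes
const IDLE_LOGOUT_META_KEY = '_idle_logout_last_seen';   // assumed user-meta key

add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta( $user_id, IDLE_LOGOUT_META_KEY, true );

    if ( $last > 0 && ( $now - $last ) > IDLE_LOGOUT_SECONDS ) {
        // Idle too long: destroy the current session token, clear cookies and
        // send the user to the login page with a marker explaining why.
        delete_user_meta( $user_id, IDLE_LOGOUT_META_KEY );
        wp_logout();
        wp_safe_redirect( add_query_arg( 'idle_logout', '1', wp_login_url() ) );
        exit;
    }
    // Still active: stamp this request as the latest activity.
    update_user_meta( $user_id, IDLE_LOGOUT_META_KEY, $now );
} );

// Tell the user what happened instead of silently bouncing them to the login form.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['idle_logout'] ) ) {
        $message .= '<p class="message">' . esc_html__( 'You were signed out after a period of inactivity.' ) . '</p>';
    }
    return $message;
} );

// Independently of idleness, cap the lifetime of the login cookie so a stolen
// cookie expires within a day rather than WordPress's default of two days,
// or fourteen with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return min( $seconds, DAY_IN_SECONDS );
}, 10, 3 );
```

Two caveats worth knowing before relying on this: the activity stamp is per user, not per browser session, so logging in from two devices shares one timer; and the dashboard’s Heartbeat requests (sent while a post editor tab is open) hit `init` too, so an open editor tab counts as activity even if nobody is typing.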

  • Add security questions to login screen

Once again, you can download a plugin to add security questions to your login requirements. A hacker may be able to figure out your password, but do they know the name of your childhood pet salamander?

Conclusion

Most of these tips focus on two areas: technical WordPress tools such as modified code, firewalls, and security plugins; and stricter login requirements.

Adding two-factor authentication and security questions to your login doesn’t make it impossible to be hacked, but it can make you a tough target. Firewalls and a good web host will stop many attacks before they even start.

WordPress security doesn’t have to be hard, but it’s almost always worth the effort.