May 27th, 2017
Our top tips for WordPress Security.
We’ve seen a lot of WordPress hacks over the years, from viagra adverts taking over a brand’s home page, to fake PayPal pages that can steal sensitive user details from eCommerce websites. So we wanted to provide some tips on how to keep your site as safe as possible.
WordPress in general gets a lot of stick when it comes to security, but it’s not so different to any other system, website software or digital platform.
You’re safest online, whether a person or a business, when you observe some key points to cover your back. We’ve collated our top tips from our in-house WordPress specialists on how we keep our own systems and our customers websites (and their data) as secure as possible.
So here goes…
Keep WordPress Updated
The WordPress CMS, like the internet itself, is ever-evolving and growing. Updates to the software are released on a regular basis to keep things nice and secure, as well as to release new features.
Updates can scare people, but they’ve become commonplace in our lives. Just look at iPhones – user’s apps just update in the background now without even knowing it’s happened.
As a Development Agency, we’ve experienced that the biggest reason causing hacked websites is simply that they’re on a far outdated version of WordPress. If you keep the software regularly up-to-date, it’s a lot more secure.
Quick tip: for an internet-critical business, updates are best performed in a staging environment and tested before affecting your live website.
Keep Plugins Updated
Similar to updating your software, it’s important to make sure your WordPress plugins are also up-to-date.
Some plugins even have connections to third-party sources and for various reasons can pass data back and forth to your website. This makes them a point of vulnerability if your security is out of date. Hackers often attack plugins to exploit access to your website and the data it stores/handles.
Using the plugin dashboard in WordPress is nice and easy. Make sure every plugin you’re running is fresh and up-to-date.
Quick tip: make sure you delete any inactive plugins that you’re not using, as you’re less likely to monitor these and if something’s wrong with them, you probably won’t know about it.
Use Secure Login Passwords
This one annoys everyone, myself included, but let’s keep with the times!
Your website is at its safest when you maintain a secure password (not something like jeff123) for your WordPress login area. The best passwords are 10 characters or more and include a mixture of uppercase and lowercase letters, numbers and symbols. The simple reason for a stronger password? They’re harder to crack.
And yes, they’re tougher to remember, they’re less convenient than your pet, favourite celebrity or your boyfriend’s name, but they’re the start of keeping your online data nice and safe. This is especially important if your customer’s data is in the back-end of your WordPress site too.
And if your password is essentially your company name… don’t get me started.
Systems like LastPass or Dashlane are really handy for safely storing and quickly retrieving complicated passwords. After all, you’re more likely to do it when it’s easier to login, aren’t you? I know I am.
Quick tip: try not to use the same password for your WordPress login as you use for other websites like social media profiles, accounting software, etc. If they’re the same and those other websites are hacked, the bad guys could use your password to login to your website, and vice versa.
Update Your Passwords
More than just having a strong password, you’re a lot safer online if you change your password regularly.
There’s a really awesome, simple website that let’s you generate a strong password really quickly. Check out strongpasswordgenerator.com.
And it’s not just your WordPress login that it’s important to do this for. Make sure your hosting account, domain account, FTP login details and other methods of accessing your customer’s data all have regularly updated passwords. Stay one step ahead from those hackers – keep them guessing.
Keep it fresh, keep it safe.
Quick tip: if your website users have login details to access your site, in the event that your website data is compromised, it may be a good idea to ask your customers/users to reset their password. There are ways of automating this process to force them to login and reset their password.
Limit Login Attempts
Have you heard of brute force attacks? If you have, it’s no surprise, as they’re the most common form of website hacking.
They happen when a hacker repeatedly attempts to login to your website or server until they crack your password. A simple way of preventing this from happening is to limit the number of login attempts allowed on your site.
There are plugins available to do this for small and simple sites, but the best way of handling this is to have a professional server firewall in place.
Quick tip: a good WordPress host will have dedicated systems in place to prevent brute force attacks. It’s worth enquiring with them to make sure this is something they provide. Brute force attacks are horrible and can often bring down a whole website if there’s nothing in place to help prevent them.
Don’t Use Cheap Hosting
This sort of follows on from the last point, but it’s an important one for those who value their website security.
Your open-source WordPress website is an investment into your business, just like a beautiful shop fitting for a high-street retailer. Your hosting is like your shop rent, but on the internet (and much cheaper in most cases).
Bad hosting causes a lot of problems for website owners, so it’s worth getting the best server management you can afford. Companies who specialise in WordPress hosting will always help you get the best out of your website security as well as speed optimisation and more.
Hosts who care, and who know most about the software your website is running on, are less likely to experience hacked websites.
A report by WP White Security showed that 41% of hacked WordPress sites were as a result of the host, not the website itself. This is down to good practices such as having a WordPress firewall in place.
Quick tip: WordPress specialist hosts know what they’re talking about, so when they suggest using the latest versions of PHP, core software and uninstalling certain plugins that could be vulnerable, it’s well worth listening to them.
Use an SSL Security Certificate
SSL (secure sockets layer) is a crucial element in protecting your customer’s data when they’re using your website. Google have become a big fan of this, as they strive to promote better and better security standards across the internet.
In fact Google are evolving their SSL policy over time to almost force website owners to use them, by showing users whether a website is secure or not when using the Chrome internet browser.
These security certificates, in their simplest form, create an encryption to safely pass data between a viewer and the website server. They are especially critical when taking card details online and are more common on eCommerce websites at the moment. But soon enough they’ll be required on every website, regardless of the type of activity.
We’re a big fan of SSL, as you can imagine. They increase website security vastly. Something well worth having in place to make sure your customer’s data is collected securely.
Quick tip: there are free SSL certificates available. If you’re website is running a CDN though, to help images load faster, you’ll have to buy a ‘wildcard SSL certificate’ which should cost around £200.
Just in case something does happen, it’s a good idea to make sure your data is all backed up, regularly.
As a business, the data you collect and the content you produce on a daily/weekly basis are valuable. Backups are a good way of making sure this is never lost. And another big reason for backups is the ability to roll your website back to a previous version if something goes wrong, which is a really quick way of reversing any malicious code that’s been added to your site.
Backups can be taken by your hosting provider and also by the development agency who manage your website. There are standard types of backup for your WordPress site, server backups and off-site backups.
Server backups are stored on the same server as your website. Off-site backups are collected and stored on a third-party server.
Quick tip: it’s great to have a server backup, they’re nice and quick to restore. Off-site backups are far better though, just in case the server running your website experiences a serious issue, your data would all be retrievable from a different, unaffected location online.
Run Security Software
This seems like a bit of an obvious point, but we’re still surprised at how few businesses running WordPress have some kind of security scanner in place on their site.
There are plenty of good and bad plugins out there to handle this, but our favourite is by far is the security scanner by Sucuri. They’re leaders in website security and collate data from all vulnerabilities and hacks to know when your website is likely to experience issues.
The purpose of Sucuri’s software is to stop attacks against your website and then, if something does happen, to help clean up your website.
Quick tip: be careful, there are a lot of security plugins out there that can actually make your website more vulnerable than protected! Various plugins also cause slower loading speeds for your site, which isn’t helpful at all.
What would an awesome, lengthy blog post be without a quirky sales message?
Seriously though, if you’ve got questions about WordPress security, or your experiencing a vulnerability at the moment, then one of our experts would love to help.
This is what we do, all day every day, so please give us a shout: call 02921 961661 or email [email protected] for more info. We don’t bite.