I love building websites using the WordPress framework and so does the rest of the Internet community.
27% of the web uses WordPress, from hobby blogs to the biggest news sites online.
— WordPress.org
The downside to using such a popular system is that it puts you at risk of hackers and malicious attacks against your website. I’ll cover a few basic steps you can take to help protect your website from an attack.
1. Ensure WordPress Core, Themes and Plugins are kept up-to-date
Outdated software is the #1 cause of security issues for WordPress websites. At the very least you should be checking for updates to WordPress Core, Themes and Plugins every month and updating them whenever you see an update is available.
If you don’t log into your website often, you can set up automatic updates via the wp-config.php file. Learn more about configuring automatic updates from the WordPress Codex.
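As an added example (my own code, not from WordPress.org or from any plugin mentioned in this post), the following must-use plugin opts a site into background updates for core, plugins and themes. It uses WordPress’ built-in WP_AUTO_UPDATE_CORE constant and the auto_update_plugin / auto_update_theme filters; the file name, the Plugin Name header and the held-back plugin slug are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Auto Updates Policy
 * Description: Added example: opt in to background updates for core, plugins and themes.
 *
 * Save as wp-content/mu-plugins/auto-updates.php (file name is an assumption).
 * Must-use plugins load on every request with no activation step.
 */

// Core updates. 'minor' = security and maintenance releases only (the default
// behaviour), true = every core release, false = disable background core updates.
// The canonical place for this define() is wp-config.php above the line
// "/* That's all, stop editing! */"; defining it here also works because
// wp-config.php has already been loaded by the time mu-plugins run.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins are not auto-updated unless a filter says so. $item->plugin is the
// plugin file relative to wp-content/plugins, e.g. "akismet/akismet.php".
add_filter(
	'auto_update_plugin',
	function ( $update, $item ) {
		// Constructed example: a plugin that must be tested by hand before each
		// release keeps the manual-update workflow. Slug is hypothetical.
		$hold_back = array( 'example-plugin/example-plugin.php' );
		if ( in_array( $item->plugin, $hold_back, true ) ) {
			return false;
		}
		return true;
	},
	10,
	2
);

// Themes: same idea, update everything in the background.
add_filter( 'auto_update_theme', '__return_true' );
```

Background updates run from WP-Cron, so a site that receives no traffic at all still needs a real cron job (or an occasional visit) for them to fire; the Dashboard → Updates screen shows what actually got applied.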
2. Remove Unused Themes and Plugins
In addition to keeping everything updated, you should also make certain that the plugins and themes you have installed are all being used. Sometimes you’ll try out a few plugins or themes before finding one that suits your needs. Remember to deactivate and delete all the other plugins or themes to limit any vulnerabilities that the files may contain.
When choosing plugins or themes, make certain you get them either from the WordPress repository or from a trustworthy site.
3. Choose a Unique Username
We strongly recommend choosing a unique username. The most common username attempts that we see via our security plugin are:
- admin
- your domain name (e.g. norlink)
- a variation on your business name
We recommend setting up usernames based off the person who will be using the account and creating separate logins for each person. Don’t forget to set their nickname under their profile to something different than their login name.
4. Use a Strong Password
Along with setting a unique username, using a strong password will also help. We love using Free Password Generator to create passwords for us so that each client has their own unique password.
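The username and password advice in steps 3 and 4 can be enforced rather than just recommended. As an added example (my own code, not from the original post or from any of the plugins it names), this must-use plugin rejects the predictable usernames listed above via WordPress’ illegal_user_logins filter, refuses short passwords via the user_profile_update_errors hook, and refuses a display name that matches the login name. The file name, the 12-character minimum and the way the domain-based names are derived are assumptions.

```php
<?php
/**
 * Plugin Name: Login Name and Password Policy
 * Description: Added example: refuse predictable usernames, short passwords and
 *              a public display name equal to the login name.
 *
 * Save as wp-content/mu-plugins/login-policy.php (file name is an assumption).
 */

// Usernames attackers try first: "admin", the domain name and variants of it.
// WordPress compares these case-insensitively when a user is created.
add_filter(
	'illegal_user_logins',
	function ( $illegal ) {
		$illegal[] = 'admin';
		$illegal[] = 'administrator';

		// Derive the site's own name from its host, e.g. "www.norlink.example"
		// gives "norlink". Simple heuristic: drop "www" and the last label.
		$host   = (string) wp_parse_url( home_url(), PHP_URL_HOST );
		$labels = array_diff( explode( '.', $host ), array( 'www' ) );
		array_pop( $labels );
		foreach ( $labels as $label ) {
			$illegal[] = $label;
			$illegal[] = $label . 'admin'; // constructed variant, e.g. "norlinkadmin"
		}

		return array_unique( $illegal );
	}
);

// Runs when an account is created or edited in the dashboard. $user->user_pass
// is only set when a new password was submitted, so existing passwords are not
// re-checked; $user->display_name is only set when that field was submitted.
add_action(
	'user_profile_update_errors',
	function ( $errors, $update, $user ) {
		$min_length = 12; // policy value is an assumption

		if ( ! empty( $user->user_pass ) && strlen( $user->user_pass ) < $min_length ) {
			$errors->add(
				'weak_password',
				sprintf( 'Passwords must be at least %d characters long.', $min_length )
			);
		}

		// Step 3 above: the name shown publicly should not reveal the login name.
		if ( isset( $user->display_name, $user->user_login )
			&& strtolower( wp_unslash( $user->display_name ) ) === strtolower( wp_unslash( $user->user_login ) ) ) {
			$errors->add(
				'display_name_is_login',
				'Please choose a display name that differs from the login name.'
			);
		}
	},
	10,
	3
);
```

The illegal_user_logins filter only affects accounts created after the plugin is in place; an existing "admin" account has to be replaced by creating a new user, reassigning its content and deleting the old one.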
5. Limit the Number of Accounts with Administrator Access
WordPress comes with 5 standard user roles:
- Administrator – Has access to everything, including plugins, themes and the file editor. Use caution when setting up accounts with this level of access.
- Editor – Somebody who can publish and manage posts, including the posts of other users. We recommend giving high-level users this role.
- Author – Somebody who can publish and manage their own posts. Great for staff who only need access to your blog posts.
- Contributor – Somebody who can write and manage their own posts but cannot publish them.
- Subscriber – Somebody who can only manage their profile.
If you need to tweak the level of capabilities a user account has, we love the plugin User Role Editor. It lets us set specific capabilities for a user without compromising the website security.
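The same role tweaking can be done in a few lines of code when a plugin is not wanted. As an added example (my own code, not from the original post, WordPress.org or the User Role Editor plugin), this must-use plugin turns off the dashboard file editor that Administrators otherwise get, creates a "Site Manager" role built from the Editor role plus a couple of capabilities, and shows administrators a warning when too many accounts hold the Administrator role. The file name, the role name and label, the extra capabilities and the threshold are assumptions.

```php
<?php
/**
 * Plugin Name: Role Hardening
 * Description: Added example: fewer Administrators, no in-browser file editor,
 *              and a middle-ground role for day-to-day site management.
 *
 * Save as wp-content/mu-plugins/role-hardening.php (file name is an assumption).
 */

// Remove Appearance → Theme File Editor and Plugins → Plugin File Editor, so a
// stolen Administrator login cannot be used to write PHP from the browser.
// Can equally be placed in wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Roles persist in the database (wp_user_roles option), so create this one only
// once. It gets everything Editor has, plus menus/widgets and the user list,
// but no plugin, theme or settings access.
add_action(
	'init',
	function () {
		if ( null !== get_role( 'site_manager' ) ) {
			return;
		}
		$editor = get_role( 'editor' );
		if ( ! $editor ) {
			return;
		}
		$caps                       = $editor->capabilities;
		$caps['edit_theme_options'] = true; // menus and widgets
		$caps['list_users']         = true; // see who has an account
		add_role( 'site_manager', 'Site Manager', $caps );
	}
);

// Count administrator accounts on every admin page load and nag when the
// number exceeds the agreed limit. The limit is an assumption.
function role_hardening_admin_count() {
	$ids = get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) );
	return count( $ids );
}

add_action(
	'admin_notices',
	function () {
		if ( ! current_user_can( 'manage_options' ) ) {
			return;
		}
		$max_admins = 2;
		$count      = role_hardening_admin_count();
		if ( $count > $max_admins ) {
			printf(
				'<div class="notice notice-warning"><p>%s</p></div>',
				esc_html( sprintf( '%d accounts hold the Administrator role; review them under Users.', $count ) )
			);
		}
	}
);
```

Existing users can then be moved from Administrator to Site Manager on the Users screen; the role removal itself is just a dropdown change, and the new role survives theme and plugin updates because it lives in the database rather than in a theme file.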
6. Install a Security Plugin
There are a few different security plugins that you can run on your website. Our favourite is iThemes Security (Pro or the free version). There’s also Wordfence Security, BulletProof Security, Shield Security and more.
Need Help Securing Your Site?
I’d love to help you secure your website, whether it’s a one-time security audit of your site or a subscription to one of our WordPress Website Care Plan Packages. I’m here to help.