New Year, New President, new web host (if you just joined us), now is a great time to do a security audit of your WordPress website!
Unfortunately most people put this off until its to late costing them unwanted downtime and extra expenses trying to get it cleaned.
In the last two weeks I’ve personally been cursed out for this three separate occasions! People really freak out when their website is suspended!
I can’t really say I blame them, downtime sucks, especially when you didn’t know you were doing anything wrong.
So that’s the purpose of this blog – to teach all you smart webmasters to be responsible with your WordPress websites :).
1. Use Strong wp-admin Credentials
It really doesn’t help that Softaculous defaults their one click installation to use admin as the username and pass as the password. I wonder how many people neglect to change this? Perhaps I’ll tweet this blog post out at them.
Understand, there are thousands of bots out on the Internet that spend all day doing dictionary attacks on your wp-admin page. Once they gain access, it’s their site! This can be solved by using a simple password generator.
I’ll never forget, one of my websites was once hacked because one of the admins had his password set as “firstname123.” That’s one of the first things the dictionary attack bots go after!
2. Update WordPress, Plugins, Themes Often
In the last two years, WordPress has done an excellent job with their auto updater. I know, it can be a bit frustrating when an update breaks some of your code, but this is one of the top reasons why a website gets hacked.
Especially when you’re running multiple websites, it can be easy to forget about updates, so leaving this option on is a great way to keep your site safe and secure.
It’s not a matter of if, it’s a matter of when your website gets hacked if you’re using an old version of WordPress.
3. Don’t Install Poorly Coded Themes/Plugins
Before installing a new plugin and/or theme, do some research! Reviews will let you know a lot about the developer / product, but look at the change-log to see how often it’s updated. Good scripts and themes are updated frequently.
Since WordPress is open source it makes it easy for amateur coders to develop a cool plugin that they can charge for. Unfortunately many of these have been developed without proper quality assurance testing.
Personally, I’ve even fallen victim to this, buying themes on ThemeForest, then finding out later it was coded very poorly. All hackers have to do is “train” their bots to look for certain themes, giving them wide open access to your website!
4. Install A Good WordPress Security Plugin
There are a lot of WordPress security plugins on the market, but you should use one that alerts you when things are out of date or when a failed login happened.
I’m a big fan of Wordfence but it can be taxing on your server load if you get a lot of daily unique visitors. I’d say if you get under 1,000 daily visitors, give it a shot.
If you do more than that, you may have to have your developer take a look at your setup and determine what would be your most efficient security plugin.
5. Use Secure Connections (https)
If you’ve tried to login to your wp-admin without https it’s likely you’ve encountered errors with session handling! This is actually a good thing! You should ALWAYS use https on at least your wp-admin area, but really your entire site.
With SSL now being free and automatic (thanks to Let’s Encrypt) you should ensure every domain and subdomain uses https. I was telling a customer the other day, I feel like it will soon be a requirement across the Internet and I can see Google de-indexing non-ssl websites.
I actually have a video tutorial recorded about using SSL and WordPress here.
6. Backup Your Site Daily
Just like security plugins, there isn’t a lack of WordPress backup plugins out there! Regardless which one you decide to use, make sure you can take a backup nightly and store it somewhere offsite such as Amazon S3 or your local hard drive. (a lot of our customers like BackupBuddy)
While we also backup your site nightly here at NameHero, it’s HIGHLY recommended you have your own copy. That’s the first thing our techs are going to ask if you run into malware; “is it possible to restore from an older backup.”
This will save you a lot of headache being able to revert to a previous backup before any malicious code was installed. Also, don’t make the mistake of backing up your website on the same server it’s hosted, that won’t do you any good!
If you follow these six-tips and frequently audit them, you will keep your website safe from hackers and online. If not, you’ll eventually learn why you should have!
While we do offer WordPress malware scanning / removal nightly here at NameHero, by the time we find it, your sites already in trouble! Our scanner can help preventing the cancer from spreading, but it cannot prevent it! Only you can do that!
Feel free to comment below with any questions!
Ryan Gray is the founder and CEO of NameHero, one of the fastest growing independent web hosts in the United States. Ryan has been working online since 1998 and has over two-decades experience in Internet Entrepreneurship.