How to help keep your WordPress website secure

Written by Karl Chevalier: Senior digital executive.
· 4 minute read

Keeping your website safe and secure is an important aspect of your business, and something that many people overlook. Here are a few quick steps you can take to keep your website safe from hackers and attacks in 2017.

Update WordPress

The first thing we recommend doing, and something that is easily achievable, is updating your WordPress core to the latest version. At the time of writing this blog, WordPress is on version 4.8.3 and powers 29% of the web. Because of this, WordPress is a popular target for hackers, and due to its open source nature, many people can study the code and look for vulnerabilities. Luckily, however, the WordPress team work diligently to release updates that fix these issues quickly. Keep an eye on your current version, and always update to the latest version to keep your site protected.

Keep a backup

This second point is closely related to the first: keep a backup of your website files. This is often recommended before updating WordPress, so that you have a copy to restore if your website isn’t compatible with the latest WordPress version. It can be done easily by downloading all your website files from your server using an FTP client. This means that if something does go wrong with your website, you always have the latest version of your site saved offline. It’s also recommended that you keep two copies of your website in two different locations to make sure you do not lose it. In many cases your website won’t change very often, so a full backup only needs to be taken every so often.

Keep your plugins up to date

Hackers study plugins to find vulnerabilities that they can exploit. Many websites with out-of-date plugins can be easily compromised, leaving your entire website at risk. Updating plugins is easily done and will only take a few minutes of your time.

Use as few plugins as you can

It’s no secret that plugins present a risk to WordPress websites and have to be regularly updated. Therefore, the best way to reduce this risk is to limit the number of plugins you use. Plugins are very helpful and can make your life a lot easier most of the time, but you should still try to keep their number down. This in turn reduces how often you have to update your plugins, and reduces the risk of plugins going out of date and causing issues on your site. Many themes come pre-packaged with a number of plugins they require to function correctly, which brings me back to an earlier blog that explains the benefits of purchasing a bespoke website over a template.

Only download plugins from WordPress

Plugins are often made by third parties, and most of them are freely available across the internet on a number of different websites. Downloading plugins from those sites rather than from the WordPress plugin directory presents another increased security risk, and one you don’t need to take!

Check the summary of reputable plugins

Each plugin listed in the WordPress directory has a summary which includes the number of active installations and the ratings that users have given that plugin. This gives you a chance to compare different plugins and make sure the plugin you are installing is safe and reliable.

Remove disused plugins / Replace abandoned ones

As we have said previously, every extra plugin installed on your site increases the security risk slightly. If for any reason you have a plugin on your website that you no longer need, the best thing to do is delete it. The same goes for plugins that are no longer supported by their original creator. If a plugin isn’t being supported any more, delete it and find a similar one that is.
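Spotting out-of-date, disused and abandoned plugins by hand gets tedious on a site with more than a handful of them. The following must-use plugin is an added example, not code from this blog or from WordPress itself: it walks the installed plugins with the wp-admin helpers `get_plugins()`, `is_plugin_active()` and `plugins_api()`, reads the update information WordPress already caches in the `update_plugins` transient, and reports anything that is inactive, has an update pending, or has not been updated in the wordpress.org directory for a long time. The two-year "abandoned" threshold, the `example_` prefix and the `plugin-audit` WP-CLI command name are this example's own choices.

```php
<?php
/**
 * Plugin Name: Plugin audit (added example)
 * Description: Lists inactive plugins, plugins with pending updates, and
 *              plugins whose wordpress.org listing has not changed in years.
 * Drop this file into wp-content/mu-plugins/ and run `wp plugin-audit`.
 */

// Plugins last updated longer ago than this are treated as abandoned
// (two years is this example's threshold, not a WordPress rule).
define( 'EXAMPLE_AUDIT_STALE_SECONDS', 2 * YEAR_IN_SECONDS );

function example_plugin_audit() {
    // These helpers live in wp-admin and are not loaded on every request.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    // Update information WordPress already fetched via its update cron job.
    $updates = get_site_transient( 'update_plugins' );
    $pending = ( $updates && ! empty( $updates->response ) ) ? $updates->response : array();

    $report = array( 'inactive' => array(), 'outdated' => array(), 'stale' => array(), 'unknown' => array() );

    foreach ( get_plugins() as $plugin_file => $data ) {
        $name = $data['Name'];

        if ( ! is_plugin_active( $plugin_file ) ) {
            $report['inactive'][ $plugin_file ] = $name;
        }

        if ( isset( $pending[ $plugin_file ] ) ) {
            $report['outdated'][ $plugin_file ] = sprintf( '%s %s -> %s', $name, $data['Version'], $pending[ $plugin_file ]->new_version );
        }

        // The directory slug is the plugin folder, or the file name for single-file plugins.
        $slug = ( '.' === dirname( $plugin_file ) ) ? basename( $plugin_file, '.php' ) : dirname( $plugin_file );
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true, 'sections' => false ),
        ) );

        if ( is_wp_error( $info ) || empty( $info->last_updated ) ) {
            // Not in the wordpress.org directory (commercial or bespoke plugin): check its vendor by hand.
            $report['unknown'][ $plugin_file ] = $name;
        } elseif ( time() - strtotime( $info->last_updated ) > EXAMPLE_AUDIT_STALE_SECONDS ) {
            $report['stale'][ $plugin_file ] = $name . ' (last updated ' . $info->last_updated . ')';
        }
    }
    return $report;
}

// Expose the report as `wp plugin-audit` when running under WP-CLI.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'plugin-audit', function () {
        $labels = array(
            'inactive' => 'Inactive (delete if no longer needed)',
            'outdated' => 'Update available',
            'stale'    => 'Possibly abandoned',
            'unknown'  => 'Not in the wordpress.org directory',
        );
        $report = example_plugin_audit();
        $total  = 0;
        foreach ( $labels as $key => $label ) {
            foreach ( $report[ $key ] as $file => $line ) {
                WP_CLI::warning( "$label: $line ($file)" );
                $total++;
            }
        }
        if ( 0 === $total ) {
            WP_CLI::success( 'Nothing to report.' );
        }
    } );
}
```

Each call to `plugins_api()` is an HTTP request to wordpress.org, so run the command from the shell rather than on every page load. A plugin reported as "unknown" is not necessarily a problem, but it is one whose support status you have to confirm with its vendor yourself.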

Two Factor Authentication

Help prevent brute-force attacks with two-factor authentication. This can be done using the Google Authenticator app, which can also be used for other websites such as Gmail.
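To show what the authenticator app is actually doing, here is an added example (not code from this blog, from WordPress or from Google) of the server side of the scheme: a time-based one-time password check following RFC 6238, hooked into the WordPress `authenticate` filter so that a user who has enrolled must also enter the current 6-digit code. The base32 secret per user, the `totp_secret` user meta key, the `totp_code` form field and the `example_` prefix are all assumptions of this example; a real deployment also needs an enrolment screen that generates the secret and shows the QR code.

```php
<?php
/**
 * Plugin Name: TOTP second factor (added example)
 * Description: Verifies a 6-digit authenticator code on login (RFC 6238).
 * Drop this file into wp-content/mu-plugins/.
 */

// Decode the base32 secret that authenticator apps are provisioned with.
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( str_replace( ' ', '', rtrim( $b32, '=' ) ) );
    $bits     = '';
    for ( $i = 0, $n = strlen( $b32 ); $i < $n; $i++ ) {
        $val = strpos( $alphabet, $b32[ $i ] );
        if ( false === $val ) {
            return false; // not valid base32
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $out .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated to $digits.
function example_hotp( $secret, $counter, $digits = 6 ) {
    $msg    = pack( 'N*', 0, $counter ); // 8-byte big-endian counter; fine for 32-bit step counts
    $hash   = hash_hmac( 'sha1', $msg, $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % pow( 10, $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP (RFC 6238): 30-second steps, accepting $window steps either side for clock drift.
function example_totp_verify( $b32_secret, $code, $now = null, $window = 1 ) {
    $secret = example_base32_decode( $b32_secret );
    if ( false === $secret || ! preg_match( '/^\d{6}$/', $code ) ) {
        return false;
    }
    $now     = ( null === $now ) ? time() : $now;
    $counter = (int) floor( $now / 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        // hash_equals() avoids leaking how many digits matched through timing.
        if ( hash_equals( example_hotp( $secret, $counter + $i ), $code ) ) {
            return true;
        }
    }
    return false;
}

// Add the code field to wp-login.php (field name is this example's choice).
add_action( 'login_form', function () {
    echo '<p><label>Authenticator code<br>'
       . '<input type="text" name="totp_code" inputmode="numeric" autocomplete="one-time-code"></label></p>';
} );

// Priority 30 runs after WordPress's own password check (priority 20),
// so $user is already a WP_User when the password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    $secret = get_user_meta( $user->ID, 'totp_secret', true ); // assumed meta key holding the base32 secret
    if ( '' === $secret ) {
        return $user; // user not enrolled; enforce enrolment separately
    }
    $code = isset( $_POST['totp_code'] ) ? trim( $_POST['totp_code'] ) : '';
    if ( ! example_totp_verify( $secret, $code ) ) {
        return new WP_Error( 'invalid_totp', 'Invalid authenticator code.' );
    }
    return $user;
}, 30, 3 );
```

Before relying on it, check `example_totp_verify()` against the test vectors in Appendix B of RFC 6238. Two caveats a practitioner should expect: the `authenticate` filter also runs for XML-RPC logins, so enrolled users cannot log in that way without a code, and because the server compares against its own clock, the web server must keep accurate time or every code will be rejected.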

Disable WordPress File Editing

It’s not always possible to guarantee you won’t be hacked, therefore you should take steps to make sure that if you are hacked, you don’t give away any valuable information. Disabling WordPress file editing is a small trick that is easily done and stops anyone who gets into an admin account, by brute force or otherwise, from editing your theme and plugin code through the dashboard.

  // Disallow file edit (add to wp-config.php, above the "That's all, stop editing!" line)
  define( 'DISALLOW_FILE_EDIT', true );

Limit Login Attempts

By default, WordPress lets users try to log in with as many different username / password combinations as they like. This makes your site susceptible to brute-force attacks, where hackers try thousands of different password combinations until one succeeds. However, a simple WordPress security plugin such as Wordfence will block any IP address that fails to log in after a couple of failed attempts.
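If you would rather not add another plugin for this one job, the blocking described above is small enough to do in a must-use plugin. The following is an added example, not code from this blog or from Wordfence: it counts failed logins per client IP address in a transient via the `wp_login_failed` action, refuses authentication from that address once the count reaches a limit, and clears the count on a successful `wp_login`. The limit of 5 attempts, the 15-minute lockout and the `example_` prefix are this example's own choices.

```php
<?php
/**
 * Plugin Name: Limit login attempts (added example)
 * Description: Locks an IP address out for 15 minutes after 5 failed logins.
 * Drop this file into wp-content/mu-plugins/.
 */

define( 'EXAMPLE_LOGIN_MAX_FAILS', 5 );
define( 'EXAMPLE_LOGIN_LOCKOUT', 15 * MINUTE_IN_SECONDS );

// Key the counter on the client address. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy, so map the real client address into it first
// (trusting a forwarded header only when the request came from that proxy).
function example_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

function example_login_failures() {
    $n = get_transient( example_login_key() );
    return $n ? (int) $n : 0;
}

function example_login_is_locked() {
    return example_login_failures() >= EXAMPLE_LOGIN_MAX_FAILS;
}

// Count each failed attempt. The transient expires on its own, so the lockout
// ends EXAMPLE_LOGIN_LOCKOUT seconds after the last counted failure.
add_action( 'wp_login_failed', function () {
    if ( example_login_is_locked() ) {
        return; // already locked: attempts during the lockout do not extend it
    }
    set_transient( example_login_key(), example_login_failures() + 1, EXAMPLE_LOGIN_LOCKOUT );
} );

// Refuse authentication while locked out, whatever the password was.
// Priority 30 runs after WordPress's own password check (priority 20); an
// error returned earlier would be overwritten by that check.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // login page rendered without a submission
    }
    if ( example_login_is_locked() ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 2 );

// Reset the counter once a login succeeds.
add_action( 'wp_login', function () {
    delete_transient( example_login_key() );
} );
```

Transients live in the options table (or the object cache if one is configured), so nothing else needs installing. Keep the lockout short: blocking by IP address for long periods also locks out legitimate users who share that address, for example an office behind one NAT gateway.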

In summary, there are many plugins that can increase the security of your WordPress site. However, as we mentioned above, reducing the number of plugins used on your site in itself increases your security. If you do use plugins, make sure you keep them up to date and keep an eye out for plugins that need updating or are no longer supported.