Nothing gets my goat faster than hearing someone say, “Oh no – don’t use WordPress for your website – it’s not secure!” What a bunch of bunk.
The core development team for WordPress takes security VERY seriously. But like any other system, there are potential security issues that may arise if some basic security precautions aren’t taken.
That said, there is no such thing as a perfectly secure, impenetrable system. No one can guarantee that your site won’t get hacked or have problems, but there are many things you can do to reduce your risk.
1. Update WordPress, Your Theme and Your Plugins
None of the other tips in this list – or any other – will do you much good if you don’t keep WordPress updated to its latest version. That goes for your themes and plugins, too.
If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
The latest version of WordPress is always available from the main WordPress website at http://wordpress.org. Official releases are not available from other sites — never download or install WordPress from any website other than http://wordpress.org.
2. Use STRONG passwords for EVERYthing
Yes, I know it’s a pain to remember what look like gobbledygook passwords like this: z9u4212#!)1Li%P. But if it’s a pain for you, it’s also a pain for anyone who is intent on doing you harm. The goal with your password is to make it hard for other people to guess and hard for a brute-force attack to succeed.
WordPress has a password strength indicator to help you – take it seriously – use a password it deems strong. For help creating strong passwords, use a strong password generator.
Avoid creating passwords that:
- Use any version of your own real name, username, company name, or name of your website.
- Are a word from a dictionary, in any language.
- Are short.
- Are number-only or alphabetic-only (a mixture of both is best).
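The four rules in that list can be turned into a check you run before accepting a password, and the brute-force point can be made concrete by estimating how many guesses an attacker would need. The script below is an added example written for this post, not code from WordPress or from its password strength meter; the word list and the identity terms (your name, username, company and site name) are constructed samples, and in practice you would load a real dictionary file. It also goes slightly beyond the list by catching simple letter-for-symbol substitutions such as p@ssw0rd, which attackers try just as readily as the plain word.

```python
import math
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "sunshine", "football"}

# Map the usual letter-for-symbol swaps back to letters so "p@ssw0rd" is
# recognised as "password" (assumed substitution table, not exhaustive).
LEET = str.maketrans("@$0134", "asoiea")


def classify_password(password, identity_terms=(), min_length=12,
                      dictionary=COMMON_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    # Rule 1: no version of your name, username, company name or site name.
    for term in identity_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains identity term {term!r}")

    # Rule 2: not a dictionary word, with or without symbol substitutions.
    stripped = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if lowered in dictionary or stripped in dictionary:
        problems.append("is a dictionary word")

    # Rule 3: not short.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule 4: not digits-only and not letters-only.
    if password.isdigit():
        problems.append("digits only")
    elif password.isalpha():
        problems.append("letters only")
    return problems


def search_space_bits(password):
    """Rough brute-force cost in bits: length * log2(size of the character set used)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return round(len(password) * math.log2(size), 1) if size else 0.0


if __name__ == "__main__":
    # Constructed identity terms for a hypothetical site owner.
    owner = ["Jane", "janeadmin", "Acme Widgets", "acmeblog"]
    for candidate in ["password", "p@ssw0rd", "12345678", "AcmeBlog2019",
                      "z9u4212#!)1Li%P"]:
        print(f"{candidate!r}: {search_space_bits(candidate)} bits,",
              classify_password(candidate, owner) or "OK")
```

Note that the bit estimate is an upper bound: it assumes the attacker has to try every combination of the character set, which is exactly what a dictionary word or a name defeats, so a password must pass the rule check first and only then does the search-space figure mean anything.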
To make your life a little easier with all these strong passwords, use something like LastPass to keep track of them.
3. If You’re Not Using It, DELETE It
If you have additional themes installed, other than the one you’re actively using, delete all of them except one. Then, make sure you keep that extra theme updated, even though you’re not actively using it. It’s handy to keep one around, just in case you have the need to troubleshoot a problem with your active theme. Having one of the default themes present and ready to activate makes troubleshooting theme and plugin conflicts much easier.
Speaking of plugins – get rid of any you are not actively using. Further, take an inventory of your plugins every so often and make sure they are all still required. Any that aren’t? Delete.
4. Backup! Backup! Backup! NOW.
Backing up your site is a MUST. That means both full site backups and regular, incremental database backups. Do you have a backup plan? Can you successfully restore your site from the backups you make? Have you tried?
Your hosting provider should also be making backups of your hosting account. Verify this, and make sure you know how to restore from one of their backups, if you need to, or verify they can – and will – do it for you, if it becomes necessary.
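"Have you tried?" is the part most people skip, so here is what a restore drill looks like in code. This is an added example written for this post, not a tool from WordPress or from any hosting provider: it builds a small constructed stand-in for a site (a wp-config.php, an upload and a database dump), archives it, records the archive's SHA-256, restores it into scratch space and compares every file with the live copy. It also shows the failure mode you actually care about, by deliberately damaging a second archive and confirming the drill rejects it instead of reporting success.

```python
import filecmp
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for a WordPress install; contents are made up for the demo.
SAMPLE_FILES = {
    "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed sample\n",
    "wp-content/uploads/2019/logo.png": "PNG placeholder bytes (constructed)\n",
    "backup/wp-database.sql": "CREATE TABLE wp_posts (ID bigint);\n",
}


def build_sample_site(root):
    """Write the constructed sample files under root and return the site directory."""
    root = Path(root)
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, archive_path):
    """Archive the site and return the checksum to store alongside the backup."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return sha256_file(archive_path)


def verify_restore(archive_path, expected_digest, site_dir):
    """Restore into scratch space and compare with the live site. Returns (ok, problems)."""
    if sha256_file(archive_path) != expected_digest:
        return False, ["archive checksum does not match the one recorded at backup time"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                # Refuse entries that would escape the scratch directory (Python 3.12+ filter).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        restored = Path(scratch) / "site"
        for path in Path(site_dir).rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(site_dir)
            twin = restored / rel
            if not twin.is_file():
                problems.append(f"missing after restore: {rel}")
            elif not filecmp.cmp(path, twin, shallow=False):
                problems.append(f"content differs after restore: {rel}")
    return not problems, problems


def backup_drill(site_dir, archive_path, corrupt=False):
    """Back up, optionally damage the archive, then verify the restore."""
    digest = make_backup(site_dir, archive_path)
    if corrupt:
        # Flip one byte in the middle of the archive to simulate a damaged backup.
        data = bytearray(Path(archive_path).read_bytes())
        data[len(data) // 2] ^= 0xFF
        Path(archive_path).write_bytes(data)
    return verify_restore(archive_path, digest, site_dir)


def run_drill():
    """Stand-alone demonstration: a healthy backup verifies, a damaged one is rejected."""
    with tempfile.TemporaryDirectory() as work:
        site = build_sample_site(Path(work) / "public_html")
        healthy = backup_drill(site, Path(work) / "site.tar.gz")
        damaged = backup_drill(site, Path(work) / "damaged.tar.gz", corrupt=True)
    return healthy, damaged


if __name__ == "__main__":
    print("healthy backup:", run_drill()[0])
    print("damaged backup:", run_drill()[1])
```

On a real site the same drill applies with your hosting provider's backups: download one, restore it somewhere other than the live site, and compare before you trust it.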
5. Make Sure Your Computer is Virus- and Malware-Free
No amount of security on your WordPress site or your hosting account will help if the machine you use to access, maintain and manage your site is full of viruses and malware. Always make sure your operating system is up-to-date and the same goes for your browser of choice. Security vulnerabilities on your computer mean security vulnerabilities for your site.
Get Help, If You Need It
These 5 steps are steps most people can take themselves. But there are many more ways to protect your site, and they are far more technical in nature. If you just felt a shiver down your spine, fear not – we can help. We have dozens of happy clients with a WP Anti-Hack Plan, and we’d love to help you, too.