It’s estimated that WordPress powers more than 40% of the world’s websites. Because WordPress is everywhere, it’s a massive target for hackers, scammers and techno-miscreants. Protect your website by following some straightforward techniques.
One: Protect the Logins
Reduce the number of administrators on your site. Two administrator accounts is usually enough for a site, so try to avoid having three or more admin accounts.
Enforce strong passwords for administrators. In fact, enforce strong passwords for everyone, if you can. If an administrator complains about having to use a strong password to log in, then they should reconsider being a website administrator.
Use Two Factor Authentication for administrators. Two-factor authentication is a strong way of securing your WordPress admin accounts 💪
NEVER email passwords to each other. It’s a classic, but just don’t do it. If you need to send a password to someone, use a tool like WhatsApp or Signal – they’re end-to-end encrypted and you can delete the message afterwards.
Two: Housekeeping & Hosting
It’s amazing how many WordPress sites have automatic updates disabled. The argument goes something like this:
“I disable automatic updates so the website doesn’t break because of an update.”
It might be tempting to fall into this “if it ain’t broke, don’t fix it” camp, but hackers constantly look out for sites with out-of-date plugins. The trade-off is worth it. Updates very rarely break a website. Sometimes a bit of CSS might go a bit wonky, but tweaking the CSS from time to time is a small price to pay for knowing that the software is always up to date.
Make sure your hosting is good. If you don’t need a full VPS or cPanel installation, don’t use one. Managed WordPress Hosting is by far the best solution for the vast majority of small and medium-sized sites out there.
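As an added example (not code from the original post), here is a small must-use plugin in PHP that turns the advice in sections One and Two into enforced settings: automatic updates for plugins, themes and core stay on, a minimum password length is checked on profile edits and password resets, and the dashboard warns when more than two administrator accounts exist. The `sh_` prefix, the 14-character minimum and the two-admin limit are assumptions made for this example; the hooks and functions are standard WordPress ones.

```php
<?php
// Plugin Name: Site Hardening Policies (added example, not a published plugin)
// Save as wp-content/mu-plugins/site-hardening.php so it loads on every request.
// The sh_ prefix, minimum password length and admin limit are assumed policy values.

// Section Two: keep automatic updates on for plugins, themes and major core releases.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Section One: enforce a minimum password length and reject passwords containing the username.
const SH_MIN_PASSWORD_LENGTH = 14; // assumed site policy
const SH_MAX_ADMINS          = 2;  // assumed site policy

function sh_check_password( WP_Error $errors, $password, $login ) {
    if ( '' === $password ) {
        return; // no new password submitted on this form
    }
    if ( strlen( $password ) < SH_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'sh_short', sprintf( 'Passwords must be at least %d characters.', SH_MIN_PASSWORD_LENGTH ) );
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        $errors->add( 'sh_login', 'The password must not contain the username.' );
    }
}

// Profile screen and "Add New User": $user is a stdClass; user_pass is set only when a new password was posted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $pass  = isset( $user->user_pass ) ? $user->user_pass : '';
    $login = isset( $user->user_login ) ? $user->user_login : '';
    sh_check_password( $errors, $pass, $login );
}, 10, 3 );

// Password reset form: $user is a WP_User and the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $pass  = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    $login = $user instanceof WP_User ? $user->user_login : '';
    sh_check_password( $errors, $pass, $login );
}, 10, 2 );

// Section One: warn administrators when the site has more admin accounts than policy allows.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $counts = count_users();
    $admins = isset( $counts['avail_roles']['administrator'] ) ? (int) $counts['avail_roles']['administrator'] : 0;
    if ( $admins > SH_MAX_ADMINS ) {
        $msg = sprintf( 'This site has %d administrator accounts; policy allows %d. Demote or delete the extras.', $admins, SH_MAX_ADMINS );
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $msg ) );
    }
} );
```

Files in wp-content/mu-plugins/ cannot be deactivated from the dashboard, so a compromised or careless admin account cannot simply switch the policy off.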
Three: Keep an Eye on those Plugins
Most plugins do more than you really need them to do, which means that every plugin on your site has more code in it than you need. Every line of code added to a project increases the opportunity for a bug to creep in.
Less code = less chance of bugs/vulnerabilities
So… just keep things tidy. If two smaller & leaner plugins can replace one mega-plugin, go for the two smaller ones.
Make sure you really do need all those plugins. You might’ve installed a plugin at the start of a project, figured you don’t really need it but just left it in there. Do some housekeeping and completely delete any plugins you’re not using.
Use a scanner like GOTMLS to check your site’s plugins for known vulnerabilities. If a plugin has a known vulnerability, then the hackers will know about it too.
Wrapping Up
There’s no magic know-how to keeping a WordPress site secure, just:
- Keep the admin accounts secure.
- Use Managed WordPress Hosting, so the maintenance and housekeeping are done for you.
- Get rid of unused plugins, and try to avoid big bloated plugins if possible.
- If you need a bit of peace of mind, then something like Wordfence can help. But with proper WordPress-specific hosting, it’s a bit overkill.