If you have a WordPress powered website, then security should be of utmost importance. WordPress now powers more than 50 million websites, making it a target the same way hackers target Windows computers. You know you’re “mainstream” once you start becoming a (worthwhile) target. You can see that from the second announcement this year that thousands of WordPress websites were hacked.
I Own a WordPress Website, What Should I Do?
1. Stay Up to Date: The first thing you should do is always make sure that all your plugins and theme files are up to date. WordPress is software that needs to be maintained, the same as a computer. If it’s out of date, it’s vulnerable and hackers can get in. If you have a shared hosting account with multiple websites and hackers break into one, they can infect them all.
2. Use Common Sense with Passwords and Logins: Time and time again we find clients that have the same password on their website as every other account they own (Facebook, Twitter, banking, etc.). Use a strong password that you can’t remember and change it every month, and make it different from all other accounts you have. Use an admin account with a unique login name (that isn’t ‘admin’).
3. Use Basic WordPress Security Plugins: There are a LOT of great free WP security plugins in the repository that you can download and install on your website. You don’t have to be technical or a security expert to use them. We offer WordPress security and hardening services, but if you can’t afford to hire someone, using one of these free plugins is better protection than doing nothing at all.
What are the Best WordPress Security Plugins?
We have used Secure WordPress for a very long time – because it does very basic things that give you better security:
- deactivates error message on login page
- removes version of wordpress for non-admin on dashboard
- removes WP footprint from the HTML code of webpages
- removes WP update messages for non-admins
- removes version of WP from scripts and stylesheets
- protects against malicious URL attempts
Beyond that there are lots of things we do manually to make WP security better.
There are lots of other WordPress security plugins that do individual things, like lockdown your login or perform secure logins. There are also ones that are “firewalls” protecting against hacker attempts.
There is one newer WP security plugin that does more than most others, called “Better WP Security”.
It performs the following security measures:
- remove the meta generator tag
- remove login error messages
- change login URLs
- limit admin access to IP or range of IP addresses
- ban bots or specific hosts
- ability to completely turn off login for period of time
- remove update notifications
- strengthen .htaccess files
- enforce strong passwords for accounts
- detects attacks to your website
- rename the admin account
- changes your WP db table prefix
- supports forced SSL wp-admin login
- changes your wp-content path
- turn on or off file editing from wordpress admin
Previously all those things would only have been available through multiple plugins and manual work.
You can see in the image above what you see when you visit the plugin settings screen. It actually gives you color coded messages that tell you what is and isn’t secured within your website (and links to fix them).
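As an added illustration (not code from Secure WordPress or Better WP Security), here is a must-use plugin that implements several of the measures listed above using standard WordPress hooks; the file location, plugin name and function name are my own choices:

```php
<?php
/**
 * Plugin Name: Example Hardening (illustration only, not either plugin named above)
 * Description: Implements a few of the hardening measures listed above.
 * Assumed location: wp-content/mu-plugins/example-hardening.php
 */

// Do nothing if this file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Remove the <meta name="generator"> tag and the RSS generator string that
//    advertise the exact WordPress version ("remove the meta generator tag").
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Strip the ?ver=X.Y.Z query argument WordPress appends to enqueued scripts
//    and stylesheets ("removes version of WP from scripts and stylesheets").
function example_hardening_strip_version( $src ) {
    // Remove only the "ver" argument; any other query arguments are kept.
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_hardening_strip_version', 9999 );
add_filter( 'script_loader_src', 'example_hardening_strip_version', 9999 );

// 3. Replace the login page's specific error ("invalid username" vs. "incorrect
//    password") with one generic message, so a failed attempt does not confirm
//    which usernames exist ("remove login error messages").
add_filter( 'login_errors', function ( $error ) {
    return __( 'Login failed. Please check your credentials and try again.' );
} );

// 4. Hide core update nags from users who cannot act on them anyway
//    ("removes WP update messages for non-admins").
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'update_core' ) ) {
        remove_action( 'admin_notices', 'update_nag', 3 );
        remove_action( 'network_admin_notices', 'update_nag', 3 );
    }
} );

// 5. Disable the theme/plugin file editor in wp-admin ("turn on or off file
//    editing"), so a stolen admin session cannot be turned into arbitrary PHP
//    execution from the dashboard. Usually set in wp-config.php; defining it in
//    a must-use plugin also works because these load before the admin menus.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Note that stripping the `ver` argument also removes WordPress's cache-busting for those assets, so after an update you may need to purge any caching plugin or CDN; test this the same way you would test a security plugin, as described in the caveats below.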
Caveat Emptor WordPress User
These security plugins aren’t perfect; they don’t do everything. Some things are still done best manually, and sometimes using these plugins can conflict with other themes or plugins and cause things not to work (like forms, e-commerce shopping carts, download plugins, caching plugins). If you install one, be sure to read through the known issues and forums for that plugin and see if there are known issues with anything you have installed. Also, after you install, be sure to go through and test every single thing in your website to make sure it works (shopping cart, forms, downloads, image galleries, widgets, pages, posts, categories, tags, etc.). Always remember that if for some reason you lock yourself out of your own website (with a setting you tried), you can usually get back in by manually deleting the security plugin via FTP (and trying again).
Do you need help with WordPress security? Click here to learn more about our malware removal and WordPress security services.