How to keep your WordPress website secure

Whether directly generating sales through an eCommerce store, generating leads to bring you more customers, or serving as an online credential to showcase your expertise, your website is a vital asset for your business.

WordPress is, by far, the most popular way to build a website. It powers around 40% of the websites on the Internet – that means that 2 out of every 5 websites you see are likely to be using WordPress. 

But this popularity does have its downside. WordPress is a very tempting target for hackers and other malicious actors.

Every year, hundreds of thousands of sites get hacked, which sounds pretty grim, right?! But this is not usually due to vulnerabilities in WordPress core itself. Far more often the cause is out-of-date core, plugins or themes, and weak or reused passwords. Updates and maintenance are critical to the safety of your website.

When you own a WordPress site, security rests on your shoulders. Not having a plan in place to keep your business and customer data safe can damage your company’s reputation and result in a loss of revenue as your customers turn to your competitors instead.

Here are 5 essential security features that your website should have in place now:

Backups

Backups are like an insurance policy for your website, just in case your security plan fails. You should perform regular, scheduled backups of your website files and database and store them securely in a location separate from your website (a backup that sits on the same server as the site is lost together with the site). Backups won't make your website harder to break into, but they will give you peace of mind knowing that if anything happens to your site you can quickly restore a recent version. Test a restore at least once: a backup you have never restored from is a hope, not a plan.

Passwords

Website security is all about risk reduction. And one of the easiest ways to reduce the risk of a malicious actor gaining access to your site is to make sure that you, and any team member that has access to your website, use strong, unique passwords.

You should make sure the password you use on your website is not one you use anywhere else (this is good practice for any site you have login access to, from your bank accounts to your social media accounts), because a password leaked from one site is immediately tried against others. And it should meet the following criteria:

  • At least 1 uppercase character
  • At least 1 lowercase character
  • At least 1 digit
  • At least 1 special character
  • At least 10 characters, with no more than two identical characters in a row

Because passwords like this are hard to generate – and to remember – I recommend using a Password Manager like 1Password.
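As an added illustration (example code written for this page, not something from the original post or from WordPress itself), the checker below encodes the five rules above and also shows how a generator of the kind built into a password manager can always produce a compliant password. It assumes that "special character" means ASCII punctuation; the function and constant names are mine, and the sample passwords are constructed, not real credentials.

```python
"""Checker and generator for the password policy described above.

Added, stand-alone example: not from the original post and not WordPress code.
It encodes the five listed rules and shows how a CSPRNG-backed generator can
always satisfy them.
"""
import secrets
import string
from typing import List

# The policy from the post: minimum length, one of each character class,
# and never more than two identical characters in a row.
MIN_LENGTH = 10
SPECIAL = string.punctuation  # assumption: "special character" = ASCII punctuation


def policy_violations(password: str) -> List[str]:
    """Return human-readable reasons the password fails the policy.

    An empty list means the password satisfies every rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    # Scan for runs: three identical characters in a row breaks the rule.
    for i in range(2, len(password)):
        if password[i] == password[i - 1] == password[i - 2]:
            problems.append(f"three identical characters in a row at position {i - 1}")
            break
    return problems


def is_compliant(password: str) -> bool:
    return not policy_violations(password)


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies the policy.

    Draws one guaranteed character from each class, fills the rest from the
    full alphabet, shuffles with a CSPRNG, and retries on the (rare) run of
    three identical characters. Uses `secrets`, not `random`, so the output
    is suitable for credentials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        chars = [
            secrets.choice(string.ascii_uppercase),
            secrets.choice(string.ascii_lowercase),
            secrets.choice(string.digits),
            secrets.choice(SPECIAL),
        ]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        secrets.SystemRandom().shuffle(chars)  # os.urandom-backed shuffle
        candidate = "".join(chars)
        if is_compliant(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["Password1!", "Welcome2024", "Summer!!!2024x", "tr0ub4dor&3"]:
        print(f"{pw!r:20} -> {policy_violations(pw) or 'OK'}")
    print("generated:", generate_password())
```

Note what the checker cannot tell you: `Password1!` satisfies every rule and is still among the first guesses any attacker tries. Composition rules rule out the worst passwords; length and randomness, which is exactly what the generator (or your password manager) gives you, are what actually make a password expensive to guess.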

Updates

The WordPress team works tirelessly to keep the software secure and regularly puts out updates to the WordPress core software that include security patches. To stay ahead of attackers, apply these updates as soon as possible. Minor (security and maintenance) releases are installed automatically by default; check that this has not been switched off on your site.

Your website plugins and themes are also regularly updated with security patches and new functionality – and you should make sure that these updates are applied promptly.

If you have plugins or themes on your site that are not being regularly updated by the developers, it is a good idea to find out why. If the plugin or theme is no longer being supported, it may have vulnerabilities that could compromise your website security.

If you have plugins or themes on your site that you are no longer using, remove them rather than just deactivating them. A deactivated plugin's files stay on the server and can often still be requested directly by URL, so a vulnerability in it can still be exploited even though it is switched off.

Limit Access

When you give anyone access to your website, you should never give them your master password.

Every user on your site, whether it's a staff member, designer, or digital marketing pro, should have their own login with only the specific access they need to do their job on your site.

WordPress includes the roles Administrator, Editor, Author, Contributor, and Subscriber (plus Super Admin on multisite networks). This means you can tailor the access users have to your site according to what each role has permission to do.

  • Administrator: has access to all the administration features within a single site.
  • Editor: can publish and manage posts including the posts of other users.
  • Author: can publish and manage their own posts.
  • Contributor: can write and manage their own posts but cannot publish them.
  • Subscriber: can only manage their profile.

Make sure that when users no longer require access to your website you remove their login. Be especially sparing with the Administrator role: an administrator can install plugins and edit theme files, which means they can run any code they like on your server, so a compromised administrator account is a compromised site.

Log out of your website

Session hijacking is a growing issue for online security.

When you log into a website, the server creates a session and hands your browser a cookie that identifies it. WordPress does this with a signed authentication cookie that stays valid for 2 days by default, or 14 days if you tick "Remember Me". That cookie is what lets you stay logged in and act as an authenticated user without re-entering your password.

With session hijacking, a malicious actor steals that cookie (for example through malware in your browser or by sniffing an unencrypted connection) and presents it to the site. If they succeed, they are logged in as you, with whatever access your account has, without ever needing your password.

Fortunately there is a relatively simple way to mitigate this risk: get into the habit of logging out of any website when you are finished using it. Logging out of WordPress destroys the session on the server, so a copied cookie stops working rather than remaining valid for up to two weeks. This is where your password manager comes in handy, making it easy to log back in next time you need to visit.

An SSL Certificate

You may have noticed that almost all websites today show a padlock icon in the address bar. This means the connection between your browser and the site is encrypted using a certificate (still commonly called an SSL certificate, although the protocol in use today is TLS). The padlock says the connection is private and that the browser has verified the site's domain; it does not say the site itself is safe or well maintained.

The certificate lets a browser (like Firefox or Chrome) confirm that it is talking to the genuine server for your domain and set up an encrypted link to it. Information you enter into a form on an HTTPS page, along with your login cookie, cannot be read or altered in transit by anyone sitting between you and the site. It protects data on the way to the server, not data stored on the server, so it complements rather than replaces the other items on this list.

If you ask for any customer data on your website, or log into it at all, you should most definitely be using HTTPS. Certificates are free from Let's Encrypt and many hosts install them automatically; once one is in place, set your WordPress Address and Site Address to https:// and redirect all http:// traffic so that the login form and admin area are never served unencrypted.

Is your website secure?

If there are any items on this list that you don’t have in place for your website currently, set aside some time to create a security plan for your site and get them set up. If you need any help, please be in touch.