WordPress security is an integral part of website maintenance. As part of maintaining your website, you need to make sure your website is secure and has good protection from hackers.
If your website gets hacked, you risk downtime, a damaged search engine position, and you might have to pay an expert to fix it. It’s much better to keep your website secure from the outset so that this doesn’t happen.
Remember that WordPress is very secure
Let's start with a positive!
WordPress gets a lot of bad press in terms of security. Due to its popularity, a WordPress website tends to be targeted more than other platforms. This means that you need to be extra careful to keep your website secure.
What most people don’t realise is that WordPress itself is a VERY secure platform. It’s secure behind the scenes and does things like forcing you to have a strong password.
WordPress sites only become vulnerable if you introduce loopholes elsewhere, for example by adding badly coded themes or plugins, or using a sub-standard hosting company.
Done right, a WordPress website can be very secure. So that’s the good news!
Security doesn’t have to be a lot of work
The other good news is that keeping your website secure doesn’t have to be a lot of work.
Security is vitally important, but if you set up and maintain your website properly using the techniques in this course then your website will be kept secure as a natural side-effect of these techniques. It’s not a dedicated area that you need to learn about separately from other elements of website maintenance.
Do I need a security plugin?
When people think of WordPress security, their first question is often “Which security plugin should I use?”
I believe that by creating and maintaining your website in a responsible way, you can make it very secure without needing an actual security plugin.
Before we answer the question “Do you need a security plugin?’, I’ll teach you the most important steps to keeping your website secure. You can then decide whether or not to add a security plugin on top of this.
How to keep your website secure
Don’t have a user called ‘admin’
Most brute force hacking attempts target a user called ‘admin’. This is because ‘admin’ used to be the default user account on all WordPress websites, and a huge number of WordPress sites still have a user called ‘admin’. Hackers know this and exploit it.
This means that you can thwart a huge proportion of hacking attempts simply by making sure there is no user on your site called ‘admin.
This is how to make sure there’s no ‘admin’ user on your site:
- Log into the WordPress admin.
- Click on the ‘Users’ page and check whether there’s a username called ‘admin’. There might be lots of users, so click the ‘Administrators’ filter to narrow it down. The admin user will normally be an administrator.
- If there is an ‘admin’ username, delete this user account. If you’re currently logged in as ‘admin’, you’ll need to create a new administrator-level account via Users > Add New and log in with the new account before you can delete the ‘admin’ account.
- When you delete it, you’ll be asked whether you want to assign all the admin user’s posts to another user. It’s usually sensible to do this to make sure none of your content is lost.
Have as few administrators as possible
When you add extra people who can edit your website, think carefully about whether they really need to be administrators. A lot of WordPress users add all their colleagues as administrators, without considering whether they actually need full access to the website.
Each administrator that you add makes the website less secure because if their account is compromised for whatever reason, the hacker will get full access. As an administrator, they can do whatever they like to the website. If you add people as a lower user level then less damage will be done if their account gets hacked.
To help you choose the right level for each user, here’s a quick summary of the user levels in WordPress:
- Administrator - full access to the website including the ability to edit all content and settings, add and edit themes and plugins, modify the code, etc. These are powerful privileges - use with caution!
- Editor - can publish and manage posts, including posts created by other users.
- Author - can publish and manage their own posts only.
- Contributor - can write and manage their own posts, but can’t actually publish them.
- Subscriber - can manage their profile but can’t make any changes to the actual content on the website.
You can check how many administrators you have on your website by clicking the Users list in the admin. Look at the number next to the ‘Administrators’ link. Click on the link and think about which is the most appropriate level for each user. Downgrade any users who don’t need to be administrators by clicking on their name and changing their level from the dropdown.
Use a good WordPress hosting company
Your choice of hosting company is one of the most important factors in keeping your website secure. A good hosting company should continuously update the software on their servers and implement other security measures such as firewalls and regular antivirus scans.
Some managed WordPress hosts also provide free hack fixes if your website ever gets hacked.
If you follow my recommendation to use a good quality managed WordPress host then this will make a big difference to the security of your website. If you’re not technical, then knowing that your host is responsible for all the server-side security is really important.
Keep your software up to date
A huge proportion of hacks to WordPress sites result from out of date software. Most software is regularly updated to add new features and fix security vulnerabilities as soon as they’re discovered - it’s a risk to stay ahead of the hackers. If you let the software on your website get out of date then you’ll be at much greater risk of hacking.
By the way, if you’re only using software from reputable companies then you can’t use this as an excuse to let things get out of date! In the last couple of years, vulnerabilities have been discovered in some of the biggest WordPress plugins in the world including Jetpack, Yoast SEO and Revolution Slider. Don’t worry if you have these plugins, it’s not a reason to stop using them. But it IS a reason to keep them up to date.
Keep your WordPress website simple
The more themes and plugins you have installed on your site, the more potential security vulnerabilities you’re likely to have. Keep your site as simple as possible by removing anything you don’t need.
And if you don’t need a particular plugin, don’t leave it inactive. Actually delete it from your site.
Before we finish, let’s talk about some common WordPress security myths
Myth #1 - You need a WordPress security plugin
As you will have already gathered, if your WordPress website is set up correctly and up to date then you don’t necessarily need a separate security plugin. Adding a security plugin can add some extra features that some people like to have, but if you follow the other steps in this article then it shouldn’t be necessary.
If you decide to add a security plugin then iThemes Security is pretty good and easy to set up.
Myth #2 - Restricting login attempts will protect against brute force attacks
A brute force attack is when a bot attempts to guess your password by bombarding your site with different password combinations - usually aimed at cracking the password for the user called ‘admin’, as we discussed a minute ago.
A lot of website owners try to protect against brute force attacks by locking out a certain IP address after a certain number of failed login attempts. This can sometimes help, but it’s becoming less popular because the latest bots are cleverer than this. They bombard your site from many different IP addresses to get around login lockdown plugins. And these plugins can cause your problems for your users by logging out people who are authorised to access your site!
Myth #3 - Antivirus plugins remove viruses from your site
The phrase ‘Antivirus plugins’ is a bit misleading because most of them don’t remove viruses at all - they simply scan for them. If you use a good managed web host then they should scan your site for viruses anyway. Running an antivirus plugin through WordPress can slow down your site while a scan is running, as it uses a huge amount of server resources.
How to tell if your site has been hacked
Instead of installing a resource-heavy antivirus plugin, there’s a simple plugin called WordPress File Monitor which can alert you whenever the files on your website change. The idea is that if you receive an alert when you haven’t changed anything, this may be a sign that your website has been hacked. It tells you exactly which files have changed, so you can check it out and fix the problem straight away.
WordPress File Monitor isn’t a foolproof solution because it doesn’t prevent your website from getting hacked in the first place. Also, it doesn’t alert you to other types of hack - for example database changes or server-level hacks. However, many hacks work by changing your website files, so it’s is a great way to tell you when this has happened.
It can be tricky to set up WordPress File Monitor properly in a way that avoids false positives. There are lots of times where you don’t want to be told that your files have changed. For example, when you upload a file to your media library or install or update a plugin.
Too many false positives like this create a “boy who cried wolf” scenario. What I mean is that if WordPress File Monitor sends you daily emails about things that aren’t hacks, then you will naturally start to ignore the emails. This means that you won’t notice if your site IS hacked!
If you decide to install WordPress File Monitor then I recommend reading my article about how to set it up correctly and minimize the number of false positives.
Keep your WordPress website secure
Security is an important part of maintaining any WordPress website. By following the advice in this lecture, you can take some big steps to keeping your site secure without weighing it down with unnecessary plugins.
If you don't want to worry about these things yourself, order a MySimpleSite. Our affordable web design service includes full maintenance, including all the vital WordPress security tips in this article.
We can also host and maintain your existing website for you, and keep it secure.