How to Secure Your WordPress Website
Website security is becoming more important every day. There are some simple steps anyone can take to defend against hackers and minimize vulnerabilities. Keeping WordPress secure protects your website from harm in a number of ways: you increase uptime, keep your data safe and make sure your site stays in good working order.
Securing your website may seem like an afterthought, when it should be one of your main priorities as the admin of a website. I know I didn’t pay much attention to security until one of my sites got hacked and I had to hire someone to help fix it. If I had taken the proper precautions I could’ve saved some time and money.
There’s nothing too advanced here: the tips don’t require any specialist knowledge, so you can improve your security without coding or modifying any core files. They are meant to help regular WordPress users protect their websites. The measures below deal with hosting, users and code.
Use SFTP instead of FTP
Nowadays FTP just isn’t secure enough. If you aren’t using SFTP to transfer your site’s files from a client like FileZilla, you should switch as soon as possible. FTP sends your username and password in plain text, with no encryption at all, so anybody who can watch your network traffic can read your credentials and use them to access your site. SFTP works just like FTP from the user’s point of view, but the whole session is encrypted, so you have far more protection from attackers trying to capture your information. If you aren’t sure how to use SFTP, contact your hosting provider and they should be able to help you.
Switch to SSL/HTTPS
This goes along with using SFTP instead of FTP. If your site is still served over HTTP, all the information it sends is unencrypted. Purchases, comments, login attempts and other activity are visible to anyone on the network, and data like user passwords or customer credit card numbers are up for grabs to attackers.
This is why there has been a large campaign by content providers like Yahoo and Google to switch over to HTTPS. Just like SFTP, HTTPS encrypts all the data sent and received to protect it. It isn’t quite as easy to switch to HTTPS as it is to go from FTP to SFTP: to use HTTPS you will have to get an SSL certificate, which can be a chore.
If you are using a host like GoDaddy or Bluehost you will most likely have to purchase this option. It doesn’t always cost an arm and a leg; you can find very affordable options.
Secure Hosting
Choosing the right hosting package is essential to protecting your site. The server is the home base of your website, and your hosting provider will have plenty of security tips and options to help keep your WordPress site secure. While many opt for shared hosting, it’s really the bottom of the barrel: on a shared server, if one of the sites you share space with gets hacked, your site may be compromised too.
If you invest in secure server space you will be safer. This is one of the easiest and best security measures you can take. Make sure you choose a host with a good reputation and 99.9% uptime. VPS hosting or dedicated hosting are both options; anything better than shared hosting will be safer. Good web hosts share some characteristics, including:
- A solid reputation for reliability
- Strong customer support
- Reliable backup and restore options for data
- Properly configured servers
- Current versions of software like PHP, Apache, Linux, MySQL etc.
Choose wisely when picking your host. Do as much research as possible and weigh all the pros and cons. It’s crucial to choose a solid host and an adequate hosting plan; this is one of the most important security measures you can take. Check out Bluehost, they have some affordable plans that work seamlessly with WordPress.
Regularly Back Up Your Website
If you’ve ever suffered a data loss disaster, then you understand how important it is to back up your data. I always like to remember the phrase, “Never trust a computer you can’t throw out a window,” to remind me how crucial a good backup system is. If you don’t have multiple backup protocols in place, start planning them right away. Keeping regular backups of your website is important to avoid losing data.
These days there’s always the threat of losing or compromising data. If something terrible happens you can always restore your site from a backup. Your backups should be current, tested regularly and saved in a secure place.
It’s crucial to back up your files as well as your database. Having a plan that lets you reconstruct your site from scratch at any time is a must. If you can do that, then you are doing well as far as backups are concerned. There are many useful backup plugins for WordPress created by reputable developers.
Update Your Software
It’s also critical to keep current versions of all the software used on your site. There’s no excuse not to use the latest version of WordPress. With one-click installs and auto updates, it’s extremely easy to stay current. Update your plugins as well: it doesn’t matter whether they are active or not, use the latest versions.
It’s also wise to keep up to date with all the latest WordPress news. You can find out about the latest vulnerabilities, attacks and other breaking news regarding security. This will give you a good idea of what kinds of things to watch out for.
Use Trusted Sources
This is something that is all too easy to get wrong. Any tool you use should come from a trusted source. Don’t use “pirated” versions of themes and plugins: you might save a few bucks, but you are opening yourself up to a world of trouble. It’s very easy for someone to add code to a theme or plugin that gives them a backdoor into your data.
Software pirates often put malicious code in the files to take advantage of those who use them. Everything may seem fine on the outside, but you could be giving away sensitive information or worse. Don’t give people access to your website by using pirated software or downloading from sources you don’t trust. Always get your plugins and themes from a source you know and trust.
Turn Debugging Mode Off
Debugging is an important part of any WordPress project. During development of a site, plugin or theme, many developers use WP_DEBUG to locate PHP errors. Displaying errors on the front end with WP_DEBUG_DISPLAY is a useful way to spot problems in the code, and so is writing them to an error log with WP_DEBUG_LOG.
While you are developing a theme, plugin or site, all of the above are perfectly acceptable. But once your site is in production you need to be careful: if a malicious user can view errors and logs, they can use that information to attack your system. To turn WP_DEBUG off once your website is in production, either remove the define from your wp-config.php file or set the constant to false:
define( 'WP_DEBUG', false );
If you aren’t comfortable editing the wp-config.php file, you can always use a plugin to do it for you. Check out some of these free debugging plugins if you are interested.
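The following wp-config.php fragment, added here as an example and not taken from the article, shows the development settings from the section above beside the production settings that replace them, and also the FORCE_SSL_ADMIN constant that goes with the HTTPS section earlier on. All of these are real WordPress constants; the only assumption is that the lines are placed above the “That’s all, stop editing!” comment, since wp-config.php must define them before WordPress loads.

```php
<?php
// --- Development only (acceptable while building the site, never in production) ---
// define( 'WP_DEBUG', true );          // report PHP errors
// define( 'WP_DEBUG_DISPLAY', true );  // print them into the rendered page
// define( 'WP_DEBUG_LOG', true );      // also write them to wp-content/debug.log

// --- Production ---
define( 'WP_DEBUG', false );          // no debug reporting at all
define( 'WP_DEBUG_DISPLAY', false );  // never show error text (file paths, queries) to visitors
@ini_set( 'display_errors', 0 );      // PHP-level display off too, in case a plugin turns WP_DEBUG on
define( 'WP_DEBUG_LOG', false );      // no web-accessible wp-content/debug.log left behind

// Once an SSL certificate is installed, force the login page and dashboard over HTTPS
// so admin passwords and session cookies are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

/* That's all, stop editing! Happy publishing. */
```

A quick check after deploying: request a page that you know produces a PHP notice (or deliberately visit a broken URL on a staging copy) and confirm that nothing beyond the normal page or a generic error is returned to the browser.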
Use Strong Passwords
Any password you create for the web should be strong. A lot of people learn this lesson the hard way. Using strong passwords is a no-brainer, and it’s important not only to use strong passwords but also to change them regularly.
One of the most common ways to get hacked is through a brute force attack. Most of the time these attacks are focused on your WordPress login page. Using a very strong password is an easy way to make things harder for those who want to get access to your site. Use strong passwords for things like your email, WordPress login, database connections, SFTP and any other accounts related to your website that require passwords.
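Strong passwords are the first defence against the brute force attacks described above; the second is to stop accepting guesses after a few failures. The small plugin below, written as an added example rather than anything from the article, uses WordPress’s own hooks to do that. The names prefixed example_ and the limits (5 failures, 15 minutes) are assumptions; it also assumes the site is not behind a reverse proxy, because it keys the counter on REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added example, not from the article)
 * Description: Temporarily refuses logins from an IP address after repeated failures.
 */

// Assumed limits: adjust for your site.
define( 'EXAMPLE_MAX_FAILURES', 5 );                        // failures allowed per window
define( 'EXAMPLE_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS ); // counting window and lockout length

// Transient key for the current client. REMOTE_ADDR is only meaningful when
// no reverse proxy or CDN sits in front of the site (otherwise every visitor
// would share the proxy's address and one attacker could lock everyone out).
function example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count a failed attempt; the transient expires on its own after the window.
function example_record_failure( $username ) {
    $key   = example_client_key();
    $count = (int) get_transient( $key );   // false (no entry) casts to 0
    set_transient( $key, $count + 1, EXAMPLE_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'example_record_failure' );

// Refuse authentication while the client is over the limit. Priority 30 runs
// after WordPress's own username/password check (priority 20), so the lockout
// wins even when the guessed password happens to be correct. A refused attempt
// also fires wp_login_failed, which keeps extending the lockout while guesses continue.
function example_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( example_client_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_check_lockout', 30, 3 );

// Clear the counter once a login succeeds.
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_client_key() );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it. Note the trade-offs a real plugin has to handle: users behind a shared office NAT are locked out together, attackers who rotate addresses are slowed rather than stopped, and transients live in the database (or object cache) of that one site. The well-known login protection plugins build on exactly this mechanism with those cases covered, which is why the article recommends a reputable plugin over hand-rolled code for most users.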
Don’t Alter Core Files
Never hack any of the WordPress core files. Unless you really know what you are doing, you are asking for trouble. The same goes for themes and plugins: don’t modify their core files either. Hacking core files in WordPress isn’t recommended, nor is it necessary. In older versions of WordPress the only way to make certain changes was to alter the core files; now you don’t need to. If you want to change something, use one of the following methods:
- Use a child theme to modify or customize your theme
- Make changes in the functions.php file
- Use a plugin to modify or customize functionality
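To show what the first two options look like in practice, here is the functions.php of a child theme. It is an added example, not code from the article or from any theme: the child theme name and the hypothetical parent theme slug are assumptions, while the hooks and functions used (wp_enqueue_scripts, wp_enqueue_style, get_template_directory_uri, remove_action, the_generator) are standard WordPress APIs.

```php
<?php
/*
 * functions.php of an assumed child theme named "example-child".
 * The child theme's style.css must start with a header that names the parent:
 *
 *   Theme Name: Example Child
 *   Template:   parent-theme-slug   <- directory name of the parent theme (placeholder)
 *
 * Nothing in the parent theme or in wp-includes/ is touched, so parent-theme
 * and core updates cannot overwrite these changes.
 */

// Load the parent theme's stylesheet first, then the child's stylesheet on top of it.
function example_child_enqueue_styles() {
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),                 // depends on the parent styles
        wp_get_theme()->get( 'Version' )         // cache-busting version from style.css
    );
}
add_action( 'wp_enqueue_scripts', 'example_child_enqueue_styles' );

// A security-relevant customization done with hooks instead of editing core:
// stop advertising the exact WordPress version in the page <head> and in feeds.
// The version string tells anyone scanning the site which known bugs may apply,
// and it is useful only to them (keep updating regardless, as the article says).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

The same two hooks could live in a small plugin instead of functions.php, which is the third option in the list; a plugin is the better home for behaviour that should survive a theme switch.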
Don’t Do Anything
You can always take the easy way out and not do anything special. Just make sure you follow WordPress’s recommended best practices and you should be okay. This includes things we’ve already covered, like getting themes and plugins from trusted sources and having a secure server. Keep in mind that you will need to consider how the site functions when choosing security measures. Generally, having a secure server and using common sense is a good start; what else is needed will always depend on what the site is for and how you use it.
Final Word
I hope these tips help you keep your WordPress website safe. We went over some basic security tips in this article to help you get started. Another thing you can do to increase the security of your website without getting too advanced is to use security plugins. There are many well-written plugins to choose from; it’s best to do some research and find out which might benefit you.
Preparation is one of the most important aspects of securing your WordPress website. Losing your data can be a disastrous event, and it only takes a small vulnerability for someone to access your sensitive data. Remember to use a trusted host, keep up with current versions of software, set up regular backups and be careful when using plugins or themes. Let us know any of your favorite security measures and plugins in the comments below.