Posted by Richard in Website Design

13 Steps to a Secure WordPress Website

Cyber security is always a hot topic. Whether you are a big brand or run a slightly smaller outfit, beefing up the security of your website is vital. Whilst having a WordPress website makes many aspects of managing your own content easy, there is still work to be done to ensure it’s as secure as it should be. As WordPress experts, we’ve seen it all, from hugely predictable usernames and passwords (who knew people still used ‘admin’ or ‘password123’) to the download of dodgy plugins. After all, ensuring a secure WordPress site isn’t just a matter of protecting your business; it also guarantees the security of the data both you and your customers hold dear.

Cyber security is a bigger concern than ever for the business world. In recent years, we’ve seen the hardiest brands fall victim to hacker attacks. With your WordPress site, maintaining a good level of security and keeping malware, ransomware, phishing and accidental inside attacks at bay takes more than just installing a plugin. The past two years have seen the likes of TalkTalk, Tesco Bank, Centene, Ashley Madison, LinkedIn and even the United States government’s very own Internal Revenue Service taught a lesson or two on the security front. According to the Cyber Security Breaches Survey 2017, almost half of UK businesses were the victim of a cyber security breach in the last 12 months. But how can you ensure your WordPress website is fully protected against cybercrime, attacks and other vulnerabilities?

Our WordPress experts have put their heads together to provide you with the 13 steps you can take to secure your WordPress website for good.

1. Know your terrain

Knowing exactly what you’re facing on the cyber security front is the first and most important step, the findings of which may surprise you. Whilst there’s plenty of talk about creating a mobile-friendly WordPress website ahead of Google’s mobile-first index, attention should also be paid to the threats that could render your business website pretty useless.

As we welcome 2018, one thing is for sure: the cyber security threats we face are only going to get bigger and more brutal. Last year, after all, proved that cyber criminals are developing more creative and sophisticated strategies, targeting not just your software but your employees in an effort to get to all that juicy business data. Phishing and social engineering were identified as the biggest cyber security threats of 2017, with 65% of professionals in agreement. Knowing your terrain, and being aware of the cyber security trends and tactics that affect the business community, is a vital part of improving site security and educating your employees.

2. Enlist the help of a WordPress expert

Your WordPress site shouldn’t just look good, it should function perfectly. As well as ensuring speed (WordPress web designs bogged down with too many features often load slowly, but you can speed up your WordPress site), the WordPress expert you enlist to develop your site should focus on enhancing its security. As a premium WordPress design and development company we craft bespoke, high quality WordPress sites that perform on all levels.

We don’t have a great track record for nothing; in addition to creating designs that are in-tune with your brand, we spend hours running bug and security tests to ensure your WordPress platform is ironclad too.

3. Get back to basics

We touched on the username and password fails we’ve encountered briefly in the introduction, but weak passwords are no joke. Creating a strong password is simple stuff, yet so many people still overlook this WordPress site security basic.


Hackers still use the brute force tactic to penetrate websites, and do so with great success. Make sure your WordPress website doesn’t fall at the first hurdle by swapping weak passwords for stronger alternatives. The same theory applies to your username.

You can use tools like Strong Password Generator to come up with a password that even you’ll struggle to remember; don’t worry, there’s a tool for that too. Password storage and protection systems provide a great, and more importantly secure, way of storing passwords, and they stop you from making rookie mistakes like writing down passwords, putting them in a Word document or storing them in your browser. It’s also recommended that you change your password on a monthly basis and use different passwords for all accounts. It’s not just your own strong passwords you have to think about; your employees have passwords too. Force Strong Passwords is a great little tool for making poor passwords a policy that is not accepted within your organisation.

4. Fine tune your hosting

If your hosting doesn’t hack it, then how can your website deliver the experience you want it to? Hosting is also integral to the security of your website, which makes finding a quality provider with tough security standards essential. A good host will not only safeguard you against cyber-attack but resolve any vulnerability issues at lightning speed too.

Make sure the hosting company you choose has experienced staff, uses tools to identify malware and compromises, has expertise running WordPress, and supports the most up-to-date versions of MySQL and PHP. Selecting a hosting provider that offers 24-hour support is another must; after all, cyber security issues can crop up at any time.

5. Move the location of your login area

You don’t have to stick with the default /wp-admin or /wp-login slugs. Login areas can be loaded with different slugs, a tactic that is useful if you want to throw off potential cyber criminals. After all, how can they guess your username and password if they can’t find your login area in the first place! The Lockdown WP Admin plugin offers a quick and easy way to alter the location of your login area.

Another handy plugin that is certain to cause much confusion for those looking to infiltrate your WordPress website is Remove WordPress Version. As the name of the plugin suggests, this open source software completely does away with the WordPress version number in the code of your site. Version numbers can be used to locate loopholes and other vulnerabilities that allow entry into your system.

6. Update when prompted

It’s so easy to hit snooze on updates, but installing them as soon as they are available will ensure your WordPress site is up to the task of protecting you against the very latest threats. A recent survey revealed that 50% of small to medium sized businesses in the UK could be hacked in an hour or less. Updating when prompted could close that window completely.

The ethos for regular updates doesn’t just apply to major ones. Minor updates and updates to plugins should be processed promptly, otherwise you risk leaving your website wide open to vulnerabilities.

By automating your updates you can rest assured that your WordPress site is secure around the clock. Simply paste the following into your wp-config.php file to automate all minor and major updates:

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

7. Safeguard your wp-config.php file

While you’re accessing your wp-config.php file, there’s one other thing you can do to beef up security further. From here go into your .htaccess file and paste the following:

# Block every HTTP request for wp-config.php. This is Apache 2.2 syntax; on
# Apache 2.4 it only works with mod_access_compat loaded, otherwise use
# "Require all denied" inside the same <Files> block.
<files wp-config.php>
order allow,deny
deny from all
</files>

This code will stop intruders from accessing your wp-config.php file and safeguard the WordPress security keys and database connection data within.

8. Wave bye-bye to error reports

PHP error reports can give away more than you think. Every time a plugin or theme throws an error, the message can reveal your server path and other details about your installation, information that, in the wrong hands, helps an attacker learn how your server is laid out. Your hosting provider should be able to disable the display of PHP errors on your behalf to ensure your wider website remains fully secure.

9. Manage cookies with care

You shouldn’t be able to visit any website without seeing a well-placed message about the use of cookies. Managing visitor cookies with WordPress security keys can have more advantages than you think. These security keys in fact strengthen the protection of login cookies and boost security. Use the WordPress Salt Key Generator to make unique WordPress security keys for use on your site. The lines generated can then be pasted into your wp-config.php file to replace the existing ones.
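Steps 6, 8 and 9 all come down to a handful of lines in wp-config.php. The following is an added example, not code from the original post: a small POSIX sh audit that flags a config which still lacks automatic updates, leaves debug output switched on, or still carries the placeholder security keys that ship in WordPress’s sample config. The two sample configs at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wp-config.php for the settings
# discussed in steps 6, 8 and 9 and print one line per problem. The config text at the
# bottom is a constructed sample; the patterns accept either quote style PHP allows.

# wp_config_findings <wp-config.php>: print each problem found, one per line.
wp_config_findings() {
    cfg="$1"
    # Step 6: automatic core updates (minor and major) should be switched on.
    if ! grep -Eq "define\( *['\"]WP_AUTO_UPDATE_CORE['\"], *true *\)" "$cfg"; then
        echo "WP_AUTO_UPDATE_CORE is not set to true"
    fi
    # Step 8: debug output must never reach visitors on a production site.
    if grep -Eq "define\( *['\"]WP_DEBUG['\"], *true *\)" "$cfg"; then
        echo "WP_DEBUG is enabled"
    fi
    if ! grep -Eq "define\( *['\"]WP_DEBUG_DISPLAY['\"], *false *\)" "$cfg"; then
        echo "WP_DEBUG_DISPLAY is not set to false"
    fi
    # Step 9: the security keys and salts must not be the sample placeholders.
    n=$(grep -c 'put your unique phrase here' "$cfg" || true)
    if [ "$n" -gt 0 ]; then
        echo "$n security key(s) still use the sample placeholder"
    fi
}

# wp_config_problem_count <wp-config.php>: number of problems; 0 means clean.
wp_config_problem_count() {
    wp_config_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample: a config left at the shipped defaults, then the same file
# after applying steps 6, 8 and 9 (the key value below is made up for the demo).
write_sample_config() {
    cat > "$1" <<'EOF'
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', true );
EOF
}
write_hardened_config() {
    cat > "$1" <<'EOF'
define( 'AUTH_KEY', 'k8Q(example-unique-phrase-from-the-salt-generator)' );
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
EOF
}
```

Run `wp_config_findings /path/to/wp-config.php` against a live site to see which of the three steps are still outstanding.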

10. Set up the correct file permissions

Different files and directories on your website have differing permissions, and checking all of these and changing them where necessary is important. Certain permissions, such as the 777 permission used on some directories, can unwittingly give write access to the wrong people. As a rule, the following permissions should be used on the following files and directories.

  • wp-config.php file – set a 600 permission
  • Files – set a 640 or 644 permission
  • Directories – set a 755 or 750 permission

Your hosting provider can assist with setting the correct permissions for files and directories, so call on them for help.
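If you have shell access to your host, the permissions above can be checked and applied without waiting on support. The following is an added example, not code from the original post or any plugin: a POSIX sh audit that lists every path outside the policy in step 10, plus a helper that applies the common 755/644/600 settings. It assumes GNU or BSD find and stat, and that the argument is the directory holding wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install against the
# permissions listed in step 10 and, optionally, apply the common settings. Assumes a
# POSIX sh with find plus GNU or BSD stat; <wp_root> is the directory holding wp-config.php.

# wp_mode <path>: print the octal permission bits, portable across GNU and BSD stat.
wp_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_perms <wp_root>: print one line per path outside the policy
# (wp-config.php 600; other files 640 or 644; directories 750 or 755).
audit_wp_perms() {
    find "$1" -mindepth 1 -print | while IFS= read -r path; do
        mode=$(wp_mode "$path")
        case "$path" in
            */wp-config.php) allowed="600" ;;
            *) if [ -d "$path" ]; then allowed="750 755"; else allowed="640 644"; fi ;;
        esac
        ok=0
        for a in $allowed; do
            [ "$mode" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s (expected %s)\n' "$mode" "$path" "$allowed"
        fi
    done
}

# count_wp_findings <wp_root>: number of offending paths; 0 means the tree is clean.
count_wp_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# fix_wp_perms <wp_root>: apply 755 to directories, 644 to files and 600 to
# wp-config.php. The stricter 750/640 variants only work when the web server
# runs as the files' group, so they are left for you to choose deliberately.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}
```

Run `audit_wp_perms /var/www/html` (or wherever your site lives) first and review the list before calling `fix_wp_perms`, since some hosts rely on group-writable upload directories.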

11. Have a backup plan

The average cost of a cyber breach or attack is £20,000, but in the case of more serious cybercrimes, the aftermath can spell untold damage and costs that reach millions. It’s not just the financial implications that can be damaging. A cyber security breach can have a major impact on the reputation of your company, leaving it distrusted by consumers. Without a good disaster recovery plan in place, a damaged reputation can lead to diminishing sales and ultimately the closure of your business. How you back up your website, not just in the event of a breach but on a regular basis, could mean the difference between having a website that bounces back and having one that quite frankly never recovers.

Backing up your WordPress website and the files it contains is easy and can be completed automatically with the right plugins. As well as automating backups, plugins like VaultPress and BackupBuddy make backing your website up to different locations possible at the touch of a button. If something were to go wrong, a backup plugin lets you easily retrieve files so business can resume sharpish.

12. Strike the right balance with plugins

During this piece we’ve recommended a few plugins to help improve the security of your WordPress website, but remember that downloading plugins only from trusted sources, i.e. WordPress itself, is important. There are tons more security plugins that are worth investing in (iThemes Security and BulletProof Security are among our favourite WordPress security plugins), but decreasing the number of plugins on your WordPress website is another way to minimise vulnerabilities. Install only the plugins that you need, and keep the security of your website at the top of your list of priorities.

13. Focus on improving security around you

Protecting your WordPress website from cyber-attack shouldn’t just be done digitally. Your local environment presents its own threats, particularly if you work on your site from a coffee shop, use public computers or use your own devices to access public WiFi. We would personally (and professionally) advise against the use of public computers and public WiFi when accessing and managing sensitive business data. If public use can’t be avoided, make sure the device you are using is fully protected with the latest version of anti-virus, a firewall, and regular malware and virus scans.

It’s not just in public where being mindful about security can count: 70% of business owners reported that their employees pose the biggest security risk. Whether employee breaches are the result of an ‘inside job’, a badly defined BYOD (Bring Your Own Device) policy or a lack of understanding about cyber security, improving the security of your local environment and the devices within it is imperative.

Need help upping the security of your WordPress website? Our WordPress experts are on hand to help. With experience developing superfast, fully secure and truly stunning WordPress websites, our team has the expertise you need to ensure performance on all fronts. Our service doesn’t end there, we offer an extensive range of support packages to ensure your WordPress website remains safe and secure for the long term. Get in touch with us today to get started.
