Hackers are a constant threat, and lots of people have lost their sites because they don’t know enough about basic WordPress security practices. That’s right – hackers can tamper with your hard work, send your hard-won page views back down to zero, or delete your whole site. Obviously, no one wants this to happen. So I’m going to share a little tutorial on how to keep your site secure with a few simple changes.
Here’s something you probably don’t know. Someone has almost certainly tried to break into your site TODAY, probably 20 or 30 times. Most of those attempts aren’t a person targeting you; they’re automated bots that try every WordPress site they can find, guessing logins and probing for old plugin versions. Most people don’t know this, but when you have proper security software on board, it shows you the actual number of attempts – it’s a LOT more than you would suspect!
Note that some of these WordPress security changes may cost some money. This post contains affiliate links, so I may make a bit of spare change for sharing them with you. But relax – it’s good karma to help out other bloggers and site owners. Someday they may return the favor. PS: Read to the end – I have a special offer for the non-techy people!
Choose your Host Carefully
Your first line of defense is a good host. I strongly recommend Siteground. STRONGLY recommend. Here’s why:
- Terrific customer service. I can usually get a live person on chat within 30 seconds. Most of the time, they can fix stuff on the spot if a plugin has crashed my site. Time is critical if your site has been hacked!
- Free SSL. FREE! I had to pay for it on my last host.
- Free backups – we’ll talk more about that in a minute, but they offer GOOD backups.
- Weekly security scans for cheap. I think I paid maybe $20 for the year to have my sites scanned weekly. It’s not all you need, but it gives you a little extra peace of mind.
Here’s a whole article about my previous “cheapo” host and why I made the switch to Siteground. I’m so happy I did: it actually saved me a good bit of money and made my site more secure.
Choose a Premium Theme
No, you do NOT want a free theme!! You think you do, but I promise you, you DON’T. You know that old saying: you get what you pay for. Yup. A free theme thrown together by someone who isn’t making money on it is rarely well coded, and good code is EVERYTHING in a theme. A quality theme will not only be properly responsive on mobile (my last cheapo theme was not mobile-responsive – ugh!) but will also be properly coded for security, and the developers will keep sending updates to paying customers. The security property you’re really paying for is maintenance: a theme nobody updates is a theme whose holes never get fixed, and a reputable paid theme is the easiest way to get one that does. Save money somewhere else, but invest in a quality theme!
I buy my themes through Bluchic. Both my sites use their Isabelle theme, but they have about 10 different styles. They are beautiful, they are wonderfully mobile-responsive, and they are properly coded. And they’re easy to update. If you buy a Bluchic theme using my LINK, I’ll even install it for you for FREE in your own brand colors. Now that’s a great deal.
Username and Password – Do it RIGHT!
This is where a lot of my clients go wrong. Really wrong. When you set up a new site, the first thing you do is set up your username and password. Here is what your username SHOULDN’T BE:
- Admin (never, NEVER use this!)
- The name of your site (nope, definitely not)
- Your name or anyone’s name (too easy to guess)
- Your Email (still too easy)
Hackers are trying to get into your site every single day, I promise you. Lots of ’em. All they need are two things – your username and your password. That’s all. So why would you give away half the equation before they even start? Instead, pick a phrase or something funky that you can easily remember – I-c00k-f00d (those are zeros), #sm@rtbl0ggr, something like that. (One detail: WordPress quietly strips most punctuation out of usernames when it saves them, so that second one would actually be stored as sm@rtbl0ggr. Letters, digits, dots, dashes, underscores and @ are safe.) One honest caveat: WordPress isn’t great at keeping usernames secret. Author archive links (yoursite.com/?author=1) and the REST API (yoursite.com/wp-json/wp/v2/users) can reveal your login name to anyone who goes looking, so treat an unguessable username as a speed bump, not a wall. The password is the part that actually has to hold.
And your password – make it HARD. Don’t use your kids’ names, your dog’s name, or anything recognizable. Length beats cleverness: swapping 0 for o or @ for a is the first trick every password-cracking tool tries, so aim for 16 characters or more rather than relying on cute substitutions. Here’s a little trick I like to use. We type passwords in a lot, right? So make them something motivational – Immm#Awes0meX365 or something that gets you pumped up! Then it’s easy for you to remember, but hard to hack. PS: I also like password keeper apps like 1Password or LastPass to store your zillion passwords for everything. A password manager can also generate a completely random password for your WordPress login, which beats anything a human makes up, and you never have to type it from memory.
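To make the username and password advice above concrete, here’s a small script added for this post (it isn’t from the original tutorial and isn’t part of WordPress) that checks a proposed login against exactly those rules. Two things in it are assumptions: the character filter is my reading of WordPress’s strict sanitize_user() behaviour, and the site name, owner name and email it compares against are whatever you pass in. Every sample value is made up. The interesting bit is that it undoes the usual symbol swaps before comparing, so “J@neD0e” still counts as “your name”.

```python
"""Check a WordPress username and password against the advice above.

Added example; it is not code from the original post. Assumptions: the
bad-username list is the post's own (admin, site name, your name, your
email); the character filter mirrors WordPress's strict sanitize_user(),
which keeps only letters, digits, space, underscore, dot, dash and @;
every sample value in the checks is constructed.
"""
import re

# What WordPress keeps when it stores a new username (strict mode).
_WP_STRICT = re.compile(r"[^a-z0-9 _.\-@]", re.IGNORECASE)

# Undo the usual symbol swaps so "c00k" compares equal to "cook".
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                         "5": "s", "7": "t", "@": "a", "$": "s"})


def wp_username(requested):
    """The username WordPress will actually save for what you typed."""
    return _WP_STRICT.sub("", requested).strip()


def normalize(text):
    """Lower-case, reverse leet swaps, drop everything but letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_UNLEET))


def username_problems(username, site_name, owner_name, email):
    """Reasons a username is a bad choice; an empty list means it passes."""
    stored = wp_username(username)
    problems = []
    if stored != username:
        problems.append(f"WordPress will store this as {stored!r}")
    core = normalize(stored)
    if not core:
        return problems + ["no letters left after stripping"]
    if core in ("admin", "administrator", "root"):
        problems.append("default admin name")
    # These three are public or trivially guessable, so neither the
    # username nor any leet-spelled variant of it may match them.
    public = {"site name": site_name, "your name": owner_name,
              "your email": email.split("@")[0]}
    for label, value in public.items():
        guess = normalize(value)
        if guess and (guess in core or core in guess):
            problems.append(f"matches {label}")
    if len(stored) < 6:
        problems.append("shorter than 6 characters")
    return problems


def password_problems(password, username, site_name, personal_words):
    """Reasons a password is weak; same idea, applied to the password."""
    problems = []
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    core = normalize(password)
    checks = [("username", username), ("site name", site_name)]
    checks += [("personal word", w) for w in personal_words]
    for label, value in checks:
        guess = normalize(value)
        if len(guess) >= 3 and guess in core:
            problems.append(f"contains {label} {value!r} even after undoing symbol swaps")
    return problems


if __name__ == "__main__":
    # Constructed sample site: "My Blog", owned by Jane Doe, jane@example.com
    for name in ("Admin", "JaneDoe", "#sm@rtbl0ggr", "I-c00k-f00d"):
        print(name, "->", username_problems(name, "My Blog", "Jane Doe", "jane@example.com") or "ok")
    for pw in ("J@neD0e-2019!!", "correct-Horse-battery-9"):
        print(pw, "->", password_problems(pw, "icookfood", "My Blog", ["Jane Doe"]) or "ok")
```

Run it and “I-c00k-f00d” passes while “JaneDoe” is flagged twice (it matches both your name and the email). Note the password check only catches the things the post warns about; it is not a substitute for a password manager’s random generator.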
If you’ve got one of these bad usernames – don’t despair. It’s an easy fix.
- Go to your dashboard, click “Users,” then “Add New.”
- Give yourself a new, more secure username, set the role to Administrator, and set a good password for it. The new account needs its own email address (WordPress won’t let two accounts share one), so use an alias or change the old account’s email first.
- Log out and log back in as the new user. WordPress won’t let you delete the account you are currently logged in as, so this step isn’t optional.
- Now delete the old one, but CAREFULLY. WordPress will ask what to do with that user’s content: choose “Attribute all content to” and pick your new username. Voila! All your previous posts transfer to the new username. (If you pick “Delete all content,” your posts go with the user.)
- While you’re in there, review any other users on your site and decide whether they still need access. Don’t leave unused accounts hanging around – every one of them is another login for a hacker to try.
Next, find a good WordPress security plugin that suits your needs. These plugins block certain addresses from reaching your login page, alert you to bot activity and repeated failed logins, and lock an address out after too many tries. Some can even block whole countries that are known for a lot of hacker activity. Many of them also offer two-factor authentication, which means a stolen or guessed password alone is no longer enough to get in – turn it on if yours has it.
IF YOU HAVE A BIG SITE WITH LOTS OF MATERIAL ON IT
Spend the money for a premium security package. Sucuri Scanner and Wordfence Premium are both good and pretty simple to install, although I think Wordfence is a memory hog. Check around a bit and do your research to find the best fit for you. Plan on spending at least a couple hundred bucks.
IF YOU ARE A NEW BLOGGER OR JUST HAVE A TINY SITE
You can probably get by with one of the free or low-cost security plugins. I’ve used All In One WP Security and that’s pretty good, or I use Jetpack Premium and its built-in security features, plus the weekly scans from my host. So far, that’s worked pretty well.
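If you’re curious what “multiple login attempts” actually looks like in raw data, here’s an added example (not from the original post, and not how Wordfence, Sucuri or Jetpack do it internally): a short script that reads web server access log lines and flags addresses that POST to wp-login.php or xmlrpc.php too many times in ten minutes. The log lines in it are made up for the demo, and the threshold and window are my assumptions; most hosts let you download the real access log from their control panel.

```python
"""Spot login brute-forcing in a web server access log.

Added example, not code from the original post or from any plugin it
names. It does the simplest version of what those plugins report as
"multiple login attempts": parse combined-format (Apache/Nginx) lines,
count POSTs to wp-login.php and xmlrpc.php per client address, and flag
addresses that exceed a limit inside a sliding time window. The log
lines below are constructed; the addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# 203.0.113.7 - - [10/Mar/2024:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse(line):
    """(ip, timestamp, method, path, status) for one log line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def login_attempts(lines):
    """ip -> sorted timestamps of POSTs to the login endpoints.

    WordPress answers a failed login with HTTP 200 (the form again, with an
    error) and a successful one with a 302 redirect, so the status code alone
    does not separate the two reliably; that is why the plugins hook into
    WordPress itself rather than reading the log. Counting POSTs is still a
    good proxy for "someone is hammering the login".
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            attempts[rec[0]].append(rec[1])
    return {ip: sorted(t) for ip, t in attempts.items()}


def brute_forcers(lines, limit=5, window=timedelta(minutes=10)):
    """{ip: total POSTs} for addresses with more than `limit` inside any window."""
    flagged = {}
    for ip, times in login_attempts(lines).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged[ip] = len(times)
                break
    return flagged


def _line(ip, ts, method, path, status=200):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


# Constructed sample: one bot hammering wp-login.php, one slow xmlrpc probe,
# and one real person logging in.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10/Mar/2024:03:14:{7 + 5 * i:02d} +0000", "POST", "/wp-login.php")
     for i in range(8)]
    + [_line("192.0.2.99", f"10/Mar/2024:03:{m:02d}:00 +0000", "POST", "/xmlrpc.php")
       for m in range(0, 30, 5)]
    + [_line("198.51.100.23", "10/Mar/2024:09:02:11 +0000", "GET", "/wp-login.php"),
       _line("198.51.100.23", "10/Mar/2024:09:02:40 +0000", "POST", "/wp-login.php", 302),
       _line("198.51.100.23", "10/Mar/2024:09:02:41 +0000", "GET", "/wp-admin/")]
)

if __name__ == "__main__":
    for ip, n in brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs in a short burst, block it")
```

With the defaults only the 203.0.113.7 bot is flagged; the xmlrpc prober at 192.0.2.99 is spread out enough to slip under a six-in-ten-minutes rule, which is exactly why real plugins also watch xmlrpc.php separately and why the limit is worth tuning for your site.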
The other half of the equation is to have good backups. I have a whole post about this called “I Thought My Site was Backed Up“. The one time I did get hacked, I was horrified to discover that my previous “cheapo” host only kept 24 hours worth of backups, even though I’d paid extra for the feature. By the time you find out you’ve been hacked, figure out what to do about it and open a ticket with your host, that 24 hour clock is DONE. Siteground (remember them?) keeps 30 days of backups! I also have another set of automatic backups through JetPack Premium. This girl is BIG on backups after nearly losing my whole site to a hacker!
Having a backup saved is so important in the event that your computer or blog is infected with malware. If you have a full backup, you can restore anything that is lost. UpdraftPlus is a good choice for backups too. It’s designed to do a complete backup of your site files, back up the database, and run scheduled backups daily. Two things people skip: send the backups somewhere OTHER than the server they came from (UpdraftPlus can push them to Dropbox, Google Drive, Amazon S3 and the like), because a hacker who controls your server can delete any backups sitting on it; and keep more than a day or two of them, because if the break-in happened last week, last night’s backup just contains the break-in. And do a test restore once before you ever need it. A backup you’ve never restored is a hope, not a plan.
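Here’s an added example (not from the original post and not part of UpdraftPlus or Jetpack) of the check I’d run against a backup folder before trusting it: is the newest backup recent, does it actually contain wp-config.php and a database dump, and how far back does the history go? It assumes each backup is a single .tar.gz holding both files and database (adjust the contents check if your tool splits them up); the sample backups are generated in a temporary folder by the script itself, so you can run it anywhere.

```python
"""Check that a folder of WordPress backups would actually save you.

Added example, not code from the original post or from UpdraftPlus.
Assumptions: each backup is one .tar.gz holding the site files and a
.sql database dump (UpdraftPlus and many hosts split these into several
files, so adjust the contents check to your layout); the sample backups
are constructed in a temporary directory by make_sample_backups().
"""
import io
import os
import tarfile
import tempfile
import time
from datetime import timedelta


def backup_report(backup_dir, max_age=timedelta(days=1),
                  min_history=timedelta(days=7), now=None):
    """Report on the newest backup's freshness, completeness and history depth.

    A host that only keeps 24 hours of backups fails the min_history check,
    which is exactly the trap described above: by the time you notice the
    hack, the last clean backup has already been overwritten.
    """
    now = time.time() if now is None else now
    archives = sorted((os.path.join(backup_dir, f) for f in os.listdir(backup_dir)
                       if f.endswith(".tar.gz")), key=os.path.getmtime)
    if not archives:
        return {"ok": False, "count": 0, "problems": ["no backups found"]}
    newest, oldest = archives[-1], archives[0]
    newest_age = timedelta(seconds=now - os.path.getmtime(newest))
    history = timedelta(seconds=now - os.path.getmtime(oldest))
    problems = []
    if newest_age > max_age:
        problems.append(f"newest backup is {newest_age.days} days old")
    if history < min_history:
        problems.append(f"only {history.days} days of history kept")
    try:
        with tarfile.open(newest) as tar:
            names = tar.getnames()
        if not any(n.endswith("wp-config.php") for n in names):
            problems.append("newest backup has no wp-config.php (site files missing?)")
        if not any(n.endswith(".sql") for n in names):
            problems.append("newest backup has no .sql dump (database missing?)")
    except (tarfile.TarError, OSError) as exc:
        problems.append(f"newest backup is unreadable: {exc}")
    return {"ok": not problems, "count": len(archives),
            "newest": os.path.basename(newest), "problems": problems}


def make_sample_backups(days_ago, include_db=True):
    """Constructed fixture: one tiny backup per entry in days_ago (0 = today)."""
    folder = tempfile.mkdtemp(prefix="wp-backups-")
    now = time.time()
    members = [("wp-config.php", b"<?php define('DB_NAME', 'wp');"),
               ("wp-content/index.php", b"<?php // Silence is golden.")]
    if include_db:
        members.append(("database.sql", b"-- constructed dump\n"))
    for day in days_ago:
        path = os.path.join(folder, f"site-{day:03d}.tar.gz")
        with tarfile.open(path, "w:gz") as tar:
            for name, body in members:
                info = tarfile.TarInfo(name)
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
        stamp = now - day * 86400          # backdate the file's mtime
        os.utime(path, (stamp, stamp))
    return folder


if __name__ == "__main__":
    print(backup_report(make_sample_backups(range(30))))   # 30 days, like Siteground
    print(backup_report(make_sample_backups([0])))         # the "24 hours only" host
```

The second run is the cheapo-host situation from the story above: one fresh, complete backup and zero days of history, which the report flags even though the backup itself is fine.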
UPDATE, UPDATE, UPDATE
Last, but not least, keep your WordPress blog up to date. Every time you get one of those pesky update notices – DO IT. Keep your theme, your WordPress version and your plugins updated. Those updates are very often fixing a security issue, and once the fix is published, hackers know exactly which hole the old version still has.
Here’s a smart tip for updating your plugins. Do them one at a time. Yes, just ONE at a time. How many at a time? ONE!
Why? If you grab six plugins and update them all at once, sometimes the code doesn’t play nicely, and when the site breaks you have no idea which one did it. So update one, then load your site and log in before you touch the next. I’ve had several different times when a plugin CRASHED my site. Fortunately, since I do them separately, I can tell my host it was THIS plugin and they can go right in and remove it. But if I don’t know, they’ll just have to start removing stuff until they find the right one – ugh!
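For people comfortable with a terminal, here’s an added example (not from the original post) that automates the one-at-a-time rule with WP-CLI: update one plugin, load the home page, and if the site stops answering, deactivate that plugin and stop so you can name the culprit. It assumes WP-CLI (the `wp` command) is installed on your host and that a healthy site returns HTTP 200; the `run` and `site_ok` parameters exist so the logic can be dry-run without a live site.

```python
"""Update plugins one at a time and stop at the first one that breaks the site.

Added example, not code from the original post. It assumes WP-CLI (the
`wp` command) is installed on the server and that your home page should
answer HTTP 200 when the site is healthy. `run` and `site_ok` are
parameters so the logic can be exercised without a live site (the
defaults call the real `wp` and fetch the real page). WP-CLI commands
used: `wp plugin list --update=available --field=name`,
`wp plugin update <name>`, `wp plugin deactivate <name>`.
"""
import subprocess
import urllib.request


def run_wp(args):
    """Default runner: execute one wp-cli command and return its stdout."""
    return subprocess.run(["wp", *args], check=True,
                          capture_output=True, text=True).stdout


def site_responds(url):
    """Default health check: the home page loads with HTTP 200."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status == 200
    except Exception:
        return False


def update_one_at_a_time(site_url, run=run_wp, site_ok=site_responds):
    """Update each outdated plugin separately, checking the site after each.

    Returns (updated, culprit): the plugins that updated cleanly, and the
    one that broke the site (None if none did). The culprit is deactivated
    again before returning, and nothing after it is touched, so you know
    exactly which plugin to tell your host about.
    """
    if not site_ok(site_url):
        raise RuntimeError("site is already down; fix that before updating anything")
    pending = run(["plugin", "list", "--update=available", "--field=name"]).split()
    updated = []
    for name in pending:
        run(["plugin", "update", name])
        if site_ok(site_url):
            updated.append(name)
            continue
        # This is the whole point of one-at-a-time: we know exactly who did it.
        run(["plugin", "deactivate", name])
        return updated, name
    return updated, None


if __name__ == "__main__":
    import sys
    done, culprit = update_one_at_a_time(sys.argv[1])   # e.g. https://yoursite.com/
    print("updated:", ", ".join(done) or "nothing")
    if culprit:
        sys.exit(f"{culprit} broke the site and has been deactivated")
```

A loaded home page is a crude health check (a plugin can break wp-admin while the front end still renders), so if you adapt this, also fetch a logged-in admin page or at least /wp-login.php. Still, it beats `wp plugin update --all` followed by guessing.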
Remove all spam comments too. I use the free Akismet plugin to catch most of them, but if some get through, I remove them IMMEDIATELY. You don’t want those bad links and junk on your site.
Remove unused plugins too. Sometimes they get abandoned by the developer, and then nobody is fixing the security holes that turn up in them. Deactivating isn’t enough – the plugin’s files are still sitting on your server, and some holes can be reached even when the plugin is switched off – so actually delete it. And check the plugin’s page before you keep one: if it hasn’t been updated in a year or more, or isn’t tested with the current WordPress version, you don’t want it on your site.