How to Secure WordPress: 8 Simple Ways to Stay Safe & Protected
Most of us probably don’t check our own WordPress sites every day. For some of us, it could be weeks or months between visits.
If our website gets hacked or crashes, it might be a long time before we notice. Even worse, it might be one of our customers who finally tells us that there’s something wrong!
The Downside of Poor Security
We all know that security is important, but what happens if you don’t secure your WordPress website?
- Google may flag your site as hacked or dangerous and drop it from search results, so your traffic dries up overnight. Getting the flag removed is difficult and time-consuming.
- Your visitors may receive security warnings when trying to access your website which certainly won’t help your reputation.
- Your data, or your client’s data, could get stolen.
- Your site could be filled with difficult-to-remove malware.
- Your brand could be harmed if your site is full of spam and scams.
- Payment processors like Stripe or PayPal may blacklist you.
- Your hosting provider may suspend your account.
Getting Banned By Google
Google and Bing crawl websites regularly, looking for changes. If they find malware or spam on your website, Google marks it as hacked or dangerous: visitors see a warning page in Chrome and a warning label in search results, and the site can be dropped from results altogether. Your traffic will dry up overnight.
Getting the warning removed can be tricky and time-consuming. You have to clean the site completely, request a review through Google Search Console, prove that you're no longer a threat, and wait for Google to re-check the site. If any malware is left behind, the review fails and you start again. Here's an article from Google with more information.
8 Easy Steps to Secure WordPress
Here are eight easy tips to massively boost the security of your WordPress website. You can totally do these and be confident about your website’s security!
1. Keep Your Website Up To Date
Think of your website like it’s a computer or a phone; it needs regular updates in order to stay safe and run properly.
Here’s an article on how to do updates without killing your WordPress website. It has a few key takeaways:
- Check for updates at least monthly, and apply security releases as soon as they come out. Set a reminder or make it a part of your routine.
- Leave WordPress's built-in automatic updates for minor core releases switched on; those are the security fixes, and attackers start scanning for unpatched sites soon after a fix is published. Be careful with automatic updates for plugins, themes and major core versions, because those are the updates that can take down your website when you're not looking; run them by hand, after a backup.
- Make automatic backups to protect you from updates gone wrong.
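The settings that control this live in wp-config.php. The script below is an added example, not code from the original article: it reads a wp-config.php and reports whether WordPress's own security (minor core) auto-updates are still enabled. The constant names it checks (WP_AUTO_UPDATE_CORE, AUTOMATIC_UPDATER_DISABLED) are real WordPress settings; the DISALLOW_FILE_EDIT check is an extra hardening step the article does not mention; the two sample configs and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: check the update-related
# settings in a site's wp-config.php. The sample configs are constructed here;
# the constant names are real WordPress settings.

# get_define <wp-config.php> <CONSTANT>
# Prints the value passed to define('CONSTANT', value), stripped of quotes and
# spaces, or nothing when the constant is not defined.
get_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\));.*/\1/p" "$1" \
        | head -n 1 | tr -d " '\""
}

# audit_wp_config <wp-config.php>
# Prints one finding per line; returns 0 when nothing needs fixing, 1 otherwise.
audit_wp_config() {
    cfg="$1"
    bad=0

    # The global switch: when true, WordPress never applies any update by itself,
    # including the minor core releases that carry security fixes.
    if [ "$(get_define "$cfg" AUTOMATIC_UPDATER_DISABLED)" = "true" ]; then
        echo "PROBLEM: AUTOMATIC_UPDATER_DISABLED is true; security releases are not applied automatically"
        bad=1
    fi

    # Core auto-update policy: unset or 'minor' (the default) is what you want;
    # true also takes major releases; false turns core auto-updates off entirely.
    core="$(get_define "$cfg" WP_AUTO_UPDATE_CORE)"
    case "$core" in
        ""|minor)
            echo "ok: core auto-updates cover minor (security) releases" ;;
        true)
            echo "note: WP_AUTO_UPDATE_CORE is true, so major releases are applied automatically as well; keep backups current" ;;
        false)
            echo "PROBLEM: WP_AUTO_UPDATE_CORE is false; core security releases must be applied by hand"
            bad=1 ;;
        *)
            echo "WARNING: unrecognised WP_AUTO_UPDATE_CORE value '$core'" ;;
    esac

    # Extra hardening the article does not cover: disabling the dashboard's
    # theme/plugin file editor stops a hijacked admin account from dropping PHP.
    if [ "$(get_define "$cfg" DISALLOW_FILE_EDIT)" != "true" ]; then
        echo "WARNING: DISALLOW_FILE_EDIT is not set; the dashboard file editor is enabled"
    fi

    return "$bad"
}

# write_weak_config <path>  -> constructed sample with auto-updates switched off
write_weak_config() {
    cat >"$1" <<'EOF'
<?php
define( 'DB_NAME', 'example' );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', false );
EOF
}

# write_hardened_config <path>  -> constructed sample with the recommended settings
write_hardened_config() {
    cat >"$1" <<'EOF'
<?php
define( 'DB_NAME', 'example' );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'DISALLOW_FILE_EDIT', true );
EOF
}

# Usage (path is an assumption): sh audit.sh /var/www/html/wp-config.php
if [ "$#" -eq 1 ]; then
    audit_wp_config "$1"
fi
```

Run it against the weak sample and it reports two PROBLEM lines and exits non-zero; against the hardened sample it exits zero. The fix for a weak file is to delete the AUTOMATIC_UPDATER_DISABLED line and set WP_AUTO_UPDATE_CORE to 'minor', which leaves plugin and theme updates for you to run by hand after a backup.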
2. Use a Strong Password
When you first create an account in WordPress, it will suggest a long string of random characters as your password. Passwords like these really are the best ones to use.
The advice about using a letter, a number, and a special character leads to passwords like “Password123!” which aren’t very secure at all.
Here’s an article from AT&T and another from Google that both have great tips on creating great passwords and passphrases.
Select Users from your WordPress admin screen and then Edit under your account. Scroll down to the Account Management section and click the Set New Password button. The password suggested to you there is a strong password. You can use it or replace it with a good passphrase.
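If you prefer the command line, the script below is an added example (not from the article) that generates the same kind of long random password WordPress suggests, estimates its strength, and flags the "Password123!" recipe the text warns about. The character set, the 12-character minimum and the weak-pattern rule are my own choices, not WordPress's.

```shell
#!/bin/sh
# Added example, not from the article: generate a long random password from the
# OS random source, score it, and flag the "word + digits + one symbol" pattern.

# Character set: letters, digits and punctuation WordPress accepts in passwords.
PW_CHARS='A-Za-z0-9!@#$%^&*()_+'
PW_CHARSET_SIZE=74   # 26 + 26 + 10 + 12 distinct characters

# gen_password [length]  -> one random password (default 24 characters)
gen_password() {
    LC_ALL=C tr -dc "$PW_CHARS" </dev/urandom | head -c "${1:-24}"
    echo
}

# password_bits <length> <charset-size>  -> entropy in whole bits: length * log2(charset)
password_bits() {
    awk -v n="$1" -v c="$2" 'BEGIN { printf "%d\n", n * log(c) / log(2) }'
}

# password_is_weak <password>  -> succeeds (exit 0) when the password is short
# or follows the "word, digits, at most one symbol" recipe. That recipe passes
# naive complexity rules ("a letter, a number and a special character") but
# is the first thing a cracking wordlist tries.
password_is_weak() {
    pw="$1"
    if [ "${#pw}" -lt 12 ]; then
        return 0
    fi
    if printf '%s' "$pw" | grep -Eq '^[A-Za-z]+[0-9]*[[:punct:]]?$'; then
        return 0
    fi
    return 1
}

# Demo: print a fresh password and its strength estimate.
pw="$(gen_password 24)"
echo "$pw  (~$(password_bits 24 "$PW_CHARSET_SIZE") bits)"
```

A 24-character password from this set carries about 149 bits of entropy, far beyond anything a brute-force attack can reach, while "Password123!" is flagged as weak even though it is 12 characters long and ticks every complexity box. To set the result with WP-CLI, run `wp user update <login> --user_pass="$(gen_password 24)"` and store the password in a password manager.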
3. Install a Security Plugin
Installing a security plugin like Wordfence or Sucuri is an excellent way to add a layer of security to your website.
These plugins add a web application firewall that blocks known attack patterns and limits repeated login attempts, scan your files for unexpected changes to WordPress core, theme and plugin code, and add extra protection such as two-factor authentication (2FA). Turn 2FA on for every administrator account, not just your own.
4. Consider Cloudflare
Cloudflare sits in front of your website as a reverse proxy, so it can inspect traffic and block bots, known bad IP addresses and common attack patterns before they ever reach your server.
Cloudflare is a great addition to on-site security plugins like Wordfence or Sucuri. No security is perfect, so having both gives you two layers of defence.
If your hosting provider offers Cloudflare, I recommend taking it. Setting up Cloudflare can be tricky, so take them up on it if they can do this for you. One thing to check once it's in place: your server should only accept web traffic from Cloudflare's own addresses, otherwise an attacker who discovers your server's real IP address can simply go around it.
5. Backup Your Website
This isn’t a security issue per se, but having a backup from a time before any troubles started can significantly simplify your efforts to get rid of spam and malware.
Here is a guide on making automatic WordPress backups and storing them off-site on Google Drive. I recommend that you keep a month’s worth of backups stored there.
If you have a clean backup of your website, then you can:
- Wipe your current website & database, completely getting rid of all malware and spam.
- Install WordPress from scratch with a fresh, new database.
- Restore your clean backup to this new environment.
Here is a guide on restoring your old website to a new installation of WordPress. Once the restore is done, update everything and change every password (WordPress accounts, database, FTP and hosting panel) before going live again. The backup is clean, but it still contains whatever weakness let the attacker in the first time, and the attacker may already have your old passwords.
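As an added example (not code from the article or the linked guide), here is a small backup script that archives the parts of a WordPress install you cannot simply re-download and deletes copies older than a month, which is the retention the text recommends. The paths are assumptions, the database dump relies on WP-CLI being installed, and the site contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the article: dated backup of the parts of a WordPress
# site that cannot simply be re-downloaded, plus pruning to keep about a month.
# Paths are assumptions; the site contents used in the demo are constructed.

# backup_site <wordpress-root> <backup-dir>
# Creates <backup-dir>/site-YYYYmmdd-HHMMSS.tar.gz holding wp-config.php,
# wp-content/ (themes, plugins, uploads) and, when WP-CLI is installed, a
# database dump. Prints the archive path.
backup_site() {
    root="$1"; dest="$2"
    archive="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    work="$(mktemp -d)"
    mkdir -p "$dest"

    # Database dump via WP-CLI. Without it the archive is files-only, which is
    # worth knowing before you rely on it, hence the warning.
    if command -v wp >/dev/null 2>&1; then
        wp --path="$root" db export "$work/database.sql" --quiet \
            || echo "warning: database export failed, archive is files-only" >&2
    else
        echo "warning: wp-cli not found, no database dump in $archive" >&2
    fi

    if [ -f "$work/database.sql" ]; then
        tar -czf "$archive" -C "$root" wp-config.php wp-content -C "$work" database.sql
    else
        tar -czf "$archive" -C "$root" wp-config.php wp-content
    fi
    rm -rf "$work"
    echo "$archive"
}

# prune_backups <backup-dir> [days]
# Deletes site-*.tar.gz archives older than <days> (default 31) and prints
# what it removed. Run it after a successful backup_site, never before.
prune_backups() {
    find "$1" -maxdepth 1 -type f -name 'site-*.tar.gz' -mtime "+${2:-31}" -print -exec rm -f {} +
}

# Usage (paths assumed): sh backup.sh /var/www/html /var/backups/wordpress
if [ "$#" -eq 2 ]; then
    backup_site "$1" "$2" && prune_backups "$2"
fi
```

Schedule it from cron and then copy the printed archive somewhere off the server (for example with `rclone copy` to a Google Drive remote, as the linked guide does through a plugin), because a backup that lives only on the hacked machine is one the attacker can delete too. Pruning runs only after a new archive has been written, so a failed backup never leaves you with nothing.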
6. Remove Old Themes
If you’ve tried out a few different themes over time, get rid of the ones you aren’t using anymore. An inactive theme’s files still sit on your server and can still be requested directly, so a vulnerability in one of them can be exploited even though the theme is never displayed, and unused themes tend to be the ones nobody remembers to update.
In your WordPress admin screen, go to Appearance -> Themes and remove any old themes you no longer need.
One thing to look out for is whether your current theme is a child theme. Click on your active theme and look for a message that says, “This is a child theme of X.” Whatever theme is named there must also be kept on the website; don’t delete it. For example, if the message says your theme is a child of GeneratePress, keep the GeneratePress theme installed, because your current theme depends on it.
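The child/parent relationship is recorded in each theme's style.css as a `Template:` header, so it can be checked without clicking through the dashboard. The script below is an added example, not code from the article: it lists every installed theme that is neither the active theme nor the active theme's parent. It only reports; nothing is deleted. The wp-content layout and the sample themes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: work out which installed themes can be
# removed, keeping the active theme and (for a child theme) its parent. The
# wp-content layout and the sample themes below are constructed for the demo.

# theme_parent <themes-dir> <theme-slug>
# Prints the "Template:" header from the theme's style.css, which names the
# parent theme; prints nothing for a theme that is not a child. Fails if the
# theme directory has no style.css.
theme_parent() {
    css="$1/$2/style.css"
    [ -f "$css" ] || return 1
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Template:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$css" | head -n 1
}

# themes_to_remove <themes-dir> <active-theme-slug>
# Prints one slug per line for every theme that is neither active nor the
# active theme's parent. It only reports; deleting is left to you.
themes_to_remove() {
    dir="$1"; active="$2"
    parent="$(theme_parent "$dir" "$active")" \
        || { echo "error: no theme called '$active' under $dir" >&2; return 1; }
    if [ -n "$parent" ] && [ ! -f "$dir/$parent/style.css" ]; then
        echo "warning: '$active' is a child of '$parent', which is not installed" >&2
    fi
    for path in "$dir"/*/; do
        slug="$(basename "$path")"
        [ -f "$path/style.css" ] || continue   # not a theme directory
        if [ "$slug" != "$active" ] && [ "$slug" != "$parent" ]; then
            echo "$slug"
        fi
    done
}

# make_sample_themes <dir>  -> constructed wp-content/themes with one child theme
make_sample_themes() {
    for slug in generatepress generatepress_child oldtheme twentytwentyfour; do
        mkdir -p "$1/$slug"
        printf '/*\nTheme Name: %s\n' "$slug" >"$1/$slug/style.css"
        if [ "$slug" = "generatepress_child" ]; then
            printf 'Template: generatepress\n' >>"$1/$slug/style.css"
        fi
        printf '*/\n' >>"$1/$slug/style.css"
    done
}

# Usage (paths assumed): sh themes.sh /var/www/html/wp-content/themes generatepress_child
if [ "$#" -eq 2 ]; then
    themes_to_remove "$1" "$2"
fi
```

On the sample set with generatepress_child active, it prints oldtheme and twentytwentyfour and keeps both generatepress_child and its parent generatepress. On a real site, get the active slug with `wp theme list --status=active --field=name`, review the output, and remove each unwanted theme with `wp theme delete <slug>`; `wp plugin list --status=inactive` gives the equivalent starting point for the plugin clean-up in the next step.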
7. Remove Unnecessary Plugins
Like old themes, you should also remove unused plugins. Security folks call this reducing your “attack surface.” The basic theory is that hackers can’t hack what isn’t there, and an inactive plugin’s files are still on the server, reachable and exploitable, even though the plugin is switched off.
If you’re not sure whether a plugin is in use, deactivate it first and check that your website still looks good and works correctly. Deactivating keeps the plugin’s settings and data, so you can always Activate it again if something breaks. Only delete a plugin once you’re satisfied the site runs fine without it, because deleting can remove its data for good.
8. Remove Unused User Accounts
Have a look at the accounts on your website. Find ones that are no longer in use (former staff, old contractors, the agency that built the site years ago) and delete them; when WordPress asks what to do with their content, attribute it to a user who is still around. While you’re there, check who has the Administrator role and demote anyone who only writes content to Editor or Author. Nasty people can’t hack an account that isn’t there.