WordPress Security- Protect Your Site From The Bad Guys
If you have a self-hosted WordPress site, make sure it is secure and protected.
Many self-publishing authors are moving to WordPress because of the enhanced book marketing functionality and even income potential it offers.
Most hosting providers make it very easy to install and set up WordPress. However, your new site may not be secure. Check that your new WordPress site is safe from common security vulnerabilities with these five quick and easy steps.
If you have moved to WordPress, or are thinking about using it for your website or blog, it is worth taking the time to make sure that your site is protected, secure and safe from hackers and spammers.
Whenever I set up a new WordPress site, the very first thing I do is make sure it is safe and secure by taking the following five steps.
Five quick steps to secure your WordPress site
1. You must change the default username and password
Without a doubt, the very first security step to take as a website owner is to change your default username.
WordPress assigns admin as the username for a new installation. Leaving your username as admin is an easy and open invitation for hackers to break into your site.
To make your site secure, change your username to something that is not easy to guess.
Don’t use your name or the name of your blog, because these are far too easy for hackers to guess. The username doesn’t need to be long, but it should be at least 8 letters.
At the same time, don’t forget to change and strengthen your password. A strong password is by far the very best protection you can have for your site.
It should be a minimum of 8 characters long and include at least one number, symbol and capital letter.
Make sure you do the same for any other user accounts you have on your site.
WordPress websites are a favourite target of hackers, so make it as difficult as possible for them. If you want even more security, you can opt for two-factor authentication.
2. The very first plugin you install must be Akismet
Comment spammers are rife on WordPress and they can drive you nuts. The best way to block them is with Akismet Anti-spam. It’s a free plugin and is very easy to install.
Once you activate Akismet, you will be safe from 99.999% of comment spam.
3. Wordfence is my second absolute must-install plugin
When I first installed Wordfence a few years ago, I was staggered at the number of attempted attacks on my site that I had no idea about.
Wordfence is a very effective free WordPress security plugin, but it does take a little while to understand all the setup options.
I found that using the default options works well to start, but a little refining is worthwhile once you are familiar with how it works.
The one option I would recommend is to turn off ‘live traffic’ as it can be a bit of a resource hog. But you will still be able to see any bad guys on live traffic that are trying to hack your site.
Don’t worry though, almost all of them will be blocked by Wordfence by IP address. It will limit login attempts and keep you safe from brute force attacks.
You can scan your site for any problems and check the audit logging for any issues. If you haven’t installed Wordfence, do it.
There is a paid version of Wordfence. But after many years of use, I have found that the free version does everything I need to keep the hackers out.
4. UpdraftPlus, for when things go wrong
You should always have at least weekly full backups of your WordPress site and database. Even if you do have them, are you sure you can do a restore quickly if a disaster arises?
A lot of free backup plugins do not offer a restore function, so they are, in fact, totally useless. Don’t necessarily trust your hosting service either, as most only offer short-term backups of perhaps only seven days.
Secure backups need to be off-site and easy to restore, if and when a problem occurs.
Backup and restore with UpdraftPlus works seamlessly and automatically once set up.
UpdraftPlus has one other huge benefit: it can save backup files automatically to Google Drive, Dropbox, OneDrive, Amazon S3, email, plus more remote locations. These off-site backups are the most secure means of protecting your site.
UpdraftPlus comes in free and paid versions and works without a hitch. I have been using it for a long time now, and it has saved me on many occasions, particularly when a simple thing like a plugin or theme update goes horribly wrong.
5. Add SSL and HTTPS security for your visitors
This is not a quick and easy change. If your site is still HTTP, you should prepare well before you consider this change.
But if you can, you should definitely change your site from HTTP to HTTPS. Most browsers now class HTTP as not secure. This is not a great thing for your site visitors to see.
Many hosting providers offer free SSL certificates as part of their hosting plan. Check if your host can supply a free SSL certificate for your site.
For a new site, it’s very easy to set up HTTPS. In fact, it will be automatic when you register a new domain name and hosting.
But for existing WordPress users, you might like to read an earlier article I wrote about moving an existing site to SSL and HTTPS.
Summary
There are many other actions you can take to secure your site.
Blocking access to your wp-admin directory and changing your database table prefixes are very effective. But this is work for an experienced WordPress developer.
I am lucky enough to have a great developer, so I have taken this extra precaution on all my sites.
But if you take the first four quick and easy steps I have outlined above, you will be safe in the knowledge that your WordPress site is safe, secure and protected.
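For the table prefix and HTTPS points above, the following added example (not from the original article or from WordPress itself) reads a wp-config.php file and reports whether the default `wp_` prefix or http:// site addresses are still in place. The sample file contents are constructed; `WP_HOME`, `WP_SITEURL` and `FORCE_SSL_ADMIN` are standard WordPress constants.

```python
import re

# Constructed wp-config.php excerpt; database name and domain are placeholders.
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_HOME', 'http://example.com' );
define( 'WP_SITEURL', 'http://example.com' );
$table_prefix = 'wp_';
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)

def audit_wp_config(php):
    """Return a list of findings for the table prefix and HTTPS settings."""
    # Drop /* ... */ blocks and whole-line // or # comments so that
    # commented-out settings are not mistaken for live ones.
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    php = "\n".join(line for line in php.splitlines()
                    if not line.lstrip().startswith(("//", "#")))
    consts = {name: value.strip("'\"") for name, value in DEFINE_RE.findall(php)}

    findings = []
    prefix = PREFIX_RE.search(php)
    if prefix is None:
        findings.append("table_prefix: not found")
    elif prefix.group(1) == "wp_":
        findings.append("table_prefix: still the default 'wp_'")

    # The site addresses are often stored in the database instead; only
    # report them when this file sets them to plain HTTP.
    for key in ("WP_HOME", "WP_SITEURL"):
        url = consts.get(key)
        if url and url.lower().startswith("http://"):
            findings.append(f"{key}: uses http:// ({url})")

    # FORCE_SSL_ADMIN makes WordPress serve logins and the dashboard over HTTPS.
    if consts.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN: not set to true")
    return findings

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print(finding)
```

The script only reads the file. Changing `$table_prefix` on a live site without renaming the database tables to match will break the site, which is why that change is best left to a developer.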