It seems that almost every week we read about something bad caused by hackers in the news. It used to be that sites were being taken down by DDoS attacks, but things have escalated. Hackers are no longer just slowing down the web, they are using it to access private networks and steal our personal information, email addresses, passwords, and credit card numbers. And for many people, those hacks can be very bad. Just imagine what would happen if a bad guy got access to your email. They could reset your bank account passwords, they could access your financial accounts, they could steal your money and identity.
But we are not most people. Just by reading this post, you will be far more knowledgeable and prepared than the average Joe when it comes to securing WordPress and online security for both your own website and the rest of your digital life.
Securing WordPress Begins with a Secure Server
The core of your WordPress security lies with your server. If you have a shared hosting account, your hosting provider will take care of most of that hard work for you. Each time a new server is rolled out, they use a server image built on security best practices and keep a strong network firewall in place so only people who should have server access can get in.
If you use a Virtual Private Server (VPS) or have your own dedicated server, much of that security will fall back to you. If you are not a skilled server administrator, be sure to read up on current industry best practices or hire a server admin to take care of that setup for you.
Add Security Plugins for Common WordPress Hacks
WordPress is an open source software, so anyone can read the source code for the software behind your website. This is a good thing because the open source nature allows for developers to build the massive library of available themes and plugins to enhance our site functionality. The bad part is that the bad guys have access to that code too.
There are lots of common methods hackers use to try to break into your site to steal information, insert malicious code, or load up your site with spam links to other sites. I have made it about eight years without ever once being hacked, but I have helped a handful of folks get the crap out of their site. Lucky for us, there are a few companies who have put in a ton of effort to give us free (premium version available) WordPress security plugins to keep the bad guys out.
I use Wordfence on every single WordPress site I run, and it does an amazing job securing WordPress on all of my sites. Its features stop brute force attackers, scan for outdated plugins and malware, and even check outgoing links against Google’s malware website list.
The free version of Wordfence is plenty of security for typical sites, including all of mine. The paid version adds premium support, priority scanning, advanced spam filters, and cell phone logins. Once you install and configure Wordfence, it just takes care of everything for you so you don’t have to think about it.
You can download Wordfence through the built-in add new plugin feature or download it here.
iThemes Security comes from the company behind popular plugins like BackupBuddy, and is another full featured security plugin that handles the difficult parts for you.
What sets iThemes apart from the others is their approach to the user interface. While Wordfence is more of a list of features to turn on and configure, iThemes is built more like a to-do list. It gives you steps to take to secure your site by priority. A pro version has extra features on top. The downside of iThemes is that there are some reports of conflicts with other plugins.
You can download iThemes Security through WordPress or download it here.
Sucuri is another full featured WordPress security plugin, but it doesn’t get quite as much hype these days as its bigger competitors. That doesn’t mean it isn’t worth mentioning, however.
Sucuri does active site monitoring against published blacklists for malware and online bad guys. It comes with scanning, security features, and the ability to add on a firewall. The pro version features a wide array of abilities including DDoS mitigation and live person support.
Like the others, you can download through the WP dashboard or download it here.
Cloudflare – Bonus Security
Want to add an extra layer of security, that happens to come with a site speed boost and CDN, for free? Check out Cloudflare. I use Cloudflare on the majority of my own sites for its site speed features, but the security features should not be overlooked. Did I mention it is free?
Cloudflare automatically filters out bad site requests and hacking attempts before they hit your server, so it is an extra layer of protection before your security plugin gets to work.
Cloudflare takes a few extra steps to set up. Rather than have your DNS go right through your domain registrar or hosting company, Cloudflare requires you to re-route your DNS through the Cloudflare system. Once you’ve done that, you have easy-to-use buttons to turn features on and off.
Sign up and get started at Cloudflare.com, but before you do, check with your hosting provider, as they may already have a simple signup process in place.
Use SSL – If Needed
If you accept customer payment information on your site for product sales, adding SSL is another great addition. SSL stands for Secure Sockets Layer, and it encrypts the traffic between your site and your users.
SSL is not free and is a bit more advanced to set up than a typical website, so it isn’t for everyone. As an alternative, you can use an outside payment provider like PayPal, where credit card information is never entered directly into your site, so you never have to worry about encrypting customer payment data yourself.
If you are curious whether a site has SSL enabled, just look at the address bar at the top of the browser. If http:// is replaced with https://, you know the site is using SSL.
Have Super Strong Passwords
Last, but certainly not least, is passwords. Always use strong passwords. Let me say that again for those who are skimming and might have missed it. ALWAYS USE STRONG PASSWORDS. Here are some rules to know if your passwords are secure.
- Never use the same password on multiple sites. Ever.
- Never use dictionary words as your password.
- Don’t make your password something easy to guess like sex, god, 12345, or password.
- Use randomized, alpha-numeric passwords that include both capital letters and lowercase letters, and maybe even a special character or two.
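As an added example that is not part of the original post, here is a small Python checker that turns these rules into code. The common-word list is a constructed stand-in for a real dictionary, the 12-character minimum is my own assumption since the post gives no length, and the generator uses the `secrets` module to produce passwords that pass the same check.

```python
import re
import secrets
import string

# Constructed stand-in for a real wordlist (assumption: a real deployment
# would load a large dictionary/common-password file instead).
COMMON_WORDS = {"password", "sex", "god", "12345", "letmein", "welcome",
                "monkey", "dragon", "wordpress", "admin", "qwerty"}

# Assumption: the post gives no minimum length, 12 is a reasonable floor.
MIN_LENGTH = 12


def password_problems(password, used_elsewhere=frozenset()):
    """Return the rules from the post that `password` breaks.

    `used_elsewhere` is the set of passwords already used on other sites
    (rule 1). An empty list means the password passes every rule.
    """
    problems = []
    lowered = password.lower()
    if password in used_elsewhere:
        problems.append("reused on another site")
    # Rules 2 and 3: dictionary words and easy guesses, including the
    # common trick of tacking digits or symbols onto a word ("password1").
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", lowered)
    if lowered in COMMON_WORDS or stripped in COMMON_WORDS:
        problems.append("dictionary word or easy guess")
    # Rule 4: mixed-case alphanumeric and long enough to count as random.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def generate_password(length=16, specials="!@#$%^&*"):
    """Generate a random password that satisfies password_problems()."""
    alphabet = string.ascii_letters + string.digits + specials
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["password", "Password123", "abc", generate_password()]:
        print(pw, "->", password_problems(pw) or "OK")
```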
Do you think those rules are too hard to follow? It’s okay, I thought so too before I was enlightened. But now I use Lastpass and all of that is taken care of for me. Lastpass is a free tool that comes with a browser plugin for Chrome, Firefox, Safari, Opera, and even Internet Explorer. For $12 per year, you can use it on mobile as well, but you can always use their web version for free even from your phone.
Getting started takes a little work, but it will protect you, your money, and your websites far more than using a standard, weak password across all of your accounts. Seriously, stop doing that today.
You can get Lastpass here to start for free.
Get Secure, Stay Secure
Security threats are always evolving, so it is important to evolve with them. Features that would have kept you secure years, months, weeks, or even days ago might not work today or tomorrow, so securing WordPress by installing security features and keeping your site and plugins updated will always keep you on the cutting edge.
If you need help securing WordPress or doing anything mentioned in the article, other than the Lastpass bit which I can’t do for you, you can hire me to take care of it for you from my WordPress maintenance page or just bring me on for a one-off project.
If you have general questions on getting started, you can ask in the comments below. I answer every single one and don’t charge a cent for advice in the comments.