19 essential steps to secure your wordpress website · 19 essential steps to secure your wordpress...
TRANSCRIPT
19 Essential Steps toSecure your WordPress
Website
by Vera Evans
19 Essential Steps to Secure your WordPress Website
Being a WordPress website owner, you may or may not be aware of the
necessity to take some essential steps to secure your website against
unwanted intrusions. In this post, I am giving you the 19 best security tips
that I have found in my research to assist you in keeping your site as secure
as possible. These tips are for those business owners or blog owners who
have their own website being hosted with a hosting company.
It is important to realise that website security is not a one-off event. Rather,
it is an ongoing practice to ensure that your website can do its job of
attracting your customers.
1. Choose the best hosting service possible.
You will need to do your research to know what you need so that you are
able to choose the best option for you. For example, if you are expecting to
attract a lot of traffic to your website, like over 50,000 hits per day, you may
want to avoid shared hosting and look at dedicated hosting or a service with
cloud hosting.
2. Pick a good, unique username.
DO NOT use admin, test or your website name! Part of this includes using a
good strong password as well. Use this link to check how well your password
performs https://howsecureismypassword.net/
3. Install the Wordfence plugin.
This is hands down the best security plugin out there. The free version deals
really well with such things as limiting login attempts, blocking unregistered
users from trying to login and blocking random bot attacks. The settings are
quite comprehensive and allow for customization as well. If you feel you need
extra security, you can always opt in for the premium paid version. Check out
all the necessary documentation here:
https://docs.wordfence.com/en/Wordfence_Official_Documentatio
19 Essential Steps to Secure your WordPress Website
19 Essential Steps to Secure your WordPress Website
4. Find out if a website username is hidden or not.
Type in a website domain and follow it with /?author=1 and hit enter eg
www.yourdomain.com/?author=1 This reveals the username to log into the
site if not properly secured. If the site is properly secured, the user is referred
to a Page that says No Results.
5. Limit login in attempts to your website.
5 is a good number. Enough to still let you in if you make a mistake yet not
enough to allow someone else to gain access. The Wordfence plugin has
settings that allows you to do this. It also allows you to select how long the
user has to try those 5 login attempts and then allows you to choose the time
frame that they are locked out for. (See image below).
6. If you are comfortable going into your website backend, hidethe core WordPress file wp-config.php.
This is the main file to make your website function. It is typically stored in
your WordPress installation directly. By moving it up to the public_html/
folder, it makes it inaccessible to hackers.
19 Essential Steps to Secure your WordPress Website
19 Essential Steps to Secure your WordPress Website
7. Select a good and reliable backup plugin.
The best plugin will depend on the size of your website. For smallish
websites, free plugins like Duplicator or Updraft Plus are good choices.
Updraft Plus is also a good choice for larger websites. You can store your
backup files locally or in a location of your choice (see image for Updraft Plus
choices). The settings in Updraft Plus means you can schedule backups at
regular intervals automatically. A good practice is before making any changes
to your site, always make a backup first.
8. Make sure the latest version of WordPress has been updated.
Before you do this, backup your site! Updating the WordPress version
prevents hackers using out of date versions to gain access. Hackers can find
this information just by viewing source code. It is best to remove the version
of the WordPress file. The Wordfence plugin will remove this for you, you only
have to tick the box to achieve this.
19 Essential Steps to Secure your WordPress Website
19 Essential Steps to Secure your WordPress Website
9. Consider your computer’s security to your website.
Run an anti-malware software program regularly on your computer to make
sure it is safe.
10. Check if your website files are opening for public view
Go to your domain name and type it into the url followed by /wp-includes
If you are redirected to your homepage that is good.
Should you see a list of files on your web page that means you are not
safe.
Add 2 lines of code to your .htaccess file to prevent folder browsing. Add
it right at the beginning of the file.
# Prevent folder browsing options
Options All-Indexes
11. If you have multiple authors, regularly review what users aredoing.
Doing this allows you to see if there is any suspicious activity. Make sure you
set up new users properly with only the permissions they need to access your
site. Remember to backup your site before adding a new user. Then, Pay
attention to:
Who is logged in
When they logged in (at odd times)
What they add/delete/edit (ie what are they changing?)
You can use the plugin WP Security Audit Log to record activity if you are
concerned about the activity you see.
19 Essential Steps to Secure your WordPress Website
19 Essential Steps to Secure your WordPress Website
12. Password protect your most vulnerable website files.
You can do this In your hosts cpanel by going to Password protect your
Directories. DO NOT PASSWORD PROTECT YOUR MAIN ROOT
DIRECTORY! However, It is ok to password protect the wp-admin folder
with a username and password. Again, make sure you use a strong
password. https://howsecureismypassword.net/
13. Choose your theme or plugin from a reputable source.
Do this by reading the reviews and doing your research.
14. Take note of when themes and plugins were last updated asthere is increased risk if they are out of date.
This means you can see if changes were made to any files that were not part
of the update. It also means if they are out of date (see item 14).
15. Make sure you always keep your themes and plugins up todate
Out-dated plugins and themes are often exploited by hackers to gain access
to websites. Ensuring yours are up to date will prevent hackers from using
this tactic to gain access to your site.
16. Uninstall any themes and plugins you are not using.
These take up space on your website and can contribute to slowing down
your website.
17. Ensure you keep your WordPress version up to date as well.
Usually if the WordPress version is out of date it means it was updated
because there was some kind of vulnerability detected in the current version.
Keeping your WordPress version up-to-date ensures you are covered in this
instance.
19 Essential Steps to Secure your WordPress Website
19 Essential Steps to Secure your WordPress Website
18. Back your website up regularly.
Having regular backups gives you peace of mind. Store the backups in
several locations so that if one location falls over, you still have a backup
plan to save your website.
19. Be active in your website security.
Gone are the days where you put up a website and you forget about it. Your
website is a living tool, that adapts and changes to your marketing needs.
Being active in your security is a key component to keeping your website
secure and attracting your clients to your business.
While this is not a fully comprehensive list, it is a great start in keeping you
safe. If you have any trouble with any of the steps you can contact us and we
can implement them for you. We have great value maintenance plans on
offer to make this easy for so that you can be assured your site is safe.
Do You Need Your WebsiteSecured?
Let ET Digital Designs help you by making your WordPress website
as safe and secure as it can possibly be, so that you have peace of
mind!
Learn more
19 Essential Steps to Secure your WordPress Website