Quick and easy steps to secure a WordPress website
With all the news lately about WordPress website hacks and vulnerabilities, making sure yours is a secure WordPress website should be high on your list of to-dos. Here we show you how to secure a WordPress website in a few simple steps.
Best of all, it doesn’t take a massive amount of time and effort to implement some of these strategies. And, once you’re happy everything is as secure as it can be, ongoing management shouldn’t be too much of a chore.
Please note that no matter how hard you try, there are no guarantees, but following these steps makes your site far more secure, allowing you to relax somewhat.
Step 1: Backups
Before you undertake any of the suggested steps below, make a backup. Your hosting provider might provide an off-site backup service, but even so, it’s not tricky to do this yourself.
With Updraft Plus, you can set the software to schedule backups. For example, have the website and database files backed up once per week (or day – there are many options) and have them automatically stored to an off-site location.
Assuming the website isn’t huge, it’s a good idea to use Dropbox. You can create a free Dropbox account with up to 5GB of data and set Updraft Plus to use that. It’s also possible to save only a small number of backups. I usually set a schedule of once per week, keeping four backups. This means I have four backups spanning the previous month.
If your site is compromised in any way, you can ‘roll back’ to a backup in Updraft Plus from one of your saved backups. This is pretty simple and fully automated.
If your site is somehow inaccessible, it’s even possible to remove the entire site directly from your host, install a brand new WordPress site and then install the Updraft plugin once more. Sync it up to your existing Dropbox, refresh the Updraft database and then restore.
If this sounds complicated, you can get a developer to help you out, but the main thing is you can get your site back up and running!
WP Clone is a free app for WordPress. Once installed, it allows you to create a snapshot of your entire website, including database, and download it locally in a single zip file.
This is also useful if you want to make a copy of the site somewhere else. For example, I always install new WordPress plugins on a local development server (on my laptop) before the live server. I can use WP Clone every now and then to take a copy of the live server and install it on my development server so the two don’t become too out of sync. This also serves as a local backup of the entire site.
Step 2: Update plugins
It should be a given that you are regularly logging into your system and updating your plugins. However, I know this isn’t always the case.
It’s important that you make a backup before committing to any updates, as you don’t know if the update has ‘bugs’ and you might need to roll back. Also, if your plugins have become too out of date, the updated version might conflict with other plugins or even your core WordPress install – it’s safe to assume that if you haven’t updated your plugins, your WordPress version is also in dire need of updating.
Step 3: Update WordPress
Updating the core WordPress installation is a crucial step to secure a WordPress website. I deliberated whether this should be done before the plugins in step 2, but if one plugin causes problems, that is easier to deal with than if your core WordPress installation conflicts with many plugins.
Again, make sure you have a backup, although you are likely to be doing this at the same time as your plugins, so that’s already done.
Step 4: Install a security/firewall plugin
I use Wordfence to act as a layer of security on my WordPress websites. It acts as a firewall, blocking malicious traffic and keeping you notified of changes and new updates. Wordfence recommends setting it to ‘Extended Protection’ too.
Once you’ve installed Wordfence, ask it to do a full scan of your website and check that everything comes out ‘clean’.
Wordfence offers a premium version and also a service to help clean your website if you suspect it’s been hacked.
Step 5: Remove unused plugins and themes
You only need the theme you are actually using to be installed within WordPress, so go over to your theme manager and check what other themes are installed. Often, the default Twenty Sixteen, Twenty Seventeen and so on are in there. Remove them; they can easily be re-added if needed.
Then look through your plugins. Are they all required? If not, deactivate and remove them. Also, if you have any plugins that haven’t received an update for a long while (6 months or more) and/or don’t report compatibility with the latest WordPress version you have installed, consider removing them unless you have a pressing need to keep them.
Step 6: Change your admin username and password
By default, when you install WordPress you will be given a username of ‘admin’ or something similar and a very tricky password.
People tend to do the wrong thing here. They leave the username as admin and change the password to something easy. What you should be doing is altering the admin username to something unique – your own name perhaps – and keeping the strong password. It’s also good practice to alter your password periodically, with another strong password. There are password managers like Keeper Security to help with all those passwords.
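WordPress’s own profile screen does not let you rename an existing login, so in practice ‘altering the admin username’ means creating a fresh administrator with a unique login and a strong generated password, handing the old account’s content to it and deleting ‘admin’. The must-use plugin below does exactly that; it is an added example written for this article, not code from WordPress or from any plugin mentioned here, and the login and e-mail constants are hypothetical values you would change.

```php
<?php
/**
 * Plugin Name: Replace the default 'admin' account (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/replace-admin.php, load any dashboard page once
 * while logged in as an administrator, note the password it shows, then delete
 * this file. Assumptions: the account to retire is 'admin' and the replacement
 * login/e-mail are the hypothetical constants below.
 */

const OLD_LOGIN = 'admin';             // account to retire
const NEW_LOGIN = 'jane-site-owner';   // hypothetical replacement login, use your own
const NEW_EMAIL = 'owner@example.com'; // hypothetical e-mail for the new account

add_action( 'admin_init', function () {
    // Only a logged-in administrator may trigger this, and only once per site.
    if ( ! current_user_can( 'manage_options' ) || get_option( 'admin_login_replaced' ) ) {
        return;
    }

    $old = get_user_by( 'login', OLD_LOGIN );
    if ( ! $old ) {
        return; // no 'admin' account exists, nothing to do
    }
    if ( get_user_by( 'login', NEW_LOGIN ) ) {
        return; // the chosen login is already taken, pick another
    }

    // 24-character generated password including special characters.
    $password = wp_generate_password( 24, true, true );

    $new_id = wp_insert_user( array(
        'user_login' => NEW_LOGIN,
        'user_pass'  => $password,
        'user_email' => NEW_EMAIL,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        error_log( 'Could not create replacement administrator: ' . $new_id->get_error_message() );
        return;
    }

    // wp_delete_user() lives in an admin-only include file.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    // The second argument reassigns the old account's posts and links to the
    // new user instead of deleting them along with the account.
    wp_delete_user( $old->ID, $new_id );

    update_option( 'admin_login_replaced', time() );

    // Shown once, only to the administrator who triggered the change:
    // put it straight into your password manager and remove this file.
    wp_die( sprintf(
        'Created administrator "%s". Password: %s',
        esc_html( NEW_LOGIN ),
        esc_html( $password )
    ) );
} );
```

If you are logged in as ‘admin’ when this runs, deleting that account ends your session, which is expected: log straight back in with the new login and the password the screen displayed. The `admin_login_replaced` option is a guard so the file cannot create a second account if it is left in place by mistake, but deleting the file afterwards is still the right thing to do.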
Step 7: Hide your WordPress version
Not a critical step to secure a WordPress website, but hiding the version number of your WordPress installation means that hackers can’t see whether your site is running the latest version or not. This means that they are more likely to move on, looking for the next guy who hasn’t removed the version number and hasn’t updated. See how it’s done here.
Step 8: Check your hosting
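The version number shows up in three places on a stock install: the `<meta name="generator">` tag in the page head, the generator string in feeds, and the `?ver=` query string WordPress appends to its own script and style URLs. The must-use plugin below removes all three using only core WordPress hooks; it is an added example written for this article, not code from WordPress or from any plugin mentioned here, and the file name is an assumption.

```php
<?php
/**
 * Plugin Name: Hide the WordPress version (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/hide-wp-version.php (hypothetical name).
 */

// 1. Drop the <meta name="generator" ...> tag from the page head.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string wherever the_generator() would print it
//    (RSS/Atom feeds, export files and so on).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip the core version from script and style URLs. Only URLs whose
//    'ver' argument equals the running WordPress version are touched, so
//    plugins and themes that version their own assets keep cache-busting.
function hide_wp_version_from_asset_url( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src; // no query string, nothing to strip
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hide_wp_version_from_asset_url', 9999 );
add_filter( 'style_loader_src', 'hide_wp_version_from_asset_url', 9999 );
```

To check it worked, view the source of your home page and confirm there is no `generator` meta tag and that core asset URLs (those under `/wp-includes/`) no longer carry a `?ver=` parameter. Two further tells are outside this plugin’s reach: the `readme.html` file that ships in the site root states the version and can simply be deleted, and a site that is merely hidden but not updated is still exploitable, which is why steps 2 and 3 come first.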
Your web host will, hopefully, have its own robust security measures in place, but it can’t help if you use a simple password that hackers can guess. If anybody can gain access to your hosting – your cPanel, for example – your site will be compromised from within. So, check your password and make sure it’s
Hopefully, this has provided some useful advice to secure a WordPress website. If you plan to regularly check in on your website – at least once per week – to check on updates, backups and so on, this will stand you in good stead. If you are unsure about anything I’ve written and would like some help, drop me a line or leave a comment. I provide a Management Service and for a small monthly fee would be able to take care of this work for you.