WordPress Security Basics to Keep Your Site Safe

“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”
Kevin Mitnick, security researcher and notable hacker

Security is a myth, which is why it’s important to keep up with it. Sounds stupid when put that way, doesn’t it? Hear me out. If someone wants to break into your stuff badly enough, they’ll find a way. Whether it’s an unpublished (zero-day) exploit in some code on the website, or social engineering someone in your organization into letting them in – they’ll find a way in.

However, most attackers are just looking for a quick way in so they can push their knockoff male enhancement spam. If you make your website sufficiently difficult to compromise, they’ll move on to the next target. There are hundreds of millions of websites out there, and 75 million of them run WordPress – plenty of targets besides your site.

The steps to better security

Step 1: keep backups of your website

Regular website backups offer multiple benefits. Backups:

  • provide a restore point in case part of the WordPress update process goes awry;
  • allow snapshots of the website to be stored as compressed archives at remote locations;
  • help limit the damage from a hacked website by giving you a known-good state to restore to.

UpdraftPlus WordPress Backup Plugin is a decent solution if your hosting company doesn’t already offer automated, daily backups. The premium version of the plugin will take automatic backups of the site and upload them to remote locations such as Amazon AWS, Google Drive, Dropbox, or Rackspace storage.

Step 2: practice some basic security

Practice strong password management
This one’s pretty simple: make strong passwords and change them periodically. There are websites like Secure Password Generator that can make cryptic-looking passwords for you, so you don’t have to mash your keyboard to make one up. There are online password managers like LastPass that’ll store the passwords for each site in case you’re using a web browser that doesn’t already do that.

Be vigilant with WordPress and plugin updates
Periodically log in to your WordPress dashboard (if you don’t already) and apply whatever pending updates there are. We recommend the following steps for that:

  1. Log in to the dashboard and check for pending updates in the Dashboard -> Home -> Updates section.
    • If there are no updates, go enjoy something else.
  2. If there are, first take a backup of the website, for example with the UpdraftPlus plugin mentioned earlier.
  3. Then apply the updates by clicking the appropriate buttons on the updates page in the dashboard. That’s it.
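Steps 1 and 2 above (back up, then check for and apply updates) as one added shell script. This is not code from the post, UpdraftPlus or WP Engine; it is an example of the same procedure done from the command line: ask WP-CLI how many updates are pending, stop if there are none, take a compressed backup of the files plus a database dump and verify the archive can be read back, prune old archives, and only then apply the updates. It assumes WP-CLI is installed as `wp`, that `wp-config.php` holds the database credentials, that `mysqldump` is on the PATH, and that copying `$BACKUP_DIR` off the server is handled by whatever sync tool you already use; the `--format=count` and `--update=available` WP-CLI options are used as I know them, and the paths and retention count are placeholders.

```shell
#!/bin/sh
# Added example: backup-then-update routine for a WordPress install.
# Not code from the post, UpdraftPlus or WP Engine. Assumptions: WP-CLI is
# installed as `wp`, wp-config.php holds the DB credentials, mysqldump is on
# PATH, and copying $BACKUP_DIR off-box is handled by your existing sync tool.

WP_ROOT="${WP_ROOT:-/var/www/html}"          # WordPress install directory (placeholder)
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
WP_CMD="${WP_CMD:-wp}"                       # overridable so the flow can be tested with a stub
KEEP="${KEEP:-7}"                            # how many file archives to keep locally

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" | head -n 1
}

# Dump the database using the credentials in wp-config.php; returns 1 if mysqldump
# is missing or fails, so the caller can decide whether to continue.
dump_database() {
  cfg="$1/wp-config.php"; out="$2"
  command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found; skipping DB dump" >&2; return 1; }
  MYSQL_PWD="$(wp_config_value DB_PASSWORD "$cfg")" mysqldump --single-transaction \
    --host="$(wp_config_value DB_HOST "$cfg")" --user="$(wp_config_value DB_USER "$cfg")" \
    "$(wp_config_value DB_NAME "$cfg")" > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
  gzip -c "$out.tmp" > "$out" && rm -f "$out.tmp"
}

# Tar+gzip the whole install into a timestamped archive and print its path.
make_archive() {
  src="$1"; dest="$2"; stamp="$3"
  mkdir -p "$dest"
  archive="$dest/wp-files-$stamp.tar.gz"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  echo "$archive"
}

# An unverified backup is not a restore point: make sure tar can read it back.
verify_archive() { tar -tzf "$1" >/dev/null 2>&1; }

# Keep only the newest $2 archives in directory $1.
prune_old() {
  ls -1t "$1"/wp-files-*.tar.gz 2>/dev/null | tail -n +"$(($2 + 1))" | while read -r f; do rm -f "$f"; done
}

# Run a WP-CLI listing with --format=count and return the integer (0 if WP-CLI
# printed a "Success: ..." message instead of a number, or is not installed).
wp_count() {
  n=$("$WP_CMD" "$@" --format=count 2>/dev/null | grep -E '^[0-9]+$' | head -n 1)
  echo "${n:-0}"
}

# Total pending core, plugin and theme updates.
pending_updates() {
  core=$(wp_count core check-update)
  plugins=$(wp_count plugin list --update=available)
  themes=$(wp_count theme list --update=available)
  echo $((core + plugins + themes))
}

# Apply everything that is pending; stops at the first command that fails.
apply_updates() {
  "$WP_CMD" core update && "$WP_CMD" core update-db &&
  "$WP_CMD" plugin update --all && "$WP_CMD" theme update --all
}

# The post's procedure: check, stop if nothing is pending, back up, verify, then update.
run_update_cycle() {
  n=$(pending_updates)
  if [ "$n" -eq 0 ]; then echo "nothing pending"; return 0; fi
  stamp=$(date +%Y%m%d-%H%M%S)
  archive=$(make_archive "$WP_ROOT" "$BACKUP_DIR" "$stamp")
  verify_archive "$archive" || { echo "backup failed verification; not updating" >&2; return 1; }
  dump_database "$WP_ROOT" "$BACKUP_DIR/wp-db-$stamp.sql.gz" || echo "continuing without DB dump" >&2
  prune_old "$BACKUP_DIR" "$KEEP"
  echo "$n updates pending; backup at $archive"
  apply_updates
}

# Usage: WP_ROOT=/var/www/html BACKUP_DIR=/var/backups/wordpress ./wp-maint.sh run
if [ "${1:-}" = "run" ]; then run_update_cycle; fi
```

The ordering is the point: the archive is created and verified before a single update command runs, and a backup that cannot be read back aborts the update rather than being silently trusted. `WP_CMD` is a variable so the decision logic can be exercised against a stub without a live site; in production leave it as `wp`.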

Bonus Step: add extra security through hosting or extra plugins

If you host at a company like WP Engine, they have some sweet extra security built in to their infrastructure, and you shouldn’t need any extra security plugins installed. If your current hosting provider doesn’t have WordPress-specific security baked in to their service, you can install additional security plugins to help harden your website against attacks. Wordfence is a popular security plugin with a wealth of free options, and even more premium ones. It helps protect your website against malicious activity such as brute-force password attempts, and adds further options including file scans and some basic firewall utilities.
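To make the “brute-force password attempts” mentioned above concrete, here is a small added shell/awk check, not Wordfence’s code, that runs over constructed combined-format access log lines and flags source addresses with more than a threshold of failed logins. It relies on WordPress answering a failed login with HTTP 200 (re-rendering the form) and a successful one with a 302 to wp-admin, so only 200 responses to `POST /wp-login.php` are counted; the log lines, addresses and threshold are made up for the example.

```shell
#!/bin/sh
# Added example (not Wordfence's code): flag source IPs hammering wp-login.php
# in a combined-format access log. The sample lines below are constructed.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512
198.51.100.4 - - [10/Jan/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Jan/2024:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 51022'

# Print "ip count" for every IP with more than $2 failed logins in log file $1.
# A failed WordPress login re-renders the form with HTTP 200; a successful one
# answers 302 to wp-admin, so only 200 responses to POST /wp-login.php count.
# Combined log fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_logins_over() {
  awk -v thr="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] > thr) print ip, n[ip] }' "$1" | sort
}

# Demo against the constructed sample: ./login-watch.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  failed_logins_over "$tmp" 5
  rm -f "$tmp"
fi
```

On the sample, only 203.0.113.7 is reported: 198.51.100.4 fetched the form, logged in once successfully (302) and went on to wp-admin, which is exactly the traffic a blunt “count all hits to wp-login.php” rule would misclassify. Point the function at your real access log with a threshold that fits your traffic, and the output is a starting list for blocking or for checking whether those accounts were actually compromised.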

Want help with any or all of that?

Since we work in the field of web development, a lot of what this post covers is knowledge we take for granted, along with all the nomenclature used. If you have any questions about it, or just want someone else to take these items off your plate, we’re happy to help. For instance, we’ve had many clients who try out the WordPress update process and think “shit, what if something breaks?” And that’s okay. I think the same thing whenever I update stuff, too, and I’ve been doing it for years. There’s nothing wrong with asking for help, and that’s what we’re here to do – help you focus on your business.