It is known that over 25% of all websites on the internet are using WordPress (info here). I heard recently that it’s likely that 50% of all websites will be on WordPress in the not too distant future. When I attended WordCamp Sunshine Coast a few weeks ago I was blown away by the ways WordPress is now also being used at Enterprise Level by the likes of Human Made and other major Global WordPress Agencies.
WordPress is the Most Powerful and Easy to Use Content Management System (CMS)
It is without question that WordPress is the most popular, easiest to use (and most powerful) CMS today. That said, I’d totally forget about using Joomla, and if your site is still using Joomla you’re probably sick of its awfully painful admin interface, very concerned your site is going to get hacked and probably VERY eager to get your site re-created in WordPress anyway. I’d personally not worry about Drupal or DNN (DotNetNuke) either; they are good platforms and some Developers prefer them, but not us. We’re massive fans of WordPress and the Open Source WordPress Community.
Website Security is Important
So how does this tie in with me providing you with take-away information on WordPress Website Security? Let me explain. Because WordPress is so popular, hackers build little automated scripts, run from botnets, that roam the internet finding websites that are vulnerable to attack. Different ones are written to target many different CMSs, but because WordPress is so popular a lot of them are written for WordPress. These botnets are automated scripts, ‘robots’ if you will. Some humans also try to hack websites by hand and that, too, is nasty, nasty, NASTY stuff. We’ve all heard of many large sites that have been hacked over the years… especially in the last few.
WordPress Security Tips
Cyber-crime is a MAJOR issue and it can affect both large websites and very small websites. Ok, so I’ll cut to the chase. After all, you’ve come to this blog article wanting to know what you can do to protect your WordPress website. Here is the long and the short of it. By no means is this a COMPLETE list of things you can do, and it does not cover creating .htpasswd protection or Sucuri and/or WordFence firewalls (for the web guys and gals who read this); I’ll talk about that in another article soon, or ask one of you to write a guest post (just email me or post a comment below expressing your interest if you would like to). The major issue I see all too often is that people who are DIY-creating their own website(s) launch their site with next-to-no or NO security protection AT ALL. Within days or a few weeks of launching, the site gets attacked and hacked and they’ve lost the lot. I’ve also seen instances where some people had no backup.
Things to do to make your WordPress Website Secure:
- Install the WordFence Plugin into your website ASAP. You can get it from here. Read its documentation to learn how to configure it so it does not put strain on your Hosting Server, and then CONFIGURE IT! Make sure you keep this Plugin up to date at all times, too.
- Make sure you are hosting your website with a quality Website Hosting Provider who takes security seriously and undertakes regular security updates at their end.
- When you create the logins for your site MAKE SURE your Admin username is not ‘Admin’. And make JOLLY sure your password is not ‘password’.
- Make ALL your passwords to your website hard to remember. Actually, scrap that: make them IMPOSSIBLE to remember. Here is an example of a good password: justb$%332WJEs&#SuA . Make it long, and make it a mix of upper and lower case letters, numbers and special characters.
- Try to avoid logging into your website as the Admin unless you really need to. If there is credential-stealing malware (a ‘phishing sniper’ virus) on your computer, they’ve got your Admin login as soon as you use it. Instead, create yourself an Editor-level account and use that when logging in to do things like publish content, write and add blog articles, add pics, tweak text, etc. If you have a team who log in to your site, make sure you give them NON-Admin logins too.
- Backup, Backup, Backup!!! I can NOT stress this enough! If the worst should ever happen, and you back up often (and I mean regularly), at least you will have a relatively up-to-date backup to restore. That means you may only lose a few of your recent blog articles or changes to your site; NOT a month’s worth or a year’s worth! If you can’t do this yourself, you REALLY need to outsource backups to a Website Care Plan provider. We do this work for our clients and yes, you can commission us to do this work for you, too.
- Pay for an Akismet license and configure this Plugin within your site. This fights spam.
- Save ALL your website logins some place VERY safe. Don’t save them on your hard drive. If your hard drive gets a nasty virus that starts uploading all the data off your computer, or a hacker manages to encrypt all your hard drive data and you’re then asked to pay a ransom to get it decrypted, they will get your logins. This is happening to people right now here in Australia and you can imagine the pain and anguish they are going through with all their business details, data and everything else locked/encrypted so they cannot access or use it. Use LastPass or 1Password to store your logins.
- Make sure you are running up-to-date, HIGH-QUALITY anti-virus software on any and all computers you use to log in to your site. Again, if you do not do this a virus could grab your logins and send them back to whomever the virus has been told to send them to.
- Keep your WordPress Core, Themes and Plugins up to date. Again, this is something you really should be paying a Care Plan provider to do unless you really know what you are doing. If a Plugin undergoes a MAJOR update by its Developer, when YOU apply that update on your site it could break the functionality of your ENTIRE site. You need to know what you are doing, and learn to read and study the Plugin Developers’ ‘Change Logs’. If that sounds boffin-like and scary to you… I strongly recommend finding a good WordPress Website Security Maintenance Care Plan provider to work for you. We just happen to be one of them, so feel free to enquire.
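One way to check an existing site against the list above, as an added example that is not part of the original post: a small WP-CLI audit script. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root, that the plugin slugs are `wordfence` and `akismet` (their wordpress.org slugs), and each check function reads its facts from stdin so it can also be tried on sample data without a site.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install against the
# checklist above with WP-CLI. The check_* functions read from stdin; the wp commands
# at the bottom feed them live data when WP-CLI is present (assumed: run from site root).

# No account literally named "admin", and only a few administrators (others get Editor).
check_admin_accounts() {            # stdin: administrator logins, one per line; $1: max allowed
  max_admins="${1:-1}"
  logins=$(cat)
  n=$(printf '%s\n' "$logins" | grep -c . || true)
  if printf '%s\n' "$logins" | grep -qix 'admin'; then
    echo "FAIL: an account named 'admin' exists; rename it"; return 1
  fi
  if [ "$n" -gt "$max_admins" ]; then
    echo "FAIL: $n administrator accounts, expected at most $max_admins"; return 1
  fi
  echo "OK: $n administrator account(s), none named 'admin'"
}

# WordFence and Akismet must be installed AND active.
check_required_plugins() {          # stdin: active plugin slugs; args: required slugs
  active=$(cat); rc=0
  for slug in "$@"; do
    if ! printf '%s\n' "$active" | grep -qx "$slug"; then
      echo "FAIL: required plugin '$slug' is not active"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: all required plugins active"
  return "$rc"
}

# Nothing left with an update pending (read the change log, back up, then update).
check_no_pending_updates() {        # stdin: components with updates available; $1: kind
  pending=$(grep -c . || true)
  if [ "$pending" -gt 0 ]; then
    echo "FAIL: $pending $1(s) with updates pending"; return 1
  fi
  echo "OK: no $1 updates pending"
}

# Live run, only when WP-CLI is available. Failures are collected, not fatal.
if command -v wp >/dev/null 2>&1; then
  status=0
  wp user list --role=administrator --field=user_login | check_admin_accounts 1 || status=1
  wp plugin list --status=active --field=name | check_required_plugins wordfence akismet || status=1
  wp plugin list --update=available --field=name | check_no_pending_updates plugin || status=1
  wp theme list --update=available --field=name | check_no_pending_updates theme || status=1
  exit "$status"
fi
```

WordPress core itself is checked separately with `wp core check-update`; a non-zero exit from the script means at least one item on the list still needs attention.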
Short of disconnecting from the internet never to use it again, these pointers will help prevent a successful hack of your WordPress website. Be aware that botnet attacks happen all the time and we see them often… but our sites are protected. Note too that just because they are protected today does not mean they will be tomorrow. This is an ongoing fight and we must stay vigilant and on the ball.
I’ll wrap this up by saying that I feel there is a misconception that WordPress is free, that it’s easy, that anyone can do it and that security is not a concern. Security of your website, and of any website no matter what platform it is built on, should be a MAJOR, MAJOR concern. I hope the above bullet points are already implemented on your WordPress website; if not (or if you want us to check), send me an email via our enquiry form or call me on 1300 887 427. If you have a WordPress website and no security maintenance care plan to speak of, feel free to also contact me and I can provide you with some options.