Foolproof security tips for WordPress
With advertising, accounting, sales and everything else to manage, website security is often an afterthought for business owners. It is nevertheless one of the most vital aspects of running a website, especially for eCommerce businesses.
So what contributes to poor WordPress security?
- First-time WordPress designers or business owners going at it themselves
- Using HTTP instead of HTTPS
- Poor security practices - reusing passwords across multiple websites, writing down passwords and failing to store them securely.
- Website owners connecting to their admin in public areas / on public Wi-Fi.
- Failing to set up malware scanning and firewalls on servers
- Using poorly secured website servers/web hosts
- Failing to take precautions against brute-force attacks
- Not maintaining a blacklist
- Debatable - Leaving the WordPress admin URL as the default.
What are the consequences of poor security?
- Website databases including customer information will be at risk
- The website risks being defaced - losing customer security
- Google could scan your website, detect malware and blacklist your URL, which negatively affects SEO
- Users lose trust in your business.
Foolproof Security Tips
- Ensure your website runs on HTTPS, not HTTP. This is as simple as setting up an SSL certificate such as Let's Encrypt, which web hosts such as SiteGround provide for free.
- Use a unique password for your website admin. Ensure it is a strong password and incorporates special characters, capitals and numbers.
- Don't use 'save this password' on unsecured computers, especially laptops. With the Chrome browser, every time you save a password it is stored in the browser and can easily be read in plain text by anyone who knows how to look for it in settings. So if you lose your laptop, or leave it logged in while you go on an errand, anyone in the know can quickly and easily read all of your stored passwords.
- Ensure you have a quality security plugin installed - recommended list at the end of article
- Add offending or suspicious IPs to the blacklist in said plugin
- Ensure a limited login attempts feature is included - it stops users from guessing repeatedly at passwords by locking them out for varying lengths of time.
- Never check secure or vital services on public Wi-Fi. This includes your social media, especially if you re-use this information or use social login for websites.
- If you must write down passwords to remember them - store them in a secure location such as a safe and obviously change them if they become compromised.
- Never share admin accounts or passwords - if you need someone to look at something on your website backend, you can either create an account for them with limited permissions, or monitor what they do in person or via screen sharing and immediately change the password afterwards.
- Ensure you have a malware scanner that frequently scans your website and sends alerts to an email address that you actually check, should something occur.
Bonus tip - ensure you frequently run backups should the worst happen.
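For the blacklist and limited login attempts tips above, here is one way to find candidate IPs in a web server access log. This is an added example, not code from any of the plugins named in this article; the sample log lines are constructed, and the function names, the threshold of 5 failures and the 10-minute window are assumptions to adjust for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ip, hhmmss, status):
    """Build one constructed access-log line in the common 'combined' format."""
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4312 "-" "Mozilla/5.0"')

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in range(0, 30, 5)]  # 6 failures in 25 s
    + [_line("198.51.100.20", "10:05:00", 200),   # one mistyped password...
       _line("198.51.100.20", "10:05:20", 302)]   # ...then a successful login
    + [_line("192.0.2.44", f"{h}:15:00", 200) for h in range(11, 16)]  # 5 failures over 4 hours
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (ip, timestamp) for every failed POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Assumption: a failed login re-renders the form (HTTP 200),
        # while a successful login redirects (HTTP 302).
        if m["path"].split("?")[0].endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def blacklist_candidates(log_text, threshold=5, window_minutes=10):
    """Return sorted IPs with >= threshold failed logins inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(blacklist_candidates(SAMPLE_LOG))
```

On the sample data only the rapid guesser is flagged; the user who mistyped once and the slow, spread-out failures fall below the threshold, which is why the window length matters as much as the count.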
Recommended Security Plugins
- Wordfence - Available as a free & premium plugin - Also has a hugely valuable newsletter
- All in one WP Security - Probably the best free security plugin - includes protection from brute force, firewall & scanning capabilities
- WP Defender - Keep your site safe from hackers with regular security scans, vulnerability reports, audit logs, safety recommendations, 2-factor authentication, blacklist monitoring, IP lockout, simple security tweaks and core, plugin and theme code checks.
For more security tips & vital WordPress information follow @creativewl on Twitter