Did you know that WordPress powers more than 35% of websites on the internet? That makes it the most popular content management system by far. The downside of being the biggest player is that it makes you a huge target for hackers and scammers.
Now don’t misunderstand; WordPress is not inherently unsafe. It’s a fantastic platform, as evidenced by its popularity. But like with any technology, you have to be proactive when it comes to security. You can’t just fire it up and let it run.
So, here are seven of our top WordPress security tips.
1. Use a Strong Password
Let’s get started with one of the most obvious security tips – use a strong password.
For most, using a strong and secure password may seem obvious, but you’d be amazed at how often it is overlooked.
If you’re using a simple password such as ‘password’ or ‘abcdefg,’ it’s time to change it immediately! Sure, it may be simple to remember, but that means its also super easy to guess.
With plain and easy passwords like this, you’re just begging to be hacked.
Instead, use a complex password that is unique to your site (not a password you use elsewhere). Our minimum recommendations for a strong password are:
- At least 8 characters – more is even better.
- A mix of uppercase and lowercase letters.
- Include numbers and at least one special character, e.g., @ #! ?
2. Choose a Solid Hosting Company
One of the most important decisions you’ll make when it comes to security is where to host your site. The differences between web hosts are huge – in cost, performance, and security.
Monthly hosting fees can run for as little as a couple of dollars per month, to thousands of dollars for an enterprise-grade plan. And you definitely get what you pay for. For a few dollars a month, you get a “parking spot” for your site on a server that is shared with hundreds of other sites. Regarding security, you’ll get the basics, but you’ll need to put in some real effort to secure your site.
For the more expensive plans, you get your own dedicated server that is customized for your specific needs and comes with rock-solid, built-in security.
We get it, cheap hosting is hard to resist. And there are plenty of scenarios in which a cheap plan makes perfect sense. If you’re running a basic blogging site with a limited number of visits or a small business site that’s basically a static online billboard for your business, definitely go with a cheap plan (you’ll still need to make sure it’s secure, but a lot of off-the-shelf products can help with that).
But if you are running a high-traffic site with a lot of moving parts, and especially if it’s eCommerce, you’ll definitely need a high-end web hosting plan. You’ll pay more, but you’ll get top-notch security with a lot of extras: automatic backups, plugin and theme updates, performance optimization, and premium support. Of all the WordPress security tips, your choice in web hosts is crucial.
3. Don’t Choose a Nulled Theme
There are plenty of free themes out there, many of which look pretty good. However, premium WordPress themes appear more professional and are way more customizable.
Even more importantly, premium themes are built by talented developers with security in mind. Free themes are often “abandoned” in that the developers quit providing support and security updates. With a premium theme, you’ll get updates and support when needed.
There are a lot of websites that offer nulled or cracked themes for free or at a steep discount. These are hacked versions of premium themes.
A nulled theme is bad idea for a number of reasons:
- They are illegal.
- They often have a “back door” built-in, giving hackers easy access to your site.
- You can’t update WordPress.
- They are not supported and don’t have documentation.
- They may contain hidden viruses that can add spam links to your website.
Bottom line: stay away from nulled themes.
4. Install a WordPress Security Plugin
Another easy way to look after your website is to install a WordPress security plugin.
Unless you are a security pro, you’re going to need a security plugin to help harden your site against hackers.
Heck, even if you are a pro, a security plugin makes a lot of sense. It does all the hard work for you – constantly scans your website for malware and monitors your website at all hours to make sure your site is safe and secure.
There are a lot of WordPress security plugins available. Sucuri.net has a great plugin that provides activity auditing, file monitoring, malware scanning, security improvements, notifications, and a website firewall to protect your WordPress website. Wordfence is another super popular security plugin.
If you need a little help, here’s a quick primer on installing WordPress plugins.
5. Limit Login Attempts
By default, WordPress allows users an unlimited number of login attempts. While this may be useful if you’re the forgetful type when it comes to your password, it also welcomes relentless attacks.
By limiting the number of login attempts, users can only attempt their password for a certain number of times until they’re temporarily locked out.
This protects your website against brute force attacks as the scammer gets blocked before they can get into your account.
Limit your login attempts easily by downloading a WordPress login limit attempts plugin. Once you’ve installed the plugin you can adjust the number of login attempts allowed by heading to ‘settings’, then ‘login limit attempts’.
6. Update Your WordPress Version
Another important way to keep your WordPress security updated is to make sure the platform is up to date. With every new release, developers make changes that often include improvements and updates to security features.
Always update to the latest version of WordPress to ensure you’re receiving the best security offered by the platform and to protect yourself against hackers.
While WordPress automatically installs minor updates, for the bigger ones, you’ll need to head to the WordPress admin dashboard to update manually.
Likewise, you should practice the habit of regularly updating your plugins and themes for the same reason.
You can find out more in this post about how to easily manage WordPress updates.
7. Install an SSL Certificate
An SSL certificate, also known as a Secure Lockets Layer, is super important for websites, especially those engaging in eCommerce. It’s a protocol that ensures your information is kept safe from prying eyes as it travels the Internet. One way to tell if a site is secured with an SSL certificate is whether you see http (not secure ) or https (secure) before the URL.
Even if you don’t sell anything online, it is still important to have an SSL certificate. For example, it builds trust with your visitors. When your users see the red open lock, they are not likely to feel good about visiting your site. Also, your ranking in Google’s search results is positively influenced by having an SSL certificate.
If you’d like to find out more, take a look at this article explaining how you can get a Free SSL Certificate.
Implementing These WordPress Security Tips
Implementing these WordPress security tips is crucial for the wellbeing and safety of your website. After all, if you don’t stay on top of your security, it’s just a matter of time before hackers will be paying you a visit. And once you’ve got your site secured, keeping it that way doesn’t take a lot of effort if you have the right tools and stay on top of it.