This episode is about one of the most important things to focus on as an online business owner: your WordPress site security. These seven WordPress security tips are going to make brute force attacks and software hacks infinitely less likely to occur, and they all take less than a half hour to implement. You won’t regret it.
- I recommend using WordFence to scan your website for changes in code and report any malicious activity.
- I also suggest that you find your themes and plugins on WPMU-Dev to ensure high quality and consistent updates.
- Lastly, I love Updraft Plus to constantly back up my websites to offsite locations to keep all of my work safe from hacks or server failures.
Transcript: 7 Steps to Secure Your WordPress Site with Derek Gehl
Welcome to the Project Ignite podcast, this is your host, Derek Gehl, and in this episode I wanted to share with you 7 WordPress security tips that will hopefully become your WordPress security checklist. The fact is, WordPress is a behemoth now. It’s the largest website building platform in the world, and has far surpassed its competitors. With its popularity, it’s become a target for hackers, and the most common WordPress security issues are easily prevented.
Does that mean WordPress isn’t secure? Not at all. It’s still very, very secure, but the fact is, you need to take some steps to make sure your website is locked down and secure as well. I talk to people all the time who are all running WordPress websites, and on occasion someone gets hacked. 9 times out of 10, if they had been doing the 7 things I’m about to share with you when they were hacked, it would not have been an issue.
The old saying “an ounce of prevention is worth the pound of cure” is so, so true. If you do these 7 things, the likelihood of you becoming a victim of a hack is very, very slim. I liken this to Macs and Microsoft. I’m a Mac user, and there are lots of people out there that will stand up and say, “Macs are far less vulnerable to viruses,” and I’m sure the techies out there could argue one way or the other, but the fact is, 90% of the systems in the world run Microsoft. So when hackers are out there creating tools to exploit these vulnerabilities, they’re going to go after the biggest fish. That’s Microsoft.
WordPress is a big target, too. That doesn’t mean it’s any more or less secure than its equivalents out there, but there are simply more people trying to break into it. Most of the hacks that happen aren’t one guy at a computer. It’s software, bots, out there looking for vulnerabilities. So here are 7 things you can do to lock up your WordPress website.
If you do this, you’re going to dramatically reduce the chance that you’re going to be a victim of a hack. The fact is, if you spend an hour implementing this stuff, this can save you a ton of time later. So here are the 7 things. It’s gonna be quick, you’d better have your pen out. Or if you don’t, because you’re out wandering around listening to this podcast, you can come back and write it down later. Or, I’ll include all of the links I reference in the shownotes. Listen, learn, check out the website later.
So, first and easiest WordPress security tip, when you’re setting your website up, the default username is Admin. The first thing you need to do is create another admin user under a different name, and then go back and delete the first Admin user. The first thing someone is going to try is to guess the Admin’s password using software. If that user doesn’t exist, then this is a non-issue, end of story. So if you have “Admin” set up as your username for the admin for the website, go in and change it.
The next WordPress security tip is: Use strong passwords.
It blows my mind how often people are using passwords that are their kids’ names, or their birthdays! Stuff that is either easy to guess or, if someone is doing a brute force attack and running a dictionary against it, they have a chance of getting. Your passwords should be twelve characters or more. They should be a combination of numbers, letters, uppercase and lowercase, and symbols. Something where the likelihood of anyone ever being able to autogenerate and guess that password is null. Alright? Strong passwords are key.
Here’s the other place that a lot of people fall down. It may be your website, so you think, I have a strong password, I’ve deleted the Admin, but you might have other users on that website. A designer, or a blogger, someone that helps you manage the website with admin privileges… They have their own passwords. You need to have a password policy to make sure that no one is using a stupidly easy-to-decode password. This also comes down to number three here.
Manage your users properly. Make sure they’ve got strong passwords, but also (and I’m guilty of this) somebody comes in, hired to work on the website, I give them admin privileges, and then I log in three months later and see that the account is still sitting there. So if you’re giving someone access to your website, make sure you disable their account after they’re finished working.
So, let’s recap. First, delete the Admin account. End of story. Second, strong passwords. If you want help generating strong passwords, just Google it. You’ll find a ton of websites set up to generate super strong passwords. Number three, manage your users properly. Make sure they’re using strong passwords!
WordPress security tip four. When someone is trying to hack a WordPress account they’re going to go straight to the WP login page. If you move that page somewhere else on the website, and they’re using software looking for that page alone, they’re not going to find it. There are lots of plugins out there that you can use to change the location of your login page. From /wp-admin, to somewhere totally random. /abc. /17654. But only you and your team will know where that is. Get rid of the wp-admin. If you go into the plugins directory on WordPress and search “change WP-Admin”, you’ll find there are lots of plugins to help you do that.
On to WordPress security tip five. This is kind of broad, but it’s important. Choose your plugins and themes wisely. The reason this is so important is because now that WordPress has grown and evolved, when you go to the plugin directory and search something up, it’s a bit misleading. It’ll say, “over 33,000 plugins”. But the fact is, a large majority of those plugins have never been updated, are not current, are neglected. So choose those wisely and make sure that the developer is constantly updating them as well so they’re compatible with the latest version of WordPress, which you should always have as well. So make sure you’re always keeping those up to date. Many plugin update releases actually contain security updates that plug known security holes and bugs. If you’re not updating, you’re not getting those patches.
Additionally, all plugins and themes are not created equal. So when I’m buying something, I want to know that the developer is consistent and has coding standards. Typically, places like WPMU-Dev are going to provide way higher quality, updated, and tended-to plugins than something that’s been put together by some random guy and tossed up into the directory.
Last but not least in this theme, make sure you’re never using a pirated version of a commercial theme or plugin. In some cases, someone unknowingly buys a pirated theme, but what you’re missing there is the automatic update and notifications of updates. So be cautious of that as well. Make sure you’re always updated and choose your plugins wisely.
I have a team member that every week goes through all of our websites, updates each theme and plugin, and runs them. They also test everything to make sure nothing has been broken. Any good theme developer or plugin developer knows that updates need to be backwards compatible, though.
WordPress security tip number six: Use a security plugin. A WordPress security plugin scans your website on a regular basis, looking for irregularities or changes in code, anything that could have been injected into your website, to make sure there’s nothing weird going on. Typically when someone hacks a website, they change the core code of the website in one way or another. Things like WordFence will catch that. They’ve got a lot of other features as well, and the good news is that the free version is very powerful. The one thing I like better about the premium version rather than the free version is that with the free version you need to go in and run it manually, but the premium version does a deeper scan of the files and it can be scheduled to run automatically and report if it finds something odd.
Once again, WordFence, the free one is fine; but if you don’t want to have to worry about it, just set it and forget it, go for premium. It’s kind of like a virus scanner too, like something you’d run on your computer. The company that runs WordFence keeps a big database of malware and malicious stuff to compare your code with, so they’ll recognize it if they find something wrong. It’s pretty easy. The main plugin is free! If you want the premium, pay a few bucks. For peace of mind, why wouldn’t you want to do it?
That brings us to the last tip. It’s kind of the fallback. If everything else goes sideways, and your website gets hacked and wiped out, you want to make sure that you have a backup. I find it absolutely shocking how many WordPress websites exist out there that aren’t being backed up on at least a weekly basis. This is totally unnecessary, because, you guessed it, there are tons of backup plugins. They’ll back up your website every week. Here’s what I’ve come across. People say, “I’ve backed it up a few times,” and I’ll say, “well, where are the backups?” And I hear, “they’re on my server.” So they’re using something in WordPress, maybe a duplicator plugin, but then they’re keeping the backups in WordPress in the Admin account. So if your account gets hacked and wiped, you lose all of the backups too.
To do a proper backup, you want a plugin that is backing up your website on a regular basis, but then you want it to be saving those backups somewhere safe. That way, if your WordPress gets hacked, you have the backups stored offsite. My absolute favourite plugin is Updraft Plus. With the free version you can schedule it, and the best part is that it will take your entire website, back it up, and on your schedule, it will drop it in your Dropbox account, or in your Google Drive. All automatically. And it’s free! There is a premium version with some add-ons, like more support, and I encourage you to check it out, but the free version is good enough for most websites out there. Again, if everything blows up and your website gets hacked or your server catches fire, you have a backup offsite.
So, our seven things:
- delete your admin account
- have a strong password
- manage your users and their passwords
- change the URL for your WP-admin login page
- choose your plugins and themes wisely, and make sure that you’re updating them on a regular basis
- implement a security plugin like WordFence
- make sure you’re using an automated backup plugin to back up offsite.
If you’re doing that, and you’re using a reputable host, your chances of being hacked drop considerably.
Unless you’re a big business, the likelihood of being the target of an actual hacker is pretty small. But you are vulnerable to software being used to detect weak spots in your website, and you’re subject to brute force attacks. Once they’re in, they’re in. Securing everything using these strategies will prevent most of that from happening.
Remember, an ounce of prevention is worth the pound of cure. It’s not gonna take you long to implement. All of the links are at ProjectIgnite.com/podcast, along with the transcription. Don’t put this off! This is insurance for your website! The only time we regret not having insurance is when we need it. Lock everything down.
There you go! Once again, hope you took something from this episode. I’m always aiming to give you real applicable stuff that you can take and use. We’ve got great interviews and more training coming down the pipe, so stay tuned for all of that in the near future. If you’ve not done so yet, head over to iTunes and rate or review us. You can also find us on Soundcloud or at ProjectIgnite.com/podcast. So, I hope you enjoyed this episode, and we’ll see you next time on the Project Ignite podcast.
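The script below is an added example, not code from the podcast, from Wordfence, or from any plugin the episode names. It turns tips one to three into something you can run offline against an exported user list: the password policy stated in the episode (twelve or more characters mixing uppercase, lowercase, digits and symbols, and nothing built on a name, a birthday or a dictionary word) plus a check for the default admin login and for administrator accounts nobody has signed in with for a long time, which is how forgotten contractor accounts get caught. The 90-day idle threshold, the small common-word list and the user records are constructed assumptions; a real audit would pull the user list from WordPress (for example with WP-CLI) instead of the inline sample.

```python
"""Audit helpers for the WordPress password and user-management tips.

Added example (not from the podcast or any plugin it mentions).
Thresholds: MIN_LENGTH comes from the episode; STALE_DAYS and the
common-word list are assumptions for illustration.
"""
from datetime import date
import string

MIN_LENGTH = 12      # episode: "twelve characters or more"
STALE_DAYS = 90      # assumption: admins idle this long are flagged for disabling
COMMON_WORDS = {"password", "welcome", "wordpress", "letmein"}  # constructed, tiny


def password_problems(password: str) -> list:
    """Return the policy rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # A run of 6 or 8 digits is the shape of a birthday (ddmmyy / yyyymmdd).
    if password.isdigit() and len(password) in (6, 8):
        problems.append("looks like a birthday")
    # Strip digits/symbols so "Password1234" is still recognised as "password".
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in COMMON_WORDS:
        problems.append("built on a dictionary word")
    return problems


def audit_users(users: list, today: date) -> list:
    """Flag accounts that break tips 1 and 3.

    users: dicts with 'login', 'role' and 'last_login' (a date, or None if the
    account has never signed in). Returns (login, reason) pairs.
    """
    findings = []
    for u in users:
        if u["login"].lower() == "admin":
            findings.append((u["login"], "default 'admin' username still exists"))
        if u["role"] != "administrator":
            continue  # only privileged accounts are audited for staleness here
        if u["last_login"] is None:
            findings.append((u["login"], "administrator account never used"))
            continue
        idle = (today - u["last_login"]).days
        if idle > STALE_DAYS:
            findings.append((u["login"], f"administrator idle for {idle} days"))
    return findings


# Constructed sample data standing in for a real user export.
SAMPLE_USERS = [
    {"login": "admin", "role": "administrator", "last_login": date(2023, 1, 10)},
    {"login": "derek", "role": "administrator", "last_login": date(2023, 4, 1)},
    {"login": "designer_contractor", "role": "administrator", "last_login": date(2022, 11, 2)},
    {"login": "guest_blogger", "role": "author", "last_login": date(2022, 6, 1)},
]
TODAY = date(2023, 4, 5)  # fixed "today" so the sample is reproducible


if __name__ == "__main__":
    for pw in ("Password1234", "19850614", "Tr0ub4dor&3xample!"):
        print(f"{pw!r}: {password_problems(pw) or 'OK'}")
    for login, reason in audit_users(SAMPLE_USERS, TODAY):
        print(f"{login}: {reason}")
```

Run it as-is to see the sample findings; in practice you would feed `audit_users` the output of `wp user list` (with a last-login field recorded by your own plugin or log) and call `password_problems` from whatever enforces passwords at account creation, since WordPress itself does not store passwords in a form this check could read after the fact.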