A smart guy’s guide to securing WordPress
It doesn’t matter if you’re a Fortune 500 company or someone with a small blog. If you have a website, you’re going to have to deal with website security.
Your WordPress website is running, you’re posting content, and things seem to be working just fine. How can you keep it secure? We offer three recommendations that can have a huge impact in securing your site:
- Use strong passwords,
- Keep WordPress, your plugins, and your theme updated,
- Have backups of your site.
Security requires regular maintenance, like remembering to lock the doors of your house when you leave and making sure the oven is off. Sure, you don’t have to do those things, but the effort is minimal, and the reward is valuable peace of mind.
Strong passwords
Good strong passwords are complex and difficult to remember.
Strong passwords have a mix of upper and lower case letters, numbers, and symbols. They are also by necessity longer than many passwords people choose, requiring eight or more characters.
Using strong passwords isn’t a new practice, but it goes against our personal preferences. After all, it’s not easy for most of us to come up with something that works as a strong password while also being easy to remember.
The algorithms WordPress uses to rate a password as Weak, Medium, or Strong can do this for us.
Beginning in 2015 with version 4.3, WordPress changed how passwords worked. Rather than having you enter a password when a user account was created, it now creates strong passwords for you.
This is great! Now you don’t have to try and think of a secure password. Let the software do it for you – one less thing to worry about!
Yes, you’re going to need to remember it. We get it. There are wonderful tools that help you remember your passwords, however. Two you might try are 1Password and Keeper.
Keep everything updated
WordPress is open-source code. The beauty of open-source software like WordPress is that anyone can contribute to it, helping to improve and expand on the foundations. It’s almost organic in that open-source code is constantly improving and maturing.
When someone discovers a bug in the code, developers can quickly write a fix for that bug, which can then go through rapid testing and deployment. Once that happens, WordPress notifies you when an update is available, and updates can be as simple as clicking a button.
When new versions of WordPress are released, updating your WordPress installation is pretty easy:
- When you log into WordPress, and are at the Dashboard, look in the left-hand menu, right under where it says, “Dashboard.”
- You should see “Home” and “Updates.”
- Click on “Updates.”
If WordPress needs an update, or your themes and plugins have updates, you will see the details here and can update things one at a time or in groups.
Backups
It’s always a good idea to have a current backup of your website. You never know when an update might go sideways, or something else unexpected happens. With a backup, you can be up and running again with very little downtime.
Most web hosts give you the option to make a backup through something like cPanel. With others, you might have to copy your files and your database manually.
There are a number of free and paid tools that let you schedule backups or have them run automatically.
Our recommendations include BackupBuddy and VaultPress. These are both paid plugins that handle the backups for you within WordPress. There are also free options, but the peace of mind you get from having your site backed up might be worth the cost of the software.
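On hosts where you have to copy the files and database yourself, the manual backup can be scripted. The script below is an added example, not part of the original article; it assumes shell access, WP-CLI (`wp`) for the database dump, GNU tar and sha256sum, and the paths in the usage comment are examples.

```shell
# Back up a WordPress site by hand: files plus database, then verify.
# Assumptions (not from the article): WP-CLI ("wp") for the database dump,
# GNU tar and sha256sum. Example: backup_wordpress /var/www/html /var/backups/wp
backup_wordpress() (
    site_dir=$1; backup_dir=$2
    [ -f "$site_dir/wp-config.php" ] || { echo "no wp-config.php in $site_dir" >&2; exit 1; }

    umask 077    # the archive holds database credentials: owner-only access
    mkdir -p "$backup_dir" || exit 1
    site_abs=$(cd "$site_dir" && pwd -P) || exit 1
    backup_abs=$(cd "$backup_dir" && pwd -P) || exit 1
    # A backup stored under the web root can be downloaded by anyone.
    case "$backup_abs/" in
        "$site_abs"/*) echo "backup dir must be outside the site dir" >&2; exit 1 ;;
    esac

    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    name="wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz"

    # Dump the database with WP-CLI when it is installed.
    if command -v wp >/dev/null 2>&1; then
        wp db export "$work/database.sql" --path="$site_abs" >/dev/null || exit 1
    else
        echo "warning: wp not found, database not included" >&2
        : > "$work/NO_DATABASE_DUMP"
    fi

    # One archive: site files first, then whatever is in the work directory.
    tar -czf "$backup_abs/$name" -C "$site_abs" . -C "$work" . || exit 1

    # Prove the archive is readable and record a checksum for later checks.
    tar -tzf "$backup_abs/$name" >/dev/null || exit 1
    (cd "$backup_abs" && sha256sum "$name" > "$name.sha256") || exit 1
    echo "$backup_abs/$name"
)
```

The function prints the path of the finished archive; run `sha256sum -c` on the `.sha256` file before restoring to confirm the archive has not changed.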
Other security tips
When it comes to the security of your website, there are always more things you can do to keep your site safe.
Many of them you can do with your WordPress website without all that much effort – things like setting up brute force protection, using a CDN, enabling two-factor authentication, etc.
None of these things really matter if you’re not doing the basic steps described above: keep WordPress updated, use a strong password, and have some kind of backup plan for your site.
Take care of those simple things first, and you can get back to enjoying your website.
Thank you very much for these tips. You are the best.
I recommend a couple plugins that help stop brute force password breaking attempts: wp-fail2ban (which integrates with fail2ban on a Linux host system) and login-security-solution.
Anyone know of any good WordPress virus protection plug-ins?
Good sound advice. Something people tend to overlook.
Well explained. We need to first look up our basic WordPress setting. One more tip I advised: never use admin as your username.