Because WordPress is so popular, it is a common target for hackers. So how do you minimise the chances of your website being hacked? Follow these tips to keep your website secure.
Walkie-talkies are optional but if they help you feel more in control, I'd say go for it! Otherwise, keep reading...
Usernames & passwords
When setting up users, make each username unique and choose complex passwords. WordPress gives pretty good feedback about passwords and whether they are weak or strong. It can also automatically generate secure passwords. I have seen some websites where the username was "admin" and the password also "admin". This is an open invitation to hackers who use automated brute force attacks to guess username & password combinations. Avoid the default username "admin" in favour of a longer and more unique username, and choose a secure password.
If you have trouble keeping track of your passwords, use a password manager such as LastPass to store them securely. Also avoid sharing logins - it is better to set up a unique login for each user.
Update WordPress and plugins regularly
While it is easy to build a WordPress website and put it on the internet, the reality is that a WordPress website requires regular maintenance. WordPress is a great content management system, but to build a functional website it requires at least a handful of plugins (e.g. to build contact forms, set up backups, SEO functionality, or eCommerce). Both WordPress itself and the plugins release regular updates. These updates can include feature improvements, bug fixes and security patches.
Updates need to be applied regularly - about once or twice a month. If a vulnerability is discovered for a certain version of WordPress or a plugin, this information will quickly spread amongst hackers so it is important to apply updates, in particular if they include security patches.
If you don't remember to log in and update your website regularly, you may wish to consider a maintenance plan - please contact us for more information.
Be picky with your plugins
Plugins are great as they can extend your WordPress website and add functionality ranging from simple contact forms to full-blown eCommerce or membership websites. However, not all plugins are coded by reputable developers, and some are no longer maintained by their developer.
It is best to go with the most popular plugins that have many installs and positive reviews. That way you can be pretty sure the plugin is reputable and well maintained.
Any disabled plugins on your website which you don't actually need are best uninstalled.
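The three checks above (no "admin" username, no pending updates, no leftover disabled plugins) can be run as one routine audit. The script below is an added example, not part of the original article; it assumes you have exported the site's users and plugins with WP-CLI (`wp user list` and `wp plugin list` with `--format=json`), and the sample data and the `audit` function name are constructed for illustration.

```python
import json

# Constructed sample, shaped like:
#   wp user list --fields=user_login,roles --format=json
USERS_JSON = """[
  {"user_login": "admin", "roles": "administrator"},
  {"user_login": "k.meyer-editor", "roles": "editor"}
]"""

# Constructed sample, shaped like:
#   wp plugin list --fields=name,status,update,version --format=json
# Plugin names and versions are placeholders, not real releases.
PLUGINS_JSON = """[
  {"name": "example-firewall", "status": "active", "update": "none", "version": "1.0.0"},
  {"name": "example-forms", "status": "active", "update": "available", "version": "2.3.1"},
  {"name": "old-slider", "status": "inactive", "update": "none", "version": "0.9"}
]"""


def audit(users_json, plugins_json):
    """Return (finding, name) tuples for the issues the article warns about."""
    findings = []

    # The default "admin" login is the first guess of automated brute-force tools.
    for user in json.loads(users_json):
        login = user["user_login"]
        if login.strip().lower() == "admin":
            findings.append(("default-username", login))

    for plugin in json.loads(plugins_json):
        # An available update may carry a security patch: apply it.
        if plugin["update"] == "available":
            findings.append(("update-pending", plugin["name"]))
        # Disabled plugins still sit on disk: uninstall what you don't need.
        if plugin["status"] == "inactive":
            findings.append(("inactive-plugin", plugin["name"]))

    return findings


if __name__ == "__main__":
    for finding, name in audit(USERS_JSON, PLUGINS_JSON):
        print(f"{finding}: {name}")
```

An empty result means none of the three issues were found in the exported lists.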
Install a Security & Firewall plugin
There are a number of good security plugins available, both free and commercial. We use Wordfence, which includes manual & automated malware scans, monitoring of other plugins, a firewall, blocking of brute-force attacks, and email alerts if anything suspicious is going on.
If we have built your WordPress website within the last 1-2 years we have probably already set this up for you.
Install a Backup plugin and set up regular backups
This won't prevent you from getting hacked, but it will really reduce the issues if it does happen. There are some great backup plugins such as BackUpWordPress, UpDraft, and Akeeba Backup.
If your website is hosted with us, we usually use Akeeba Backup to run automated weekly backups for your website. Do not disable this plugin if it is installed on your website and the website is hosted with us.
We usually keep backups for a couple of months so that we have access to older, clean versions of the website in case a hack goes undetected for a few weeks. That way we can quickly restore the website (although if the hack is a few weeks old you may lose some of your newer content).
Without backups, the website will often need to be rebuilt from scratch as it is very difficult to clean up a hacked website. This can obviously be costly and time consuming.
Submit your website to Google Search Console
For Search Engine Optimisation purposes, every website should be submitted to Google's Search Console anyway as this helps with indexing the website in search results. The Search Console also offers malware scanning tools and will often pick up automatically on any malware on your website and send an email alert with further details to the website owner. When we build a website we always submit it to the Search Console so if you have had your website built by us, we would be notified of any malware that Google detects.
Following the above tips can really reduce the risk of your website getting hacked, and also prevent major issues if it does happen. If you are concerned about your website security, please contact us for a chat.