How to Make Your WordPress Site Secure
In the wake of PC Tech Mag’s article about the XML vulnerability that affects WordPress versions 3.5 – 3.9 and Drupal versions 6.x – 7.x, the need for online security is higher than ever. It’s easy to be complacent about the security of your website and file it away as one of those ‘I’ll do it next week’ items but it’s relatively quick and easy to make your website more robust and save yourself the stress of rebuilding things from scratch, should the worst happen.
Online security is really earning a great deal of attention lately, with Yoast and Sucuri announcing a partnership that they hope will create a safer web. Their aim is to make a ‘bigger impact to the online threats website owners face on a daily basis’. For more information about the partnership and the benefits it will bring, Sucuri have posted an informative blog post that should answer any questions you have.
Although the majority of your security will be handled by your agency, there are still plenty of things you can do, as the end user, to help you make your website as secure as possible. We’ve come up with a list of things you can do yourself to help improve the security of your website.
Start with the basics and ensure that all of your passwords are strong and secure. Use a combination of upper and lower case letters and numbers to create a random password that isn’t easily guessed – avoid birthdays, business names or anything linked to you or your business. If you’re having trouble coming up with something unique there are plenty of strong password generators out there that can help – LastPass is a great one to check out.
Two step authentication is another way to make your logging in process more secure and involves not only a strong password but, also, access to a specific device (like a mobile phone, for example). This is a great way to improve your security as, even if your password is cracked, without your mobile device they’re not getting into your account. WordPress.com has a great article on the benefits of two step authentication, if you’re looking for more information.
Now your password is secure, it’s a great idea to host your website with an agency who are known for being security-conscious, so you know they have everything in place to reduce the risk of a security breach. WPEngine are a particularly secure option and they have a great section on their website that details all of their security processes, from both physically and logically segregated environments, to regular in-house vulnerability scanning.
WordPress developers are always working on making each release more secure than the last, so keep yourself updated with the latest version of WordPress at all times and make sure you never install an update from any website other than http://wordpress.org.
As always, there are plenty of WordPress plugins you can utilise to up your website’s security. A quick Google search will introduce you to reams and reams of options, but our top picks are Sucuri Security, Stealth Login Page and Limit Login Attempts (though do check this plugin is compatible with your version of WordPress).
Backups are imperative to security, so you should ensure you have a working backup of both your files and website, just in case the worst case scenario ever happens. If you have a backup it’s just a mild inconvenience, if you don’t…it doesn’t bear thinking about. With an agency like WP Engine you get an automated daily backup but CodeGuard, XCloner and BackWPup are great options for anybody looking for a way to back up their WordPress site themselves.
Don’t forget to store your backups off site (Dropbox or Google Drive are both good options), as a local backup could be lost if your site security is compromised.
All of the above will help to make your website nice and secure, but if you want to get a bit more in depth there are plenty of other things you can do to keep your system as robust as possible, including the following:
- Secure your file permissions so they are only writable from specific user accounts
- Use SFTP encryption when connecting with your server, to ensure your password is encrypted
- Disable the ability for administrators to edit files in the WordPress Dashboard
- Keep an eye on spam comments and remove them as they come in. Akismet is a great tool for managing spam
It might be impossible to protect your site from every single attack and hacker out there but following the steps in this article is a great way to make your website as secure and dependable as possible.