The majority of the websites found on the Internet are powered by WordPress. Recent estimates suggest that around 35% of all sites online run on WordPress, and that’s certainly impressive. But WordPress sites that are left unattended are vulnerable to hackers. That’s why it’s so important to understand WordPress website security.
If your business runs a site powered by WordPress, you need to go the extra mile to ensure that it’s secure for your staff and customers. Cyber threats have never been more numerous and sophisticated, but a smart strategy that includes constant maintenance, updates, and backups will give you the protection you need.
Even with many years of experience and monitoring we have experienced security issues and attacks on our hosted websites over the years.
In this blog, I’m going to take a look at six WordPress website security tips and best practices to secure your website through 2020 and beyond.
1. Make someone responsible for website security
Who is ultimately responsible for your website security? If you can’t answer this question, you have a problem. Some businesses lack the personnel, or have never deemed it necessary to put someone in charge of web security – but in 2020 it is absolutely essential to have a team member who is planning and making security-related decisions about your website.
This could mean changing the job description of a more general member of IT staff, of someone who regularly manages website content, or working with external specialists to provide advice and guidance.
2. Update WordPress as a priority
If there is one thing that every WordPress website owner needs to make sure they’re doing as a priority, it’s keeping their version of WordPress completely up-to-date. WordPress regularly updates its software in order to fix known issues and vulnerabilities. Users with the latest software aren’t vulnerable to these problems.
The numbers confirm the importance of updating the software. Nearly 40% of WordPress hacks are due to the core software not being up-to-date. Updating WordPress is quick and easy, so there really is no excuse to delay doing it when it’s key to your website security.
3. Update out-of-date themes and plugins
Updating WordPress is only a part of necessary website maintenance. WordPress sites use themes and plugins, and it’s common for them to be targeted by cyber criminals. The most important point is that you should ensure that all of the themes and plugins you use are updated regularly – and you should avoid using older software that is no longer supported. Failing to stay up-to-date can put your site at risk.
It’s a great idea to put some research into the plugins you are considering before installing them. If tools are no longer supported by developers, they can do more harm than good. There is safety in choosing tools that have hundreds of high ratings and an active community of users contributing to the development. Conversely, installing any plugin without doing the research can lead you to install something with significant vulnerabilities that can be exploited.
Web development companies like Westronpoint often provide ongoing maintenance packages that manage all of your security and updates for you.
4. Carry out penetration testing
Another smart move is to have your website and security defences tested on a regular basis by third party experts. This is a great way to get a fair and independent assessment of the current state of your systems, and whether there are any issues that need attention.
A business that specialises in pen testing will be able to carry out a full test of your website, as well as provide you with follow-up information about how to fix the issues it finds and mitigate your risk of cyber-attack. A website penetration test will look for vulnerabilities such as misconfiguration, authentication and data encryption weaknesses, injection flaws, and input validation errors.
5. Take control of your login credentials
WordPress website owners often have accounts for a number of things: site administration, hosting, FTP access, and more. Don’t fall into the trap of using the same usernames and passwords across these accounts – if a cybercriminal compromises one account, they often attempt to reuse the same credentials to get access to other systems.
Trying to remember all of these individual usernames and passwords can be a daunting task, so tools like LastPass can be useful. LastPass is password managing software which allows you to generate and store secure passwords.
It’s also smart for admin users to have separate accounts for administration and for day-to-day site management like adding content or approving comments.
6. Upgrade your web hosting service
Your defences might be robust, but the wrong web hosting can make your site vulnerable. Cheaper hosting packages often host your site on a server with many others – and if these sites get compromised then your site is at risk too.
If you’re looking for optimal security, choose dedicated web hosting. IONOS, for example, offers powerful cloud hosting specifically built for WordPress websites. This may be a more expensive option, but it means that there won’t be any potential ‘backdoors’ into your site from co-hosted sites. Shared hosting has a number of other issues as well such as poor backups and badly maintained log records. Dedicated web hosting isn’t for every business, but it does increase website security.
Additional website security steps that you can take
The points above are the first steps in making your site more secure, but there is much more that can be done to maximise your security position. Some of the most important include:
- Regularly back up your site – It’s important to have a backup in place so that you are able to recover your site if you suffer a cyberattack. If anything goes wrong with your site, you can get it back up and running quickly. There are a number of free and paid backup plugins available.
- Install a security plugin – Another useful tool to boost WordPress website security is a security plugin. Depending on what you choose, the plugin can carry out a number of useful tasks: monitoring failed login attempts, malware scanning, and more. WordFence is a reputable plugin with impressive features.
- Enable a web application firewall – Firewalls still play an important role in overall web security. Web application firewalls are able to block suspicious traffic before it can even get to your site.
- Move your site to HTTPS – You should make sure that your site uses HTTPS rather than HTTP – HTTPS sites have a padlock displayed next to the URL in your browser. This is important for both SEO and for security. To move to HTTPS, you’ll need to use the SSL protocol – it encrypts the data sent between your website and users and requires that you purchase and apply an ‘SSL Certificate’.
Web development agencies should always ensure that your site is armed and secure before launch. It’s a good idea to have a retainer agreement for maintenance, so that all of the points we’ve discussed are automatically covered and you don’t have to worry! Whether you work with a developer or hand the role over to your own team, always make your website security a top priority.