If you haven’t had your WordPress site hacked yet, believe me, you don’t want to. Not only could being offline for just a matter of hours eat into your revenue; search engines could also pick up the content changed by the hack (you don’t sell cheap Viagra, do you?!), severely affecting your site’s SEO and potentially ruining your reputation. And, if your brand is connected to your domain name and that can’t be changed easily, it could spell the end of your business.
Moreover, given the number of stories we’ve seen recently about vulnerabilities with plugins used on WordPress sites, it’s more important than ever now to put strategies in place to keep your site secure.
A couple of weeks ago we tweeted about a serious vulnerability that had been discovered in the TimThumb plugin, a plugin used on many WordPress sites to resize images. Then, on Monday, researchers warned that websites that run WordPress and the newsletter plugin MailPoet, which has more than 1.7 million downloads, are also susceptible to hacks that give attackers almost complete control of the site.
That’s not to say it’s riskier to use WordPress than any other CMS, though, so don’t panic! There are some surprisingly simple ways to stop your website falling prey to hackers; here are our top five:
1. Always, always, always stay up-to-date!
It’s crucial to make sure that you update the WordPress core and your themes and plugins regularly to greatly reduce the risk of being hacked. Every new release of WordPress, as well as of themes and plugins, contains fixes that address real or potential vulnerabilities, so if you don’t keep your website updated with the latest versions, hackers are much more likely to be able to get in.
In fact, they often target older versions of WordPress because they may have known security issues. So check for updates often and don’t ignore those annoying ‘Please update now’ messages!
2. Get creative with usernames and passwords
Incredibly, there are still a surprising number of businesses that use ‘admin’ as their username and ‘password’ as their password, despite the fact that around 8% of hacked WordPress websites are down to weak passwords.
Don’t fall into this trap. When you create your admin account login, change your username to something more unique and never use simple passwords like ‘letmein’ or ‘abc123’; they’re an absolute dream for hackers.
Instead, create a password that contains upper case and lower case letters, numbers and symbols and avoid any versions of your name or the name of your site. If you’re drawing a blank, there are loads of websites that can help; just search for “password generator” on Google.
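The rules in this tip, written out as a check you could run before creating an admin account. This is an added example, not code from the original post; the 12-character minimum, the look-alike substitution table and the function names are assumptions.

```python
import re

# Weak choices the article names explicitly.
WEAK_PASSWORDS = {"password", "letmein", "abc123"}
WEAK_USERNAMES = {"admin"}
# Assumed look-alike substitutions, undone before comparing against names.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def _normalise(text):
    """Lower-case, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def check_credentials(username, password, owner_name, site_name, min_length=12):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    if username.lower() in WEAK_USERNAMES:
        problems.append("username is a default")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("password is a well-known weak password")
    if len(password) < min_length:  # min_length is an assumption, not from the article
        problems.append("password is too short")
    classes = {
        "an upper case letter": r"[A-Z]",
        "a lower case letter": r"[a-z]",
        "a number": r"[0-9]",
        "a symbol": r"[^A-Za-z0-9]",
    }
    for label, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append("password has no " + label)
    # "Any versions of your name or the name of your site": compare each
    # word of the name against the password with substitutions undone.
    flat = _normalise(password)
    for label, value in (("your name", owner_name), ("the site name", site_name)):
        for token in re.split(r"[^A-Za-z0-9]+", value):
            token = _normalise(token)
            if len(token) >= 3 and token in flat:
                problems.append("password contains a version of " + label)
                break
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_credentials("jd_editor", "Acm3-B@kery!2014", "Jane Doe", "Acme Bakery"))
```

The second case is the one simple character-class rules miss: a password can contain every required character type and still be a thin disguise of the site name.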
3. Don’t scrimp on hosting
WordPress websites are often hacked as a result of insecure hosting providers, so don’t go for the cheapest one you can find. When choosing a company to host your website, do your research and make sure they’re well-established and have a good track record for security. In our opinion, it’s always worth splashing out a bit extra for security and reliability – it should pay dividends.
4. Make regular back-ups
We really can’t stress enough how important it is to make regular backups of your site – so many people put it off until it’s too late and lose everything they’ve been working on.
Unfortunately, even when you’re using the best security measures available, things can go wrong. But if you’ve got everything securely backed up in a safe place, it takes next to no time for an expert to get your site back up and running as if nothing ever happened.
5. Use security plugins
As well as deploying all the tips we’ve already mentioned, it’s definitely worth installing a security plugin to ward off the most devious hackers. Solutions you can currently find on the market include: Better WP Security, Bulletproof Security, Sucuri Scanner and WordFence, among many others.
These will serve to tighten your site’s security and form another barrier against hackers.
There are also loads of other things you can do to improve your site’s security: for example, only use themes or plugins from reputable providers, especially if they’re free; limit the number of failed login attempts from a single IP address; disable file editing from the dashboard; and hide your username from the author archive URL. You can also add another layer of security to your WordPress admin with an SSL certificate.
Don’t worry if this all sounds a bit overwhelming though. Just putting in place one or two of our suggestions can make your site a lot more secure than it was. Or, if you don’t have time to do that, there’s the option of using an expert service like ours to take care of all your WordPress security and maintenance needs.