You spent a lot of time and money on your new website (it looks great btw). Now let’s talk about keeping that baby secure — because nothing is more difficult to deal with than a hacked site.
1. Consider your users
First things first – make sure you don’t have any users with the username admin. If you do, check out this article on how to change your username either by creating a new one or using a plugin.
Also, consider limiting the number of administrator users to only those who really need it. There are lots of roles — use the one that makes the most sense for what each user will actually be doing with the site.
2. Set strong passwords
Do it. It’s 2019 — you really shouldn’t be using 123456789 or your dog’s name or your kid’s birthday. I like and use this secure password generator but there are tons of other options.
If you’re using a security plugin like Wordfence (more on this below), there may be additional security options related to users and passwords. In Wordfence, go to All Options, Firewall Options and Additional Options, and make sure these three are enabled:
- Enforce strong passwords (and as a bonus, you can force all members to use strong passwords)
- Prevent users registering ‘admin’ username if it doesn’t exist
- Check password strength on profile update
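To make these checks (and the admin-user housekeeping from #1) concrete, here is an added example of a small must-use plugin that implements the same policies with plain WordPress hooks. It is example code written for this post, not Wordfence’s code: the 12-character minimum, the tiny common-password list and every `example_*` name are assumptions, while the hooks it uses (`illegal_user_logins`, `user_profile_update_errors`, `validate_password_reset`) are core WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example User Hardening
 * Description: Added example (not Wordfence code) that mirrors the user and
 * password checks discussed above. Save as wp-content/mu-plugins/example-user-hardening.php.
 */

// Minimum length is an assumption for this example; Wordfence's own rules differ.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Section 1: report who holds the administrator role and whether a literal
 * "admin" login exists, so you can trim the list and rename that account.
 */
function example_user_audit(): array {
    $admins = get_users( [ 'role' => 'administrator', 'fields' => [ 'ID', 'user_login' ] ] );
    return [
        'administrator_count'  => count( $admins ),
        'administrator_logins' => wp_list_pluck( $admins, 'user_login' ),
        'admin_login_exists'   => (bool) username_exists( 'admin' ),
    ];
}

/**
 * Section 2: return the problems with a candidate password (empty array = OK).
 * Checks length, character variety, "does not contain the username" and a
 * constructed four-entry list of common passwords; a real deployment would
 * check a breached-password list instead of this short one.
 */
function example_password_problems( string $password, string $username = '' ): array {
    $problems = [];
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    $classes = 0;
    foreach ( [ '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ] as $re ) {
        $classes += preg_match( $re, $password ) ? 1 : 0;
    }
    if ( $classes < 3 ) {
        $problems[] = 'must mix at least three of lowercase, uppercase, digits and symbols';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $problems[] = 'must not contain the username';
    }
    if ( in_array( strtolower( $password ), [ '123456789', 'password', 'qwerty123', 'letmein' ], true ) ) {
        $problems[] = 'is on the common-password list';
    }
    return $problems;
}

/** Attach any problems with the submitted password to the WP_Error WordPress will display. */
function example_reject_weak_password( WP_Error $errors, string $username ): void {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change in this submission.
    }
    $password = (string) wp_unslash( $_POST['pass1'] );
    foreach ( example_password_problems( $password, $username ) as $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> Password ' . esc_html( $problem ) . '.' );
    }
}

// Prevent users registering the "admin" username (core filter, WordPress 4.4+).
add_filter( 'illegal_user_logins', function ( array $logins ): array {
    $logins[] = 'admin';
    return $logins;
} );

// Check password strength on profile update, and when an administrator creates a user.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ): void {
    example_reject_weak_password( $errors, (string) ( $user->user_login ?? '' ) );
}, 10, 3 );

// Enforce strong passwords on the password-reset form as well.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ): void {
    example_reject_weak_password( $errors, $user instanceof WP_User ? $user->user_login : '' );
}, 10, 2 );
```

Files in `wp-content/mu-plugins/` load on every request without being activated, so the checks apply immediately. The audit function is there to be called on demand, for example with WP-CLI: `wp eval 'print_r( example_user_audit() );'`. Blocking the “admin” login only affects new registrations; an existing “admin” account still needs the rename described in #1.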
3. Use a WordPress security plugin
Wordfence is a good security plugin, but there are others. Run a quick search for “security” in the plugin repository to find a few. (Like with any plugin, look for good reviews, lots of installations, that it’s compatible with your version of WordPress and that it’s been updated recently.)
4. Opt for good hosting
Consider a reputable host for your website. Recommendations from friends or trusted colleagues or even just good online reviews can guide you in the right direction.
Also, just a note that some hosts, like WPEngine, won’t allow you to run Wordfence because they already take care of a lot of that security themselves.
5. Use a password manager
I was hesitant to jump on the bandwagon, but the number of passwords I have to keep track of now is banana sandwiches. I recently signed up for 1Password (LastPass is another good option) and it’s been great. I’m able to generate and use really strong passwords on all of my accounts without having to remember each and every one.
6. Keep secrets
Or better yet, create a user just for them (with proper permissions, see #1 above), that way you can remove the user when they no longer need access to your site. You can also use the Temporary Login Without Password plugin.
7. Perform those updates
One overlooked way to keep your site secure is to make sure your software is up to date. Here’s how to update your plugins, themes and WordPress itself.
If you’re using Wordfence, you can get notified of new versions. Plus, Wordfence will show you if a plugin has been abandoned. (This doesn’t necessarily mean it’s vulnerable, but it could be.)
If you’re using a service like ManageWP (which is great for managing more than one website), you’ll see a notification if a plugin has vulnerable code. Here’s a great article about it.
And it’s not just WordPress, themes and plugins, but PHP, too. End of life for a few versions of PHP happened recently and many (myself included) had to update.
8. Run a security scan
Run your website through a security scan like one of the ones below. It will check for malware and other vulnerabilities that you may not be aware of.
9. Configure and take backups
I’ve said it before and I’ll say it again: it’s SO important to have a good, current backup of your site. Here’s how you can take your own backups.
This is by no means a comprehensive list. Implementing SSL, limiting login attempts, changing the login page, hiding your WordPress version and enabling two-factor authentication are just a few other ways to secure your website further. You can also learn more by searching for “hardening WordPress” where you’ll find TONS of great in-depth information.
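Two of the measures listed here, hiding the WordPress version and limiting login attempts, are small enough to show in code. The following is an added example of a second must-use plugin written for this post, not code from Wordfence or any other plugin mentioned; the five-attempt limit, the 15-minute lockout window and the `example_*` names are assumptions, while `wp_generator`, `the_generator`, `style_loader_src`, `script_loader_src`, `authenticate`, `wp_login_failed`, `wp_login` and the transient functions are core WordPress.

```php
<?php
/**
 * Plugin Name: Example Login Hardening
 * Description: Added example (not from any plugin named in this post) that hides
 * the WordPress version and limits failed logins per IP address.
 * Save as wp-content/mu-plugins/example-login-hardening.php.
 */

// Both thresholds are assumptions for this example.
const EXAMPLE_MAX_ATTEMPTS    = 5;
const EXAMPLE_LOCKOUT_SECONDS = 900; // 15 minutes

// ---- Hide the WordPress version ----
// Drop the <meta name="generator"> tag from the page head and from the feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Strip ?ver=<core version> from enqueued assets, but leave other ?ver= values
// alone so plugin and theme cache-busting keeps working.
function example_strip_core_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version' );
add_filter( 'script_loader_src', 'example_strip_core_version' );

// ---- Limit login attempts ----
// REMOTE_ADDR is the only address you can trust unless a proxy you control sets
// a forwarding header; X-Forwarded-For is client-supplied, so do not read it blindly.
function example_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_attempt_key( string $ip ): string {
    return 'example_login_fail_' . md5( $ip );
}

// Count each failure; the transient expires after the lockout window.
add_action( 'wp_login_failed', function ( string $username ): void {
    $key   = example_attempt_key( example_client_ip() );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse the login once the counter reaches the limit. Priority 30 runs after
// core's own authenticate callbacks (priority 20), so the refusal is final.
add_filter( 'authenticate', function ( $user, string $username ) {
    $count = (int) get_transient( example_attempt_key( example_client_ip() ) );
    if ( $count >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', '<strong>Error:</strong> Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
    delete_transient( example_attempt_key( example_client_ip() ) );
}, 10, 2 );
```

A refused attempt during the lockout also fires `wp_login_failed`, so every extra try restarts the 15-minute window; that is intentional. Two caveats: transients live in the options table (or your object cache), so this works on a single site but is not a substitute for a proper rate limiter in front of a busy one, and if your site sits behind a CDN or reverse proxy every visitor shares one `REMOTE_ADDR` until the proxy’s real-client-IP header is configured at the web-server level.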
Good luck! And as always, please let me know if you have any questions.