When it comes to running your WordPress website, security should be your top priority. With so many websites running on the platform, they are a prime target for hackers who want to spread malware, hold your site for ransom, or simply disrupt your business. Although you’ve probably taken some steps to secure your site, keeping it safe is an ongoing responsibility, and you need to keep certain aspects of your backend updated and locked down to prevent a breach.
Thankfully, many of the most effective security measures are actually quite simple. Plan to spend a few hours on these tasks and give yourself peace of mind that your WordPress site is safe from cybercriminals.
1. Change the Password
It sounds almost too simple, but a surprising number of WordPress site owners still use “admin” as a username and an easy to guess password, like “123456.” If you are still using the default username and the same password you launched your site with, change them immediately. While you are at it, limit the number of login attempts allowed before a lock out. When a hacker can try to get in to your site an infinite number of times, they will keep trying until they’re successful. If you have an easy-to-guess username and password? That won’t take long. Change your log in to something difficult to guess (a nonsensical string of at least eight numbers, letters, and characters) and change the password every so often to keep hackers guessing.
2. Install Antivirus Protection
Another seemingly obvious task, but many site owners, especially those working on Apple devices, aren’t using virus protection to keep harmful viruses, malware, and spyware from infecting their machine, and by extension, their WordPress site. You need to install robust protection from a reputable company like Trend Micro and keep it updated to prevent infections that will take down your whole site.
3. Secure the Login URL and Admin Directory
When you launch your site, by default the admin login page is “yoursite.com/wp-admin.” This page can easily be located via the site directory, making it easier for hackers to get to the page and attempt to gain access by brute force – which if you haven’t updated your username and password to something more secure, will be easy for them to do.
Therefore, you need to create a more secure custom login, which will hide the page from anyone who isn’t authorized to access the site backend. At the same time, secure the admin-wp directory behind another password. This way, if a hacker does somehow gain access to your admin page, they will still need to find a way into the admin directory to make any changes. Just be sure to use a different username/password combination than the admin login page.
4. Delete and Update
Keeping track of your WordPress themes and plugins and making sure that you’re using the most up-to-date versions is vital to maintaining your site security. It’s also important to delete those plugins that you’re no longer using. Every time you install a new theme plugin on your site, you’re creating a potential point of entry for hackers. When you don’t address security vulnerabilities through updates, you’re only creating more opportunities for hackers to access the site. You can schedule auto updates in the plugin code by adding code to wp-config.php:
add_filter( ‘auto_update_plugin’, ‘__return_true’ ) to auto update plugins, and add_filter( ‘auto_update_theme’, ‘__return_true’ ) for themes. By doing so, your plugins will update automatically every time a new version is released.
Also, don’t forget to update WordPress itself when new versions are released, to ensure you aren’t leaving security holes open for a hacker to slip through.
5. Backup the Site
Perhaps the most important piece of security advice for any WordPress site owner is to run backups regularly. No matter how secure your site is and how many precautions you take, there’s always a chance that something can go wrong, and unless you want to start over and rebuild your site from scratch, backups are necessary. Use a tool that will automatically backup your site on a predetermined schedule, keeping it in a safe mode that you can use for restoration when necessary.
Many of these important tasks can be automate, but never assume that everything is being updated or backed up as expected. Stay on top of those tasks and feel confident that your website is protected and you aren’t at risk of falling victim to a costly and time-consuming cyber attack.