My friends, if you are confident that your WordPress websites are hacker-immune, I’m happy for you. But, are you sure? Really? Sure?
Even if your website is strong, don’t let your guard down because once your site is online, there is always something or someone lurking and looking to steal your information. Precaution is always a good thing.
This blog will help make your website as strong as Arnold Schwarzenegger. Simply put, these are just some workout-style WordPress security tips, but they are effective enough to protect your website from hacker attacks.
Top Security Tips To Keep A WordPress Website Unbreakable
Keep Everything Up to Date
Don’t let the fear of breaking your site creep into your mind. Keeping your website’s core, themes and plugins updated is not something you can skip just because you don’t feel like doing it. It’s necessary and it’s a must. Don’t put updates off.
Whenever there is a security problem, there will be updates rolled out to fix that problem. If you ignore updates, well, hackers won’t ignore you. Your site might be broken, but that would be a minor problem in comparison to being broken into by hackers. Think about the trade-off, and update your website.
Suggested WordPress Plugins
If you are managing many websites at once in a WordPress multisite system, using InfiniteWP Client is a good choice to have everything updated with just one click.
If you are a developer working for different clients and are in charge of maintaining each client’s website, WP Updates Notifier is my nomination. This plugin will email you whenever there is an update available for any of your websites.
Always Do Backups
It depends on your website’s characteristics whether you should do backups on a daily, weekly or monthly basis. However, I think a daily backup is the safest if your website’s content and data change daily.
For huge database systems or complex websites, you must build a detailed backup plan or use a backup service to ensure all data will be kept without conflicts or missing pieces. If a backup is not complete (which means it should cover your entire website, including theme tweaks and plugin settings) and automatic, it’s not a good backup.
Suggested WordPress Plugins
A very popular backup solution for WordPress is Backup Buddy. However, this high quality comes at a matching price: you will have to pay from $80 for 2 sites. Another premium choice is VaultPress by WordPress.
If you prefer a free tool, I’d suggest WordPress Backup to Dropbox. Your website will be backed up on a regular basis and the file will be dropped into your Dropbox. However, with a large site, you’d better prepare enough space in your Dropbox! Another option is WordPress Duplicator, a tool that helps you migrate, copy or clone a site from one location to another.
For multisite WordPress users I would suggest BackWPUp. It’s as simple as WordPress Backup to Dropbox but it saves you from having to set up multiple backup systems for multiple sites.
Manage Your Users Well
All your efforts enhancing security can go to waste if other admin users do not follow security best practices. So, make sure that you control them well. Only give admin rights to people who really need it. And remember to train them with security tips.
One more important thing: delete old user accounts whenever someone leaves or changes role, so your information won’t be leaked.
Suggested WordPress Plugins
A great tool for controlling user roles and capabilities is User Role Editor. This tool can be used for both single and multisite installs. Roles are presented with checkboxes, so you can tick any role you want to add for a specific user and then hit Update. That’s it.
Keep Strong Passwords
Not only admins but every user on your website should use a strong password. You may know that already. And agree. But make sure that the other members of your website practice this tip too. You can enforce password requirements to force users to choose a strong password, such as requiring a minimum of 8 characters or the use of symbols, numbers and upper-case letters when registering a new account.
Be Careful With Error Message
I’ve seen so many cases where, when I log in with incorrect account information, the site tells me “Your password is not correct” or “Your account is not correct”. Wow, it’s so nice of you to tell me that – so now I only have to re-enter my username OR my password.
Don’t give away too much information in your error messages. A generic message like “Incorrect username or password” is better to use and makes it harder to guess what is wrong. You think this is silly? No, it’s not at all.
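As an added example (not code from the original post), here is a small must-use plugin that applies both of the last two tips: it swaps WordPress’s detailed login error for the generic message, and it rejects weak passwords on the profile screen and on the password-reset form. It uses the real WordPress hooks login_errors, user_profile_update_errors and validate_password_reset; the hardening_* function names and the exact policy (8 characters, upper case, digit, symbol) are my own choices.

```php
<?php
/*
 * Plugin Name: Login hardening (added example, not part of the original post)
 * Drop this file into wp-content/mu-plugins/ so WordPress loads it automatically.
 */

// 1. Generic login error. WordPress normally says which half was wrong;
//    this filter replaces every login-form error with one neutral message.
add_filter( 'login_errors', function ( $error ) {
    return 'Incorrect username or password.';
} );

// 2. Password policy: return the list of requirements a password fails.
function hardening_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 8 ) {
        $problems[] = 'at least 8 characters';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'an upper-case letter';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'a number';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'a symbol';
    }
    return $problems;
}

// Attach any failures to the WP_Error object WordPress shows on the form.
function hardening_check_password( WP_Error $errors ) {
    // Both the profile screen and the reset form post the new password as pass1.
    $password = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return; // no password change submitted, nothing to check
    }
    $problems = hardening_password_problems( $password );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password must contain ' . implode( ', ', $problems ) . '.' );
    }
}

// Profile edit and "Add New User" in wp-admin (extra hook arguments are ignored).
add_action( 'user_profile_update_errors', 'hardening_check_password', 10, 3 );
// Password reset form (wp-login.php?action=rp).
add_action( 'validate_password_reset', 'hardening_check_password', 10, 2 );
```

Note that login_errors also covers messages such as an empty username field, so every failed login attempt looks the same to the visitor.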
Control Uploading Files From Users
Allowing your users to upload files poses a security threat to your website, even if it is just an avatar picture. You can protect against malicious files by preventing users from executing the files they upload. For example, you can try changing the uploaded file’s permissions to chmod 0666 (read more in the detailed guide by WordPress here).
The best way to prevent harm from uploaded files is to prevent direct access to them altogether. This method stores files uploaded to your website in a folder outside your web root, or stores them in your database as a blob.
For websites which allow users to upload images directly from the Internet, make sure you use secure transport methods such as SFTP or SSH.
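As an added example (again not from the original post), this must-use plugin tightens what WordPress will accept as an upload: it narrows the MIME allow-list with the real upload_mimes filter, and it inspects the file’s actual content with PHP’s finfo in a wp_handle_upload_prefilter callback, so a script renamed with an image extension is rejected before it ever reaches wp-content/uploads. It assumes the fileinfo extension is enabled; the hardening_* names and the image-only policy are my own choices.

```php
<?php
/*
 * Plugin Name: Upload hardening (added example, not part of the original post)
 * Also goes in wp-content/mu-plugins/. Requires PHP's fileinfo extension.
 */

// Image types we allow, mapped to the extensions they may legitimately carry.
function hardening_allowed_images() {
    return array(
        'image/jpeg' => array( 'jpg', 'jpeg' ),
        'image/png'  => array( 'png' ),
        'image/gif'  => array( 'gif' ),
    );
}

// 1. Shrink the MIME allow-list WordPress consults for every upload, including
//    admin uploads, so nothing but these image types is accepted at all.
//    Widen it if your site genuinely needs PDFs or other documents.
add_filter( 'upload_mimes', function ( $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
} );

// 2. Check the file's real content, not the name the browser sent: the magic
//    bytes of a genuine image must match the extension it claims.
function hardening_is_genuine_image( $path, $name ) {
    $allowed = hardening_allowed_images();
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    $mime    = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $path ); // false on failure
    return isset( $allowed[ $mime ] ) && in_array( $ext, $allowed[ $mime ], true );
}

// Runs before WordPress moves the temp file; setting 'error' aborts the upload
// and shows the message to the user.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! hardening_is_genuine_image( $file['tmp_name'], $file['name'] ) ) {
        $file['error'] = 'Only genuine JPEG, PNG or GIF images may be uploaded.';
    }
    return $file;
} );
```

Pair this with a web-server rule that refuses to execute scripts under wp-content/uploads, so that a file which slips past validation still cannot run.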
Use SSL When Needed
SSL is the protocol behind the “https” you usually see when logging in to your bank account, or even Facebook. It is there to protect personal information while it passes between a visitor’s browser and your web server.
Use SSL for your website so hackers can’t intercept your website users’ personal information. Anything that shouldn’t go public must stay safe within your website.
Use Website Security Tools
One last important thing to do after you finish practicing all those tips above, is to test how secure your site really is. To get this done, there are many tools, both free and premium.
For scanning your WordPress website, I would recommend Acunetix WP Security. It’s totally free and able to check your whole site for vulnerabilities and then suggest corrective actions. Or, you can try WP Scan to detect security problems.
If you have a budget, put your money into Sucuri; it not only scans for problems, it also offers a cleaning service, and more. Just spend one minute looking at their pricing plan for details.
Now we’ve come to the end. These security practices will never fade away and you must repeat them as they are your daily workout. Oh, you might want to check these Top 10 Ridiculous Security Mistakes to Avoid too (with an infographic).
Happy, healthy WordPressing! Share these tips with your friends and exercise together!