The internet is an essential part of our lives - from socializing, to shopping, working, and pretty much everything else. It’s everywhere and that means that it also comes with its fair share of potential issues. I’m not going to go into all of the issues you might find, but let’s chat about one that’s an ongoing problem for our clients and the web in general - security.
Being a Wordpress web design company, one of the most common problems we constantly have to stay on top of for clients is preventing their Wordpress websites from being hacked. Wordpress, being the web’s most used CMS, is prime target #1 for hackers. Bad actors are always trying to find the newest ways to gain access to someone’s website and use it in nefarious ways. The good news is, there are a few things you can do to keep your site safe and secure. And, doing these will keep out most of the hackers.
How hackers break into a WordPress site
Usually, a hacker gets into a Wordpress website via a poorly coded or outdated plugin or theme. Generally, this can give them access to add code to your site - which means they could make the website do anything. This is why it’s very important to keep your website up to date and to only use software from reputable sources.
Another main way hackers can get into Wordpress is by figuring out an administrator password. We’ve seen this happen when a client will use the same password they use everywhere or they use an easy password. If you’re an administrator and a hacker gets your password, well...you’ve just given them the keys to the castle and they can literally do anything with your site.
What can you do to strengthen security on your website?
Use a strong password
Creating a strong, unique password is one of the most important things you can do to keep your WordPress site safe and secure. It will act as a barrier against attempts to hack your site, although brute force attacks can still work. You also need a unique password for each of your social profiles, email accounts and other important online accounts. Hackers often use one unique password that they can guess for all these accounts, including your WordPress site. An extra layer of protection is to create unique passwords for each site. When you do that, each site will be totally unique to your main WordPress site. Even if you use a similar username and password on multiple sites, the passwords for your sites will be different.
Another way to strengthen a password, is to use 2 factor authentication. We’ll talk about this below in Wordfence - it’s when you are prompted for a few-digit code after you’ve entered your username and password. Generally, this code comes from your phone. So, even if a hacker has your password, they won’t have access to your phone.
Wordfence is a free Wordpress security plugin. It’s awesome and will stop most hack attempts. Unless your website would be super valuable to a hacker, Wordfence will keep you safe. Not only does it have real-time hack prevention, but it comes with lots of other features to keep you secure. Our favorites are file scanning, firewalls, suspicious activity monitoring, and 2 factor authentication.
If security is a big concern for you, definitely go for the premium version. That version gets the most up-to-date hack scanners and features.
Keep everything up to date
Like I mentioned earlier, one of the most common ways hackers gain access to a Wordpress website is through code that has vulnerabilities. While getting someone’s password is possible, it’s much more common for hackers to exploit software holes. Most developers of themes and plugins know of this ever-present battle and do their best to continue supporting and patching any holes and exploits found.
This is why it’s so important to update Wordpress, themes, and plugins so that you’re using the most up to version of the code, which will have patches included that close any security issues that are known.
Wordpress makes updating these things easy - Wordpress itself and plugins have a one-click simple update process where the software handles it for you. When it comes to themes, however, it gets a little more complicated. You should seek out advice from the developer of your theme or whoever made your website on how you should update it.
Recovery and Backups
You'll probably need to revert your site if you're hacked. Luckily, backing up your WordPress site regularly and setting up an automated routine to do this ready is pretty easy to do. We use a plugin called Updraft - it handles everything and lets you do it with ease. The general rule is that if it’s not backed up in 3 different places, it’s not backed up. So, we pair our Updaraft backups with Backblaze and have them sent there for safekeeping.
The first and most important step is to get an SSL certificate. An SSL certificate is a code that encrypts your website and allows the secure transfer of data between your visitors and your server. If your website doesn't have an SSL certificate, then your website will show an insecure padlock icon in the address bar when you go to visit it. However, that only tells visitors that they are visiting an unsecured site. If you're ready to get an SSL certificate, then we recommend that you use Let's Encrypt, which is free and offered as an included service with most hosting companies.
These are the essentials and absolute minimums that we suggest you do to secure your website. There are lots of advanced techniques that our website design company uses that would be better detailed in a different blog post. For the majority of websites, these steps will keep you safe and keep your website online.