7 WordPress Security Essentials

by | Security

Website safe
Have you ever logged into your website on a Monday morning to see it has been taken over by hackers over the weekend and your homepage is a dancing robot threatening the worst type of violence to some NATO hostages? I have.

Have you ever spent 8 hours cleaning malicious code from your website only to have the whole scenario above repeated again twenty minutes later because of the insidious backdoor scripts that have been hidden all over your site, with another day passing before you found the culprits? I’ve been there!

Have you ever had your clients ring you to let you know your website has been hacked and they were worried you’d joined the dark side? Yep, happened to me too!

Have you ever contacted your hosting service to get them to remove malicious code from your site only to be told it’s your problem to sort out and by the way, if it’s not fixed in 24 hours they’ll shut your site down? Uh huh.

How about all your data being wiped out only to discover that you don’t have an offsite backup, your hosting service doesn’t have an intact backup copy and your only backup was stored on the hosting server with all your website files (which remember, are missing in action)? Luckily this hasn’t happened to me but I know many people who have faced the heartbreak of losing all their valuable content – this is their business after all!

1. Backups

Keep an up-to-date backup of your files AND database off site. That is, don’t rely on your backup plugin to choose the most sensible place for your precious backup files. If your server is compromised, likely your backup file is history too. Make sure you have a backup schedule that keeps up with your most recent changes and store it on your Dropbox, Amazon S3 account or on your local drive (although that can fail too so opt for the first two options if possible.)

2. Security Scans

Regularly scan both your hosting server and your local computer for malicious files and scripts.

3. Updates

According to sources, 83% of WordPress sites that have been hacked are not updated. Always keep your WordPress installation – core, themes and plugins – updated to the latest version. WordPress updates its core files automatically, but themes and plugins will need to be updated manually. The reason for this is that themes and plugins, by their nature, are mostly written by third parties and they have been known to break other themes and/or plugins. If you update a plugin and notice something is awry with your site, then you can deactivate that theme or plugin and your site should be operational again.

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack and is one of the primary reasons you should always keep WordPress up to date – WordPress.org

4. Child Themes

We just covered the importance of updating all required components of your WordPress site, however there is one step you need to take before updating anything on your installation. That is to install a Child Theme. Whether you use a plugin to create your child theme or a knowledgable developer, the importance of a child theme to your site and your sanity cannot be understated. The child theme protects your core theme and other core files from being overwritten by any required theme updates. If you don’t have a child theme in place and you apply required updates to a theme that has been customised, you will lose your customisations. Many themes now have inbuilt css and code inputs that are automatically protected when that theme’s files are updated, however if your customisations include additional code to functions.php file or other php files in your theme, then these will be lost. Having a child theme in place protects your customisations, pure and simple and is recommended for this reason.

5. Network Security

Make sure your local computer has a solid firewall in place and don’t transmit critical data from unsecured networks such as cafés and libraries.

6. Login Credentials

Always aim for strong passwords, preferably with a mix of alpha, numeric and special characters.  Wordpress will indicate whether the password you’ve chosen for accessing the dashboard is considered strong or weak. Also, don’t use ‘admin’ or other easy-to-guess words for your login username as that’s half of your login credentials. Couple that with a weak password and you’re asking for trouble!

7. Security Plugin

Install a decent security plugin – there are several great ones out there. Look for one that has protection against brute force attacks, login management, firewall, user management, IP management, hack protection and lockdown. Be careful when configuring your security plugin as you can easily lock yourself out of your own dashboard if you’re not sure what you’re doing.
You might be asking yourself – why have a WordPress website if it’s so much trouble? It’s really not if you’re prepared to exercise some care and feeding of your precious website – I mean, you wouldn’t leave your kids or pet for days on end without checking that they have what they need to thrive! For a start, it’s cost-effective, solid and relatively easy to run. It’s scalable and extensible and you are only limited by your imagination. And best of all – you own the platform and content.

However, if you feel that you need assistance in keeping your site running at it’s best, whether due to time or, dare I say, techno-phobic restraints, then check out our WordPress Maintenance services where it’s done-for-you. We even have a Free option to get you started.