how to secure WordPress

why secure WordPress

Hacked or infected sites can cause massive problems for businesses, both in terms of reputation and income.

Security breaches may cause losses of website and user information (including passwords), violations of data protection laws, and dramatically-diminished user trust. Some hacking can even result in your site spreading malware to users’ devices.

In addition, security is a key SEO ranking factor with Google prioritising secure websites in its search results. Google also blacklists more than 10,000 websites everyday because of malware and security concerns.

Whilst it’s impossible to have a perfectly secure website, there are plenty of things you can do to reduce security risks. Follow our advice below to protect your WordPress site against hacking and malware infection. If you need any further support, you can always get in touch with your WordPress agency.

secure WordPress hosting

In a nutshell, web hosting is the provision of storage/infrastructure for websites. Hosting providers have remote computers called servers which hold your website files and allow browsers to access and display them.

All good hosting providers will include security as part of their packages. This protects your website files against hacking and malware while they are being stored on the host’s server.

There are three main types of hosting packages, and the level of security varies with each.

Shared hosting is generally the most popular type of hosting and is ideal for small sites. This is where one large server is used for hosting several different sites. Shared hosting is usually the most affordable hosting option. But it’s the least secure, as hackers may use other sites on the same server to attack your website.

With virtual private server hosting, each website has its own designated storage space within the server, although it still shares the actual server with other websites. It’s a mid-point option between shared and dedicated hosting.

Dedicated server hosting is where your website has a whole server to itself. This is ideal for large sites and is the most secure option.

Whichever option you choose, a WordPress hosting provider with robust security will:

• Clarify which security features are included with your hosting
• Manage and maintain the server security and software
• Provide reliable backups and/or file recovery processes
• Be happy to discuss security concerns and answer questions

It’s worth checking what security measures your hosting provider has in place, and asking how they keep their servers patched and monitor security issues. If you’re uncertain of your hosting provider’s security credentials, consider changing supplier.

WordPress security plugins

Another key way to secure your WordPress website is with a security plugin. There are two great ones that we recommend – Wordfence and Sucuri.

Both plugins are free (with paid premium options). They both include website security hardening, a firewall to block malicious traffic, and a scanner that checks for malware.

Once installed, make sure to start with a full security scan of your website. How long the scan will take depends on the size of your website, your server speed and various other factors. If any suspicious code, malware or other potential security problems are found, make sure to follow the plugin’s instructions to fix the issues and secure your site.

It’s a good idea to keep an eye on the security section of your WordPress dashboard. Your plugin should perform regular scans and provide notifications to highlight any security problems.

updating WordPress

Automated bots are constantly active across the internet searching for software weaknesses. Any ‘holes’, for example in your WordPress core, plugins or themes, can be used to hack your site. In fact, the vast majority of WordPress sites that experience security breaches have outdated software.

That’s why it’s vital to install software updates – to patch any security vulnerabilities as they are discovered.

For small WordPress core releases, updates take place automatically by default. However, major WordPress version updates need to be made manually by going to ‘Updates’ in the back-end of your site, and clicking ‘Update Now’.

When updates are available, these will also be highlighted on your main WordPress dashboard. Always backup your site before installing, as major updates run the risk of breaking your site.

Plugins and themes should also be updated regularly. You’ll receive notification of any updates on your WordPress dashboard, and can again go to ‘Updates’ in the left hand menu to install the new software.

Alternatively, you can install the Automatic Plugin Updates plugin, which enables you to activate automatic updates for your plugins.

enabling HTTPS on WordPress

Hypertext Transfer Protocol Secure (HTTPS) is a secure method of website communication. Having an HTTPS website means that communications between your site and users’ browsers are secure and protected against hacking or other interference.

Having HTTPS is important for SEO with Google prioritising secure sites in its search results. It can also improve user trust as a padlock sign is displayed next to your URL, showing site visitors that you care about security.

Most recent WordPress sites are HTTPS by default, but if yours is still HTTP, then it’s a simple process to upgrade. To transfer your site to HTTPS, you need an SSL (Secure Sockets Layer) certificate, which you can get free from Let’s Encrypt.

You will then need to ask your hosting provider to install the certificate for your site. Finally, add a plugin such as Really Simple SSL to activate HTTPS.

user login security

Another vital way to protect your WordPress site is with secure user logins.

WordPress allows you to add different user types to your site, depending on how much editorial control you want each to have.

Administrators have the most capabilities to make site changes – including being able to add plugins, update code and change content. For this reason, if an Administrator profile is hacked, it’s of greatest security concern. To maximise security, the Administrator role should be for the website-owner and only one or two other essential users.

It’s also absolutely essential to use strong passwords. This applies across all users, but especially for Administrators. Strong passwords should:

• Include a random combination of letters, numbers and special characters
• Not include names or dictionary words
• Not be too short – aim for at least 12 characters
• Ideally be totally different for different logins

You can keep on top of your user login security by regularly changing passwords and updating user profiles/permissions in the ‘Users’ section of your WordPress dashboard.

backing-up on WordPress

Finally, and possibly most importantly, it’s vital to back up your WordPress site regularly.

By backing-up, you’re creating an identical copy of your site’s files and database. This can then be used to reinstate your website if you ever encounter a security problem.

The more regularly you backup, the less data you’ll lose if you need to revert to a backup version. For maximum security, make daily or weekly backups and keep multiple copies of each in different locations (such as on your computer, server, and hard drive).

This will ensure you can always get a recent version of your site online again quickly.

Exactly how to backup your site depends on your hosting type – so speak to your hosting provider first. They may include regular backups as part of their service.

Alternatively, you can ask your WordPress support agency to provide backups, or install a backup plugin, such as UpdraftPlus.

For more expert tips, read our ultimate WordPress optimisation guide, in which we explain everything you need to know about how to improve and maintain your WordPress website.

Or, for on-demand WordPress support from an agency with more than two decades of experience, please get in touch.