Many small businesses are setting up their websites, often to support an e-commerce platform. Many home users set up personal websites while they remained at home during lockdown. It is widely accepted that malware and direct attacks on both business and personal websites have increased greatly recently. Solid website security is no longer optional.
For speed, and because they are unfamiliar with the technical requirements, companies and individuals sometimes use a website generator like WordPress on a hosted platform to help them create a website. Often, certainly initially, they use the default WordPress security settings. These need to be changed to increase WordPress website security.
Why Is Security Important?
Websites, particularly financial and e-commerce websites, hold information about individuals and their financial data. Hackers want to steal it so they can sell it on or use it themselves. Ransomware is also a threat to online businesses: if they are offline for long enough, the business will fail.
Most people don’t realize the widespread nature of fake and compromised websites. Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
You need to pay attention to your WordPress security, whether you are a business or a home user.
Here are some suggestions to consider.
How to Make a WordPress Site Secure
Keep Up to Date
Regular software updates are issued by WordPress, and not just as bug fixes. In addition to performance improvements, they include security updates to guard against the latest known threats.
Keeping up to date is one of the best ways of ensuring that you have the best WordPress security.
Secure the WordPress website
Beyond WordPress itself, there is a key step to make your WordPress website secure: SSL certification and an https prefix.
SSL Certification and the https padlock
Recent versions of the major browsers, including Edge, Chrome and Firefox, have adopted a policy of warning users if they try to visit what they consider an insecure site. In some cases, users can choose to override the warning and carry on to the site, but in others that option is blocked.
The solution is to ensure that your site has up-to-date SSL certification. It ensures that traffic between users and your website is encrypted, so that, even if it is intercepted, it is unusable. It also triggers the https prefix to the website and the padlock on the browser bar.
Having secured the WordPress website, there are steps within WordPress itself that must be taken.
Securing your WordPress “Admin” credentials
Back in the day, WordPress websites came with the default admin credentials of admin/admin. Not very secure. That has now changed, and you must select the credentials when you install WordPress. However, some third-party one-click installation packages still default to admin. WordPress doesn’t allow you to change the admin username. In that case the options are to:
- Create a new admin user and delete the old “admin” user
- Install and use the Username Changer plugin
- Use phpMyAdmin to make the change
Install WordPress Backup and Security Plugins
With the best will in the world, you will be attacked or hacked at some point. It is essential, first, to have complete backups of your WordPress website available and, second, to install tracking and monitoring facilities so that you can see what is going on with your WordPress website and have early warning of any suspicious activity.
WordPress Backup Plugins
There are several plugins available from the WordPress site, free and chargeable. Make sure you install one that allows you to make offsite backups, perhaps to cloud storage like Dropbox. One that automates regular backups is probably best.
WordPress Security Plugins
Once again, there are several plugins that enhance the standard WordPress security environment. Many commentators state that the free Sucuri plugin is the best since it fully integrates with the WordPress admin environment.
If you are unhappy about using a third-party plugin, study the “Hardening” options available in the Settings menu, and perhaps choose to pay for the Web Application Firewall.
Disable File Editing
An attractive feature of WordPress is the ability to tweak theme and plugin files directly from the admin area. Obviously, in the wrong hands, this is a major security risk. Turn it off.
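One way to confirm the editor is really off is to check wp-config.php for the DISALLOW_FILE_EDIT constant. The script below is an added example, not HostSailor's or WordPress's own code; it also checks FORCE_SSL_ADMIN (a WordPress constant not mentioned in this article) to tie in with the https section, and both sample files are constructed.

```python
import re

# Hardening constants checked here: DISALLOW_FILE_EDIT turns off the theme and
# plugin editor in the admin area; FORCE_SSL_ADMIN forces logins and the admin
# area over https. Both are set with define() in wp-config.php.
WANTED = {"DISALLOW_FILE_EDIT": True, "FORCE_SSL_ADMIN": True}

DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(true|false|1|0)\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)

def parse_bool_defines(php_source):
    """Return {constant: bool} for boolean define() calls that are live code."""
    # Drop /* ... */ blocks; lines starting with // or # fail the ^\s*define anchor.
    source = re.sub(r"/\*.*?\*/", "", php_source, flags=re.DOTALL)
    found = {}
    for name, value in DEFINE_RE.findall(source):
        # PHP keeps the first define() of a constant; later ones are ignored.
        found.setdefault(name, value.lower() in ("true", "1"))
    return found

def audit(php_source):
    """Return a list of findings; an empty list means both settings are on."""
    defines = parse_bool_defines(php_source)
    findings = []
    for name, wanted in WANTED.items():
        if name not in defines:
            findings.append(f"{name} is not defined (WordPress default applies)")
        elif defines[name] != wanted:
            findings.append(f"{name} is set to {str(defines[name]).lower()}")
    return findings

# Constructed sample: the editor lock is commented out, SSL admin is off.
SAMPLE_WEAK = """<?php
define( 'DB_NAME', 'wp' );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', false );
"""

SAMPLE_HARDENED = """<?php
define( 'DB_NAME', 'wp' );
define( 'DISALLOW_FILE_EDIT', true );
define( "FORCE_SSL_ADMIN", true );
"""

if __name__ == "__main__":
    for label, src in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(src) or "ok")
```

To audit a real site, pass the contents of its wp-config.php to audit(); a commented-out define is reported as not defined, which is the case that is easiest to miss by eye.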
These are a few simple suggestions to improve WordPress security. There are more advanced options, particularly with specialized plugins and further options in the Hardening section of the Settings menu.
HostSailor has been a provider of WordPress hosting services for some time, and we are well-versed in setting up WordPress websites with the best security possible. If you have any queries or concerns, or just want an informal chat, please don’t hesitate to contact us.