5 Security Tips for WordPress Beginners
Why Worry About Security?
Security is an important consideration when setting up a website. You’ve probably heard about a high-profile security breach or attack in the recent past, but it’s easy to fall into the trap of thinking that cybercrime only happens to big companies with big assets.
But any site can become a victim of cybercrime and it’s important to take steps to reduce your site’s vulnerability. We’ve compiled five security tips for all you beginners out there who want to create a site and keep it secure, too.
#1 Keep Site Up-to-Date
Keeping your site up-to-date ensures that it has the most current security patches. WordPress releases often contain fixes for vulnerabilities that attackers are already exploiting, and once a fix is public, attackers can compare the old and new code to see exactly what was patched and then scan for sites that haven’t applied it. Skipping even one update can leave a known, easily exploited hole open.
“Well, barely anyone is visiting my site yet, so no hacker would try to do anything to it.”
Wrong. Attackers run automated scanners that sweep the whole internet looking for sites running known-vulnerable versions of WordPress, plugins or themes, and they attack whatever turns up. Nobody has to know or care about your site in particular; it’s all automated, which makes it easy for attackers and unfortunate for us.
Hacked sites can result in a number of problems, none of which are pleasant. On the serious end of the scale, personal information stored by the site (customer accounts, order details) can be stolen and used for identity theft. Other common outcomes are defacement, hidden spam links or redirects injected into your pages, malware served to your visitors (which also gets your site blacklisted by search engines and browsers), and your server being recruited into a botnet to attack other sites. If your site is found and out of date, you could be in for trouble.
The same goes for plugins and themes. Always update them, and consider removing plugins that haven’t had a release in a long time; the plugin’s page in the directory shows when it was last updated. Most plugins are written by third-party developers, not by the WordPress project itself, and developers sometimes abandon their work. An unmaintained plugin never receives fixes for vulnerabilities found after its last release, so it stays exploitable for as long as it is installed. Deactivated plugins still sit on the server, and a file that can be requested directly can still be exploited, so delete what you don’t use rather than just switching it off.
So keep your site up-to-date. WordPress itself installs minor and security releases automatically by default (don’t turn that off), and you can enable automatic updates for each plugin and theme from the Plugins and Themes screens. If you know you’re prone to forget such things, pick a web host that applies WordPress updates for you as soon as they come out (if you don’t have a web host yet, check us out). That way, your site is always kept up-to-date and you don’t have to worry about it.
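If you have shell access to your host, you can also check for and apply updates from the command line. The script below is an added example for this post, not code from the post or from WordPress; it is built on WP-CLI (the command-line tool for WordPress), which it assumes is installed as `wp`. Run `check` from cron to be told when something is behind, and `apply` to update everything, ideally right after taking a backup. The script name, the `WP_PATH` variable and the subcommand names are this example’s own choices.

```shell
#!/bin/sh
# wp-updates.sh: report (and optionally apply) WordPress core, plugin and
# theme updates with WP-CLI. Added example for this post, not code from the
# post or from WordPress. Assumes WP-CLI is installed as `wp` and that the
# script is run from the WordPress directory (or with WP_PATH pointing at it).

WP_PATH="${WP_PATH:-.}"

# Thin wrapper so every call points at the same installation.
wp_cmd() {
    wp --path="$WP_PATH" "$@"
}

# Read `wp plugin list --fields=name,update --format=csv` (or the theme
# equivalent) from stdin and print the names that have an update available.
# The CSV header line is skipped; the "update" column is "available" or "none".
names_with_updates() {
    awk -F, 'NR > 1 && $2 == "available" { print $1 }'
}

# Report what is out of date. Returns 1 if anything is, so a cron job can
# mail the output only when there is something to do.
report_updates() {
    out_of_date=0
    # `wp core check-update --format=csv` prints a CSV table (header
    # "version,update_type,package_url") only when a newer version exists.
    if wp_cmd core check-update --format=csv | grep -q '^version,'; then
        echo "core: update available"
        out_of_date=1
    fi
    for kind in plugin theme; do
        names=$(wp_cmd "$kind" list --fields=name,update --format=csv | names_with_updates)
        if [ -n "$names" ]; then
            echo "$kind updates available:"
            echo "$names" | sed 's/^/  /'
            out_of_date=1
        fi
    done
    return "$out_of_date"
}

# Apply everything. Take a backup first: a plugin update can break a site.
apply_updates() {
    wp_cmd core update
    wp_cmd core update-db
    wp_cmd plugin update --all
    wp_cmd theme update --all
}

# Run only when a subcommand is given; with no argument the file just
# defines the functions above (handy for sourcing it from other scripts).
case "${1:-}" in
    check) report_updates ;;
    apply) apply_updates ;;
    "")    ;;
    *)     echo "usage: $0 check|apply" >&2 ;;
esac
```

A cron line such as `0 6 * * * /path/to/wp-updates.sh check` will mail you the report whenever something is behind, since cron sends output only when there is some and the script is silent when everything is current.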
#2 Only Download Plugins from Trusted Sources
There are over 50,000 plugins in the WordPress Plugin Directory, and still more floating around on the web outside it. Some of those are legitimate, but there are also shady plugins you should stay away from. A shady plugin may work perfectly and still carry one or two inconspicuous lines of code that give an attacker a way into your site, for example a hidden login or a snippet that runs whatever code is sent to it.
These plugins may have started out as legitimate: a copy gets modified somewhere along the way (pirated “nulled” copies of paid plugins are a classic carrier), the backdoor is added, and the trap is set for unsuspecting site owners.
So, in order to keep your site safe, only install plugins from sources you really, truly trust: the official directory, or the developer’s own site for paid plugins. Never take a premium plugin from a download site that offers it for free.
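Two checks you can run against the plugins already on your site, as an added example that is not code from the post, from WP-CLI or from WordPress. The first asks WP-CLI (assumed installed as `wp`) to compare every plugin that came from the directory against the checksums WordPress.org publishes for that exact version, which catches files edited after download; the CSV columns it parses (`plugin_name,file,message`) are those documented for `wp plugin verify-checksums`. The second greps plugin code for the obfuscation idioms injected backdoors usually rely on, which is the fallback for plugins that are not in the directory and so have no published checksums. The script name, the subcommands and the pattern list are this example’s own choices.

```shell
#!/bin/sh
# plugin-audit.sh: two checks on installed plugin code. Added example for this
# post, not code from the post, WP-CLI or WordPress. Assumes WP-CLI is
# installed as `wp` for the first check; the second needs only grep.

# Parse the CSV that `wp plugin verify-checksums --format=csv` writes to
# stdout (columns plugin_name,file,message, as documented by WP-CLI) and print
# one line per file that was modified, added or is missing. A "Success: ..."
# line has no commas and is skipped by the NF test.
tampered_files() {
    awk -F, 'NR > 1 && NF >= 3 { print $1 ": " $2 " (" $3 ")" }'
}

# Compare every directory-hosted plugin against WordPress.org's checksums for
# its installed version. Plugins that are not in the directory produce a
# warning on stderr, which is left visible on purpose.
verify_directory_plugins() {
    wp plugin verify-checksums --all --format=csv | tampered_files
}

# Grep PHP files under a directory for two idioms that injected backdoors
# use far more often than honest code: a base64/gzip/rot13 blob handed to
# eval(), and request parameters passed straight to eval() or a shell
# function. Output is grep's "file:line:text". A hit is a lead to read by
# hand, not proof of compromise: some legitimate code also uses base64.
suspicious_php() {
    dir="$1"
    grep -rnE \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        -e '(eval|system|passthru|shell_exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        --include='*.php' "$dir"
}

# Run only when a subcommand is given; with no argument the file just
# defines the functions above.
case "${1:-}" in
    checksums) verify_directory_plugins ;;
    scan)      suspicious_php "${2:-wp-content/plugins}" ;;
    "")        ;;
    *)         echo "usage: $0 checksums | scan [plugin-dir]" >&2 ;;
esac
```

Run `checksums` right after installing or updating anything, when you know what the files should look like, and `scan` over the whole plugins directory from time to time. Like grep, `scan` exits 0 when it found something and 1 when it found nothing, so a cron job can alert on success rather than failure.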
#3 Choose a Managed Web Host
Choosing a managed web host can help keep your site secure. The host should offer currently supported versions of PHP and MySQL (or MariaDB), as well as some sort of security tool or plugin to go with your WordPress installation. A managed host takes responsibility for keeping the server and its software up-to-date, so that part isn’t left to you.
Outdated versions of PHP and MySQL are vulnerable in the same way outdated WordPress installations, plugins and themes are: once a version reaches end of life it stops receiving security fixes, and any holes found after that stay open. So, in order to keep your site secure, make sure your host offers these things.
It’s also handy if the host supplies some sort of security feature from the get-go. For example, all our WordPress site installations on our WP Optimized hosting accounts come installed with Wordfence, a WordPress security plugin. Once configured, it puts a web application firewall in front of the site, scans your files for malware and known-vulnerable plugins, limits login attempts, and more!
If you can, make sure the host’s support is knowledgeable about WordPress. In the unfortunate case that a hack does happen, you may need their help to resolve the issue. Make sure you get a support team that knows what they’re doing.
#4 Use a Tough Password
This may seem like a no-brainer, but it’s important enough to mention. Simple passwords can seem harmless. How likely is a hacker to guess the name of your cat or the make of your first car?
Actually, it’s very likely, because nobody sits there guessing. Attackers run tools that try enormous lists of names, dictionary words, passwords leaked from other sites’ breaches, and common variations of all of them: offline against a stolen password hash at millions of guesses per second, or online against your login form with automated requests. The tool doesn’t have to know your cat’s name. It will just keep plugging in combinations until it happens upon Bluebell and your site unlocks. (Limiting login attempts, which most security plugins can do, slows down the online version of this attack but does nothing against the offline one.)
So, the best defense is a password that doesn’t appear in any word list and can’t be built by mangling something that does. Don’t be overwhelmed: you don’t have to memorize 24 random characters. You can use a phrase or sentence, as long as it isn’t a common one (song lyrics, quotations and famous lines are in the cracking dictionaries too). Aim for something uncommon that you’ll still remember.
And keep in mind, the longer the password, the more guesses it takes, so length matters more than anything else. Sprinkle in some numbers and special characters, too; one way is to work a number into the sentence and use real punctuation.
A caution about a trick you’ll often see recommended: swapping letters for look-alike digits and symbols, such as 3 for E or $ for S, adds almost nothing, because cracking tools apply exactly those substitutions automatically. Take this password:
WordPr3$$Ha$B33nMyPa$$ionFor7Y3ar$!
It is strong because it is long and personal, not because of the $ and 3 characters. Several unrelated words run together, with a number or two, are just as strong and much easier to type.
If that seems overwhelming, let a password manager generate and remember a long random password for you. Then the only thing you have to memorize is the manager’s own master password, and you can use a different password for every site, so a breach somewhere else doesn’t hand attackers your WordPress login.
To change your password for the WordPress admin interface:
- Log in to your WordPress admin interface
- In the left sidebar, click Users
- Click the name of the user you use to log in (if you never chose one, it may still be a default such as “admin”, which is the first username attackers try; it’s worth creating an administrator account with an unguessable name instead)
- On the next page, scroll down to the Account Management section and, next to New Password, click Generate Password (labelled Set New Password in current versions of WordPress).
This will create a new, random password. You can use the random password if you want, but you can also enter your own password in place of the random password. WordPress also gives you a handy strength meter that tells you how strong your password is. Once you have changed the password to your liking, click Update Profile. You will now have to use the new password to log in to the WordPress admin interface. If you are changing the password because you suspect someone else has it, also click Log Out Everywhere Else in the Sessions section of the same page, so that any session the intruder already has is ended.
#5 Backups, Backups, Backups
Our last tip for you is to take backups regularly. In the unfortunate event that you do get hacked, you can use backups to revert to a version of the site that hasn’t been tampered with. You may be able to wipe out all that bad code by rolling back to a version before the hacker got in. Rolling back removes the malicious code but not the hole it came in through, so update the vulnerable plugin or WordPress version and change every password before putting the restored site back online, or you’ll be hacked the same way again.
If your web host is awesome, they’ll have an automatic backup feature you can use (we have features like this if you’re still in the market). That way, you can set it up and then forget about it until you need to roll back to a previous version.
If your web host does not have automatic backups built-in, make sure you have some way of taking them. Take backups on a consistent basis, whether you take them manually or use a plugin, and keep at least one copy somewhere other than the web server itself: an attacker who gets control of the server can delete or corrupt anything stored on it. If something happens and you need to roll back your site, you don’t want the last backup you took to be badly out-of-date compared with your current build. If that does happen, you’ll have to put in a lot of extra work to get your site back to where it was before. Every so often, check that backups are really being created and try restoring one to a test site; a backup you’ve never restored is a hope, not a plan.
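A minimal backup script, added here as an example and not code from the post or from WordPress. It reads the database credentials from wp-config.php so there is no second copy of the password, dumps the database, archives wp-content together with the config file, prunes old archives, and has a separate `check` mode that fails when no recent backup exists, so a silently broken backup job gets noticed. It assumes `mysqldump` and `tar` are installed, that DB_HOST in wp-config.php is a plain hostname, and that `BACKUP_DIR` is somewhere the web server cannot delete (a mounted remote volume, or a directory that is synced to a bucket afterwards); the variable names and script layout are this example’s own.

```shell
#!/bin/sh
# wp-backup.sh: database dump + files archive, with retention and a
# freshness check. Added example for this post, not code from the post or
# from WordPress. Assumes mysqldump and tar are installed, WP_ROOT is the
# WordPress directory and BACKUP_DIR is off the web server (an attacker who
# owns the server can delete backups kept on it).

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Pull a define('NAME', 'value') constant out of wp-config.php so the script
# uses exactly the credentials WordPress uses. Handles both quote styles;
# a value containing a quote character is deliberately not handled.
wp_config_value() {
    config="$1"; key="$2"
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Name archives by UTC timestamp so they sort chronologically.
backup_name() {
    date -u +"wp-%Y%m%dT%H%M%SZ"
}

run_backup() {
    mkdir -p "$BACKUP_DIR"
    name=$(backup_name)
    cfg="$WP_ROOT/wp-config.php"
    # Pass the password through the environment rather than on the command
    # line, where `ps` would show it to every user on the host.
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
        --host="$(wp_config_value "$cfg" DB_HOST)" \
        --user="$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$BACKUP_DIR/$name.sql.gz"
    # wp-content holds uploads, themes and plugins; wp-config.php holds the
    # keys and salts. Core files can be re-downloaded, so they are skipped.
    tar -czf "$BACKUP_DIR/$name.tar.gz" -C "$WP_ROOT" wp-content wp-config.php
    # Drop archives older than KEEP_DAYS so the disk does not fill silently.
    find "$BACKUP_DIR" -name 'wp-*.gz' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# True (exit 0) if some archive in the directory is newer than max_days days.
# Run this from a separate cron job or monitoring check, not from the backup
# job itself, so a backup job that stopped running is still reported.
backup_is_fresh() {
    dir="$1"; max_days="$2"
    [ -n "$(find "$dir" -name 'wp-*.gz' -mtime -"$max_days" 2>/dev/null | head -n 1)" ]
}

# Run only when a subcommand is given; with no argument the file just
# defines the functions above.
case "${1:-}" in
    backup) run_backup ;;
    check)  backup_is_fresh "$BACKUP_DIR" "${2:-2}" \
                || { echo "no backup newer than ${2:-2} days in $BACKUP_DIR" >&2; exit 1; } ;;
    "")     ;;
    *)      echo "usage: $0 backup | check [max-days]" >&2 ;;
esac
```

Schedule `backup` nightly and `check` on a different schedule (for example every morning, with an alert on failure). Restoring is the reverse: `gunzip -c wp-<stamp>.sql.gz | mysql ...` for the database and `tar -xzf wp-<stamp>.tar.gz -C "$WP_ROOT"` for the files, and that restore is what you should rehearse on a test copy.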
Keep WordPress Safe
Now you’re ready to go forth and make a secure WordPress site. Remember to keep your WordPress installation, plugins and themes up-to-date and only use plugins from sources you trust. We also recommend a managed web host that offers a WordPress optimized package, so that you have access to the features that help keep your site at its most secure. As always, use a strong, unique password. If your password is weak or reused from another site, no amount of other preparation can protect your site. And lastly, keep backups of your site, stored somewhere other than the server itself. Not only are they helpful in a pinch, they can save you a lot of time and effort if a hacker does break in.
The first step into WordPress is exciting, but make sure you have the tools you need to keep your site safe.