The Importance Of WordPress Security
WordPress is a fantastic tool. In fact, it powers a gigantic percentage of the sites on the internet today. However, becoming a giant isn’t without setbacks.
Because WordPress is so popular, it also means that it’s a popular choice for digital attacks. That’s why it’s imperative to practice good security when setting up your WordPress site. Otherwise, you could risk your site’s wellbeing.
Tips From Pair’s Security Experts
What security measures should a WordPress site owner be practicing? We asked our Security team for their recommendations. We’ll go over their recommendations in more detail below, but here’s a sneak peek:
- Use the Pair Malware Scanning Tool
- Use Strong Passwords
- Keep WordPress Up-to-Date
- Remove Unwanted Plugins and Themes
- Install a Security Plugin
- Change Your WordPress Username
- Move Your WordPress Login Page
- Create Backups
Would you rather watch a video about this information? Check out our webinar.
Use the Pair Malware Scanning Tool
The Pair Malware scanning tool scans your hosting account for any suspicious files. This extra layer of security helps protect your website from the inside. Instead of hidden malware slowly infecting your site, the malware scanning tool helps shine a light directly on it so you can root it out ASAP.
Want the extra protection of the Malware Scanning tool without the extra work of removing the malware? You can opt for one of our paid malware packages. They scan all your files daily and, if malware is discovered, take care of the malware cleanup for you. It doesn’t get any simpler than that.
Use Strong Passwords
Strong password use is the first step to securing your digital assets. With password-cracking software evolving, a “John1990” password is no longer sufficient.
So how do you create strong passwords (but also not forget them)? Our security expert has some tips.
- Make your password eight characters or longer
- Use a combination of upper and lower case, numbers, and symbols
- Stay away from special dates (like your birthday or anniversary)
- Stay away from personal information (like your kid’s or pet’s name)
- Stop password recycling. Use unique passwords for everything.
In a perfect world, this would be simple. But how are you supposed to remember all your unique passwords? Well, this is where a password manager comes in. Password managers, like Keeper, 1Password, and LastPass, are a fantastic way to keep your passwords safely stored. Plus, many password managers come with additional security features, as well.
You may also be wondering why we discourage special dates and personal information. This is mainly to protect you from targeted hacking efforts. Some hackers will research targets before attempting to hack into their site. If they can find your birthday or your kids’ names, they’ll incorporate them into their attack. The best defense is to keep personal information out of your passwords.
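The tips above can be turned into a check you run locally before settling on a password. This is an added example, not part of the original article; the function name, the date formats it looks for and the sample names, dates and passwords are all constructed assumptions.

```python
import re
from datetime import date

# Character classes from the "upper and lower case, numbers, and symbols" tip.
CLASSES = {
    "upper-case letter": r"[A-Z]",
    "lower-case letter": r"[a-z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}
# Common ways a date ends up inside a password (year, day/month, full date).
DATE_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y", "%Y%m%d")


def check_password(candidate, personal_terms=(), special_dates=(), in_use=()):
    """Return the list of tips the candidate breaks; empty means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    for label, pattern in CLASSES.items():
        if not re.search(pattern, candidate):
            problems.append(f"no {label}")
    # Drop separators so "05/12" and "05-12" are caught as well as "0512".
    squeezed = re.sub(r"[\s/._-]", "", candidate.lower())
    for day in special_dates:
        if any(day.strftime(fmt) in squeezed for fmt in DATE_FORMATS):
            problems.append(f"contains special date {day.isoformat()}")
    for term in personal_terms:
        # Very short terms would match by accident, so require three letters.
        if len(term) >= 3 and term.lower() in squeezed:
            problems.append(f"contains personal term {term!r}")
    if candidate in in_use:
        problems.append("already used for another account")
    return problems


# Constructed sample data: the owner's name, a pet name and a birthday.
TERMS = ["John", "Rex"]
DATES = [date(1990, 5, 12)]
IN_USE = {"Tr0ub4dor&3x"}

if __name__ == "__main__":
    for pw in ("John1990", "rex-05/12!A", "Tr0ub4dor&3x", "v7#Rk!pQ2zLm"):
        print(pw, "->", check_password(pw, TERMS, DATES, IN_USE) or "ok")
```

Run it on your own machine only, and never paste real passwords into an online checker.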
Keep WordPress Up-to-Date
WordPress updates are more than just new features (and compatibility issues). Many updates install security patches that protect you from the latest WordPress threats. The same goes for plugin and theme updates.
Letting your WordPress site fall behind on updates is akin to leaving the backdoor to your site open. While it’s true that no one might enter while the door is open, it’s safer to just close the door altogether.
Checking for Updates
How do you tell if you have updates? WordPress will signal that you have updates by displaying an arrow circle at the top of the WordPress admin homepage.
If you see this icon, click on it to transport you straight to the update page. From there, you can update your WordPress site, themes, and plugins.
If you’re afraid this will break your site, you may want to set up a testing site first. Our Managed WordPress hosting comes with a staging site feature that makes this easy. Check out how to set one up here: Setting Up a Staging Site.
In WordPress 5.5, auto-updates were introduced. This handy feature is built directly into WordPress, so you don’t need to set up any fancy configuration or plugin.
If you don’t want to consistently revisit your WordPress admin interface to check for updates, setting up auto-updates might be the tool for you. However, keep in mind that updates may tweak how your site looks as plugin structures change. But, if you’re okay with a bit of variation, auto-updates are incredibly helpful.
You can turn on auto-updates for each plugin and theme, meaning you can pick and choose which items should automatically update and which ones shouldn’t.
To enable auto-updates on plugins, go to the Plugins page and click the Enable Auto-Updates button next to the plugin.
For the themes, go to your Themes page (Appearance > Themes), then hover over your theme and click Theme Details. On the Theme Details page, click the Enable Auto Updates button.
Remove Unwanted Plugins And Themes
How many plugins and themes on your WordPress site are you actually using? Many people install plugins and themes to see how they function, but never remove them. They may be deactivated, but that won’t keep a hacker from using them to break into your site.
If you want to keep your site secure, remove any unwanted plugins or themes from your WordPress site. Not only do the extra plugins/themes bog down your site, but they also add more potential sources for security breaches.
Plus, if you’re not paying attention to the deactivated plugins, you may not notice if a developer stops maintaining them. Plugins and themes that are no longer maintained can end up being taken over by malware and inject your site with malicious code.
Use A Security Plugin
Give your WordPress security an edge with a security plugin. “A security plugin for today’s standards with WordPress I think is pretty much a must,” says Jaime, Pair’s Security and Abuse Lead. “With our WordPress hosted websites, we include WordFence with the accounts already pre-installed.
“But there are other plugins out there. Sucuri offers a security plugin. Jetpack has a security plugin built-in… iThemes Security is another big one people use a lot. They all pretty much do the same thing.
“One of the reasons,” she continues, “I particularly like Wordfence is because they have a built-in firewall that doesn’t require any special configurations with your web server… It just works. WordFence also has an option that it will automatically email you when there’s any updates for your plugins or themes available. It’ll also notify you of any suspicious activity on your account. It monitors all of the core WordPress files. So if any of the core WordPress files were to be modified, WordFence will automatically notify you and then give you the option to restore the core file back to its original state.”
Like the sound of WordFence? The best part is that all of these features Jaime mentions are available on the WordFence free version, which comes pre-installed on every Pair Networks WordPress installation.
And you don’t have to worry if you don’t fully understand what the security plugin is telling you. Pair is here to help!
“If you’re using a security plugin,” Jaime says, “and you get a notification and you’re not sure what to do with it, send it on over to firstname.lastname@example.org. We’re always available. We’ll answer any questions that you have in regards to that. And we can just look to make sure that nothing is going with the site. We do the intrusion detection at no cost if you do happen to be exploited, so always reach out to us first.”
Change Your WordPress Username
WordPress makes things easy by giving us a default “admin” or “wp_admin” username to log in for the first time. However, this default is often the same across accounts, making it the first thing hackers try.
So make your login harder to hack by changing your WordPress username. For help with changing your username, check out this article.
Move Your Login Page URL
Just as the default WordPress username is well known, so are the default login URLs: website.com/wp-admin.php and website.com/wp-login.php.
And just like the usernames, you can change your login page URL so that it’s harder for hackers to break into your account. They can’t crack your login credentials if they can’t find the login page, right?
Changing your login page URL is easy with plugins like WPS Hide Login.
Create Backups
In the event of a breach, backups can save the day. You can use them to roll back your site to before the issue, plus they’re handy to have around if something goes wrong while you’re doing site testing. For all the reasons why backups are a good thing (and ways to take backups), see our blog: Why You Should Take Regular Website Backups.
For security, however, Jaime recommends keeping a remote backup of your website somewhere in case of the worst-case scenario. “When you create a backup, you always want to store it remotely – somewhere else other than your Pair Networks web server,” Jaime says. She says she personally stores hers on USB drives. “Then you have a backup that’s going to be free and clear if you get a virus on your personal computer or your website gets exploited, then you have a clean backup somewhere that’s not going to be accessible. But if you keep the backup on your Pair Networks hosting account and you get exploited, chances are your backups are going to get exploited as well.”
We’re Here To Help
Have questions about these tips or need help implementing them on your own WordPress installation? Contact our 24/7 support team. They’re available any day of the week, every day of the year to help customers like you get the most out of your web hosting.