Security is a hot topic in everything we do these days and security for your new website is no different. There are lots of tools available to help you stop attacks but implementing these 5 simple WordPress security steps is a great place to start.
Have A Strong Password And User ID
Password theft accounts for 20% of hacked websites, second only to plugin code vulnerabilities. Depending on your hosting provider, a new WordPress installation may have a default user ID of ‘Admin’. Hackers know this well and will try to guess your password using the admin user ID if it hasn’t been changed.
If this is the case for you, I highly recommend setting yourself up as a new user. You can find the option on the ‘Users’ tab in your WordPress Dashboard. Make sure you give your new ID ‘Administrator’ status on the drop-down list of privileges. WordPress will suggest a strong password, which you can use, or you can type your own. If you use your own, make it as strong as possible by adding capital letters, numbers and special characters.
Once your new ID is set up, you can delete the default ‘Admin’ user from the system. If you have created any content while signed in as ‘Admin’, you can assign that to your new user ID as well so your work isn’t lost.
A dedicated security plugin will let you set extra steps, such as limiting login attempts, logging attempts to log in to your website, and adding a whitelist and blacklist of IP addresses that are allowed or blocked from accessing your website. We will go into these in more detail another day; this post is just about quick, easy steps you can take to make it harder for hackers to get into your website.
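To show what limiting login attempts with an allowlist and blocklist involves, here is an added example (not code from this post or from any plugin) that counts failed logins per IP address over constructed access-log lines. The threshold, window and addresses are assumptions, as is treating a 200 response to a POST on wp-login.php as a failed login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_FAILURES = 3                 # hypothetical threshold
WINDOW = timedelta(minutes=5)    # hypothetical sliding window
ALLOWLIST = {"198.51.100.10"}    # constructed: the site owner's own address

# Constructed sample log (documentation IP ranges), not taken from a real site.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.10 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.10 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.10 - - [12/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [12/Mar/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
192.0.2.44 - - [12/Mar/2024:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
192.0.2.44 - - [12/Mar/2024:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120
"""

def build_blocklist(log_text, allowlist=ALLOWLIST):
    """Return {ip: time the limit was reached} for IPs with too many failed logins."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue              # only login submissions count, not page views
        ip = m["ip"]
        # Assumption: a failed login re-renders the form (200); a success redirects (302).
        if ip in allowlist or ip in blocked or m["status"] != "200":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > WINDOW:
            attempts.popleft()    # forget failures older than the window
        if len(attempts) >= MAX_FAILURES:
            blocked[ip] = when
    return blocked
```

The slow guesser at 192.0.2.44 stays under the limit because its failures fall outside the five-minute window, which is why limiters are usually paired with the logging mentioned above.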
Set Up A Dedicated Login Page
Another issue well known to hackers is the default login page that WordPress gives website administrators to log in to their dashboard. It is your website URL with ‘/wp-admin/’ on the end.
The easiest way to change your default login page is by using a plugin such as WPS Hide Login. Having a non-standard login page also deters a lot of automated programs from trying to access your site through the standard page.
Two-Factor Authentication
Two-factor authentication is popular in the banking industry as it adds an extra layer of security. Facebook and Google have also added two-factor authentication in recent years to improve the security of their websites.
There are a few plugins you can download to add 2FA to your website, such as ‘Two Factor’ and ‘Rublon’. If you are the only user on your website, then ‘MiniOrange’ has a forever free plan for 1 user. Using ‘Two Factor’ as an example, once the plugin is downloaded and activated, you can enable 2FA in your WordPress user profile under ‘Users’ in your Dashboard.
There are a couple of options available to confirm it is you. As well as a text code, you can use Google Authenticator, which uses a QR code for improved security. You will need to download the Google Authenticator app for your smartphone and scan a 2D barcode to link the app and your website. Once set up, you will receive an SMS code to log in to your website after inputting your user ID and password.
Keep Up To Date
One sometimes criminally underestimated way of keeping your website secure is making sure that your plugins, themes, translations and WordPress core code are all kept up to date.
If your website has any updates, you will see a notification in the bar at the top of the admin dashboard.
Updates add new functionality to both WordPress and your plugins, but they also patch security holes once they are found.
Security flaws happen in old code. Old code is sometimes bloated, and new updates have the added benefit of tightening your website code, making it run faster and more efficiently.
If you have a maintenance plan with your developer, such as our affordable option, they will take care of keeping everything up to date for you. If you are doing this yourself, keep an eye on the update notification in the notifications bar at the top near the Dashboard icon. Always make sure you have a backup before updating, because compatibility issues can arise from time to time.
Use Plugins Sparingly
Plugins are great and one of the main reasons that WordPress is as popular today as it’s ever been, powering over a third of websites globally. They add functionality that is sometimes impossible on other types of CMS, but too many plugins may not be advantageous for a couple of reasons.
Every plugin that you download will add code to your WordPress theme. With more code to read, the page will take longer to render for your users.
Plugins can also cause compatibility issues with one another. There are so many plugins available that testing every permutation is impossible. Although rare, you may run into technical issues with plugins refusing to talk to each other, or with the settings needed for one blocking another from working.
Don’t be afraid of loading plugins that you need; some are absolutely recommended and improve your website functionality. Ask yourself, though: do you really need a plugin for something, or can it be done another, perhaps more efficient, way?
Conclusion
These are just some quick tips for new website owners. There is a lot more you can do to protect your website from malicious attacks. You can hide important core files in your WordPress Editor, stopping hackers from editing them if they get into your account. Installing a firewall or security plugin such as ‘Cerber’ or ‘Wordfence’ is highly recommended. Even the small steps we have mentioned today will help protect your website from attacks until more robust measures can be put in place. In the words of a popular supermarket commercial, every little helps!