WordPress Website Security, What You Need To Know
WordPress website security is a bit like health insurance – you never really worry about it until you absolutely, positively need it and it’s just too darn late to get it.
You may think, “Nah, that’s never going to happen to ME.”
Well, better think again!
Every day, hosting servers get fried, hackers break into accounts, websites mysteriously disappear, and whole businesses are completely lost.
Something like 30,000 sites get hacked every day according to Sophos Labs.
Scared yet? You should be.
That is, unless you’ve already got the proper website protection and security in place. If you don’t, then this article could make a huge difference to your online future.
There is no time like right now to get your website completely secure and protected from unwanted attacks, hackers, and other unexpected disasters.
Now I wish I could say that if you implement everything I share in this article you’ll be totally safe from anything ever happening to your website, but that would be a lie.
BUT implementing what I share will definitely decrease the odds of something happening, and it will make recovery quick and painless when something does.
In this article, I’m going to be specifically talking about websites and blogs set up using the WordPress platform.
There are a lot of great tools available for WordPress that make it easier than ever to automate your website backups and protection.
Keep reading for tips on backing up your website, using plugins to protect against spam, scouring your site files for signs of hacking, and actions to take when your sites ARE hacked.
And don’t procrastinate!
I want to urge you very strongly to not only read it right now, but to take immediate action and protect your site TODAY.
If you don’t, you may regret it, and probably sooner rather than later.
So let’s get started!
Why you MUST protect your WordPress website
Are you aware that your website is hosted on a computer?
Yes, the term “server” is just a fancy term for a computer sitting in a data center or office building somewhere.
Most people don’t realize that the internet is not quite as ‘virtual’ as it seems.
It may feel like it’s out there in cyberspace, but your website is actually a bunch of files on a computer sitting somewhere in a completely physical building.
You already know that computers can have technical difficulties, as you’ve probably suffered through multiple episodes of trouble with your own computer.
And so your hosting server, which is also a computer, can run into trouble too. It can get overloaded and go bust, or it can get hacked.
Sometimes it hiccups and needs to be rebooted. Any of these things can take your site down for a short or even a long period of time.
Many people assume that it is the responsibility of their hosting company to keep their website safe.
That is unfortunately usually not the case and I’m sure if you go right now and scour the hosting agreement you signed, you will see that the responsibility of protecting your website and your business rests entirely with you.
I’m going to get into the how of it very shortly, but let’s start by talking about the why.
Why should you protect your website against hackers & other unexpected issues?
The obvious answer is that you don’t want to lose all the hard work you’ve put into building your website and your business.
Trust me, this happens for real.
A few years ago, in a mastermind I belonged to, I witnessed first-hand how being unprepared for problems and having holes in your security set-up can have devastating consequences.
A few women in my network lost weeks of work and whole websites when their hosting server unexpectedly went down for just 24 hours!
There were technical problems that the host couldn’t fix right away.
At first, some were very angry that their host let this kind of thing happen, but then, they slowly came to realize that they really should have had their own security measures in place.
Here are just a few of the ways your WordPress website can become compromised:
- Website hosting issues
- Hackers add code or take down your site
- Malicious employee or contractor messes with your site
- An upgrade creates errors and takes down your site
- The website mysteriously disappears without reason (True story – this happened to a client of mine!)
I would say any one of those possibilities is a good reason for taking action.
Don’t use price as the only factor in choosing your web host. Your key business asset deserves the best. Get in touch if you want to know what I recommend.
Is WordPress Weak & Vulnerable to Attacks?
Some people argue that WordPress isn’t the best platform for security because it is open source, which means that anyone, hackers included, can read the software and look for holes in its security.
I disagree completely with this reasoning.
Yes, WordPress is free and hackers have easy access to the code, but who are we kidding?
Keeping the source secret has never stopped a determined attacker; they reverse-engineer the software or simply buy (or pirate) a copy of ANY website design product they want. The fact that WordPress is a free, open platform actually works in its favor.
The reason can be summed up by the following:
Thousands of people are involved in reviewing and updating the software, creating plugins and making easy-to-use templates. It’s a huge community effort.
This means problems tend to be found and reported quickly, and when they are, the WordPress core team ships a fix as a security release. The catch is that a fix only protects you once you’ve installed it, and being the most popular platform on the web also makes WordPress the most attacked one. In practice, most real-world WordPress break-ins come through outdated plugins and themes and weak or reused passwords, not through WordPress core itself.
Just compare that dedication to software whose updates are much less frequent, and whose community is much, much smaller, and you’ll see the advantage and value of WordPress, provided you keep it updated.
Common Problems That Can Take Down Your WordPress Website
It’s time to dig into the gory details of what can happen to your website. Here are the most common problems that can either take your site down completely or cause problems that you’d rather avoid.
You’ve been hacked!
Getting your website hacked is definitely the most feared of all potential website issues. You don’t want someone inside your site messing around and breaking things. It’s a lot like having someone break into your house, take stuff, break stuff or just completely destroy the place.
A hacker can do any number of things to your website, including the following:
- Add hidden spam links that you can’t see but search engines can (so-called SEO spam).
- Add unwanted links that you can see.
- Inject malware or sneaky redirects that attack your visitors’ browsers.
- Deface your site completely (and even replace it with a nice “You’ve been hacked by XXX” message complete with a skull and crossbones image).
- Delete website files.
- Take control of your site and lock you out, for example by adding their own admin account or changing your password.
Issues with your Hosting Company
As you have learned, every website is hosted on a computer.
And we all know that a computer, as a piece of man-made technology, can sometimes go bad.
Please don’t make the mistake of totally relying on your hosting company to protect your site and expect that they’ll never have any technical issues.
The vulnerable part of your hosting company is the server where they host your website. It could crash, get hacked, or even be required to shut down.
My old hosting company recently had to deal with the latter. They were required by the city to shut off their servers for about eight hours. As you can imagine, that was a huge inconvenience and a potential loss of revenue for many website owners.
But at least, the hosting company knew it was coming, and once they were able to turn their servers back on, things went back to normal.
However, if a company has an unexpected server problem, the damage could get much more unpredictable — and longer-lasting.
You could end up losing valuable data or even your whole website if you don’t have a recent backup.
Data center fires, floods and power failures are rare, but they do happen.
Whatever the cause, as far as you’re concerned it’s once again an unexpected issue that can lead to total disaster if you’re unprepared.
If you’re prepared, however, it may be just an inconvenience. You’re in charge of which it will be, starting right now.
Other potential hosting issues include poor customer service.
Your needs may outgrow their capabilities, or they may not provide the kind of quality you expect.
It’s a good idea to have your backups ready and handy so that you can make a quick switch of hosts, should the need arise.
Someone or Something Messes Up Your WordPress Site
It could be you, or it could be your webmaster, but it’s also quite possible that your website could get inadvertently messed up while you’re adding a plugin, upgrading a theme, or updating to the latest version of WordPress.
If you’re not prepared, you could lose your whole website.
Important Note: You should always back up your site before doing any kind of update. If you’d rather not have to worry about your backups at all, then signing up for my Geek in Your Pocket service is an ideal solution.
Disgruntled or Clumsy Team Member
This may not be an obvious issue, but it can be a real threat.
Whether you work with a virtual assistant, or you have an employee in your office who works on your website, you hopefully know that it’s important to limit their capabilities within WordPress to match their responsibilities (and the level of trust you have in them).
For instance, there is no reason one of your regular contributing authors should have admin rights and be able to change your site’s theme or install new plugins.
Top WordPress Security Plugins To Use On Your Website
A distinct advantage of WordPress is that it has a whole community of very loyal developers who create new plugins (add-ons) all the time.
Even better, WordPress creators, developers, and users (for the most part) are very diligent regarding security. Yes, hackers are fast and smart, but the community as a whole does its very best to stay ahead of the game.
There are several security plugins you can use to stop hackers and other threats to your website. I don’t have the space to cover them all, but the ones I’ve listed will go a long way towards keeping your website safe — provided you install and use them!
My WordPress Plugin Recommendations for keeping your website maintained
WordPress Plugin for Backups
This robust free plugin (with the option to upgrade) will do a full backup of your site. You can schedule it to run daily, weekly or monthly and have the backups emailed to you or sent to storage off your hosting server. This is currently my favorite plugin.
WordPress Plugin to Fight Spam
Cleantalk – This plugin has quickly become my favorite service for managing spammy comments and especially the spam that often comes through your contact form. It’s a quick set up and once you get their license you’re good to go. I recommend signing up for their paid plan, it’s inexpensive and well worth every penny. In fact, it is what I use on my own website and install on my client sites as well.
WordPress Plugins for Login Protection
Brute force attacks on your site try to guess your login information by simply attempting to log in over and over again, usually against wp-login.php and also against xmlrpc.php, which lets a bot try many passwords in a single request. This is done by an automated bot, so it can be very persistent. Of course, your first line of protection is having login information that isn’t easily guessed (an admin account not named “admin” and a long, unique password). After that, you’ll want to use one of these plugins to limit login attempts and temporarily block the IP address doing the guessing. One caveat: a botnet spreads its guesses across many addresses with only a few attempts each, so per-IP blocking slows attackers down but never replaces a strong password.
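To show what “excessive login attempts” actually look like from the server side, here is an added example (my own, not code from the original article or from any of the plugins above) that scans a web server access log for failed logins. It counts POSTs to wp-login.php that come back with status 200 (WordPress re-shows the form on a failed login; a success redirects with 302) and every POST to xmlrpc.php, per client IP, and flags anything over a threshold. The log lines are constructed for the example, using documentation IP ranges, in the common Apache/nginx “combined” format.

```shell
#!/bin/sh
# Added example, not code from the original article: spot a brute-force login
# run in a web server access log.
#   - failed WordPress logins are POSTs to wp-login.php answered with 200
#     (the form comes back); a successful login answers 302
#   - xmlrpc.php is the other login path and one POST there can carry many
#     password guesses, so every POST to it is counted
# The sample log below is constructed for this example.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:02:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:02:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:02:16:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:16:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:16:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:16:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:16:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "python-requests/2.31"
EOF

# Failed login attempts per client IP, printed as "<count> <ip>", busiest first.
# Combined-format fields: $1 ip, $6 "METHOD, $7 path, $9 status.
login_attempts() {   # $1 = access log file
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 != "302" { n[$1]++ }
         $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                  { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs at or above the threshold, one per line, ready for a blocklist.
flag_bruteforce() {   # $1 = access log file, $2 = attempts threshold
    login_attempts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Total failed attempts across all IPs: a botnet spreads its guesses over many
# addresses, so the total can be alarming while no single IP trips the flag.
total_attempts() {   # $1 = access log file
    login_attempts "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Report on the sample when run directly: sh wp-login-flood.sh
printf 'Failed attempts per IP:\n'
login_attempts "$SAMPLE_LOG"
printf '\nFlagged at 5 or more:\n'
flag_bruteforce "$SAMPLE_LOG" 5
printf '\nTotal failed attempts: %s\n' "$(total_attempts "$SAMPLE_LOG")"
```

Point it at your real access log (on cPanel hosts it is usually under the account’s logs folder) and the flagged list is exactly what a login-protection plugin blocks for you automatically. The 198.51.100.7 visitor in the sample is you logging in normally: one GET for the form, one POST answered with a redirect, and nothing flagged.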
WordPress Plugins for Other Security Issues
- CleanTalk Security – If you are using CleanTalk Spam Protection, it also makes sense to use their Security plugin. If I need to install a security plugin this is the one I turn to first.
- Shield Security – This plugin provides a great walk-through for all the things to protect your site, gives you reports, and much more. Even better you can upgrade for only $12 US per year! (at the time of writing)
- iThemes Security – iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials.
A Word About WordFence
Wordfence is similar to iThemes and helps to lock down your website, making it hard for attackers to get in. It will also alert you when it sees a DDoS-style flood of requests or excessive login attempts from folks trying to get into your site. This is a very popular plugin AND the content on their website is top notch. My only warning is that I find it conflicts with other plugins a fair amount AND it can slow your site’s performance.
WordPress Plugin Tips
When you’re thinking of adding a new plugin to your website, these tips can help in protecting your website.
Stick With WordPress.org
When searching for and downloading plugins you are safest if you stick with WordPress.org. If you get plugins from any other source, be sure it is a trusted one (ideally the developer’s own site). Never install “nulled” (pirated) copies of premium plugins or themes: they are a classic way to get a backdoor installed on your own site. A plugin runs with the same access as WordPress itself, so a bad one can create vulnerabilities in your installation and unknowingly let problems in.
Keep Them Updated
Good plugin creators will keep their plugins up to date. You will get a notice within your WordPress installation that you need to update your individual plugins. Do this right away!
Protecting your WordPress website is an ongoing process.
The worst thing you can do is look at this list, feel overwhelmed and do nothing. Just pick one thing to get started, get that all set, and move on to the next.
Or if you just don’t have time to do this yourself, outsource it. We offer our clients Protection plans just for this reason.
WordPress Security is Important.
Hackers or server crashes won’t wait until you make time to get this done. Take a bit of time and get yourself set up with some of these great plugins right away.
How to Backup Your WordPress Website
Okay! I think I’ve convinced you that it’s extremely important to back up your WordPress website, correct?
Not only that, but I also hope I’ve convinced you that it’s absolutely, positively non-negotiable.
Before I show you some methods for backing up your website, I think it’s important to talk about the different pieces that make your WordPress website run. When backing up your website, you must ensure you get all these pieces in place, or you won’t have a complete backup.
Your WordPress Website is made up of:
- WordPress Files: Includes all the PHP and CSS files that make your WordPress installation work, plus wp-config.php (which holds your database credentials) and everything under wp-content: your themes, your plugins, and the images and other files you’ve uploaded.
- Database: The database is where your pages and posts live, along with comments, user accounts (including their password hashes), site settings, and plugin and theme options.
- Other Files: If you’ve uploaded anything outside of WordPress (via FTP, cPanel File Manager, etc) then these will be files that are separate from your actual WordPress site.
So let’s get to the bones of it and discuss exactly how you back up your WordPress website.
Option 1: cPanel Backup
This step requires that you have cPanel in your hosting account. Most people who have WordPress installed will have used cPanel to do so. cPanel allows for an easy script installation process using an installer such as Simple Scripts or Fantastico. If you don’t have cPanel, check with your hosting company to see if they have a manual backup option you can perform within their system.
To do a cPanel backup, follow these steps:
- Login to cPanel through your hosting.
- Scroll to “Files” > “Backup Wizard.”
- Click “Backup.”
The system will then start a backup of your entire website and all files. This may take some time depending on how many files you have.
cPanel will usually email you when your backup is ready. Then all you need to do is log back into your cPanel and download your backup.
I recommend you save your three most recent backups. What if your website has been corrupted for a while and your only backup contains those same bad files? It’s a smart idea to store your backups somewhere other than the hosting server, such as a portable hard drive (so you can easily move it to another PC or take it with you when evacuating ahead of the next hurricane). Remember that a full backup contains wp-config.php with your database password and the user table with every account’s password hash, so treat the backup file as sensitive: keep it somewhere attackers can’t download it, and never inside your public web folder.
One of the problems with doing manual backups is that you’re likely to forget. So while I absolutely recommend you do manual backups on whatever schedule you can work out, I would not recommend relying on it as your only backup method.
Option 2: A WordPress Plugin Backup
There are some plugins out there that allow you to back up your entire website. One such plugin is UpdraftPlus.
You can do a full backup of your whole WordPress installation and all website files.
Here’s how to do it:
- Download and install UpdraftPlus.
- Click on “UpdraftPlus” in the left-side menu.
- Work through the initial setup. This video from WPCrafter has a great walk-through.
- Do a full backup and download it to your computer (so a copy lives somewhere other than your hosting server).
- Set up scheduled backups by clicking on “Scheduling” from the settings section.
- Choose where you want to send the backup, and save it.
Now you have two easy ways to back up your entire website. I recommend you use both and save at least your last three backups so you have complete protection.
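For those comfortable with an SSH login to their hosting account, here is an added example (my own script, not something from the original article or from UpdraftPlus) of what a backup plugin does under the hood, as a plain shell script you can run by hand or from cron. It reads the database credentials out of wp-config.php, dumps the database, bundles it with the site files into one timestamped archive, and keeps only the newest three. The paths $WP_ROOT and $BACKUP_DIR are assumptions you change to match your account; it expects mysqldump and tar to be available, and the backup folder must sit outside your public web folder.

```shell
#!/bin/sh
# Added example, not code from the original article: a manual WordPress
# backup in POSIX shell. Assumptions (change to suit): the site lives at
# $WP_ROOT, mysqldump and tar are on the PATH, and $BACKUP_DIR is outside
# the web root and gets copied off the server afterwards.
set -eu

WP_ROOT="${WP_ROOT:-$HOME/public_html}"        # assumed site location
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"   # assumed: NOT under public_html
KEEP="${KEEP:-3}"                               # the article's "three most recent"

# Read one constant out of wp-config.php, e.g.  define( 'DB_NAME', 'wp_live' );
wp_config_value() {   # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Dump the database. The password goes through a 0600 option file, not the
# command line, because on a shared host other users can read `ps` output.
dump_database() {   # $1 = wp-config.php, $2 = output .sql path
    _name=$(wp_config_value "$1" DB_NAME)
    _user=$(wp_config_value "$1" DB_USER)
    _pass=$(wp_config_value "$1" DB_PASSWORD)
    _host=$(wp_config_value "$1" DB_HOST)
    _cnf=$(mktemp)
    chmod 600 "$_cnf"
    # DB_HOST may carry a port ("localhost:3306"); strip it for the option file
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$_user" "$_pass" "${_host%%:*}" > "$_cnf"
    mysqldump --defaults-extra-file="$_cnf" --single-transaction "$_name" > "$2" || { rm -f "$_cnf"; return 1; }
    rm -f "$_cnf"
}

# Site files plus the database dump in one archive, named so it sorts by date.
backup_site() {   # $1 = wp root, $2 = backup dir; prints the archive path
    mkdir -p "$2"
    chmod 700 "$2"
    _stamp=$(date -u +%Y%m%dT%H%M%SZ)
    _sql="$2/db-$_stamp.sql"
    dump_database "$1/wp-config.php" "$_sql"
    tar -czf "$2/site-$_stamp.tar.gz" \
        -C "$(dirname "$1")" "$(basename "$1")" \
        -C "$2" "db-$_stamp.sql"
    rm -f "$_sql"
    chmod 600 "$2/site-$_stamp.tar.gz"   # it holds wp-config.php and password hashes
    echo "$2/site-$_stamp.tar.gz"
}

# Keep only the newest $2 archives. More than one matters because the newest
# backup of an already-hacked site is a backup of the hack.
prune_backups() {   # $1 = backup dir, $2 = how many to keep
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(( $2 + 1 ))" \
        | while read -r _old; do rm -f "$_old"; done
}

count_backups() {   # $1 = backup dir
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

main() {
    _archive=$(backup_site "$WP_ROOT" "$BACKUP_DIR")
    prune_backups "$BACKUP_DIR" "$KEEP"
    echo "backup written: $_archive ($(count_backups "$BACKUP_DIR") kept)"
}

# Only touch a real site when invoked as:  sh wp-backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

A daily cron entry such as `0 3 * * * sh $HOME/wp-backup.sh run` gives you the schedule the plugins offer, and an `scp` or `rsync` of the backup folder to a machine you control afterwards gives you the off-server copy the article keeps asking for. Restoring is the reverse: unpack the archive and load the .sql file with the mysql client. If your host provides WP-CLI, `wp db export` is an equivalent way to get the database dump.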
WordPress Security Updates are a NON-NEGOTIABLE!
Running a WordPress website is not a “set it and forget it” deal.
If you want to protect your website from hackers and other potential problems, you need to make sure you keep up with the software updates, and that includes security updates.
As mentioned before, WordPress is undergoing constant development. This is a very good thing as you get the most cutting-edge features, functions, and security. But there is also a downside: You must keep up with the updates to keep your website or blog safe.
Fortunately, keeping up with updates is not really that difficult.
When you log in to your WordPress dashboard it should be pretty obvious if you need to update either WordPress or one of the plugins.
In the graphic above, you’ll see that the number next to the Updates link is the total number of plugin, theme or WordPress core updates available. And, the yellow bar at the top shows that a new version of WordPress has been released.
If the main WordPress update is available it is shown prominently at the top of the dashboard and pretty much begs for you to do the update.
While WordPress updates are pretty rock solid with few errors, you should always do a full site backup before you click the “Please update now” link.
In the unlikely (but always possible) event that something goes wrong, you and your hosting service will be thanking your lucky stars that you had a full and timely backup available.
After your full site backup is completed (including downloading to your computer), click on either the “Updates” or “Please update now” link.
Unless you have been instructed to do otherwise by your hosting service, use the “Update Automatically” button to update your site. It is quick, easy, and rock solid.
Important note about updating WordPress Plugins
Just as before you install a new plugin, always read about the changes in an update before installing it. Many times there are changes in the plugin’s behavior that you may not necessarily want. The exception is a security fix: if the changelog mentions a security issue, install it right away rather than sitting on it, because once a fix is public, attackers know exactly what to go after on sites that haven’t applied it.
Important note about updating WordPress Themes
If you have made ANY changes to your theme (tweaking things in style.css or changes to the template files), the changes will be overwritten when the theme is updated. Be ready to re-do the changes after updating. The only way to avoid this is to create a child theme specifically for your changes, but that is kind of an advanced subject outside of the scope of this report. (See the WordPress codex for more information)
Update your site’s plugins using the built-in WordPress automatic update capabilities. Unless it is a Premium plugin, there really shouldn’t be a reason for you to have to do anything complicated (like download the update and then use FTP to get it on your site). For Premium plugins, you will always want to follow their specific instructions.
Additional WordPress Security Measures
We’ve talked about backing up and updating your website in detail. But there are other security measures you can take to protect your website from problems.
Always use an admin name other than “admin”.
When you initially install WordPress you can choose the username for the main admin account. Do not use the default “admin”; choose something original instead. Brute force scripts (hacking scripts) commonly try the username “admin” first, and by not having that account you shut that whole batch of guesses out. Don’t count on the name staying secret, though: WordPress can reveal usernames through author archive pages and through the REST API (/wp-json/wp/v2/users lists any user with published posts), so a renamed admin buys you less than a strong password does. Do both.
Use a Secure Password
I bet you’ve heard this one before. You shouldn’t use the same password for all your websites and logins, and you shouldn’t use a simple one like your kid’s or pet’s name. Make your passwords long (12 characters or more, and longer is better), unique to each site, and use a combination of uppercase, lowercase, numbers, and symbols for the best protection. A password manager will generate and remember these for you, which is the easiest way to make every login different.
Change Admin Passwords Occasionally
Change all admin-level passwords. I say occasionally because the schedule really depends on your business practices. For instance, if you outsource your WordPress maintenance or administration to different people all using your main admin account, you would be wise to change your password more frequently than if you are the only admin.
But better yet, create a separate user with the right level of access for each person who needs to work on your website, so nobody but you ever uses the main admin account. Keep reading for more information about adding users to your site.
Delete Unused Accounts.
If you have any user accounts on your WordPress installation that you are not using anymore, be sure to remove them.
Register Your Domains Elsewhere.
If you need to move your websites because of problems with your host, you’ll be glad to have your domain name registered elsewhere. This will allow you to quickly move domains by simply pointing the name servers at your domain registrar to your new hosting service.
Monitoring Your Site Files.
Sometimes hackers get into your website, make changes and leave without making a big fuss. This might go completely unnoticed by you if you’re not careful! Periodically check your website’s files for signs of intrusion to ensure everything is in order. One easy first look is to glance at files’ modified dates and look for anything that changed when you weren’t updating. Be aware that an attacker can set a file’s modified date back to whatever they like, so a more reliable check is to compare the files against a known-good copy (or a list of their checksums made while the site was clean) and to look for PHP files in places they don’t belong, such as your uploads folder.
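Here is that check as an added example (my own script, not from the original article or any plugin): it records a SHA-256 checksum for every site file while the site is known to be clean, later reports anything changed, added or removed, and separately lists any PHP file under wp-content/uploads. The paths $WP_ROOT and $MANIFEST are assumptions; the manifest must be stored off the web server, since an attacker who can edit your site can also edit a manifest sitting next to it.

```shell
#!/bin/sh
# Added example, not code from the original article: baseline-and-compare
# integrity check for a WordPress install. Hashes catch edits even when the
# attacker reset the modified date. Assumed paths: $WP_ROOT for the site,
# $MANIFEST for the baseline (keep it OFF the web server).
set -eu

WP_ROOT="${WP_ROOT:-$HOME/public_html}"          # assumed
MANIFEST="${MANIFEST:-$HOME/wp-manifest.sha256}"  # assumed, outside the web root

# Prefer coreutils sha256sum; fall back to perl's shasum (macOS, some hosts).
if command -v sha256sum >/dev/null 2>&1; then HASHER=sha256sum; else HASHER="shasum -a 256"; fi

# "<sha256>  <relative path>" for every file, sorted by path. The cache and
# uploads folders change constantly and would bury real signals, so they are
# skipped here; uploads gets its own, narrower check below.
hash_tree() {   # $1 = site root
    ( cd "$1" && find . -type f \
          ! -path './wp-content/cache/*' \
          ! -path './wp-content/uploads/*' -print0 \
      | xargs -0 $HASHER ) | sort -k 2
}

make_manifest() {   # $1 = site root, $2 = manifest path to write
    hash_tree "$1" > "$2"
    chmod 600 "$2"
}

# Compare current hashes with the baseline; one line per difference, nothing
# at all when the tree is unchanged. Paths containing spaces are not handled.
check_manifest() {   # $1 = site root, $2 = manifest path
    _now=$(mktemp)
    hash_tree "$1" > "$_now"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in cur)  if (!(p in base))                    print "ADDED   " p
             for (p in base) if (!(p in cur))                     print "REMOVED " p
             for (p in base) if ((p in cur) && cur[p] != base[p]) print "CHANGED " p
         }' "$2" "$_now" | sort
    rm -f "$_now"
}

# PHP under uploads is almost never legitimate: WordPress only puts media there,
# and a PHP file dropped there is the classic web shell.
php_in_uploads() {   # $1 = site root
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# The quick triage the article suggests: what changed in the last N days?
recently_modified() {   # $1 = site root, $2 = days
    find "$1" -type f -mtime -"$2" ! -path '*/wp-content/cache/*' 2>/dev/null | sort
}

# Usage:  sh wp-integrity.sh baseline   (once, while the site is clean)
#         sh wp-integrity.sh check      (from cron, mail yourself the output)
case "${1:-}" in
    baseline) make_manifest "$WP_ROOT" "$MANIFEST"; echo "baseline written to $MANIFEST" ;;
    check)    check_manifest "$WP_ROOT" "$MANIFEST"; php_in_uploads "$WP_ROOT" ;;
    *)        : ;;   # no argument: just define the functions
esac
```

Re-run `baseline` right after every update you make yourself, so that the next `check` only reports changes you didn’t make. For WordPress core files specifically, WP-CLI’s `wp core verify-checksums` does the same comparison against the official checksums from WordPress.org, which is handy when you never made a clean baseline of your own.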
Taking extra measures to protect your WordPress installation may take some extra time, but if it saves you from an attack, it will be well worth it. Of course, there’s no way to absolutely guarantee that you’ll never be hacked or have other problems.
However, you’ll find that the more educated and prepared you are, the less likely it is that you’ll have to deal with the fallout later.
Many websites and blog owners have other people logging into their websites. It’s common to let guest bloggers or columnists have their own usernames and password so they can log in and add their own posts, saving the blog owner time and work. It’s also very common to outsource your website or blog updates to a virtual assistant or another freelancer who will have to be able to log in and publish on your website.
Here are a few rules for keeping your WordPress website safe in these situations:
- Do NOT give admin access – You should keep your admin access protected always. The reason is not necessarily that your guests or employees might do anything malicious with the admin access, although that has been known to happen. Instead, every extra admin account is another way in: if their password is guessed, phished or reused from some other site that got breached, the attacker gets your admin rights. The more admin logins exist, the more likely it is that a hacker could find one.
- Grant the lowest access level required – Always grant the lowest level of access that someone needs to complete the job.
- Change Passwords – When someone leaves the company, make sure you change your passwords or delete their user account altogether.
Being Prepared When Security Fails
What if your website security fails despite all your best efforts and preparations?
The first thing I can tell you is to be prepared for this eventuality.
Don’t think that just because you’ve taken all the proper precautions, you’re completely protected.
Think of a website attack or major issue as you would think of a house fire. You can take precautions to prevent a fire in your home, but sometimes you just can’t prevent it. So in addition to preventative measures, we also prepare for the worst. We create fire routes, we have fire extinguishers, we keep fire alarms handy and we have a meeting place for loved ones.
Why not do the same for your website?
Create a plan of what you would do if security were to fail. Here are some ways to be prepared for a website hack or a security failure:
Back up, back up, back up!
Yep, I’ve talked about this more than once already, but it’s worthy of another reminder. Back up as often as needed. Keep more than one backup copy — and keep them in separate places.
Have ALL of your login information
If you hired someone to install or design your website, it’s quite possible that there are logins you don’t even have access to. My recommendation to you is that you change that right now. At the end of this report, you’ll find some checklists, including one for critical website information. Take that list and complete the information, then store it in two places so you have it ready to go when you need it! Treat that sheet like the keys to your business: keep it in a password manager or an encrypted file rather than a plain document, and if you print it, lock the printout away. This step is very important.
Call your host
Ask your hosting company what happens if a server crashes or your website gets hacked. Some people are very surprised to discover that their hosting company provides NO protection against loss in these cases. Find out now, not later.
Have a backup host
Not only do you want to back up your files, but you’ll want to check around for a backup hosting company that you can quickly move to if need be. It might be a good idea to have an account with this second host already so you know how they work, and so you can move quickly if needed. It’s also a good idea to register your domain name somewhere other than with your hosting company.
Hire an Expert – If all of this is just too much for you and you simply don’t want to handle it, find someone who can. Hire someone before you EVER have a problem and build that relationship with them so that when a problem does occur, they’re ready and able to help you, fast.
So there you have it.
This article contains information that could very well save you thousands upon thousands of dollars and/or hours. And that’s no joke.
I hope you’ll take the advice, do your backups, and secure your websites. That way, you won’t discover one morning that you’ve lost years of work in the blink of an eye.
Let’s Wrap This Baby Up!
I remember when I first heard about backing up my website. To be honest, I found it all too confusing, too complicated, and too much trouble. So I didn’t take action and simply hoped for the best.
Meanwhile, I heard people warning me of the risks of not backing up my websites and taking proper security measures, but I figured I didn’t have time and nothing bad would ever happen to me anyway.
Then one day after I had grown a significantly sized business and website, I asked myself: “What if I lost my entire website, TODAY? How would that feel?”
The answer was: “I’d be devastated”.
Honestly, I don’t know what I’d do if the last few years of hard work just disappeared into thin air. It would be very hard to recover.
I was lucky, and I know it. I’ve never had an attack on my site (knock on wood) but I have known many people close to me that weren’t so lucky. And trust me, I no longer leave my security to chance.
Please take this article and this warning seriously, and learn how to back up your sites or hire an expert to do it all for you. You will be so glad you did if you ever have a problem with your website! And even if you don’t. After all, peace of mind can be priceless.