Ever asked yourself, “website security for WordPress? Do I really need that?” While you might think no one would hack a small business website randomly, you’d be surprised, mate.
According to the 2023 data from the Australian Signals Directorate, cyberattacks are rising. They increased 23% from 2022 to 2023. A whopping 94,000 cybercrimes were reported to the governing bodies in Australia last year (and that’s just the ones people noticed).
If you’re on WordPress.org, you’ll know it’s a bloody good spot for giving your website a platform. WordPress does it all, whether you’re running a business, chatting about your niche hobby on a blog, or anything in between.
One thing about WordPress.org, though – you’ll need to add your own security. While this might feel like a hassle for some, it’s a big benefit. You can find a solution for your business and choose something more airtight than you might get on a plan that includes basic security.
While you can’t ever guarantee 100% safety, there are a whole raft of options available to you. We’ve rounded up our top ways to keep things as secure as possible. Ready to dive in and make it harder for the hackers to break in? Let’s crack on then:
Usernames, passwords and logins:
Let’s start with the basics. You’ll need a username and password for logging into your WordPress dashboard, right? So, make it complicated (for hackers, not for you). Confused? Here’s how you do it:
- Don’t go for the obvious username of ‘admin’. It’s far too easy to guess. The same goes for your company name; it’s one of those things hackers will try early on. Whether you use your full name like ‘johnjamesdoe’ or make up a fun codename that you can remember easily, just opt for anything but the easy-to-guess ones.
- You’ll want to step it up a notch when it comes to passwords. We’re talking about 20 characters plus a hectic mix of letters (upper and lower case), numbers, and symbols. How am I going to remember that? You won’t need to if you have passwords stored on something like LastPass. Google Chrome is also great at keeping your passwords secure.
- Another layer of security you can add is two-factor authentication. That’s a fancy way of saying that when you put your username and password in, WordPress will email a secret code to the email address associated with your account. You’ll then need to enter that as part of the login process. Depending on your plugin, there are also options to send an SMS or use a free authenticator app. Yes, Google has a free one too. We suggest forcing all backend users to use it.
- Another thing you can do, once you’re on your dashboard, is to install a plugin to limit login attempts. We like Solid WP Security, for example. While an employee might have the odd moment where they fumble it three times, it’ll stop some of those “guessing game” hackers.
- Assess how many people you give access to your site and remove those who no longer work with you or need a certain level of permission. When adding new users, aim for fewer permissions to lower the risk.
Keep your plugins up to date
If you’re on a self-hosted WordPress website (which includes anything on WordPress.org) you’ll get access to a huge range of applications.
Developers, the nifty bunch who make those plugins, often update their software. It’s a little like having a digital booster shot. Their updates make the apps work better. Those changes help the plugin adapt to new challenges and maintain the level of security it offers.
With that in mind, WordPress.org doesn’t update your plugins for you. That’s one of the little security measures you’ll need on top of a good security plugin. Ensure you’re checking in for new versions and keep things up to date. If you don’t feel like doing that yourself (or aren’t sure how), you can always get your web host to manage them. (Surprise, we can do that for ya).
Keep your computer secure too
Digital security doesn’t just exist on your website either. Ya gotta keep your computer secure, too, mate. If your computer isn’t secure and you end up with a virus while browsing the web, you’re opening yourself up to attacks.
Working around this risk is as easy as getting an antivirus installed. Make sure you keep it up to date and run scans now and again to ensure everything is ship shape.
You may also want to look into a Virtual Private Network (VPN) for your internet usage. VPNs make your connection to any given server secure and also hide your IP (internet protocol) address in the process.
Install Cloudflare or Sucuri
If you’re just starting and on a budget, the free version is still worth having. It’ll help with things like preventing spammy comments on blog posts, excessive bot crawling, SQL (code) injections, and denial of service attacks (when a flood of fake traffic hits your site all at once to bring it down).
Another benefit for your site is that you’ll often notice an increase in page speed. How come? Well, Cloudflare’s and Sucuri’s content delivery networks and speed optimiser tools put in the extra effort. Faster loading times help reduce the chances people will navigate away from your site, too. Wins all round.
If you’ve got some extra cash to put into top notch security, the paid versions offer more solutions and benefits. We love it so much we’ve partnered with Sucuri to offer you Security Plus. It’ll help secure your site and block crafty little hackers. Plus, like an insurance policy, we’ll take care of the repairs up to 2x a year if your website gets hacked or things go sour.
Install malware scanning
Set up a malware scan plugin to check your site for any infections. Malware is (unfortunately) becoming a much more common issue. If your site is flagged as having malware, browsers like Google Chrome or anti-virus providers (like Norton Antivirus) will warn your website visitors before they access your site.
Typically, when this happens, something like Chrome would ask “are you sure you want to proceed?” Nine times out of ten, people will click “no, go back to safety”. In most cases, the warning will prevent access to the site, and the person trying to visit your website won’t come back. Some plugins, like Solid WP Security and Sucuri, already include malware scanning.
Don’t advertise the fact you’re on WordPress
This is a simple tip you can sort out right now in just a few minutes. When you have a WordPress site, there’s usually a default footer that says “WordPress powers this site.” Keep it a secret, trust us.
It’s harder to get hacked if they don’t know what platform you’re on. While WordPress powers many websites worldwide, don’t give it away.
You can also ask your developer to make additional tweaks, and even change your database name to make your site less WordPress-like. Crafty!
Keep your author name unique
You know how we mentioned your username before? It isn’t only important for when you’re logging in. If you’re posting blogs, sometimes your website automatically adds your username at the bottom. You can easily switch this to your regular name, add a nickname or just remove it altogether. Here’s how:
Go into your backend, then users > your profile > ‘display publicly as’, and select a name other than your username.
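The username advice in the login list and the display-name tip above can both be checked against an export of your users. This is an added example, not code from the original post: it assumes a CSV in the shape of `wp user list --fields=user_login,display_name,roles --format=csv`, and the sample rows, the `audit_users` name, the company name and the `max_admins` threshold are constructed for illustration.

```python
import csv
import io

# Constructed sample in the shape of
# `wp user list --fields=user_login,display_name,roles --format=csv`.
SAMPLE_EXPORT = """user_login,display_name,roles
admin,Site Admin,administrator
acmeplumbing,Acme Plumbing,administrator
johnjamesdoe,johnjamesdoe,editor
redkelpie42,Jo Smith,administrator
sam.writer,Sam,author
"""


def _squash(text):
    """Lower-case and drop punctuation/spaces so 'Acme Plumbing' == 'acmeplumbing'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def audit_users(export_csv, company_name, max_admins=2):
    """Return (user_login, finding) pairs for accounts that break the guidance.

    max_admins is an assumed threshold for "fewer permissions"; tune it to your team.
    """
    findings = []
    admins = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        roles = [r.strip() for r in row["roles"].split(",") if r.strip()]
        if _squash(login) == "admin":
            findings.append((login, "obvious username"))
        elif _squash(login) == _squash(company_name):
            findings.append((login, "username is the company name"))
        # A byline that equals the login hands out half of the credentials.
        if row["display_name"].strip().lower() == login.lower():
            findings.append((login, "display name exposes the login"))
        if "administrator" in roles:
            admins.append(login)
    if len(admins) > max_admins:
        findings.append((",".join(admins), "more administrators than max_admins"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_EXPORT, "Acme Plumbing"):
        print(f"{login}: {finding}")
```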
Stay on top of your site backups
Just like ensuring your plugins and themes are up to date, you’ll want to do the same for your site’s content too. If something (or someone) does break in and delete or alter your data, you’ll have a spare and up-to-date copy.
When you’ve got a backup, you can easily get your site to look the same as before any errors, break-ins or issues. Again, like two-factor authentication, having multiple backup options is also a good idea.
We do backups every hour for our hosting clients. You should also have a regular backup saved to your computer, just in case. There’s nothing worse than creating the perfect website only to lose it to something as silly as not backing up. It might sound unlikely, but you’re better safe than sorry here – we promise it’s worth doing.
Why should I care about WordPress website security?
The first thing you need to understand about website security is that it’s risk reduction, not risk elimination.
All the security in the world will still have some weaknesses, but ensuring you’re doing everything you can reduces the chances of anything happening to your site.
Worldwide, around 30,000 sites are hacked every day. That’s one every three seconds! Small businesses and e-commerce sites also make up some of the most common targets. New vulnerabilities will always crop up over time, so diligence is necessary.
As the saying goes, prevention is better than a cure. So do everything you can to keep your data (and the data of your customers) super secure.
The losses you’re trying to recover from after a hack can be huge.
The money you put into keeping everything locked up tight will be less than what you would need to put into fixing things up if your site is breached.
Let alone the fact that a security breach can impact your brand reputation, too.
Secure your website with premium security solutions
Aside from carbon neutral hosting, True Green has ya covered with security options, too. Opt for Kickstart or Bloom plans, and we’ll give you Solid WP Security Pro free for your WordPress site.
Or, pick and choose what works for you with our variety of Secure Sockets Layer (SSL) certificates and the option to add Sucuri with Security Plus. The choice is yours – we’re here to help if you’re still figuring that out. Chat with our team, or call us to discuss your options.