How To Increase WordPress Security

Have you ever asked yourself, “Website security for WordPress? Do I need that?” While you might think no one would hack a small business website randomly, you’d be surprised. 

According to the 2023 data from the Australian Signals Directorate, cyberattacks are rising. They increased 23% from 2022 to 2023. A whopping 94,000 cybercrimes were reported to the governing bodies in Australia last year (and that’s just the ones people noticed). 

If you’re on WordPress.org, you’ll know it’s a bloody good spot for giving your website a platform. WordPress does it all, whether you’re running a business, chatting about your niche hobby on a blog, or anything in between. 

One thing about WordPress.org, though – you’ll need to add your own security. While this might feel like a hassle for some, it’s a big benefit. You can find a solution that suits your business and choose something more airtight than you might get on a plan that includes basic security. 

While you can’t ever guarantee 100% safety, there are a whole raft of options available to you. We’ve rounded up our top ways to keep things as secure as possible. Ready to dive in and make it harder for the hackers to break in? Let’s crack on then:

Usernames, passwords and logins:

Let’s start with the basics. You’ll need a username and password for logging into your WordPress dashboard, right? So, make it complicated (for hackers, not for you). Confused? Here’s how you do it: 

  • Don’t go for the obvious username of ‘admin’. It’s far too easy to guess. The same goes for your company name; it’s one of those things hackers will try early on. Whether you use your full name like ‘johnjamesdoe’ or make up a fun codename that you can remember easily, opt for anything but the easy-to-guess ones. 
  • You’ll want to step it up a notch when it comes to passwords. We’re talking about 20 characters plus a hectic mix of letters (upper and lower case), numbers, and symbols. How am I going to remember that? You won’t need to if you have passwords stored on something like LastPass. Google Chrome is also great at keeping your passwords secure. 
  • Another layer of security you can add is two-factor authentication. That’s a fancy way of saying that when you put your username and password in, WordPress will email a secret code to the email address associated with your account. You’ll then need to enter that as part of the login process. Depending on your plugin, receiving the code by SMS or using a free authenticator app is also an option. Yes, Google has a free one too. We suggest forcing all backend users to use it.
  • Once you’re on your dashboard, you can install a plugin to limit login attempts. We like Solid WP Security, for example. While an employee might have the odd moment where they fumble it three times, it’ll prevent some of those “guessing game” hackers. 
  • Assess how many people you give access to your site and remove those who no longer work with you or need a certain level of permission. When adding new users, aim for fewer permissions to lower the risk.

Keep your plugins up to date

If you’re on a self-hosted WordPress website (including anything on WordPress.org), you’ll get access to many applications. 

They’re called plugins, and there are several you can use to ramp up security, including Wordfence, Sucuri, and Solid WP Security.

Developers, the nifty bunch who make those plugins, often update their software. It’s a little like having a digital booster shot. Their updates make the apps work better. Those changes help the plugin adapt to new challenges and maintain the level of security it offers. 

With that in mind, WordPress.org doesn’t update your plugins for you. That’s one of the little security measures you’ll need on top of a good security plugin. Ensure you’re checking in for new versions and keep things up to date. If you don’t feel like doing that yourself (or aren’t sure how), you can always get your web host to manage them. (Surprise, we can do that for ya).

Keep your computer secure too

Digital security doesn’t just exist on your website, either. You gotta keep your computer secure, too, mate. If your computer isn’t safe and you end up with a virus while browsing the web, you’re opening yourself up to attacks. 

Working around this risk is as easy as installing an antivirus. Make sure it is up to date and run scans now and again to ensure everything is in good shape.

There are plenty of antivirus software options you can choose from. Some top players include Avast and Norton Security if you use a PC, or ClamXav for Mac.

You may also want to consider using a Virtual Private Network (VPN) for your internet usage. VPNs make your connection to any given server secure and hide your IP (Internet Protocol) address in the process.

Install Cloudflare or Sucuri

Are you still with us? Want more? You can further enhance your security with Cloudflare and Sucuri, which have free and paid versions.

If you’re just starting out and on a budget, the free version is still worth having. It’ll help prevent spammy comments on blog posts, excessive bot crawling, SQL (code) injections, and denial of service attacks (when you get a rapid amount of fake traffic at once to bring a site down). 

Another benefit for your site is that you’ll often notice an increase in page speed. How come? Cloudflare’s and Sucuri’s content delivery networks and speed optimiser tools put in the extra effort. Faster loading times help reduce the chances people will navigate away from your site, too. Wins all round. 

If you’ve got some extra cash to put into top-notch security, the paid versions offer more solutions and benefits. We love it so much we’ve partnered with Sucuri to offer you Malware Protect. It’ll help secure your site and block crafty little hackers. Plus, like an insurance policy, we’ll take care of the repairs up to 2x a year if your website gets hacked or things go sour.

Install malware scanning

Set up a malware scan plugin to check your site for any infections. Malware is (unfortunately) becoming a much more common issue. If your site is flagged as having malware, browsers like Google Chrome or antivirus providers (like Norton Antivirus) will warn your visitors before they access your site. 

Typically, when this happens, something like Chrome would ask, “Are you sure you want to proceed?” Nine times out of ten, people will click “no, go back to safety.” In most cases, the warning will prevent access to the site, and the person trying to visit your website will not come back. Some plugins, like Solid WP Security and Sucuri, already include this.

Don’t advertise the fact you’re on WordPress

This is a simple tip you can sort out right now in just a few minutes. When you have a WordPress site, there’s usually a default footer that says, “WordPress powers this site.” Keep it a secret, trust us. 

It’s harder to get hacked if they don’t know what platform you’re on. While WordPress makes up many websites worldwide, please don’t give it away. 

You can also ask your developer to make additional tweaks and even change your database name to make your site less WordPress-like. Crafty!

Keep your author name unique

Do you know how we mentioned your username before? It isn’t only crucial for when you’re logging in. If you’re posting blogs, sometimes your website automatically adds your username at the bottom. You can easily switch this to your regular name, add a nickname, or remove it altogether. Here’s how: 

Go into your backend, then users > your profile > ‘display publicly as’, and select a name other than your username.
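
The account advice in this article (avoid `admin` or the company name as a login, keep the number of high-permission users low, and don't show the login as the public author name) can be checked in one pass. The added example below is not from the original article; it audits a user list shaped like the JSON printed by `wp user list --fields=user_login,display_name,roles --format=json`, and the sample users, the company name and the limit of two administrators are constructed assumptions.

```python
import json

# Constructed sample, shaped like the output of:
#   wp user list --fields=user_login,display_name,roles --format=json
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "display_name": "Site Owner", "roles": "administrator"},
    {"user_login": "acmeplumbing", "display_name": "Acme Plumbing", "roles": "administrator"},
    {"user_login": "jo.writer", "display_name": "jo.writer", "roles": "author"},
    {"user_login": "k7-falcon", "display_name": "Kim", "roles": "administrator"},
    {"user_login": "sam-editor", "display_name": "Sam", "roles": "editor"},
])

def normalise(text):
    """Lower-case and keep only letters/digits so 'Acme Plumbing' == 'acmeplumbing'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def audit_users(users_json, company_name, max_admins=2):
    """Return a sorted list of (user_login, finding) tuples."""
    users = json.loads(users_json)
    guessable = {"admin", "administrator", normalise(company_name)}
    findings = []
    admins = []
    for u in users:
        login, shown = u["user_login"], u["display_name"]
        # Assumed shape: roles arrive as a comma-separated string.
        roles = [r.strip() for r in u["roles"].split(",") if r.strip()]
        if normalise(login) in guessable:
            findings.append((login, "guessable login name"))
        if normalise(shown) == normalise(login):
            # The public author name gives away the login name.
            findings.append((login, "display name reveals login"))
        if "administrator" in roles:
            admins.append(login)
    if len(admins) > max_admins:
        for login in admins:
            findings.append((login, "review: more admins than expected"))
    return sorted(findings)

if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS, "Acme Plumbing"):
        print(f"{login}: {finding}")
```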

Stay on top of your site backups

Just like ensuring your plugins and themes are up to date, you’ll want to do the same for your site’s content. This way, if something (or someone) does break in and delete or alter your data, you’ll have a spare and up-to-date copy. 

When you’ve got a backup, you can quickly get your site to look the same as before any errors, break-ins or issues. Again, having multiple backup options is also a good idea for two-factor authentication. 

We do backups every hour for our hosting clients. Just in case, you should also have a regular backup saved to your computer. There’s nothing worse than creating the perfect website only to lose it to something as silly as not backing up. It might sound unlikely, but you’re better safe than sorry here – we promise it’s worth doing.


Why should I care about WordPress website security?

The first thing you need to understand about website security is that it reduces risk, not eliminates it. 

All the security in the world will still have some weaknesses, but ensuring you’re doing everything you can reduces the chances of anything happening to your site. 

Worldwide, around 30,000 sites are hacked every day—that’s one every three seconds! Small businesses and e-commerce sites are also some of the most common targets. New vulnerabilities will always crop up over time, so diligence is necessary. 

As the saying goes, prevention is better than a cure. So do everything you can to keep your data (and the data of your customers) super secure. 

The cost of recovering from losses stemming from hacking can be huge.

The money you spend on keeping everything locked up tight will be less than what you would need to spend on fixing things up if your site is breached. 

Let alone the fact that a security breach can impact your brand reputation too.

Secure your website with premium security solutions

Aside from carbon-neutral hosting, True Green has you covered with security options, too. Opt for Kickstart or Bloom plans, and we’ll give you Solid WP Security Pro for free on your WordPress site. 

Or, pick and choose what works for you with our variety of Secure Sockets Layer (SSL) certificates and the option to add Sucuri with Malware Protect. The choice is yours – we’re here to help if you’re still figuring that out. Chat with our team, or call us to discuss your options.