At Templatic, almost everything we do is centered around a single objective — helping you to build a business using WordPress. Whether it’s a local business directory, a vacation rental website, a WooCommerce store or your own personal author website — Templatic themes are all about building your business.
As a child, did you ever build a sandcastle on the beach? Do you remember how great it felt to build something from scratch? The sense of accomplishment and pride that came with seeing a project through to completion? Chances are you feel the same way about the business you’re building, right?
But maybe you also had the experience of the tide coming in and destroying your castle. Or worse yet, maybe some kid, bigger and older that you, came along a stomped on your castle. Destroying an hour of hard work in just a few seconds.
The reality is, your WordPress website is facing a similar risk. There are hackers out there who are interested in nothing more than destroying your hard work and wreaking havoc on your business. But how do you protect your website?
In this post, we’re going to take a look at some of the things you can do to mitigate your risk. No website is ever 100% secure. But if you can make the job of hacking your website difficult enough, there is a good chance the hackers will move on to an easier target.
Why Securing Your WordPress Website is Important
If you’ve invested a decent amount of time into building your business, it only makes sense that you should want to protect it.
Not only are you protecting against the loss of time, you probably also protecting yourself against the potential of loss revenue and depending on your business, potentially the loss of sensitive customer data as well.
Imagine spending 100 hours entering data for local businesses and then working hard to generate paid listing revenue. What if a hacker gained access to your site and started altering or deleting listings? What if they defaced the listings of your paying customers?
With scenarios like this, it doesn’t take long to see why you should to take security seriously. Despite the fact that most attacks are automated and non-targeted, it’s still very possible that someone might decide to target your website specifically.
Ways to Secure Your WordPress Website
The most important thing to remember when it comes to securing your WordPress website and protecting your business is that there is no “one-size-fits-all” solution.
Robert Abela at WP White Security had this to say about the fallacy of WordPress security being easy:
WordPress is very easy to use. And because of this “easy to use” mantra, many WordPress website owners think that security is the same. Install some sort of all-in-one WordPress security plugin and the job is done. Security should not be rocket science though it is not that simple either.
The point here is that security is an ongoing process that needs to be looked at from a variety of different angles. While we can’t cover every angle in this post, we can give you a few high-impact places to get started and hopefully reduce the number of potential attack vectors in the process.
Backup Your WordPress Installation
Regular backups should be considered the cornerstone of any half-decent security posture. If your business is running on WordPress, there is absolutely no reason why you shouldn’t be creating regular backups of your content. In the event that your website is hacked, one of the first things you want to do is restore a clean version of your site, patch any vulnerabilities and get back to business. If you haven’t established a regular backup routine, you should do so today.
There are a wide variety of backup options available that include both free and premium plugins. A few that you might want to take a closer look at include:
- Vault Press from Automattic offers plans that start as low as $5/month and include a 30-day backup archive.
- UpdraftPlus is a free plugin that provides the ability to backup and restore your files as well as allowing you to store your files in a variety of location including Dropbox, AmazonS3, Google Drive and Rackspace Cloud.
- BackupBuddy is probably one of the better known paid plugin options. It allows you to backup your entire site or just the database on demand or a pre-defined schedule. As with Updraft, there are a wide variety of storage location options available.
WordPress Security Plugins
There are several WordPress security plugins on the market which offer both free and premium versions. The Most important thing to remember is that just because you’ve installed and activated a security plugin does not mean your site is safe and secure. More secure? Yes, most definitely. Using a security plugin goes a long way towards hardening your WordPress security but you should never assume that you’re 100% protected from an attack — which is an impossibility.
Realistically, you can divide WordPress security plugins into 2 categories:
- WordPress Security Hardening Plugins
- WordPress Firewall Plugins (often built into hardening plugins)
When we say “hardening security”, some of the tasks we’re referring to include:
- Forcing users to employ strong usernames and passwords
- Renaming the database table prefixes
- Changing the URL of your WordPress login
- Monitoring for excessive 404 errors and banning the appropriate IP address
- Locking out users with too many failed login attempts
- Protecting against brute force attacks
- Watching for and reporting any changes in the WordPress core files
As you can probably tell from the above list, none of those items make hacking your WordPress site impossible. They do make it more challenging and even inconvenient for a hacker who happens to be lazy or who is using automation to scan for a specific vulnerability.
A few of the more common WordPress security plugins on the market include:
- iThemes Security – As one of the better known WordPress security plugins, iThemes Security offers a free and a Pro version which are both highly capable when it comes to improving your overall security posture.
- Wordfence – Another plugin that offers a free and premium version with both offering a significant list of features including scheduled scans.
- All In One WP Security & Firewall – Is a free yet well-supported plugin with over 300K active installs. If you’re looking for a free solution that utilizes many of the same hardening techniques that the paid plugins offer, this is a great place to start.
Monitoring For Suspicious Activity
If you are using WordPress as a platform on which to run your business, it’s important to remain vigilant. We already mentioned that the idea of “set it and forget it security” is a fallacy. If you’re going to keep your WordPress site secure on an ongoing basis, you’ll need to be proactive.
Part of being proactive means being aware of what is happening on your site. This is particularly important if you’re running a directory based website. You might have multiple users registered or ever users with a variety of different privilege levels.
Do you know what actions each user is taking? If your answer is no (which it probably is), you should consider maintaining a security audit log which can keep you up to date with any suspicious activity on your website including:
- The first time a new user logs into WordPress.
- Any time a user changes the role or password of another user.
- Plugin changes (activation, deactivation, upgrades or uninstalls).
- When a user creates or modifies a custom field, page or post.
WP Security Audit Log is a free and premium plugin available in the WordPress repository. All of the basic security logging functions are available with the free version of the plugin and there are multiple upgrades available depending on your requirements.
WordPress Security is an Ongoing Process
We’ve covered several different aspect of WordPress security in this post but we’ve avoided getting into detailed specifics and for good reason. WordPress is a constantly evolving platform and the idea that you can take a few simple actions and “voila!” You have a secure website, couldn’t be further from the truth.
Maintaining a strong and consistent security posture requires that you remain vigilant against an ever-changing list of threats. Being proactive is key and doing something — whether it’s installing a security plugin, using strong passwords or logging user activity — is always better than doing nothing.
Of all the suggestions we’ve covered, if there was one thing that you should implement immediately, it’s creating regular backups of your website.
If your website has ever been hacked, it would be great if you can share your experiences in the comments below.