How to keep your website as safe as possible
“The best way to keep your website safe is to not have one…” – That’s what a friend says when we talk about website security.
And you see, he is right. It is really hard to make your website impenetrable.
But there are definitely ways to improve your security.
10 ways to keep your WordPress website as safe as possible
- Use a good hosting provider
First things first: get a good provider! A good provider will have good security on their servers and will try to keep your website safe from the get-go. They will have processes in place so that if one website gets hacked, they quarantine it to make cross-contamination less likely. This is a starting point, but an important one.
- Get SSL
Make sure your website is secured when you log in. SSL is a security certificate that helps ensure that data handled by your website does not go anywhere other than the place it should go. So not towards hackers and such. SSL is required in a lot of countries if you ask clients for email addresses, names, phone numbers and the like, and it is definitely needed if customers can pay you through the website. But guess what: your login is data too! So getting an SSL certificate is a good idea no matter what your website does!
Most providers can help you get an SSL certificate.
- Change the login url
The next step is to have a login url that is not the generic one. Normally you log in on www.websitename.com/wp-admin or /wp-login. Since hackers know this url, they try it all the time. By changing it, the chances of them finding the url are a lot smaller, which makes hacking attempts less likely.
This is one I used to do with a security plugin (more on that later), but since changing plugins it has been on my list to redo for my clients. You can use a plugin such as WPS Hide Login, or you can do it yourself like this.
- Good password (and login name)
When typing in your name and password, make sure they are good ones! If you use ‘Admin’ as your name and ‘Welcome01’ as your password, I can almost guarantee that you will get hacked. Hackers use automated processes to find your name and password, and these are at the top of their lists. Get yourself a real login name and a difficult password. Use a password vault like LastPass to remember it (I can’t remember any of my passwords) along with any other passwords you have, so you can have a different, difficult password for every login. And change them regularly!
- Admin vs editor
Do you really need to be an administrator for what you are about to do? For most work on your website, being an editor is more than enough. And if your login information were to get hacked, the attackers would have editor rights, not administrator rights, which means they can do a lot less damage. I used to give all my clients administrator rights but am contemplating stopping that to make the chances of getting hacked smaller.
- Get rid of any standard pages
If you buy a website from a developer, this is already done for you (if they are any good), but if you build your website yourself you will see that a WordPress installation comes with a few standard pages so you can see what it will look like. Please delete those pages, comments, posts, etcetera, since they make your website look brand new and therefore a great target for hackers.
- Use good plugins – and not too many
If you are looking for a plugin to do something for you, you are sure to find it. And probably several of them. That is the great thing about plugins for WordPress. It is also one of the biggest security risks for WordPress. A lot of these plugins are either built in a way that leaves ‘holes’ in your website security or are not kept up to date, which means those ‘holes’ might appear later on because the code around them changed. If you install a plugin, make sure it has been tested with the version of WordPress you are on and that it has been updated in the last few months, and try to see if you can trust the owner of the plugin.
Oh, and while we are on the subject: 1 bad plugin is bad, 10 is worse because it increases your chances… so don’t put too many plugins on your website, since you need to check each of them and keep it up to date.
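The plugin checks described above can be run over a whole plugin list at once. This is an added example, not code from the original post: the record layout, the plugin slugs and the 180-day reading of "the last few months" are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records; slugs, versions and dates are made up.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "tested": "6.5.2", "last_updated": "2024-04-20"},
    {"slug": "example-slider", "tested": "5.8", "last_updated": "2021-09-01"},
    {"slug": "example-seo", "tested": "6.4.3", "last_updated": "2024-03-02"},
]

def major_minor(version):
    """Reduce '6.5.2' to (6, 5) so patch releases compare as equal."""
    parts = [int(p) for p in version.split(".")[:2]]
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)

def vet_plugin(plugin, site_wp_version, today, max_age_days=180):
    """Return the reasons this plugin needs a closer look (empty list = OK)."""
    reasons = []
    # Check 1: was the plugin tested with the WordPress branch the site runs?
    if major_minor(plugin["tested"]) < major_minor(site_wp_version):
        reasons.append(f"tested only up to WordPress {plugin['tested']}")
    # Check 2: has it been updated recently? (180 days is an assumed cutoff)
    updated = datetime.strptime(plugin["last_updated"], "%Y-%m-%d")
    age = today - updated
    if age > timedelta(days=max_age_days):
        reasons.append(f"no update for {age.days} days")
    return reasons

def vet_all(plugins, site_wp_version, today, max_age_days=180):
    """Map slug -> reasons for every plugin that failed at least one check."""
    report = {}
    for plugin in plugins:
        reasons = vet_plugin(plugin, site_wp_version, today, max_age_days)
        if reasons:
            report[plugin["slug"]] = reasons
    return report

if __name__ == "__main__":
    today = datetime(2024, 5, 1)  # fixed date so the sample output is stable
    for slug, reasons in vet_all(SAMPLE_PLUGINS, "6.5.2", today).items():
        print(f"{slug}: " + "; ".join(reasons))
```

Whether you can trust the owner of a plugin is the one check from the list that still has to be done by hand.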
- Keep everything updated
Your WordPress installation, your theme, your plugins. Each of them will get regular updates because the code changed, a vulnerability was found or a feature is being added. By keeping your website updated, it is less likely that your website has a known vulnerability that hackers can use.
- Use a security plugin
There are a lot of great plugins out there that help you improve the security of your website. They look for suspicious activity, block IP addresses that keep trying passwords really quickly and do a lot of other things to keep your site safe. Some of them also change the url of your login page or check for viruses on your website. I used iThemes Security (paid) for a long time but I use Wordfence (free and paid options) these days. Another good option is Sucuri (paid). I also have a system that checks a lot of stats for all my client websites and security is one of them.
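To show what "block IP addresses that keep trying passwords really quickly" means in practice, here is an added example (not taken from any of the plugins named above) that finds such addresses in a web server access log. The log lines are constructed, and the limit of 5 attempts per 60 seconds is an assumed threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines; the IP addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    # 8 login attempts within 14 seconds from one address
    [f'203.0.113.7 - - [01/May/2024:10:00:{s:02d} +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 4512' for s in range(0, 16, 2)]
    # 3 login attempts spread over 40 minutes from another address
    + [f'198.51.100.4 - - [01/May/2024:10:{m:02d}:00 +0000] '
       '"POST /wp-login.php HTTP/1.1" 302 0' for m in (5, 25, 45)]
    # Simply viewing the login page is not an attempt
    + ['198.51.100.4 - - [01/May/2024:10:46:00 +0000] '
       '"GET /wp-login.php HTTP/1.1" 200 4100']
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def login_posts(log_text):
    """Yield (ip, timestamp) for every POST to the WordPress login page."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path, _status = match.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            yield ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def ips_to_block(log_text, max_attempts=5, window=timedelta(seconds=60)):
    """Return the IPs with more than max_attempts login POSTs inside window."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = set()
    for ip, when in login_posts(log_text):
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:
            attempts.popleft()  # forget attempts older than the window
        if len(attempts) > max_attempts:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```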
- Keep backups
This might not really be a security feature, but I do think it is REALLY important. Always keep a few backups of your website so that if anything happens to your site, it can be rectified without needing to rebuild the whole website.
Please know that doing most of these (instead of all) will already radically lower your chances of getting hacked, but even doing all of them cannot stop it from happening completely.
To help my clients, I actually offer services to keep their websites secure. This means backing up their website, adding extra security measures and updating. If you want to know more, send me a message.