5 Ways to Secure Your WordPress Website

It feels like every week there’s another security breach in the news. It can cause panic, especially when we think website security has to be complicated. But protecting your WordPress website doesn’t have to be hard. WordPress security is easier than you think. In this post, we cover 5 ways to secure your WordPress website.

The Cost of Getting Hacked

Before we dive into the WordPress security tips, it’s helpful to remember the cost of getting hacked. Sometimes hearing about it over and over on the news can be overwhelming to the point of paralysis. You need to understand the potential danger, but then you need to act. Your site getting hacked can mean:

• Lost revenue during downtime.
• Paying the cost of getting your site cleaned.
• Lost time to inform customers about the breach.
• Potential blacklisting by Google.
• Loss of customer trust.

But the simple reality is that most hacks can be prevented with basic security measures.

1. Keep Your WordPress Software up to Date

Something as simple as updating your software can protect you. So don’t ignore those WordPress updates—updates are one of the most basic components of WordPress security. For example, the recent Equifax breach could have been prevented if they’d simply updated their software. For the Equifax breach, there was simply no excuse. Here’s a list of the currently known WordPress security vulnerabilities. [pullquote]Hackers know this stuff, so if you’re not running the latest versions of WordPress or any themes or plugins you have installed, you’re vulnerable. [/pullquote] There’s really no excuse for not updating WordPress. Perhaps the most common excuse is a fear that updates will break your site. Most commonly, updates break sites when they haven’t been updated in a long time. So if you just keep current with the updates, you’ll have little trouble. One of the easiest ways to remedy this issue is to enable automatic updates. Then WordPress will update itself. You can configure automatic WordPress updates or you can let our WordPress security plugin, iThemes Security Pro, do it. (Another benefit of iThemes Security Pro is that you can scan for other outdated versions of WordPress on your server—such as a forgotten test site—that might make you vulnerable.)

2. Use Strong Passwords

Another super simple thing you can do for good WordPress security is simply to use strong passwords. [pullquote]That means never reusing your passwords. You should not have the same password on multiple accounts. That’s a good way to get hacked.[/pullquote] iThemes Security Pro can offer some more help with WordPress password security by:

• Allowing you to force users to change their password.
• Forcing users to use strong passwords.
• Making passwords expire so they have to be updated.
• Not accepting compromised passwords.

Another way to make sure you’re using strong passwords is to use a password manager such as LastPass or 1Password. A password manager can make your life easier by generating and remembering random and secure passwords for you. There are also apps and browser extensions that make it safe and easy to autofill your passwords (so you don’t have to remember those long and secure passwords).

3. Use Two-Factor Authentication

Two-factor authentication is a system that requires two items to log in to your account: First is the usual username and password, but the second is a unique code that’s delivered via another format. The secondary code can be delivered via text, email, single-use codes, mobile apps or other formats. WordPress two-factor authentication a huge way to boost your WordPress security and it’s one of the best additions to iThemes Security Pro. The plugin also includes a two-factor onboarding section that explains how to use two-factor authentication and why it’s important. [pullquote]Whenever you can, you should turn on two-factor authentication.[/pullquote] It adds an extra step, but that layer of security protecting your accounts is worth it. Even some hardcore techies are overlooking the value of two-factor authentication, and weak passwords are to blame. Though be aware that two-factor is not foolproof. Using text messages for two-factor authentication has been shown to have Using text messages for two-factor authentication has been shown to have vulnerabilities.

4. Run Malware Scans

[pullquote]Sometimes your server can get infected with malicious software and you don’t even know it.[/pullquote] The answer is to run a malware scan. These scans can help ensure your WordPress site is safe and secure. There are a number of different services you can use, including Sucuri, Google Safe Browsing and Web Inspector. iThemes Security Pro automatically scans your site twice daily using Google Safe Browsing, providing a great WordPress malware scan.

5. Backup

The final way to ensure WordPress security is to backup your website. [pullquote]Backups ensure that if your site is ever compromised, you’ll be able to get it back.[/pullquote] A good WordPress backup plan includes:

• Scheduled backups that occur automatically.
• Scanning those backups for malware (an infected backup is no good).
• Storing your backups offsite.
• Practice restoring your site from a backup (just because you have a backup doesn’t mean you know how to use it).

BackupBuddy, our WordPress backup plugin, has long been our tool for backups—we created it out of necessity after losing our site and having no backup.

The Don’t Get Hacked Checklist: 5 Ways to Secure Your WordPress Website

Here’s a quick WordPress security checklist to make sure you’ve got everything covered:

• 1. I have a plan to keep my sites up to date.
• 2. I have a system in place to require the use of strong passwords.
• 3. I have required the use of two-factor authentication for privileged users.
• 4. I have implemented a malware scan schedule.
• 5. I have a backup plan in place.

More WordPress Security Tools

There are a number of helpful tools that can help keep your sites secure:

• iThemes Security Pro – This WordPress security plugin has all the features to lock your site down.
• iThemes Sync – This tool is an easy way to manage multiple WordPress sites up to date and current in one dashboard.
• BackupBuddy – The original WordPress backup plugin is still the best way to keep your site backed up.
• iThemes Hosting – We just rolled out a new WordPress hosting service that includes free SSL certificates as well as subscriptions to iThemes Security Pro, Sync Pro, and BackupBuddy.

Watch the Video: 5 Ways to Secure Your WordPress Website

Watch the video