There’s nothing more unwelcome than a hack or attack on your WordPress site. Why would a hacker target me – I’m a local plumber in a small city?! We know it’s frustrating and totally painful to be the target of an attack. So much so that we recently appointed Dandy as our full-time WordPress Administrator – responsible for scanning, upgrading, cleaning and securing our clients’ WordPress sites. Yep – full time! I spoke with Dandy and our Web Technical leader, Virson, about the top security tips they would have for small businesses who host their own WordPress site.
Side note: the guys got carried away and wanted to get into pro-tip territory, so I did my best to rein this back to an “essential” list! Here we go:
1. Avoid Default Usernames
Use a username other than “admin”, “administrator”, “webmaster” and the like. Those are the first logins that automated password-guessing tools try against every WordPress site they find, so a default name hands an attacker half of the credential pair for free. A mix of capital and lowercase letters and numbers is fine (something like SepticPlumbing12 or HyBriDh2O), but don’t use your email address as the username, and don’t treat the username as a secret: WordPress shows authors’ usernames on author archive pages and through its REST API, so an unusual name slows an attacker down rather than stopping them. The password (tip 2) and login rate limiting (tip 4) do the real work.
2. Pick a Strong Password
Choose a long password made of special characters, lowercase and capital letters and numbers, and never build it from personal information such as your birthdate, pet’s name or business name, because those are exactly what guessing tools try first. The goal is a password that cannot be guessed and that you use nowhere else. The easiest way is to let WordPress generate one: the password generator on your profile page in the WP Dashboard produces a long random password you can copy into a password manager. Keep it in that password manager rather than in a spreadsheet or on a sticky note, and change it immediately if you suspect it has leaked, or whenever someone who knew it leaves the business.
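Tips 1 and 2 together, as an added example that is not part of the original post: a small POSIX shell script that uses WP-CLI (the `wp` command, which must be installed on your host and run from the WordPress root) to find administrators with default names, create a replacement administrator with a generated password, move the old account’s posts across, and delete the old account. The new login and email passed on the command line are placeholders; the list of “default” names is this example’s own assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes WP-CLI ("wp") is
# installed and this is run from the WordPress root directory.
set -eu

# Logins that password-guessing tools try first. Compared case-insensitively
# because attackers try "Admin" as readily as "admin". The list is an
# assumption of this example, not an official WordPress list.
is_default_username() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    admin|administrator|webmaster|root|test|user) return 0 ;;
    *) return 1 ;;
  esac
}

# 24 random letters/digits from the kernel CSPRNG: about 140 bits of entropy,
# and no special characters that could be mangled when pasted into a shell.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Print every administrator whose login is on the default list.
find_default_admins() {
  wp user list --role=administrator --field=user_login | while read -r login; do
    if is_default_username "$login"; then printf '%s\n' "$login"; fi
  done
}

# $1 = old login, $2 = new login, $3 = email for the new account.
# Creates the new administrator, reassigns the old account's posts to it,
# then deletes the old account so the default name no longer exists.
replace_admin() {
  old=$1; new=$2; email=$3
  pass=$(gen_password)
  new_id=$(wp user create "$new" "$email" --role=administrator --user_pass="$pass" --porcelain)
  wp user delete "$old" --reassign="$new_id" --yes
  printf 'Created %s (id %s). Store this password in your password manager: %s\n' "$new" "$new_id" "$pass"
}

# Usage:  sh harden-login.sh audit
#         sh harden-login.sh replace admin SepticPlumbing12 owner@example.com
case "${1:-}" in
  audit)   find_default_admins ;;
  replace) replace_admin "$2" "$3" "$4" ;;
esac
```

Run `audit` first to see which accounts need attention; `replace` prints the generated password exactly once, so copy it into your password manager before closing the terminal.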
3. Use a Valid Email Address
Always use a valid, monitored administrator email address in WP Dashboard -> Settings -> General. WordPress sends notices about core, plugin and theme updates, password changes and new user registrations there, as do security plugins, and ignored notices are how a small problem becomes a big one. Remember that password-reset links for your admin account are also sent to this address: anyone who can read that mailbox can take over the site, so protect the mailbox with a strong password of its own.
4. Install and use Wordfence
There are many plugins that offer malware scanning and a web application firewall, BUT we’ve used and can recommend Wordfence. It scans your files for known malware, blocks repeated login attempts from the same address (the rate limiting that makes tips 1 and 2 effective), can refuse logins for usernames that don’t exist, and blocks addresses that probe for known vulnerable files. The free version receives new firewall rules and malware signatures after a delay; if you want to spend a little money, the paid version receives them as soon as they are published, so your protection keeps up with newly discovered threats rather than lagging behind them.
5. Avoid Using Too Many Plugins
It is best practice to keep the number of plugins small. WordPress is an awesome CMS platform with a huge library of free and open source plugins, but that is a double-edged sword: every plugin is code that runs with the same access to your site and database as WordPress itself, so a vulnerability in any one of them is a way in for an attacker, and each one is another thing that has to be kept updated. Deactivating a plugin is not enough, because its files stay on the server and can still be requested directly; delete anything you are not using. You can go years with lots of plugins and have no trouble, but this is about managing and minimizing your exposure.
6. Delete Unused Themes
Likewise, delete themes that are installed but not in use, for the same reason as #5: an unused theme is still code on your server. Keep one of the default “Twenty” themes alongside your active theme, since WordPress falls back to a default theme if the active one breaks.
7. Keep Software Updated
Update WordPress, your themes and your plugins as soon as updates are available. This is the single most effective item on the list, because most WordPress break-ins use plugin or theme vulnerabilities for which a fix had already been published. Turning on auto-updates for WordPress, themes and plugins is a great way to stay as safe as you can be, but you also need to ensure updates don’t cause other problems: we’ve seen occasions when upgrading a theme broke another element of the site or made it look wonky. So if you are updating, keep up your random checks that the website still works and looks right.
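Tips 5 to 7 as one script, added here as an example that is not part of the original post: it uses WP-CLI (assumed installed and run from the WordPress root) to delete every inactive plugin and every inactive theme except a fallback theme you name, then applies all updates and verifies the core files against WordPress’s published checksums. The CSV parsing is a separate function so it can be checked against sample output without a live site; the sample plugin names in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes WP-CLI ("wp") is
# installed and this is run from the WordPress root directory.
set -eu

# Read WP-CLI CSV output with columns "name,status" on stdin and print the
# names whose status is "inactive". Themes listed as "parent" (a parent of
# the active child theme) and plugins that are active are left untouched.
inactive_names() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# A deactivated plugin's files are still reachable on the web server, so
# delete the plugin rather than leaving it deactivated.
delete_inactive_plugins() {
  wp plugin list --fields=name,status --format=csv | inactive_names | while read -r name; do
    wp plugin delete "$name"
  done
}

# Delete inactive themes except $1, the default theme WordPress can fall
# back to if the active theme breaks (for example twentytwentyfour).
delete_inactive_themes() {
  keep=$1
  wp theme list --fields=name,status --format=csv | inactive_names | while read -r name; do
    if [ "$name" != "$keep" ]; then wp theme delete "$name"; fi
  done
}

# Update core, database schema, plugins and themes, then confirm no core
# file has been tampered with. Check the site in a browser afterwards.
update_everything() {
  wp core update
  wp core update-db
  wp plugin update --all
  wp theme update --all
  wp core verify-checksums
}

# Usage:  sh tidy-and-update.sh clean twentytwentyfour
#         sh tidy-and-update.sh update
case "${1:-}" in
  clean)  delete_inactive_plugins; delete_inactive_themes "${2:?name of the fallback theme to keep}" ;;
  update) update_everything ;;
esac
```

Run `clean` first and `update` second; if `wp core verify-checksums` reports a modified core file that you did not change, treat it as a possible compromise rather than a glitch.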
8. Install SSL (HTTPS)
Get a TLS certificate for your site (most people still call it SSL). Certificates are free from Let’s Encrypt and most hosts will install and renew one for you, so there is rarely anything to buy. Once it is in place your address starts with “https” rather than “http”, the browser stops marking the site as “Not secure”, and, more importantly, traffic between your visitors and your server is encrypted: your admin password and login session are no longer sent in the clear over whatever Wi-Fi you happen to be using. Make sure plain http addresses redirect to https so nobody lands on the unencrypted version. Be clear about what it does and doesn’t do, though: HTTPS protects your credentials and your visitors’ data in transit, but it does nothing about a vulnerable plugin, so it complements tips 1 to 7 rather than replacing them.
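Switching the site to https once the certificate is installed, added here as an example that is not part of the original post: WP-CLI (assumed installed and run from the WordPress root) updates the site’s two address settings, rewrites stored http links to the site, and sets WordPress’s FORCE_SSL_ADMIN constant so the login page and dashboard refuse to work over plain http. A separate check fetches the http address with curl and confirms it answers with a redirect to an https address. `example.com` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes WP-CLI ("wp") and
# curl are installed and this is run from the WordPress root directory.
set -eu

# Rewrite the scheme of a URL to https; https URLs pass through unchanged.
https_of() {
  printf '%s\n' "$1" | sed 's#^http://#https://#'
}

# Read HTTP response headers on stdin. Succeed only if the status is a
# redirect (301/302/307/308) AND the Location header is an https URL.
# A permanent redirect (301 or 308) is what you want in production.
is_https_redirect() {
  awk '
    toupper($1) ~ /^HTTP\// && $2 ~ /^30[1278]$/ { redirect = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { secure = 1 }
    END { exit !(redirect && secure) }'
}

# $1 = current http address of the site, e.g. http://example.com
enable_https() {
  site=$1
  wp option update home "$(https_of "$site")"
  wp option update siteurl "$(https_of "$site")"
  # Rewrite links to the old http address stored in posts and settings.
  # GUIDs are skipped because WordPress treats them as permanent identifiers.
  wp search-replace "$site" "$(https_of "$site")" --skip-columns=guid
  # Require TLS for wp-login.php and the dashboard (writes to wp-config.php).
  wp config set FORCE_SSL_ADMIN true --raw
}

# $1 = http address to test; succeeds only if it redirects to https.
verify_redirect() {
  curl -sI "$1" | tr -d '\r' | is_https_redirect
}

# Usage:  sh go-https.sh enable http://example.com
#         sh go-https.sh verify http://example.com && echo "redirect OK"
case "${1:-}" in
  enable) enable_https "${2:?site address, e.g. http://example.com}" ;;
  verify) verify_redirect "${2:?site address, e.g. http://example.com}" ;;
esac
```

The http-to-https redirect itself is configured on the web server (or by your host), not by WordPress; `verify` is there to prove it is actually in place after you or your host set it up.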
9. Take daily backups
This might sound complicated, but it’s good practice to take a backup of your site every day and keep at least a couple of weeks of them. A compromise is often not noticed the day it happens, so you want to be able to “wind back the clock” to a copy from before the site was tampered with and restore that. Store the copies somewhere other than the web server itself, because an attacker who gets into the site can delete anything kept alongside it, and try restoring one from time to time: a backup you have never restored is a guess. We’ve seen a bunch of services that make the scheduling and off-site storage easy, like ManageWP or iControlWP.
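A do-it-yourself version of the daily backup, added here as an example that is not part of the original post: WP-CLI (assumed installed and run from the WordPress root) exports the database, the script bundles it with wp-content and wp-config.php into a timestamped archive, and a pruning step keeps only the newest N archives. The backup directory and the 14-day retention are placeholders. Because wp-config.php holds your database password, the archive must be kept where only you can read it, and the printed path is meant to be handed to whatever copies it off the server.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes WP-CLI ("wp") and
# tar are installed and this is run from the WordPress root, where
# wp-content/ and wp-config.php live.
set -eu

# Delete all but the $2 newest archives in $1. Archive names begin with a
# YYYYMMDD-HHMMSS stamp, so sorting the names in reverse is newest-first.
prune_backups() {
  dir=$1; keep=$2
  ls -1 "$dir" | grep '\.tar\.gz$' | sort -r | tail -n +"$((keep + 1))" | while read -r f; do
    rm -f -- "$dir/$f"
  done
}

# Export the database and archive it with wp-content (themes, plugins,
# uploads) and wp-config.php. Prints the path of the archive it created.
make_backup() {
  dir=$1
  stamp=$(date +%Y%m%d-%H%M%S)
  work=$(mktemp -d)
  wp db export "$work/db.sql" --add-drop-table
  tar -czf "$dir/$stamp-site.tar.gz" -C "$work" db.sql -C "$PWD" wp-content wp-config.php
  rm -rf "$work"
  printf '%s\n' "$dir/$stamp-site.tar.gz"
}

# Usage (from cron, once a day):  sh backup-site.sh run /var/backups/wp 14
case "${1:-}" in
  run)
    dir=${2:?backup directory outside the web root}
    mkdir -p "$dir" && chmod 700 "$dir"
    make_backup "$dir"
    prune_backups "$dir" "${3:-14}"
    ;;
esac
```

To restore, unpack the archive into the WordPress root and import the dump with `wp db import db.sql`; doing this once on a test copy is the only way to know the backups actually work.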
So there you have it! A great checklist of things you can do to ensure your WordPress site is as secure as possible. We acknowledge that this is a lot, and it shouldn’t be taken as a daily list, but rather several factors to consider at setup, possible enhancements down the track, and then a couple of things to be mindful of month-to-month.
Got another essential WordPress security tip for a local business? Please share it in the comments!