If you are using a WordPress platform for building your website; web security should be taken care of if you work or own a site.
Why? Because we are all sitting targets.
Whether your site boasts millions of visitors or only a handful, bots and other malicious actors are hammering away. They’re attempting brute force attacks on logins, adding poisonous code to legitimate files and other assorted mayhem.
Not everything can be accounted for but we can definitely follow these simple to make your WordPress website more secure.
It is crucial to understand WordPress User Roles and Capabilities.
If you build sites for clients, it’s important to realize that not everyone needs the same level of access to the back end.
Administrator accounts help provide total control over settings and plugins. But if in the wrong hands they can be dangerous. It is very important to decide who will own the admin rights. Various user roles(Administrator, Editor, Author, Contributor & Subscriber) can be designated which accompanies its own capabilities.
For clients who don’t necessarily need to install plugins or touch other sensitive settings, an Editor account is perfect for them. With this they can manage content, while still being walled-off from potentially harmful items. Here, we’re not worried about our clients doing harmful things (although, an ignorant one could do some unintended damage).
Rather, it’s the possibility of that user’s account being compromised. If that were to happen, a lower user role won’t have the same impact as an administrator.
If the default roles don’t quite match up with your needs, you also have the option to create your own. This could be used to, for example, allow users access to only a specific post type. It allows for more fine-grain control of who can access what.
As an aside, it’s also a good idea to create separate user accounts for each person who needs to access the back end. This simplifies account maintenance, as you can just remove individual accounts as people come and go from the organization. Plus, the less you share your passwords, the better!
Install a Security Plugin
Sure, you may spend a ton of time online. But you can’t be there to watch over your website 24/7. Therefore, it makes sense to employ tools that will keep a look out on your behalf.
There are a number of security plugins that can handle the job. The free versions of Wordfence, iThemes Security or All In One WP Security & Firewall can offer huge benefits. They can do things like lock out IP addresses, stop brute force login attempts and scan your site for existing malware or security holes. Some will even email you when a problem is found or your install is outdated.
If you manage several websites, a security plugin offers a great way to stay on top of these issues. However, they’re also useful for those times when you hand off a site to your clients as well. Clients who aren’t very security-conscious will have that extra set of eyes that will keep them well-informed.
It’s worth mentioning that there are more plugins available than mentioned above. And each one has its own strengths. The one you choose should fit your basic security needs and refrain from slowing down your site too much. Performance is especially an issue on lower end hosting platforms and should be a consideration.
Of course, these plugins aren’t cure-alls for security. You still need to employ other best practices. But they are great at catching the low-hanging fruit that make up the majority of threats to your site.
Use Common Sense
Make sure you are using unique, hard-to-guess passwords. Please don’t take a easy road for your password since it’s well worth the effort. Here are a few examples:
Install an SSL Certificate
Having SSL enabled will encrypt user communications with your site (on the front and back ends). With web browsers now calling out sites that don’t use SSL, having a certificate is also darn-near mandatory to defend your reputation. And with many hosts offering either free or cheap options, you have zero excuse for not adding one.
Be Cautious with Plugins
Not all plugins are created equally. Before you install and activate one, be sure to do some research. Look at its release history, support forums and user reviews. You’ll get a better sense of how well-maintained it is and whether it’s worth using. And, look for installed plugins that haven’t been updated in a while. They could be a weak point in your security.
Not only should your entire WordPress install (including plugins and themes) be kept up-to-date, but your hosting environment should do the same. Ensure that you’re running a supported version of PHP and other required software. If you’re unsure, ask your host for more information.
Maintain Current Backups
We all cross our fingers and hope something bad doesn’t happen. But if it does, it’s much easier to restore a safe backup! You’ll especially want to have multiple current copies of your site’s database and the /wp-content/ folder.
Security threats are getting more numerous and complex. While WordPress itself is well-written and secure, it does have the biggest target on its back of any CMS. That means we need to remain alert and develop good habits.
It doesn’t need to be so difficult. The steps outlined above won’t take much time, but can literally make the difference between your website being hacked or not. That in itself is reason enough to put in the extra effort.