7 tips for better security on WordPress
Make your WordPress experience even more secure with these seven easy steps.
Nobody likes to get hacked — it’s like having your house broken into and your treasured possessions trashed. And just like a home break-in, every hack is different. Perhaps you don’t even notice it, but something’s going wrong in the background; or it could be that things just look a little off and you can’t work out why. Or maybe your site has been taken down completely, and all you can see when you visit is a black screen with the words “you’ve been hacked” flashing at you. (It’s pretty easy to see that you’ve been hacked when that happens.)
Being hacked isn’t fun, and it can also have negative long-term effects: obviously if you’ve got the black screen of death your visitors won’t be having a good experience of your site, but even small malware installs can disrupt user experience. Malware can impede your site performance by slowing down loading times, and it can destroy your SEO scores. If you store your visitors’ data in your system, hackers might access that information and send spam to your audience, which isn’t great for your reputation.
Right, so we’re agreed that being hacked is bad, right? Good. So what can you do about it? Start by doing all you can to improve your WordPress security and prevent being hacked in the first place.
Start with the basics. The number-one best thing you can do is to make sure you have a password for all your accounts (WordPress, hosting, domain registrar), and that you don’t use the same password for any of these. We’ve found 1Password to be invaluable for this, as it creates high-security passwords that you don’t have to remember! You just type in one password (hence the name) and you have access to all your login data. Plus, you can choose to make the passwords generated by the system longer or shorter, or adjust them to fit any special requirements a website might have — some require you to have at least one upper-case letter, for example, or to be exactly eight characters long. LastPass is another option for this.
If your username for WordPress is “admin”, change that as soon as possible! There are several ways to do this, but the easiest is to create a new user and delete the old one. Follow these instructions to change your WordPress username from “admin” to something more secure.
How to change your WordPress username from admin
1. Create a new user: log in to your WP dashboard and click users/add new.
2. Fill in the details for your new user and make sure to assign the role “administrator.” You’ll have to use a different email address than for your existing admin account.
3. Log out of WordPress and log in as the new administrator.
4. Go back to the users section, find the old admin account, and click the “delete” button under the name.
5. BE CAREFUL! When you go to delete the old account, WordPress will ask you what to do with the content attributed to that account. Click “attribute all content to” and assign it to the new user you just created. If you don’t do this, all the content will be deleted.
6. Click “confirm deletion”.
7. You’re all done. If you want to, you can now change the email address back to the one you used for your original admin account.
You almost certainly don’t want just anyone to be able to sign up for your site, so it’s worth checking that you don’t have this functionality turned on. In your WordPress dashboard, go to settings/general and look for the “membership:” section. If the box labelled “anyone can register” is checked, untick it.
Once a month, check your user list for anything unexpected. If you suddenly have a new user in your WordPress account that you haven’t authorised, it’s worth investigating further.
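One way to make the monthly user review repeatable, as an added example that is not code from the original post or from Performance Foundry: export the user list with WP-CLI (`wp user list --format=json`, which gives ID, user_login, user_email, user_registered and roles), read the registration setting with `wp option get users_can_register`, and compare against a baseline you saved after the last review. The script flags users that were not in the baseline, role changes (such as a contributor that has become an administrator), baseline users that have vanished, a login still named “admin”, and open registration. The user records and baseline below are constructed sample data, not real accounts.

```python
"""Monthly WordPress user audit (added example, not from the original post).

Assumes users are exported with `wp user list --format=json` and the
registration setting comes from `wp option get users_can_register`.
"""
import json
from typing import Dict, List, Set

# Constructed sample of `wp user list --format=json` output (not real users).
CURRENT_EXPORT = """[
  {"ID": 1, "user_login": "admin", "user_email": "owner@example.com",
   "user_registered": "2015-03-02 10:11:12", "roles": "administrator"},
  {"ID": 2, "user_login": "debra", "user_email": "debra@example.com",
   "user_registered": "2015-06-14 08:00:00", "roles": "editor"},
  {"ID": 3, "user_login": "guest_writer", "user_email": "guest@example.com",
   "user_registered": "2016-01-09 12:00:00", "roles": "administrator"},
  {"ID": 7, "user_login": "wp_support", "user_email": "mail@example.net",
   "user_registered": "2016-08-20 03:14:00", "roles": "administrator,editor"}
]"""

# Baseline saved after last month's review: login -> roles you approved.
BASELINE: Dict[str, Set[str]] = {
    "admin": {"administrator"},
    "debra": {"editor"},
    "guest_writer": {"contributor"},
}


def parse_roles(roles_field: str) -> Set[str]:
    """WP-CLI lists a user's roles as a comma-separated string."""
    return {r.strip() for r in roles_field.split(",") if r.strip()}


def audit_users(export_json: str, baseline: Dict[str, Set[str]],
                users_can_register: str = "0") -> List[str]:
    """Return findings worth a closer look; an empty list means all clear.

    Flags: users absent from the baseline, role changes, baseline users that
    have disappeared, a login still named "admin", and open registration.
    """
    findings: List[str] = []
    seen: Set[str] = set()
    for user in json.loads(export_json):
        login = user["user_login"]
        roles = parse_roles(user["roles"])
        seen.add(login)
        if login not in baseline:
            findings.append(
                f"NEW user '{login}' with roles {sorted(roles)}, registered "
                f"{user['user_registered']}, email {user['user_email']}")
        elif roles != baseline[login]:
            findings.append(
                f"ROLE CHANGE for '{login}': "
                f"{sorted(baseline[login])} -> {sorted(roles)}")
        if login == "admin":
            findings.append(
                "login 'admin' is still in use: replace it as described above")
    # Users you approved last month that no longer exist deserve a question too.
    for login in sorted(baseline.keys() - seen):
        findings.append(
            f"MISSING user '{login}' from baseline (deleted since last review?)")
    # users_can_register is "0" when "Anyone can register" is unticked.
    if users_can_register.strip() != "0":
        findings.append(
            "open registration: untick 'Anyone can register' in Settings > General")
    return findings


if __name__ == "__main__":
    for line in audit_users(CURRENT_EXPORT, BASELINE, users_can_register="1"):
        print(line)
```

Run it against this month's export, work through each finding, and then save the reviewed list as next month's baseline; a finding is a prompt to investigate, not proof of a break-in.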
Most WordPress security breaches and hacks are due to out-of-date plugins and themes, so it’s important to run updates as soon as they are available. Bear in mind that some of the updates will be fixing a problem that’s been around for a while, while others are solving brand-new issues that might have been caused by the previous update! Log in to your WordPress dashboard every day; you’ll get a notification there if there are any updates to run. For most bloggers, your best option is to go ahead and run that update straight away.
Debra Corbeil, award-winning travel blogger at The Planet D.
However, sometimes plugins and themes don’t play nicely together, and updating one item might cause another to act strangely. For example, you might notice some weird layout issues, or you might inadvertently end up sending an email to all the people who have commented on your blog. In the worst-case scenario, your site could crash altogether. If you’re seeing less than 10,000 visits a month, a few minutes’ downtime isn’t the end of the world, and you can fix the issue by rolling back to a previous version of your site. Which brings us on to the next point:
Your host should be backing up your site regularly, but it’s important to also have a backup that isn’t stored on the same server as your site — if something goes wrong with your server, all your data is gone. We recommend VaultPress, which costs around $5 per month for daily backups — not much for peace of mind.
If you’re seeing high traffic volumes or run an ecommerce site, you can use a staging site to see what will happen if you run the update. Basically, you make a copy of your site that isn’t live, run the update, and see what happens. If you want to know how to go about this, send us an email using the form below and we’ll let you know!
We’ve found that many performance issues are caused at a server level, so it’s worth investing in good hosting. If you’re just starting out, a budget hosting service might be the right choice for you, but as you grow you’ll want to invest in a better, stronger service (like Performance Foundry’s Managed WordPress Hosting).
A server is more secure if it’s running the most up-to-date version of its software; most run PHP and MySQL. Find out how up-to-date your host’s server software is by sending an email to the support desk or checking the FAQ. In August 2016, the latest version of PHP is 7.0.0 (the previous version was 5.5, for your reference). The latest version of MySQL is 5.7.14.
There are a whole bunch of technical fixes that can be done to strengthen your site and make it less vulnerable to hackers, but many of them require specialist knowledge or are specific to your site — a bit outside the scope of this article. However, the Sucuri Scanner plugin will go part of the way to making your site more secure than ever. We don’t recommend you leave it running, as it will eat your resources, so run it, then disable it.
There are hundreds more ways you can improve your WordPress security and protect your blog from hackers, but these seven tips are a great place to start!
If you’re a blogger and need some help, we’re here for you. We love seeing small businesses succeed online, and we created our managed WordPress hosting and maintenance package to make things easier for small business owners and bloggers — check it out to see if it’s for you. If you’ve been hacked and want your site to run well again, we can remove the malware and strengthen your security using our Malware Removal Package.