Would you like to know how to make your WordPress website security more effective?
BUT…at the back of your mind…you worry about how secure your website is against unwanted visitors.
Here at SuperSecretary, part of my job is to ensure that clients’ websites are better protected.
Read my top 5 tips on keeping your website safe and secure:
1. Install A Reputable Security Plugin
There are some excellent security plugins available for your WordPress website, for example, WordFence or Sucuri. Check out 15 Best WordPress Security Plugins by WebLoggerz – this will help you choose the best option for your site. NB: I have recently switched from WordFence to iThemes Security as it gives you much more protection. See below for my iThemes overview.
2. Change Your WordPress Login Username from “admin” – Essential!!
Many of you still have the default WordPress login username “admin”, which makes it very easy for hackers to attack your site: they already know half of your login and only need to guess the password.
Here’s how to fix that by adding a new user:
- Access “Users” in your Dashboard
- Add New User
- Create a strong username that is NOTHING to do with the name of your website or your own name
- Create a strong password – use Strong Password Generator – take a screenshot of the new password using “Print Screen” on your keyboard and/or take a picture with your phone camera – close down SPGen web page
- Enter your new super strong password – click on “Show Password” and check it matches!
- Add in an email address that your “Password Reset” notifications will be sent to
- You MUST select “Role” as “Administrator” from the pull-down menu options
- Click on “Add New User” button
- Logout from your WordPress Dashboard and login with your NEW username and password to ensure it works
- Select “Users – All Users” option and tick the “admin” checkbox
- Delete the admin account
- Huzzah! *give yourself a congratulatory pat on the back*
PS: It’s really important that you understand WordPress Users & Roles – only you (and your web developer) should ever be Administrators. For example: if you work with a Virtual Assistant and do not want them to be able to update your plugins, themes etc, set their User Role to Editor. They can write and publish blog posts for you but not mess with your website.
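The checks from this tip and the PS on roles, as an added example that is not part of the original post: a small Python audit over a user export. It assumes you can run WP-CLI (`wp user list --fields=user_login,roles --format=csv`), which the post does not mention; the sample export, the owner name and the approved Administrator list are constructed.

```python
import csv
import io

# Constructed sample of `wp user list --fields=user_login,roles --format=csv`
# output (WP-CLI is an assumption; the post itself only uses the Dashboard).
SAMPLE_EXPORT = '''user_login,roles
admin,administrator
supersec,administrator
k7-quartz-heron,administrator
va-helper,editor
guest-writer,"author,administrator"
'''

def audit_users(export_csv, site_name, owner_names=(), allowed_admins=()):
    """Return a list of (user_login, finding) for the checks in tip 2."""
    findings = []
    # Words an attacker would guess first: the site name and the owner's names.
    guessable = [w.lower() for w in (site_name, *owner_names) if w]
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        # A user can hold several roles; WP-CLI joins them with commas.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        low = login.lower()
        if low == "admin":
            findings.append((login, "default 'admin' username still exists"))
        elif any(w in low or (len(low) >= 4 and low in w) for w in guessable):
            findings.append((login, "username is related to site or owner name"))
        if "administrator" in roles and login not in allowed_admins:
            findings.append((login, "Administrator role not on the approved list"))
    return findings

if __name__ == "__main__":
    for login, finding in audit_users(
        SAMPLE_EXPORT,
        site_name="supersecretary",
        owner_names=("jane",),                 # hypothetical owner name
        allowed_admins=("k7-quartz-heron",),   # hypothetical approved admin
    ):
        print(f"{login}: {finding}")
```

Anything it prints is an account to rename, demote to Editor, or delete from “Users – All Users”.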
3. Using iThemes Security Plugin
I have been a fan of WordFence security plugin for a while now but have discovered iThemes Security and really like it. It’s jam-packed with security features and they take you through everything via their Settings Dashboard so you don’t miss any vulnerabilities.
Here are just some of the things it offers:
- Sort out security issues into High, Medium & Low – you work through each “Fix” as you need
- Change your default WordPress website login URL – this is really useful as most hackers know that the default URL is http://yoursitename.co.uk/wp-login.php – leaving you open to attacks
- Away Mode – not making changes to your site 24 hours a day? Make the admin area inaccessible during specific hours so no one else can sneak in
- Protect common WordPress files from access
- Login page does not give out unnecessary information upon failed login
- Site is protected against bots looking for known vulnerabilities
- Site will detect changes to your files
- Block known bad hosts and agents with the ban users tool
iThemes Security plugin only works with the most recent version of WordPress – ensure your site is checked regularly for updates.
NB: if your website has a large database, please refer to iThemes Security to ensure some of the configuration settings won’t break your site.
4. Ensure WordPress & Plugins Are Up To Date
The bods at WordPress take security very seriously. After all, millions of businesses rely heavily on WordPress as the platform of choice for their websites. When WordPress issue a new version, they recommend you update as soon as possible.
If WordPress have issued a new version, it will be to add a security patch or “bug fixes”. There may be some initial plugin incompatibility but developers are very quick to bring their plugin back up to speed so your site shouldn’t be affected for too long. Deactivate plugins if necessary.
5. Use A Third Party Website Back-Up System
It goes without saying that your website should be backed up on a regular basis. I use Updraft Plus Backups and my website is backed up to my Dropbox account. There are other Cloud storage options available. The configuration isn’t the most obvious for beginners but use the “Take The Tour” option and you’ll be OK.
If you have some really useful WordPress website security tips to share with our readers, please do let us know!