It’s every website owner’s nightmare – you pull up your site in a browser and see something you didn’t create. Or you log into your WordPress admin and see a bunch of plugins you didn’t install. Worse yet, you try and log in to your admin and find out someone has changed the login ID and password.
What do you do? How did this happen?
Chances are, this happened not because of something you did…but because of something you didn’t do.
The Big Picture
Website security is difficult to manage because your site is composed of so many moving parts. For the purposes of this article, we’re going to focus on WordPress because it’s what so many agents and agencies use. In a WordPress site, you have the basic WordPress software, your theme, plugins, and any customizations you’ve made to those themes or plugins. One change to any piece of code may stop one or more of these things from working together the way you expect. Once you’ve got your site working the way you want, it’s tempting to say, “I’m not changing a thing. It works the way it is.”
But new security vulnerabilities are being discovered all the time. If you skip a plugin update because you’re afraid it will break another part of your site, you’re leaving yourself vulnerable to a security breach. Whether your site uses WordPress or you paid a developer to build it by hand, you need to create a plan for maintenance, security, and updates.
The Basics of WordPress Website Security
WordPress security begins with your username and password. Hackers know the default login ID is “admin.” If you’re logging in with “admin,” you’re giving the hackers a head start. Create a new login ID that isn’t immediately obvious – and delete the “admin” username. Also, be sure any site contributors have only the permissions they need. An assistant posting to your blog might not need full admin access, for example. If that user’s ID and password are hacked, don’t make it easy for the hacker by allowing admin-level access to all users.
TIP: Include your email address on your site? Don’t use the part of your email address before the @ sign as your login ID. For example, if your site is John’s Insurance Agency and you publicly post your email as "[email protected]," don’t use “john” or “John” as your login ID. Hackers can run scripts that browse your pages looking for easy clues like this.
It should go without saying, but we’re gonna say it anyway: use a ridiculously strong password. We’re not kidding when we say ridiculous. Don’t write it down or save it in your browser, either. You have to memorize it or use a program like LastPass to store it. Here are a couple of great resources to help you select a strong password:
- Password Generator. Set your criteria (length, symbols, similar characters, etc.) and let this tool auto-generate a strong password for you.
- How Secure Is My Password? Type a password and see how long it would take a hacker to crack it.
Tip #1: Stay on Top of Updates
Many agents and agencies run their websites through WordPress. Unfortunately, it’s really easy for security to fall through the cracks, especially if you hire freelancers to handle things like web design, customization, content, or optimization. These folks are not necessarily knowledgeable about security. Do not assume they are handling security for you just because they designed your site or posted content or implemented code for a quoter widget. It’s your responsibility to have a clear plan for who handles security, what security measures you plan to take, how often those procedures should be reviewed, and what to do in case you’re hacked.
Let’s go over a few basic steps to make your WordPress website more secure.
Keep WordPress updated. WordPress ships with automatic updates for maintenance and security since October of 2013 (these are called “minor core updates”). These aren’t the only updates available, however. Major core updates are not automated by default, and neither are theme or plugin updates. How do you know you have a major core update available? Log into your WordPress dashboard. If you see a notice that says, “WordPress X.X.X is available! Please update now,” you have an update waiting for you. Installing it is as easy as clicking.
Use a child theme. In WordPress, your theme controls the look and feel of your site, from fonts to colors to footers and widgets. Even with very little coding or CSS knowledge, it’s possible to make customizations to a theme. Some themes even include “customizers” that make this easy; others require you to add a few lines of code to your site’s CSS. Sounds good, right?
Customizations overwrite the existing code of your theme. Your site will display the way you want…until your theme provider sends out an update. If you install that update, the theme provider’s fresh code will overwrite your customizations. Now you’re back to square one – unless you use a child theme.
A child theme is a way to keep your customizations separate so you can update that theme without losing all your hard work. Essentially, you’re creating a new theme that tells WordPress to layer all your customizations over an already existing theme. We’re not going to explain the ins and outs of creating a child theme in this post, but you can find easy step-by-step tutorials online. If you’re hiring a designer, make sure you require they use a child theme if they plan to customize your site’s theme.
Keep your themes updated. Okay, so you’ve updated WordPress and created a child theme. Now you’re free to update any themes you have installed. WordPress comes with a default theme, one new theme each year (Twenty Fourteen, Twenty Fifteen, Twenty Sixteen, etc.). These need to be updated just like any themes you purchase from vendors. You need to be sure to update all installed themes, not just the theme you’re using. You can view and update all your themes in the Appearance / Themes section. Updating is as easy as clicking. Any themes with available updates will display like this:
It’s a good idea to delete themes you’re not using, in case there are code vulnerabilities you don’t find out about in time. Always keep one default theme installed, though – it’s handy for troubleshooting theme or plugin compatibility issues. In almost all troubleshooting scenarios, you or your developer will want to deactivate all plugins, activate the default WordPress theme, and then reactivate plugins one by one to find out which one is causing problems. If all the plugins work with the default theme, re-activate your chosen theme and then each plugin, one by one, to isolate the troublemaker.
Keep your plugins updated. This is one of the most important steps in protecting your WordPress site. That huge hack on the Panamanian law firm? It was most likely because of an outdated version of a WordPress plugin called Revolution Slider. Plugins are fantastic tools, but they’re also a security risk.
WordPress makes it easy to know when one of your plugins needs an update.
- Update Icon. The update icon shows you the total number of theme and plugin updates you have available. Click to be taken to the update screen. It’s a good idea to hover your mouse over this icon, too – sometimes the tooltip that pops up will tell you there’s an update even if this number displays as “0.”
- Dashboard Menu. If you click “Dashboard” from your left-hand menu, you’ll see an option for “Updates.” Your total number of available updates will be displayed beside it. (image)
- Plugins Menu. If you click “Plugins” from your left-hand menu, you’ll see a list of plugins currently installed on your site. Even inactive plugins will be displayed; these need to be kept updated, too. Any plugins with an available update will have a message like the one shown below:
Tip #2: Make Regular Backups
If your site is hacked, you’ll need to re-install WordPress, your theme, and your database. You can re-download a fresh install of WordPress, as well as your theme, but your database is a bit trickier. To do this, you’ll need to make sure you create regular backups of your site and store them in a safe place. Your web host can often do this for you—check with them about how to set up a regular backup, as well as how to access it. Good web hosts have automated systems that run backups for you on a schedule, as well as email you when they’re complete. That’s not always enough, though—after all, what if your host is hacked? What if their backup is lost, deleted, or otherwise compromised?
It’s a good idea to install a plugin that will create another backup. One advantage of using a plugin is the file storage location. Your web host’s backup will remain on their servers. A good backup plugin can put your backup in the cloud via Google Drive, OneNote, or Dropbox. Here a few highly rated backup plugins:
- VaultPress—prices starting at $55/year
- BackupBuddy—prices starting at $80/year
- BackWPUp—basic backups are free; upgrade for additional features
- UpdraftPlus—basic backups are free; upgrade for additional features
Tip #3: Enhance Security with a Plugin
Okay, so we warned you that plugins can pose a security risk to your site. However, one of the best defense methods against hackers is a security plugin that can limit access or your site and tell you when something’s going wrong.
There are a number of free plugins that provide basic security features, with stronger protection available for a fee. For many folks, the basic protection is sufficient; however, it may be worth the investment (often less than three figures a year) to amp up your site’s protection.
Here are the kinds of things a security plugin can do for you:
- Alert you when someone logs into your WordPress Admin
- Block IPs that attempt to log into your site with repeated incorrect logins
- Provide reports on suspicious activity, including core file changes
Here are some of the most highly rated security plugins for WordPress:
- Sucuri Site Check – will scan your site for malware, spam injections, and more for free
- Sucuri Security—basic service is free
- iThemes Security—basic service is free; upgrade for additional features
- Wordfence—basic service is free; upgrade for additional features
Tip #4: Enhance Security with a Few Code Tweaks
Roll up your sleeves for this one—you or your developer will need to make a few manual code changes to your site’s files. Before you make any of these changes, be sure you have a full backup, just in case. As with any change to WordPress core files, there’s a chance something in your theme or plugins might conflict and bring down your site until you can resolve the conflict. It’s a good idea to run through standard procedures for site testing and recovery if you get the dreaded WordPress White Screen of Death.
Modify your .htaccess file. This file sets rules for who is allowed to access certain file types on your site. There are two changes you can make to this file that keep web traffic from tunneling into your core WordPress files and adding malicious code.
- Change #1: Block web access to your wp-includes folder. If someone tries to hack into your wp-includes folder, this code change will redirect them to the home page of your site. The image below shows you the code – you can copy it directly from this page in the WordPress codex. Add this code above the line that reads # BEGIN WordPress, as shown below:
- Change #2: Block web access to your wp-config file. If someone were to hack into your wp-config file, they could get access to your database username, password, and table prefix. The image below shows you the code – you can copy it directly from this page in the WordPress codex. Add this code under the code you inserted to make Change #1 above:
Lather, Rinse, Repeat
Phew! You made it—your site is now more secure than before. Be sure you stay on top of your updates, check on your backups to make sure they’re actually complete, and monitor any users who have admin permissions. If you plan on having people handle this for you, be sure they know it’s their responsibility to log in daily and check for updates.