Introduction
Maintaining your WordPress website’s security for the benefit of your customers and for your business is just one of those ongoing tasks that’s never really ‘done’. Things change, certain security measures can fall out of date, and new platform vulnerabilities can develop or be discovered. The more regularly you can review your site’s security practises, the better.
Re-evaluate your online passwords
Sometimes the simpler things are the most effective – like making sure that you’re using a strong, unique password for your WordPress site, which you change regularly. Don’t use the same two or three passwords across all your sites, and don’t rely on combinations of words and dates that might be easy to guess! If you don’t already, now’s the time to start using a password manager like KeePass or LastPass to generate strong, random passwords and store them safely. According to Torquemag 47% of people use passwords that are 5 years old, while 21% use passwords that are 10 years old. Lock down your passwords, change them regularly, and don’t be one of those people!
Lock admin access to your IP address
The default Wordpress admin URL is one of the most common locations for hacking attempts, so if only you can access it, you are protecting yourself from a lot of unwanted attention. If you have a static IP you can lock your admin to only be accessible from your IP.
Update your WordPress version
Just 22% of WordPress sites are up to date, according to Torquemag. Updating your WordPress site to the latest version of the platform will provide patches against previous vulnerabilities, as well as security enhancements and new features. It’s an easy, effective way to keep your site more secure, and WordPress version 3.7 onwards updates automatically for new security features (just keep your WordPress version itself up to date.) Remember too that your plugins, themes and core files will have their own updates too, which you’ll need to apply yourself through your site’s admin
Listen out at online communities
With over 46 million downloads of WordPress, there’s a massive community around the platform. Often just keeping your ear to the ground can be one of the best ways of staying secure, so it pays to be involved in community forums to know what’s going on with the platform. You’ll be up to date with any vulnerabilities when they’re found; you’ll find forum discussions on what’s being done about threats and where to find the latest patches… and best of all you can get to know your platform more in-depth, which may even benefit your WordPress site overall.
Disable WordPress trackbacks
Trackbacks are a WordPress feature that let you know when other webpages have linked to content on your site, and they’ll appear as notifications in your comment moderation panel. Not a threat themselves, but they can also be used by third parties to hack your site – so while they sound handy, it’s probably better in the long run to lock this back door on your WordPress site.
To disable trackbacks: Please note that this will disable trackbacks for your future WordPress posts, but not existing ones. To do this you’ll need to enter the following query in your WordPress site’s SQL, or ask your site’s developer to do this for you:
- Click Settings in your WordPress control panel
- Go to Discussion
- Find Default article settings
- Untick ’Allow link notifications from other blogs’.
- Don’t forget to save your new settings!
Please note that this will disable trackbacks for your future WordPress posts, but not existing ones. To do this you’ll need to run the following queries on your WordPress site’s database, or ask your site’s developer to do this for you:
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';Install WordFence – do it now!
One of the best WordPress security plugins you can install is Wordfence. It provides your website with protection against both malware and hack attempts, it’s free to download, and with 710,000 sites using it, it’s the most popular WordPress security plugin available (so download it now!). It secures multiple WordPress sites, firewalls your site against third-party scans and false Googlebots, scans your WordPress site/s for a wide range of threats (including the Heartbleed vulnerability) and blocks against whole networks that are found to be malicious. You also have the option to sign in via your mobile phone, giving you an extra layer of security too.
Set up two-factor authentication for admins
As its name suggests, two-factor authentication doubles up your site’s steps to access. Authentication extensions like the Clef and Duo plugins are an easy way to establish secure access for your WordPress site admins by using email or mobile verification to confirm their identity. You’re bound to have run across similar signup procedures yourself when creating sign-ins for a variety of websites. A little annoying sometimes to have to go to your email inbox just to click a link to confirm you are who you say you are, but at least you know the sites you use are taking your security seriously and add that extra layer to keep you safe. Shouldn’t you do the same when it comes to admins accessing your WordPress site?
So there you go – our top recommendations to help keep your WordPress site secure. Remember that there’s never a 100% guarantee of immunity from attacks online, but the more security measures you implement, the greater your chances of keeping your website safe.