5 Tips for Securing Your WordPress Website
Use a Security Plugin
WordFence and All In One WordPress Security are two of the most popular plugins out there — because they work. Plugins like this will help guide you through the changes you need to make to keep your WordPress website secure. They work by modifying the .htaccess file on your server, helping you easily block bots and IP addresses attacking your site. They also provide assistance in changing some common WordPress URLs and installation settings as well as securing common WordPress files (such as wp-config.php). Just be careful when using these, because it is possible to lock yourself out of your own site — trust us, we’ve seen it happen.
Change the Admin Username
Seriously, change the administrator username to something other than “admin”. Since the WordPress default installation uses “admin” as the administrator username, that is the first username bots and hackers try. Of the 18,000 failed login attempts above, more than half tried admin or some variation (e.g. adm or domainadmin). Do not use a significant part of your domain name either. For example, if your domain is mycompany.com, do not use “mycompany” as your username. That was the second most used username in the failed login attempts. Others to stay away from include the full domain name, “Webmaster”, “Webadmin” or other similar usernames.
While you are changing the admin username, make sure there is a “real” name attached to the user. When a post or page is published, the author is often public. If you do not set a first and/or last name for the user, WordPress defaults to the login username. The bots then pick up that username and attempt to get in. Secondly, be careful with the usernames themselves. For example, when “Jane Smith” posts, bots will try “Jane”, “JSmith”, “Smith” and other combinations to log in to her account.
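The username rules above can be checked mechanically. The following is an added example, not code from the original article or from WordPress: the function names, reason codes and sample accounts are assumptions made for illustration, and the domain is assumed to be given as a bare name such as mycompany.com.

```python
# Added example: audits logins against the guessable patterns described above.
# All accounts below are constructed sample data, not taken from a real site.
COMMON_LOGINS = {"admin", "adm", "webmaster", "webadmin"}  # names the article lists


def name_guesses(first, last):
    """Logins a bot can derive from a public author name such as Jane Smith."""
    f, l = first.strip().lower(), last.strip().lower()
    guesses = {g for g in (f, l) if g}
    if f and l:
        guesses |= {f[0] + l, f + l, f + "." + l, f + l[0]}
    return guesses


def audit_user(login, first, last, domain):
    """Return reason codes explaining why a login is easy to guess."""
    low, dom = login.lower(), domain.lower()
    label = dom.split(".")[0]  # "mycompany" from "mycompany.com"
    reasons = []
    if low in COMMON_LOGINS or "admin" in low:
        reasons.append("admin-style")       # admin, adm, domainadmin, ...
    if low == dom or (len(label) >= 3 and label in low):
        reasons.append("domain-based")      # built from the site's domain
    if not (first.strip() or last.strip()):
        reasons.append("no-real-name")      # author display falls back to login
    elif low in name_guesses(first, last):
        reasons.append("from-author-name")  # Jane Smith -> jane, jsmith, smith
    return reasons


# (login, first name, last name) -- constructed sample accounts
SAMPLE_USERS = [
    ("admin", "", ""),
    ("mycompany", "Site", "Owner"),
    ("JSmith", "Jane", "Smith"),
    ("q7hazel-ledger", "Jane", "Smith"),
]


def audit_all(users, domain):
    """Map each login to its list of reason codes (empty list = no finding)."""
    return {login: audit_user(login, first, last, domain)
            for login, first, last in users}


if __name__ == "__main__":
    for login, reasons in audit_all(SAMPLE_USERS, "mycompany.com").items():
        print(f"{login:16} {', '.join(reasons) or 'ok'}")
```

An empty list means none of the article's patterns matched; it does not mean the login is unguessable by other means.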
Change the WordPress Database Table Prefix
When WordPress is installed, it puts “wp_” in front of all its database tables. This is to help you identify which tables belong to WordPress if you are using the database for more than one application. Change “wp_” to something else. Ideally, you would use more characters and a mix of letters and numbers.
While you are checking on your database, make sure the database name, username, and password are secure. cPanel accounts default database names to your account username followed by an underscore and then a name you choose. Pick something nonsensical for that name — make it a string of characters that would not appear in a dictionary. The same is true for your usernames and passwords. Passwords for databases should be at least 12 characters long with a mix of uppercase, lowercase, numbers, and special characters.
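A quick way to check an existing installation against these two paragraphs is to read the settings out of wp-config.php. This is an added example, not part of the original article or of WordPress: the function name and both sample files are constructed, and the parser assumes simple quoted values with no escaped quotes.

```python
# Added example: checks the table prefix and database password in wp-config.php
# against the advice above. Both sample configs are constructed for illustration.
import re

# define( 'NAME', 'value' ) with either quote style (no escaped quotes handled)
DEFINE_RE = re.compile(r"define\(\s*(['\"])(\w+)\1\s*,\s*(['\"])(.*?)\3\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*(['\"])(.*?)\1\s*;")

PASSWORD_RULES = [
    (r"[A-Z]", "DB_PASSWORD has no uppercase letter"),
    (r"[a-z]", "DB_PASSWORD has no lowercase letter"),
    (r"[0-9]", "DB_PASSWORD has no number"),
    (r"[^A-Za-z0-9]", "DB_PASSWORD has no special character"),
]


def audit_wp_config(text):
    """Return findings for the table prefix and the database password."""
    findings = []
    constants = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}
    match = PREFIX_RE.search(text)
    prefix = match.group(2) if match else None
    if prefix is None:
        findings.append("$table_prefix not found")
    elif prefix == "wp_":
        findings.append("table prefix is still the default wp_")
    elif not (re.search(r"[A-Za-z]", prefix) and re.search(r"[0-9]", prefix)):
        findings.append("table prefix does not mix letters and numbers")
    password = constants.get("DB_PASSWORD")
    if password is None:
        findings.append("DB_PASSWORD not found")
    else:
        if len(password) < 12:
            findings.append("DB_PASSWORD is shorter than 12 characters")
        findings += [msg for pattern, msg in PASSWORD_RULES
                     if not re.search(pattern, password)]
    return findings


WEAK = """<?php
define( 'DB_PASSWORD', 'summer2017' );
$table_prefix = 'wp_';
"""
HARDENED = """<?php
define( 'DB_PASSWORD', 'example-Only_9vT!x2Lq' );
$table_prefix = 'x7k2m9q_';
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_wp_config(cfg) or "ok")
```

Changing `$table_prefix` on a live site also requires renaming the existing tables, so take a backup before acting on a finding.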
Keep WordPress and Plugins Updated
Always make sure you have the current version of WordPress and your plugins running. Also make sure all your plugins come from reputable sources and are listed in the WordPress plugin repository. Do NOT download a “free” version of a premium plugin you find somewhere. There is no way to verify the integrity of that plugin and you are hurting the people who have put hundreds of hours into developing and supporting something that is making your life easier.
WordPress is excellent at releasing patches to fix bugs and secure vulnerabilities. You can turn on automatic updates, which will automatically update your installation for the smaller releases (e.g. 4.7.1 to 4.7.2). For the bigger releases, you will need to update WordPress yourself, which is as easy as clicking a button. ALWAYS make sure you have a backup of your site files and database before starting an update process.
Backup Your Site Regularly
Speaking of backups…your hosting provider should be able to provide backups for you – some will charge an extra fee. Your hosting provider should also be storing offsite backups – ask if they do. You can also use plugins such as JetPack and Updraft Plus. They provide backups right from your Dashboard. Premium versions will allow automatic scheduling and some offer automatic backups to the cloud. Having a clean version of your database and files is important in case your site is compromised.
WordPress is a great and popular platform for building websites — because of that, hackers try to take advantage of the uninformed. Keeping your site secure is easy, but takes a little vigilance on your part to make it happen. If you have ANY questions about how to secure a WordPress website, find a reputable web development firm with WordPress experience. For a small fee, they will be happy to review your security settings and provide recommendations.