8 easy ways to protect your website from hackers
It’s not just Yahoo and Sony that face hacking. Your online business needs certain measures in place to mitigate hacker and robot attacks, too.
You would think that if you only run a personal blog or tiny eCommerce shop, no one should want to mess with it, right? Not necessarily. Hackers go after websites for three main reasons:
- They want to use your site to send spam email.
- They want to steal access to your data, mailing list, credit card information, etc.
- They want to use your site to push malware onto your users’ machines, or onto your own machine.
Malware, or malicious software, can be installed in a way that makes it very hard to tell it’s even there. Great for the hackers, not so great for your site. Hackers will often do this to use your machine in larger scale attacks, such as a Denial of Service attack.
Here are eight easy steps you can take to secure your WordPress website. These are usually very quick to implement by yourself or a trusted helper, and should not take more than an hour or two total in most cases. Don’t put your online presence at unnecessary risk by not doing the easy steps on this list.
1. Always use strong passwords.
It seems obvious, but many WordPress users overlook this vital security measure. If your WordPress password is short, if it’s a readable word or phrase, if you reuse it on multiple sites, or if somebody who knows you well could potentially guess it, then chances are it should be stronger.
2. Install a security plugin like iThemes Security or Wordfence.
Many of the most important features of these plugins are free, and they will close off some of the most common entry points used by attackers. I recommend iThemes Security based on its available features and how little upkeep it requires, but Wordfence works really well, too.
When you visit the iThemes settings page for the first time, the plugin will ask for your permission to set some very simple defaults. With just 2 or 3 clicks, you’ve got a basic level of protection for your WordPress site.
3. Make backups of your website regularly.
The frequency of your site backups is entirely up to you. However, we recommend creating either weekly or monthly WordPress backups, depending on:
- How busy your site is or how often you change content, and
- How often you update your WordPress installation version, theme version, and plugins.
There are several free and premium solutions available, but you’ll want to make sure you have a backup program that backs up BOTH your actual website files like the core installation, any plugins, and any pictures or graphics you have uploaded AND your database.
If you back up all your files and forget to do the same for your database, every setting you’ve ever customized and every word of text you’ve written will be missing from the backup. I recommend either the UpdraftPlus or the WordPress Duplicator plugin to get a complete snapshot of both components, whether you wish to restore your entire website after a catastrophe or move hosts completely.
These plugins save your backup in a folder on your host by default, but DON’T leave them there: they take up space on your hosting server, and a backup stored on the same server is exposed to the same hacking and technical problems as the site itself. Instead, save your backups directly to your Google Drive, Dropbox, etc.
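As an added example that is not from the article or from either plugin, here is the same two-part backup (database dump plus site files) done by hand in a shell script, with the archive copied off the host and then deleted locally. It assumes mysqldump, tar and rclone are installed, and that `gdrive` is the name you gave your Google Drive (or Dropbox) remote when configuring rclone.

```shell
#!/bin/sh
# Added example: back up a WordPress site's files AND its database into one
# dated archive, copy it off-host, and remove the local copy.
set -eu

# Read the value of define('KEY', 'value') from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Build the archive. $1 = WordPress root, $2 = directory for the archive.
# Prints the archive path.
wp_backup() {
    wp_root=$1; out_dir=$2
    cfg="$wp_root/wp-config.php"
    db_name=$(wp_config_get "$cfg" DB_NAME)
    db_user=$(wp_config_get "$cfg" DB_USER)
    db_pass=$(wp_config_get "$cfg" DB_PASSWORD)
    db_host=$(wp_config_get "$cfg" DB_HOST)
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$out_dir/wp-backup-$stamp.tar.gz"
    work=$(mktemp -d)
    # Database: posts, users, options and every customized setting live here.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction \
        -h "$db_host" -u "$db_user" "$db_name" > "$work/db.sql"
    # Files: core installation, plugins, themes and uploads.
    tar -czf "$archive" -C "$work" db.sql -C "$wp_root" .
    rm -rf "$work"
    echo "$archive"
}

# Copy the archive to the off-host remote and delete it from the server.
# $1 = archive path; 'gdrive' is an assumed rclone remote name.
wp_backup_offsite() {
    rclone copy "$1" "gdrive:wp-backups/"
    rm -f "$1"
}

# Usage (run from cron):  wp_backup_offsite "$(wp_backup /var/www/html /tmp)"
```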
4. Keep your WordPress, themes and plugins updated.
Plugins and themes can occasionally have security vulnerabilities, which are patched by the developer as soon as they’re discovered. It’s important to update regularly because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities.
When installing new plugins, be sure to check if they have any known and unfixed issues. You don’t have to give up on a plugin that has a history of vulnerabilities, but it’s definitely something to note when comparing options.
If you’re not also updating your themes and plugins regularly, you risk leaving your site exposed to these vulnerabilities. Plus, updates often patch other bugs and enhance usability, so it’s a win all around! Just be sure to back up your website and database before updating!
5. Uninstall inactive plugins and themes.
Even deactivated plugins and themes can have vulnerabilities, and for that matter, can still take up your server’s resources. It’s best to simply uninstall any plugins or themes that aren’t consistently active. You can always reinstall themes or plugins later if you need to.
6. Sign up for a free CloudFlare plan.
CloudFlare offers several neat features: it can serve as a content delivery network (CDN) to cache parts of your website around the globe so that they load faster; it can provide free HTTPS/SSL security for your visitors; and it can even shield your website during a coordinated attack like the distributed denial of service (DDoS) attacks we hear about in the news from time to time.
One CloudFlare feature that is particularly valuable is the ability to ban IP addresses or entire ranges of addresses from even touching your web servers, so if you notice you are getting a lot of login attempts from computers in, say, Russia, you can nip that in the bud fast.
7. Change your WordPress login URL to something unique.
By default, you can (try to) log in to any WordPress site by going to www.websitename.com/wp-admin. Given how popular WordPress is, any low-level hacker can try to gain access to your website through this well-known channel. Try changing it to something easy for you to remember, but not so predictable that it’s an easy guess for anyone else.
iThemes Security already has this feature built-in. All you have to do is go to the “Advanced” Settings page, click on “Hide Backend,” and fill out the settings to your own desires.
8. Choose a great web host.
When it comes to finding a company to host your website, you do get what you pay for.
In my professional opinion, the hosts owned by EIG (Hostmonster, Hostgator, Bluehost, etc.) tend to be very cheap, but they also tend to have lots of glitches, are very susceptible to hackers, and when your site goes down or has problems the customer service is abysmal or absent altogether.
Premium hosting costs more, but it offers what is known as dedicated or managed hosting. On a premium host, you will not be sharing server space with lots of other sites, so your site will load faster. You also get daily backups, outstanding customer service, a staging site for testing new design ideas, and outstanding security.
There are some great premium hosts out there, and I’ve worked with most of them. My two favorite premium hosts are Accelerated WP and WP Engine.
Accelerated WP is a small company with great prices and outstanding customer service. They even have a developer on staff to help you figure out the trickier problems that can sometimes occur. I host my own high-traffic sites on Accelerated WP, and recommend them highly.
WP Engine is arguably the Mercedes Benz of the premium hosts, with a price tag to match. But for the price, they are among the fastest, most secure, and easiest to use web hosts out there. With push-button backups and restorations, host-level security and automatic site updates, WP Engine takes the worry out of website hosting. If you can afford WP Engine, it’s definitely worth it.
Your business relies heavily on having a safe and secure web presence for your users and customers. So even though these easy steps to secure your WordPress website are not 100% guaranteed, nor will they be able to stop more sophisticated attempts against you, they are the equivalent of putting a lock on your front door, and will provide a basic level of protection from the most common attacks.