How to improve WordPress security for your small business website
With all the media surrounding the increasing number of cyber attacks on government and big multinational websites, you already know that websites can be hacked. In the majority of cases, however, this isn’t because of a problem with WordPress itself, it’s simply due to the fact that website owners don’t know how to improve WordPress security for their site.
A comprehensive approach to security hardening for your WordPress website will go a long way to making your site safe from hackers. So let’s take a look at some of the fundamental steps you can take which are relatively quick and easy to implement on your website.
Common WordPress security mistakes
Not initiating strong passwords
Everyone knows that we should use strong passwords, but too many of us tend to forget this fact. Instead, we use very weak passwords that are easy for us to remember but also easy for the hacker bots to identify. These bots are designed to perform brute force attacks that cycle through hundreds of iterations every minute, eventually finding the weak passwords. An unexpected consequence of these attacks is that they slow down your server and can even crash your site.
The solution is not only to have a strong password that can be generated by going to your admin area under Users > Profile, but also by installing a security plugin, such as Defender. This plugin prevents brute force attacks by locking out IPs that have a fixed number of failed logins and by installing a firewall and two-factor authentication. Knowing how to improve WordPress security using strong passwords is one of the best steps you can take to secure your website. If you are also struggling to keep track of secure passwords for apps, hosting accounts, private and professional email accounts, and even your banking accounts, it’s wise to invest in a password manager such as Keeper to securely manage all your passwords in one place.
Not updating plugins and themes
If you’re using a WordPress theme, rather than one designed by your developer, then it needs to be updated regularly, as do any plugins that you’ve installed. Themes and plugins, however, can become an easy entry point for hackers, particularly if they aren’t updated with the latest security code.
The solution is to regularly update the theme and plugins to avoid WordPress plugin vulnerability
as they become available. You’ll see these notifications in your admin area and can perform these updates yourself or set WordPress to perform them automatically. There are also a range of WordPress security plugins that can be beneficial for webmasters to install to keep on top of your security management.
Not opting for trustworthy hosting
Hosting providers can make a big difference to the security of your website. One of the ways they do this is to ensure that the PHP version used in your hosting account is up to date. PHP is the programming language used by WordPress, and it’s regularly updated to patch security holes, improve performance, and add more benefits/features.
Your hosting account usually needs to be manually updated over time to continually use the latest PHP version, so it can easily be out of date without you realising. If it’s out of date, it’s more vulnerable to hackers.
The solution is to check what version of PHP is used by your website and update it in the admin area if needed. It’s also a good idea to review your hosting package to ensure you have access to the latest PHP version, and that the provider offers local technical support.
Not restricting user access
Another important point on our list of how to improve WordPress security concerns the level of access you give to users. If you automatically give everyone in your office administrator level access, then they can make any changes they want to your website. This can include changing the accounts attached to the payment gateways to removing your site from the internet or creating ghost accounts for themselves so that they can regain access even if you delete their access!
The solution is to give administrative access only to the people in the organisation who need it, ensure every person accessing the website has their own private login, and that user accounts are terminated when employees leave the business.
Not updating WordPress
WordPress frequently publishes core updates that are designed to address specific problems created by hackers. These updates include the code to prevent cyber criminals accessing your website. There’s nothing wrong with the WordPress code, it’s just that hackers design ways to get around this code. This is why WordPress is always on the lookout for these issues and publishes frequent updates to counter them. So if you haven’t updated WordPress for a few years, then your site could be wide open to hackers.
The solution is to make sure that you update WordPress whenever these become available. A good hosting provider will automatically update WordPress for your site, but you can do this yourself in your admin panel. Statistics show that only one third of websites are using the latest version of WordPress, meaning that a huge two thirds of websites are potentially vulnerable to hackers. If your provider already updates WordPress for your site, then you can knock this one off your list of how to improve WordPress security.
Not using an SSL certificate
If you’re not using an SSL certificate for your website (which protects data sent to and from your website), you might have noticed your search engine rankings drop, because Google in particular, wants everyone to install them in their websites. That’s because SSL makes it difficult for hackers to access your site and they do this by encrypting the connection between your hosting provider’s server and your customer’s browser. This gives customers confidence that your site is secure and it’s this confidence that Google is promoting.
The easy solution is to ask your hosting provider to add a SSL to your website. Depending on your needs, you can install a free SSL (we offer that here at GO Creative) or a paid SSL certificate, as well as SSLs for multiple sites. Once this has been added to your site, and the necessary conversion steps have been taken, your website’s address will begin with HTTPS instead of HTTP, clearing indicating to your customers that their connection is now secure. In fact most browsers now have a warning message if the website isn’t secure, which means installing SSL is absolutely essential.
Not using a customised login area
The vast majority of website owners continue to use the default login page that comes free with WordPress, which is located at “/wp-admin” on the end of your website address. Hackers know this is the default address, so they already have part of the pathway to access your login details. If you have a weak username and/or password, that just makes it even easier for them.
The solution is to change the login page URL to something unique, such as “/site-login”. This makes it a lot more difficult for hackers to even find your login page, let alone try to identify your login details and passwords. If you install the WP Defender plugin mentioned above, or others like it, this allows you to create a customised login page. Your developer can also do this using custom code.
If other security measures are taken to protect the login page, this step isn’t absolutely essential, but it’s definitely worth consideration.
Knowing how to improve WordPress security issues is vital to ensuring that your site isn’t vulnerable to cyber criminals. If you need help increasing the security of your small business website or simply want to learn about WordPress security best practices, call our team at GO Creative today!