
Bulletproof WordPress: Surefire Tips to Secure Your Site

WordPress dominates as the world’s go-to content management system — and there are many great reasons for that. Yet the platform’s popularity alone makes it an obvious target for online attacks. Fear not: there are a few easy steps you can take to keep that beautiful WordPress site of yours safe. You’ll want to protect all the hard work that’s gone into it, after all, and your visitors need and expect security too. So let’s dig into our surefire tips for keeping WordPress under lock and key.

Use strong, unique passwords

It’s sad but true: 48% of small businesses are targeted by cyberattacks each year. So, to start with the obvious: use strong and unique passwords across all your WordPress accounts, and change them often. This applies to your admin account, FTP and database access, and every other associated account. If a password is reused, one breach exposes every account that shares it. Make your password over 10 characters long and include uppercase and lowercase letters, numbers, and special characters. One handy trick is to take the first letters of a memorable sentence and build a password (a “mnemonic”) from them. For example, “this little piggy went to market” might become “tlpWENT2m”. Password manager tools are also available — both for generating and for storing a distinct password for each account.

Change your login URL

By default, the WordPress login page is easy to find, because it’s usually www.example.com/wp-admin or something similar. Attackers know this and will target your login page with brute-force attacks. You can make the page harder to find by using a plugin to move your login URL to something unique. One of the most popular plugins for this is WPS Hide Login, which lets you set your login URL to anything you want. It’s also easy to use and comes with a simple user interface.
Just make sure you keep a record of your new login URL so you don’t lose it, and only share it with people who need access to your website.

Use an SSL Certificate

SSL certificates are a bit like digital passports, and they are especially important when exchanging sensitive information. Have you ever noticed the padlock icon when shopping online? SSL (today’s TLS) encrypts the data travelling between a browser and a web server, so anyone who intercepts the traffic cannot read it. This covers things like credit card details, login credentials, and other personal data. Fortunately, SSL certificates are easy to set up. 123 Reg Managed WordPress comes with a free SSL certificate to help keep your website and your users’ data secure. There are all sorts of good reasons to get an SSL certificate; in fact, one is a must-have for any website that handles transactions or sensitive information. If you’re not using 123 Reg Managed WordPress, you may need to purchase an SSL certificate separately and install it on your server. Once the certificate is installed, you need to configure your WordPress website to use HTTPS instead of HTTP. This is easy to do with a plugin like Really Simple SSL, which automatically redirects all HTTP traffic to HTTPS.

Don’t use the default “Admin” username

WordPress sets the default username to “Admin,” which is the first thing an attacker will guess. When creating your WordPress account, always choose a unique username. If you’re already using the default “Admin” username, you can change it by creating a new user with administrator privileges and then deleting the “Admin” user. To do this, go to Users > Add New in your WordPress dashboard, create a new user with administrator privileges, and log out. Log back in with the new user account and delete the “Admin” user.
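As an added example (not code from the original post or from 123 Reg), here is a Python check that applies the password rules above, more than 10 characters with uppercase, lowercase, digits and special characters, together with the advice not to use a default username; it flags the post’s own sample “tlpWENT2m” as too short and lacking a special character. The breach list and default-username set are small constructed stand-ins for real lists.

```python
import re

# Constructed sample of passwords seen in public breach dumps, standing in
# for a real corpus (assumption, not from the post).
BREACHED = {"password", "123456", "qwerty123", "letmein!", "welcome1!"}
# Usernames that scanners try first; the post's "Admin" among them.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user"}

# (failure message, predicate that returns True when the rule is satisfied)
PASSWORD_RULES = [
    ("password is not more than 10 characters", lambda p: len(p) > 10),
    ("password has no uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("password has no lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("password has no digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("password has no special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
    ("password appears in a breach list", lambda p: p.lower() not in BREACHED),
]


def check_password(password):
    """Return the failure messages of every rule the password breaks ([] = passes)."""
    return [msg for msg, ok in PASSWORD_RULES if not ok(password)]


def check_credentials(username, password):
    """Check an account as a whole: no default username, the username must not
    appear inside the password, and the password must satisfy every rule.
    Returns a list of problems; an empty list means the pair is acceptable."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append(f"username {username!r} is a default that attackers guess first")
    # Short usernames would match almost anything, so only test 3+ characters.
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("password contains the username")
    problems += check_password(password)
    return problems
```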
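Moving the login URL hides the form but does not stop a brute-force attempt that finds it, so it is worth watching the web server log for the pattern the post describes under “Change your login URL”. This is an added example, not from the original post: a Python detector that runs over constructed Apache access-log lines (not real traffic) and reports clients with repeated failed POSTs to wp-login.php inside a short window, relying on the fact that WordPress answers a wrong password with HTTP 200 and a successful login with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache "combined" access-log lines, not from the post:
# 203.0.113.7 hammers the login form, 198.51.100.4 logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:09:14:09 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:09:15:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:09:15:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text):
    """Map client IP -> timestamps of failed POSTs to wp-login.php.
    WordPress re-renders the form with HTTP 200 on a wrong password and
    redirects (302) on success, so only 200 responses count as failures."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than crash
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failures[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return failures


def find_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for clients whose failed logins include
    `threshold` attempts inside any `window_seconds` span (sliding window)."""
    flagged = {}
    for ip, stamps in failed_logins(log_text).items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Run it over a real log with `find_login_bruteforce(open("access.log").read())`; a hit is a cue to rate-limit or block that address and review the affected accounts, not proof of a compromise.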
Keep WordPress core up to date

WordPress regularly releases updates that improve performance, add new features, and patch security vulnerabilities. It’s essential to keep WordPress core up to date by checking for updates regularly and installing them promptly. 123 Reg Managed WordPress updates WordPress core automatically to help keep your website secure. If your hosting package doesn’t offer automatic updates, you need to check for updates regularly and install them yourself. To check for updates, go to Dashboard > Updates in your WordPress dashboard. If any updates are available, click the “Update Now” button to install them. Make sure you back up your website before installing any updates.

Keep WordPress plugins and themes up to date, too

The average WordPress website has over 23 plugins and themes installed — and over 99% of security vulnerabilities are related to plugins and themes. Just like WordPress core, plugins and themes can have security vulnerabilities that need patching; in fact, they are the source of the majority of WordPress vulnerabilities. It’s essential to keep your plugins and themes up to date by checking for updates regularly and installing them promptly. Outdated plugins and themes are a significant security risk, as they can be used to gain unauthorised access to your website. It’s a good idea to test the effect of updating plugins and themes in a staging environment first. You can update from your WordPress Dashboard by looking for the section named (you guessed it) “Updates”. If updates are available, click the “Update Now” button to install them. It’s also good practice to remove any unused plugins and themes, as they can still pose a security risk.

Back up your website — and do it often

Backups are essential for recovering your website if it gets hacked, corrupted, or accidentally deleted.
It’s essential to have a recent backup of your website stored securely, so you can restore it quickly if something goes wrong. 123 Reg Managed WordPress automatically creates daily backups of your website, so you can easily restore it to a previous version if necessary. If you’re using a self-hosted WordPress

8 WordPress Plugins you have to Install

WordPress is one of the most well-known blogging platforms. In recent years it has evolved so much that people like myself use it as the CMS of choice for all their websites. As well as this, you can install a wide range of plugins, acting like extensions or add-ons to the WordPress platform, that can really help your site or blog in many ways. Here are 8 plugins I make sure I have on all WordPress sites:

1. WordPress SEO by Yoast

Joost de Valk is a genius when it comes to WordPress, and this plugin illustrates that. The WordPress SEO plugin helps you with many aspects of optimising your site, including editing meta data (page titles and descriptions), inserting breadcrumbs, enabling an XML sitemap to help search engines find all the pages you want indexed, and adding information to your RSS feed so that other sites don’t simply steal your content and publish it as their own.

2. Google Analytics

Another plugin by Joost de Valk, which helps you connect your WordPress site to a Google Analytics account. If you are interested in analytical data this is a great plugin, as it lets you segment data directly from the plugin settings page so you don’t have to learn code yourself!

3. W3 Total Cache

Google doesn’t like websites that take a long time to load. In fact, they use page load time as a factor in where to rank your site in their search results. This plugin helps by using a number of methods to reduce page load time.

4. WP Smush.it

smush.it is a service owned by Yahoo! that lets you compress your images to the lowest file size without reducing quality whatsoever. Simple really! If you already have a bunch of images on your site that’s fine – there is an option to “bulk smush.it” which will go through each image already uploaded and compress it for you.

5. Facebook Comments

I developed this one 🙂 This plugin inserts the Facebook Comments system into your site and places it above the native WordPress comments form.
Once installed and configured you can then manage all comments within your Facebook account. I use this for a few reasons:

There is less spam activity, as you need to be logged into your Facebook, Yahoo!, AOL or Hotmail account.
The comments are now indexed by Google, which means they are more SEO friendly than they were a month ago.
When someone comments on a post or page, the comment can be posted to their Facebook profile. This adds a social aspect to your site, as the comment will appear on their friends’ news feed with links back to your site.

6. Twitter Feed

Another one I developed. This feed is a more SEO friendly way to output your latest tweets, search results, hashtags, mentions and favourites into your site. A simple shortcode is all you need to insert the feed, and it is highly configurable.

7. Gravity Forms

This last one isn’t free, but I use it all the time and it is, in my opinion, well worth the money. This plugin takes contact forms to a whole new level! This highly versatile plugin helps you insert forms of any kind into your site, from a simple contact form or questionnaire to a fully fledged entry form that creates new posts within your own site. Everything can be configured, from what is asked, to whether new questions should be asked based on what has been entered already, to your thank-you message once the form has been completed.

8. Simple URLs

This plugin lets you manage outbound links and track them by clicks. So, for example, your blog site is at myblogname.com. Your link to somewhere you want to track outside of the site is abc.com. Instead of directly linking to abc.com you can make a Simple URL like myblogname.com/go/abc. This is good for a number of reasons. The main reason I use them is for affiliate links. This way they are easier to give out to people, they’ll be tracked, and you can keep them within your own domain and change where they link to at any time.
This article was written by Alex Moss, partner at Manchester SEO agency FireCask. He provides freelance SEO for all kinds of businesses as well as developing WordPress plugins. You can find him on LinkedIn or follow him on Twitter.