WordPress is the most popular platform for websites – 34% of the entire internet runs on it! And if we count only CMS-built sites, about 60% are built on WordPress. Why? Because it’s a robust, open-source platform which allows endless customisations. WordPress is also very search-friendly in its structure. Plus, unlike some other platforms, you are in complete control of it.

However, many WordPress users don’t understand that this platform requires regular ongoing maintenance to keep it bug-free and secure – until it’s too late!

So what can commonly go wrong?

  • Outdated platforms, themes and plugins often compromise your website’s security
  • Outdated plugins can cause compatibility issues, sometimes breaking your entire site
  • Updates are often released to fix security flaws… and not applying them can leave your site vulnerable, since the bad guys know what to look for

According to Wordfence (https://www.wordfence.com/), a WordPress security plugin provider, their product blocked 5,369,498,668 website attacks in the last 30 days.

Our recommended steps for your peace of mind

Step 1

‘Admin’ username

This is possibly the biggest risk to your security… using ‘admin’ as a username. It’s the default username given when creating your site, and the bad guys know it!

Solution: Avoid using ‘admin’ for any user, especially one with administration rights.

Step 2

Login URL

By default, your login URL will be yourdomain.com.au/wp-login.php… and again, the bad guys know it.

Solution: Change your login URL. This can easily be done with the security plugin iThemes Security, which we discuss below in step 7.

Step 3

Login authentication

Two Factor Authentication (2FA) adds a layer of security to your login process, most commonly by sending a time-sensitive code to your email address. Without this code, the login process will not continue.

Solution: Install a plugin like Two Factor Authentication (https://en-au.wordpress.org/plugins/two-factor-authentication/) or Google Authenticator (https://wordpress.org/plugins/miniorange-2-factor-authentication/).
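As an added example (not from the original post and not code from either plugin named above), here is what a time-sensitive login code is under the hood: the TOTP algorithm (RFC 6238) that authenticator apps implement, in Python using only the standard library. The 30-second step, six digits and one step of allowed clock drift are assumptions for illustration; the secret used in the demo is the test-vector secret from the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of `step`-second intervals since the Unix epoch, so the code
    changes every `step` seconds."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Accept the code for the current step or up to `drift` steps either side,
    which tolerates small clock skew between phone and server. The comparison
    is constant-time so the check leaks nothing about how many digits matched."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), submitted)
        for k in range(-drift, drift + 1)
    )


def enroll() -> tuple:
    """Generate a fresh 160-bit secret and the Base32 form that authenticator
    apps expect (this is what the enrolment QR code carries)."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret "12345678901234567890" at Unix time 59.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))   # 94287082
    secret, b32 = enroll()
    print("provisioning secret (constructed):", b32)
```

The drift window is why a code still works for a few seconds after the app rolls over. Two things a real plugin must add on top of this: remember the last counter that was accepted so the same code cannot be replayed within its window, and rate-limit attempts, because a six-digit code space is only a million values.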

Step 4

Using a strong password

How secure are your passwords? Did you know there are programs that run automatically, attempting website logins with an endless stream of password combinations?

This is the test result of a client password that was recently shared with me…

[Image: password checker result]

That should scare you!

Solution: Create a password of at least 16 characters with a random combination of letters, numbers and symbols, and test it with a password checker like How Secure Is My Password (https://howsecureismypassword.net/).
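An added example, not from the original post or from the How Secure Is My Password site, that checks a password against the rule above and estimates how long an exhaustive search would take. The guess rate of ten billion per second is an assumption standing in for an offline cracking rig (an online attack against wp-login.php is many orders of magnitude slower), and the estimate is an upper bound that only holds for randomly generated passwords: a dictionary word with a digit on the end is far weaker than its length suggests.

```python
import math
import string

# Assumed attacker guess rate (offline, fast hash). Purely for the estimate.
GUESS_RATE_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to draw from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Bits of entropy, assuming every character was chosen uniformly at random
    from the alphabet found by charset_size(). This is an upper bound."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password: str) -> float:
    """Years needed to try every combination at GUESS_RATE_PER_SECOND."""
    return (2 ** entropy_bits(password)) / GUESS_RATE_PER_SECOND / SECONDS_PER_YEAR


def check_password(password: str, min_length: int = 16):
    """Apply the article's rule: at least 16 characters, mixing letters,
    numbers and symbols. Returns (passes, list_of_problems)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed samples: a typical weak choice and a generated 16-character one.
    for pw in ("Password1", "x7#Qm2!vLp9$Rt4&"):
        ok, problems = check_password(pw)
        print(f"{pw!r}: {'OK' if ok else 'FAIL ' + ', '.join(problems)}; "
              f"{entropy_bits(pw):.1f} bits; ~{years_to_exhaust(pw):.2e} years to exhaust")
```

The point the numbers make is that length matters more than any single symbol: each extra character from a 94-symbol alphabet multiplies the search space by 94, which is why 16 random characters sit comfortably beyond any realistic brute-force budget while a 9-character one does not.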

Step 5

Backup your website

There are two types of backups that you can run – a full backup (which backs up your entire site) and an incremental backup (which backs up only the changes made since the previous backup). The frequency of your backups depends on how often your site gets new content. If you have a static site with new content added once a month or so, then a monthly backup is fine. Alternatively, if you are adding content multiple times each week, then a daily backup is recommended.

Think of it this way… how much data can you afford to lose?

[IMPORTANT] Always store your backups offsite! Preferably in the cloud.

Having a backup of your site will enable you to get it back online fast if any of the following occur…

  • If your server hard drive or other hardware fails;
  • If your site is compromised by malware;
  • If a site user accidentally removes core files; or
  • If you lose access to your website.

It’s wise to not rely solely on your hosting company for backup access and recovery.

Solution: Install a WordPress plugin like UpdraftPlus (https://en-au.wordpress.org/plugins/updraftplus/) or Backup Buddy (https://ithemes.com/purchase/backupbuddy/) and schedule your offsite backups.
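An added example, not from the original post and not code from UpdraftPlus or BackupBuddy, showing the difference between a full and an incremental backup in Python. Each run keeps a manifest of SHA-256 digests; the next run compares against it and archives only files that are new or changed. The site layout in demo() is a constructed sample, and the offsite copy is left as a comment because it depends on your storage provider. Note that this covers the files only; a real WordPress backup must also include a dump of the database.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Optional


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_root: Path) -> dict:
    """Map each file path (relative to the site root) to its SHA-256 digest."""
    return {
        str(p.relative_to(site_root)): file_digest(p)
        for p in sorted(site_root.rglob("*")) if p.is_file()
    }


def backup(site_root: Path, dest_dir: Path, previous_manifest: Optional[dict] = None):
    """Archive the site into dest_dir and return (archive_path, files_included).

    previous_manifest is None  -> full backup: every file is archived.
    previous_manifest given    -> incremental: only files that are new or whose
                                  digest differs from the last backup are archived.
    A fresh manifest.json is written beside the archive for the next run."""
    current = build_manifest(site_root)
    if previous_manifest is None:
        included, kind = list(current), "full"
    else:
        included = [rel for rel, d in current.items() if previous_manifest.get(rel) != d]
        kind = "incremental"
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{site_root.name}-{kind}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in included:
            tar.add(site_root / rel, arcname=rel)
    (dest_dir / "manifest.json").write_text(json.dumps(current, indent=2, sort_keys=True))
    # Offsite step (provider-specific, not shown): copy `archive` and
    # manifest.json to cloud storage, never only to the web server's own disk.
    return archive, included


def demo() -> dict:
    """Constructed sample site: full backup, edit one file, incremental backup."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "example-site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample\n")
        (site / "wp-content" / "uploads" / "hero.jpg").write_bytes(b"\xff\xd8 original")
        dest = Path(tmp) / "backups"

        _, full_files = backup(site, dest)                       # full
        manifest = json.loads((dest / "manifest.json").read_text())

        (site / "wp-content" / "uploads" / "hero.jpg").write_bytes(b"\xff\xd8 edited")
        inc_archive, inc_files = backup(site, dest, manifest)    # incremental

        with tarfile.open(inc_archive) as tar:
            inc_members = sorted(tar.getnames())
        return {"full": sorted(full_files), "incremental": inc_files,
                "incremental_members": inc_members}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Restoring from incrementals means replaying the last full archive and then every incremental taken since it, in order; that is the trade-off for the smaller, faster daily runs the post recommends for frequently updated sites.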

Step 6

Keep WordPress Up-To-Date

There are three areas within WordPress to maintain your updates… the core platform, your theme and your plugins.

[SIDE NOTE] Delete plugins that are not active and are no longer required.

What can happen when your website is hacked? Here are two examples from clients’ sites…

Example #1: The client’s site was overtaken with ISIS propaganda. Their pleasant-looking pages, full of useful business-related content, suddenly became a black screen filled with hate speech.

Example #2: Spam content was installed on the client’s site. While this had no direct bearing on the look and feel of the site for visitors, had it stayed in place long enough Google could have found it and blacklisted their site, i.e. removed it from the index.

Solution: Run all WordPress updates on a regular basis, i.e. two to three times a week.

Step 7

Install A Security Plugin Or Two

WordPress does provide some inbuilt security measures, but they’re nothing compared to the specialised plugins that are available. A top security plugin will include:

  • Active security monitoring
  • Firewalls
  • Malware scanning
  • Blacklist monitoring
  • File scanning
  • Security hardening
  • Post-hack actions
  • Brute force attack protection
  • Notifications for when a security threat is detected

Solution: We use and recommend two security plugins… iThemes Security (https://wordpress.org/plugins/better-wp-security/) and Wordfence (https://wordpress.org/plugins/wordfence/). It’s vital that you work through their configuration fully rather than accept the defaults, otherwise they could be as useless as a box of wet matches.
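An added example that is not part of the original post and not code from either plugin: the kind of brute-force detection a security plugin performs, written in Python over constructed Apache access-log lines. It assumes that WordPress answers a failed login on wp-login.php with HTTP 200 (the form is re-rendered with an error) and a successful one with a 302 redirect, so a burst of 200s on POST from one address is the failure signal. The IP addresses, timestamps and the five-in-sixty-seconds threshold are constructed values. The login_path parameter ties back to step 2: once you have changed your login URL, point the detector at the new path.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string
        "status": int(m["status"]),
    }


def failed_login_bursts(lines, login_path="/wp-login.php",
                        window=timedelta(seconds=60), threshold=5) -> dict:
    """Return {ip: peak failed POSTs to login_path inside any `window`} for every
    IP whose peak reaches `threshold`. A failed login is a POST answered 200."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path and rec["status"] == 200:
            failures[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        recent = deque()   # sliding window of timestamps within `window`
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'


# Constructed sample log: one human login (GET form, POST -> 302) and one
# script firing ten POSTs in forty seconds, every one answered 200 (failed).
SAMPLE_LOG = [
    _line("198.51.100.7", "10/Mar/2024:02:13:40 +0000", "GET", "/wp-login.php", 200, "Mozilla/5.0"),
    _line("198.51.100.7", "10/Mar/2024:02:13:55 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
] + [
    _line("203.0.113.5", f"10/Mar/2024:02:14:{i:02d} +0000", "POST", "/wp-login.php", 200,
          "python-requests/2.31")
    for i in range(0, 40, 4)
]


if __name__ == "__main__":
    for ip, peak in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logins inside 60 s, lock out or challenge")
```

A plugin acts on this by locking the address out for a period or raising a CAPTCHA; combined with steps 1 and 4 (no "admin" account to aim at, a password that cannot be guessed in the attempts allowed) the lockout turns an automated run into noise in the log rather than a risk.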