WordPress Security is vital in this day and digital age. With 25% of the world’s websites being a WordPress one, it’s likely that 25% or more websites being hacked are built using that platform. To be honest, I would say 50% at least because some % of the whole will be mightily more difficult to hack than good ol’ WP, and some will be so few and far between a hacker will unlikely take the time to bother.
That all said, if you are going with WordPress, you need to have a security plan. I would say your chances of being hacked once in five years are about 90% (and by that I mean a proper attempt) and so it makes logical sense to plan for that by putting defences up as soon as possible. In another post about plugins I mentioned Wordfence, and that is where I will start today, and touch on some other things later on, too.
Wordfence is expensive but likely the second easiest way for you to get involved in securing your website. A plugin that integrates into WordPress that is free to start with (unsure how useful at the free level) and then you can pay $99 or so a year to use the premium version – which expectedly is going to be a lot more useful. Best thing to do: decide if your website is worth that much money, and then trial the free plugin, and upgrade as soon as you are happy.
The best option for security would be to pay someone who is a top dev to handle it for you. That is surely the easiest but may be the most expensive too. This “dev” type could be an employee of yours, the freelancer you use, your best friend, or ideally at the host you use. I’d imagine as soon as you are paying a host upwards of $10-20 a month the service should include daily backups and protection from all attacks (using firewalls and whatnot).
If, like me, you find it interesting how this stuff all fits together and want to really understand all the jargon and web type jazz then do some research and learn about things like servers, hosting, rewriting your WP database prefix, encryption, SSL’s, SSH, DDOS attacks etc etc. The learning never ends but you can get to a point where you feel close to zero anxiety. I have three or four checks in place and I outline them simply here.
- I have a super strong password and share it with no one.
- I only give admin access to people I trust, and remove it from anyone who doesn’t use it.
- I never give admin access to someone who is working on a site on my own servers – only external servers, generally for those cheap (but typically fine for most people) shared hosting sites.
- I hide my author/username and create pretty random, unique ones for each site I manage. Don’t have your posts labelled as “author: John” and then have john as your login username.
- I rewrite my WP database prefix. So imagine your site is called “wp_markscompany” – you can change that to”p5mdi_mark” and then hackers can’t guess that easily.
- I have a backup of my whole server at all times. I have a “hard copy” backup of each site on my personal computer, and I back that up too. Lastly, I have a backup stored on a cloud server from a remote paid service; there are a few good options here…
- Sometimes I use Wordfence’s firewall, sometimes Cloudflare’s firewall, and my own server has its own firewall. More fire, more walls. Jokes. Just ensure you understand at what point your site could be vulnerable and make sure some hacker can’t enter your site through a glitch “backdoor” type of situation. there are free resources that should help you check your sites vulnerability. I’ve used Wordfence, ManageWP and a few others over the years.
Ideally, prepare to lose everything and you will likely never do so (#MurphysLaw) and it will give you better sleep at night. Else, don’t prepare, and then when you might lose everything you have no way of saving or restoring your site and you won’t be sleeping at all as you’ll be working so hard to rebuild it from scratch.
Hope that helps!
Bonus tip: There are also services that go in and try rescue a hacked site. So it’s not always totally over. They are super pricey (the ones I have seen) so beware.