WordPress provides power and freedom which has allowed it to make up 30% of the internet over the last 15 years since its inception. However, WordPress security is notoriously vulnerable and little has been done to increase security over its lifetime.
Due to the popularity of WordPress, it is often the target of large-scale cyber attacks. These attacks are often successful for many avoidable and predictable reasons, neglect and/or negligence being the number one factor contributing to its vulnerability.
If you Google “ WordPress Security,” it will return 625 million results. WordPress Security has been written about ad nauseam. Our aim here is to provide a few simple steps non-developers can take to ensure that their WordPress site is much less vulnerable (if not completely secure). The articles linked at the end of this post contain additional techniques that may require a developer or someone who is more familiar with servers and code, but the tips and strategies provided here should be accessible and attainable by everyday WordPress administrative users.*
* Prerequisites: To perform the following recommendations, you will need to have the following: WordPress Administrator user access, WordPress site has one-click updates and installs activated.
1. Use Secure Wordpress Hosting
The absolute best thing you can do to secure your WordPress site is to use a secure WordPress host. Secure WordPress Hosts can manage all the technical, hardware and server security vulnerabilities and make sure that - outside of someone gaining access to your site through a username/password - your site will be completely secure from the inside. It’s worth the investment. In some cases, these hosts will keep your WordPress core updated automatically, and blacklist any vulnerable plugins or themes, keeping your site much more secure and safe.
Here’s a short list of secure WordPress Hosts we recommend:
2. Don’t Use “admin” as a Username.
Most WordPress installs start out with an administrative user with the username “admin.” Change this. You can change this by going to “Users,” and creating a new Administrator user with a username that cannot be guessed and then removing the default “admin” user (if it exists).
3. Use Strong Passwords.
There are many safe password generation softwares out there that will create a secure password for you and save it for you to access later on (whether through an app or a browser extension). Just be sure to set an equally strong “master” password for the software that you will remember. A few that we like are LastPass and 1Password .
4. Use Two-Factor Authentication.
In addition to strong passwords, using Two-Factor authentication is a great way to secure all users and decrease the chances that someone will be able to gain access to your site, even if a username + password is compromised. Two-Factor authentication is the process of logging in with a username and password (single-factor authentication) and then being required to perform another task to log in (entering a randomly generated code from an authentication app, or from an email or text message, for example). For WordPress, numerous plugins exist that will automatically set you up with two-factor authentication. Here are a few of the most popular:
5. Keep WordPress, Plugins, and Themes Updated.
WordPress has made it downright simple to update the core software, plugins, and themes you have installed. While in some cases you can turn on auto-updates for WordPress core, you will most likely have to be diligent in logging in, checking for updates, and clicking the update buttons to keep things safe and secure. Most of the time, when a WordPress site is compromised, it is because of an out-of-date core, plugins or themes. The WordPress community is strong and active. As long as you are running the updates, you should be pretty safe.
Daylight Takes Security Seriously
At Daylight, we take security very seriously. Many of our clients run their entire business through their website and can not afford to have vulnerabilities. This list represents a primer for getting started with WordPress Security and is a great first step to making sure your site is secure. If you have concerns about security on your site (WordPress or otherwise), contact us right away so we can discuss further strategies for securing your site.
Interested in more exhaustive explanations about WordPress security and ways to keep your site secure? Here are a few explanatory blog posts with additional information, tips, strategies, and techniques for securing your WordPress site.