We have all heard about websites being hacked. The Philippine government was hacked repeatedly in…
An Easy Guide to WordPress Website Security
Data security and privacy are crucial to earning a potential customer’s trust in the online world.
According to a survey by Gemalto, only 27% of consumers feel businesses take serious precautions to prevent data breaches. More importantly, 70% of consumers would stop doing business with you if you experienced a data breach.
This signifies something we all already know. You have to earn someone’s trust before they do business with you, and you can’t stop at earning their trust. You have to maintain it.
In this blog post, we’re going to discuss measures you can take to ensure your WordPress website’s security.
Let’s get started.
Make sure WordPress is up-to-date.
WordPress is open source which means that anyone can download and use it. In fact, 32.4% of all websites use WordPress, so it’s not surprising that it’s a popular target for hackers.
But WordPress takes precautions to prevent attacks. They test the software and detect vulnerabilities, bugs and other issues. They then fix these issues with each update they release.
Anyone could find out which WordPress version you’re using. All they would have to do is click on View Page Source, an option provided by almost all Internet browsers.
If you continue to use an old version, it could be targeted by hackers who’ve found vulnerabilities that were already fixed in a recent update.
They could find sensitive information about your business and customers, resulting in a major data breach. They could install malware and get you blacklisted from Google search results.
What the result is, years of hard work would go down the drain.
How to Update WordPress
Before updating or making any changes to your website, back everything up. Download all your files and save them in a safe space.
If you’re unsure how to do this, we’ll discuss it in the second section of this post.
According to WordPress, “when a new version of WordPress is available you will receive an update message in your WordPress Admin Screens. To update WordPress, click the link in this message.”
Updating is easy and doesn’t require any technical knowledge. You can do it with the simple click of a mouse. Here are a few steps to keep in mind:
- Whenever WordPress releases a new version, they prompt all users to update their website. Check your dashboard regularly to make sure you didn’t fail to notice one.
- WordPress also notifies you if your plugins need to be updated. Update these regularly as well since some hackers target websites via plugins.
- After you update your website, go through all your web pages. See if everything is working properly. This includes pages, images and forms.
Back all your files up.
In early 2015, computer manufacturing company Lenovo’s website was hacked. Instead of their homepage, Lenovo’s visitors saw a slideshow featuring photos of bored teenagers instead.
Even the European Union wasn’t safe from malicious attacks. Hackers once replaced a photo of the Spanish Prime Minister with a photo of Mr Bean.
The point is, even large companies and government bodies have been victimised by malicious attacks. You should do what you can to deter attacks and protect your website.
Backing up your files, including web pages and images, is crucial.
In case an update goes wrong or your site is attacked, you don’t have to scramble to get your website up and running again. You can simply restore your files.
How to Backup Your Website
When backing up your website, you have three options.
- Use a WordPress plugin. – This option requires little to no technical knowledge. You install a plugin. It will then back up your files for you and upload them to the cloud storage of your choice. You can decide if the back up should be done weekly, monthly, or yearly.
- Use your web host. – Some web hosts take daily backups and store them for a period of time. They also give you the option to download your files so you can upload them to cloud storage.
- Manually backup your files. – For this option, you’ll have to access your file manager and download the files without the assistance of a plugin or your web host. You may even need to use FTP or File Transfer Protocol. This step is more technical than backing up your files using your web host and may also require professional assistance.
If you’re unsure which cloud storage service to use, here are a few choices:
- Google Drive
- Apple iCloud
Come up with a system for backing up your files. How often you backup your website depends on how often you update it. Some need to do it daily while others can choose to do so weekly. Determine which frequency meets your needs.
Name your backup files in an organised manner. You could choose to include the dates they were downloaded in the files names. Doing this helps you avoid confusion in case of an emergency. You’ll know which version to restore when you need to.
Choose secure passwords.
Passwords are one of the few things that stand between your website and a malicious attack.
However, we often forget to make them as secure as possible. According to a survey, only 44% of consumers changed their passwords once a year or less.
Those numbers become more alarming when you learn that 81% of hacking-related data breaches utilised stolen or weak passwords.
How to Choose a Secure Password
Use a complicated password.
It’s easy to fall into the trap of using easy-to-remember passwords like yourname1234 or qwerty000. In this day and age, we have multiple online accounts. It’s difficult to come up with complicated passwords for all of them.
Simple passwords are easier to use. They’re also easier to hack.
To avoid a security breach, create a complicated password. Include random uppercase and lowercase letters, numbers and characters if possible. If possible, make your passwords long. The longer a password is, the more difficult it is to hack.
Don’t use personal information.
Some people even use personal information like birthdays, addresses and the high schools they went to as passwords. Never do this. Some of this information can be found online and accessed by strangers with malicious intentions.
The same goes for your security question and answer. Whenever we need to reset our passwords for certain accounts, some websites require us to answer security questions we previously set before we can proceed.
Choose questions with answers that can’t be easily discovered online like your middle name, alma mater or hometown. Whenever possible, choose a question that’s personal that only you would know the answer to.
Don’t use the same password more than once.
As previously stated, we all have several online accounts. Coming up with complicated passwords for all of them sounds too complicated. In fact, according to a recent survey, 59% of people use the same password for all their online accounts.
This is a huge mistake. Data leaks happen all the time. There are even cases where websites sell user information like usernames and passwords. If one account is compromised, all of your accounts will follow.
If you have too many accounts, you can start using a password manager. There are several choices available, and LastPass appears to be the most popular one.
LastPass allows you to create a free or paid account. They’ll store and generate passwords for you, and you can access everything with a master password. According to their website, they’ve “implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.”
Change your password regularly.
Despite efforts at creating strong, secure passwords, data breaches can still occur. Changing your password regularly adds another safeguard against malicious attacks.
Expert opinions on how often you should change your password. Some recommend changing it once a month while LastPass argues against this, saying that it’s unrealistic to expect such a thing from users with hundreds of accounts.
They do recommend changing your password when you feel security could be compromised. For example, you and one of your employees have admin access to your website. If your employee leaves the company, you should change the password ASAP.
Even if the employee left on good terms, you still want to minimise possible security risks.
Limit user roles.
Aside from choosing a secure password and changing it regularly, you can also control user permissions. This means limiting the function users can perform whenever they log into your website’s dashboard.
For example, one user can log into your WordPress dashboard and edit web pages and posts. They are, however, unable to change your website’s theme or make other major changes.
WordPress allows you to assign the following roles:
- Administrator – They have access to everything and can perform major changes and assign roles to other users.
- Editor – They can change the website’s content but are restricted from making other changes.
- Author – They can only access and edit website content they personally created.
- Contributor – They can create content using WordPress but are unable to publish it without approval from an Administrator or Editor.
- Subscriber – They can read your content and post comments but can’t access anything else.
If you’re unsure how to assign user roles, there are several plugins available that can help you accomplish it. User Role Editor appears to be a popular option. It lets you assign user roles and even hide certain menu options from them. The plugin has both free and paid versions.
As the most widely used Content Management System, WordPress is often subject to malicious attacks.
Updating to the latest WordPress version ensures you’re safe from vulnerabilities hackers found in previous versions.
Backing your files up equals less stress in case of a security breach or update error. If something goes wrong, you can restore it yourself.
Choose a secure password for each of your accounts. Use a long complicated password with uppercase and lowercase letters, numbers and characters. Steer clear from using easily accessed personal information in your security questions and answers.
Limit user roles. In case one of your user accounts is breached, hackers will still have a hard time wreaking havoc on your website.
Cornerstone Digital is a web development company in Sydney. If you’d like to keep your WordPress website safe, we’d be glad to help you. Call us on (02) 8211 0668 or email us at [email protected]
Co-founder of Cornerstone and web junkie, Michael knows just how to diagnose your online problems and remedy the issue. An online enthusiast who believes in technology as an enabler of growth, Michael worries about all the details so you don't have to.