WordPress is the most widely used website platform, and it powers almost half of all websites. That immense popularity means that developers are constantly adding new software options, but it also means that hackers are always looking for WP sites with lax security.
Here are six steps you can take to make your website more secure.
- Don’t use “admin” as a username.
Did you know that the first account created when a new WP site is set up is usually named “admin”? Hackers know that fact, and it is why they always try to hack that account on any WP site they attack. No matter the age of the site or how active it is, hackers will always target the admin account first. That is why you should never use that account.
Solution: Make a new account with administrator privileges, give it a unique name, and then change the permissions for the account named “admin” so that it is no longer an administrator. Change it to a “subscriber”.
- Use a strong password.
Every year web security experts list the most common passwords, and every year hackers use that list to try to gain access to your website. So if you have an easily guessable password like “12345”, “qwerty”, “password”, or “12345678”, you should change it right away.
Solution: Luckily, WP will suggest a secure password for you, so all you need to do is visit your profile page on your site, scroll down to where it says “New Password”, and click the button to generate a new password. Copy the suggested new password so you don’t lose it or forget it, and then scroll down to the bottom of the page and click the “Update Profile” button to finish the process.
- Disable your web designer’s account on your site.
Did someone help you set up your site? Do they still have an account on the site? If you answered yes to both questions then you should consider disabling that account right away. This may come as a surprise, but even a pro will sometimes be careless and use an easily guessable password. In fact, I just helped a client clean up their site after it had been hacked through the old web designer’s account. A hacker had found that account, guessed the password, and gained complete access to the site.
Solution: Change the web designer’s account so that it is no longer an administrator for the site; instead, make it a subscriber. But you don’t have to delete the account, because if you work with the designer again you can always restore their privileges.
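The account checks from the “admin” username step and the web designer step can be run together from the command line. This is an added example, not part of the original post; it assumes WP-CLI (`wp`) is installed, and the login names (`jane_author`, `olddesigner`) and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which accounts hold the administrator role.
# Assumption: WP-CLI ("wp") is installed and this runs from the WordPress root.

# Constructed sample standing in for the output of:
#   wp user list --role=administrator --field=user_login
SAMPLE_ADMINS='admin
jane_author
olddesigner'

# stdin: one administrator login per line.
# args:  logins the site owner expects to be administrators.
# stdout: one finding per line, "<REASON> <login>".
audit_admins() {
    approved=" $(printf '%s' "$*" | tr '[:upper:]' '[:lower:]') "
    tr -d '\r' | while IFS= read -r login || [ -n "$login" ]; do
        [ -n "$login" ] || continue
        # Compare in lowercase so "Admin" is flagged like "admin".
        lower=$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')
        case "$lower" in
            admin) echo "DEFAULT_NAME $login" ;;
            *) case "$approved" in
                   *" $lower "*) ;;   # expected administrator
                   *) echo "UNEXPECTED_ADMIN $login" ;;
               esac ;;
        esac
    done
}

# Use the live site when WP-CLI can reach it, else the constructed sample.
list_admins() {
    if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
        wp user list --role=administrator --field=user_login
    else
        printf '%s\n' "$SAMPLE_ADMINS"
    fi
}

# "jane_author" is a hypothetical owner login; pass your own expected admins.
list_admins | audit_admins jane_author

# Demote a flagged account only after confirming your own administrator
# login works:
#   wp user set-role <login> subscriber
```

Running it on a schedule and reviewing any `UNEXPECTED_ADMIN` line catches a forgotten contractor account before someone else finds it.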
- Keep WordPress updated.
Did you know researchers are finding new security holes in software all the time? Developers are constantly patching their software to fix the issues, but hackers are also on the lookout for sites which are behind on updates. If hackers find you missed a critical security update, they will pounce without mercy.
Solution: WordPress now has an auto-update feature. You should go turn it on right now.
- Install a firewall plugin.
You wouldn’t dream of browsing the web without a firewall, anti-virus, and anti-malware software running, would you? Of course not; that is just web safety 101, and the same is true for your website. A firewall plugin will alert you to someone trying to hack your site, and it can also tell you if a hacker has already gained access and is making changes.
Solution: Install either the Wordfence or the Sucuri plugin, and don’t forget to go through the full setup process. My recommendation is Wordfence; I like its email notifications. But Sucuri is also good in that it has the better malware scanner.
- Set up Daily Backups.
Six plus years of working on websites professionally has taught me that three things are inevitable. The first is that software is going to fail. The second is that hardware is going to die. And the third is that sites are going to be hacked. Despite your best effort, it’s going to happen anyway, which is why I make sure to run daily backups on all the sites I support.
Solution: Install the ManageWP.com plugin, set up an account, and enable the daily backup feature. It costs you $2 per month, and is worth it.
Nate Hoffelder has been helping people fix broken tech since 2010. He builds and repairs WordPress sites, and acts as a virtual IT department for authors. He also blogs about the Kindle and indie publishing. His site, The Digital Reader, has been mentioned on news sites such as the New York Times and Forbes.
Nate belongs to a number of writing groups, and is the president of the Riverside Writers Club. When he’s not volunteering, he spends his time working on projects such as The Speaker Bureau and Author Website in a Box.