5 Security Essentials for WordPress Beginners

There’s no fooling around when it comes to online security. Don’t make the mistake of thinking that just because you’re not a major enterprise, you’re not a target! Malware and hackers are everywhere, and it’s heartbreaking to have your hard work ruined by an outside attacker. If you want to ensure your site stays safe, you need to take preventative measures.

Thankfully, you don’t have to be a tech whiz to man the digital barricades. With the help of plugins, applications and a few other simple adjustments, your business can confidently avoid the more sinister parts of cyberspace. If you’re a business owner and haven’t learnt the technical side of security, that’s absolutely fine! Most don’t; it takes a lot of time and hard work, and you’ve got other things you need to be doing.

1. Set Up a Backup

Backups save a copy of your data in case of a security breach or another critical failure like database corruption, so you can easily recover any affected files. While the reputable WP backup plugins aren’t free, they’re going to cost you a lot less than not having a backup in place. There are a few different types of backup plugin:

  • Some backup plugins will only allow you to back up your database.
  • Some plugins will let you back up your entire WordPress website, database and any other files inclusive (recommended).
  • Some plugins will automatically back up on a schedule, keeping the stored copy up to date so you lose as little as possible if a breach does occur.
  • Some plugins require manual backup.

The other difference you need to consider is where the plugin is placing your backup data. Is it placing it on your own server, or in an external location such as Google Drive or Dropbox? We recommend keeping backup data external to your server, because a security breach can affect server accessibility and then you’re locked out of your own backup.

2. Install a WordPress Security Plugin

Hackers have found plenty of unorthodox ways to break into systems, and you need a plugin that covers the known attack methods. Thankfully, because WordPress is an open-source platform, developers also have the ability to create effective responses to new hacking methods. Some WordPress security plugins have pro versions that offer extra hardening of certain aspects of security. This reinforces security, and also means that in the event of a security breach, a hardened process is much harder to tamper with.

Most plugins will have some variation of the following:

  • A way of showing live traffic updates and any current suspicious activity.
  • A way of blocking any security breach attempts.
  • A malware check or verification check for plugins or apps you’d like to install.
  • A way of measuring your current vulnerability.

I would recommend installing Sucuri Security. It’s one of the more popular security plugins, and is absolutely free.

3. Enable a Web Application Firewall (WAF)

A WAF stops malicious traffic before it even reaches your site by redirecting all traffic through an additional application or proxy server that identifies which requests are malicious and which aren’t. Think of it like a bouncer at a club: it checks the ID of everybody that wants to come in and blocks hackers, malware attacks, DDoS attacks and anything else that doesn’t fit the rules that have been set for entry. If something is powerful enough to get through, the WAF will still slow it down and give you time to prepare.

A WAF either comes with a WordPress security plugin or can be installed independently. Either way it’s essential to have.

4. Implement an SSL Certificate

For any site that’s storing or using personal data (e.g. any eCommerce store) an SSL certificate is imperative. These generally cost $60-100 a year, though the Let’s Encrypt project has been working to make free SSL encryption available to all. What does an SSL connection actually do? It protects personal data from being intercepted by hackers as it travels from a browser to your server. There are some great guides online about how to install a free SSL certificate, though the steps change depending on your server. Make sure you know what your server host setup looks like before you follow any particular guide.

If you don’t have an SSL certificate, browsers will mark your site as unsafe, and some virus scanners may prevent users from accessing it at all. You’ll be unable to take user data like credit card information, locking you out of eCommerce almost entirely. You want it for two reasons: it keeps you safe and secure, and it’ll slash your bounce rate.

An SSL certificate sometimes comes with your web hosting package, or can otherwise be purchased from a third-party vendor.

5. Install a Plugin that Limits Login Attempts

Brute force attacks seem positively quaint in 2019, but they’re still one of the most common forms of attack because they work. By default WordPress places no limit on login attempts, and crackers know this: brute force attempts happen on WP sites every single minute. Most of them are automated, hitting as many sites as they can to find one that’s poorly secured. Don’t let it be your site.

Thankfully, brute force attacks are easy to shut out: install a login limiter. There are plenty of plugins to choose from, many of which are free. I’d recommend Limit Login Attempts Reloaded by WPChef. It lets you toggle lockout conditions, among other useful functions.
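To show what a login limiter actually does under the hood, here is a minimal must-use plugin written for this article as an added example; it is not code from Limit Login Attempts Reloaded or any other published plugin. It assumes the site is reached directly (no CDN or reverse proxy in front of it, so REMOTE_ADDR is the real visitor address), and the attempt counts and lockout length are hypothetical defaults.

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (added example, not a published plugin)
 * Save as wp-content/mu-plugins/simple-login-limiter.php; WordPress loads
 * must-use plugins automatically, so there is nothing to activate.
 */

define( 'SLL_MAX_ATTEMPTS', 5 );       // failed logins allowed per IP...
define( 'SLL_WINDOW', 15 * 60 );       // ...within this many seconds
define( 'SLL_LOCKOUT', 30 * 60 );      // lockout length in seconds

// Transient name for this visitor's counter or lock (keyed by client IP).
// Assumes REMOTE_ADDR is the real client; behind a proxy this would be
// the proxy's address and one lockout would block everyone.
function sll_key( string $suffix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'sll_' . $suffix . '_' . md5( $ip );
}

// Count each failed login per IP; lock the IP out once the limit is hit.
// Attempts made while locked also land here, so the lock keeps extending.
add_action( 'wp_login_failed', function () {
    $fails = (int) get_transient( sll_key( 'fails' ) ) + 1;
    set_transient( sll_key( 'fails' ), $fails, SLL_WINDOW );
    if ( $fails >= SLL_MAX_ATTEMPTS ) {
        set_transient( sll_key( 'lock' ), time() + SLL_LOCKOUT, SLL_LOCKOUT );
        error_log( 'sll: lockout for ' . ( $_SERVER['REMOTE_ADDR'] ?? '?' ) );
    }
} );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked IP is refused even when the password happens to be correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // cookie-based auth passes no username; leave it alone
    }
    $until = (int) get_transient( sll_key( 'lock' ) );
    if ( $until > time() ) {
        $mins = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error(
            'sll_locked',
            sprintf( 'Too many failed logins. Try again in %d minutes.', $mins )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( sll_key( 'fails' ) );
} );
```

Because the lock is stored in WordPress transients, it survives across requests without any extra tables; if your site sits behind a CDN or proxy, you would need to read the client address from the proxy's forwarded header instead, which a published plugin handles for you.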

Where to Go Next

The five security tips listed above are just the beginning. As your website progresses you will require more plugins, add-ons, and general assistance, not just for safety but for performance. Gaining an appreciation for good security habits even without technical knowledge is a fantastic start, and will pave the way for a promising future.

Most serious WordPress users will run a mix of free and premium security plugins. It’s important you’re never lazy with security, but the reality is you may have to wait for a certain level of business success to make upgrading security financially viable; not everybody can afford to bring on a dedicated security team. One option you may want to consider is hiring a specialist WordPress developer like Unicorn Factory or CodeClouds (the latter do very affordable custom WordPress development). They can maintain security best practices, as well as optimize the performance of the rest of your website.