10 Easy Steps for Website Security (+Easy Website Security Checklist)Feb 14, 2021
WordPress blogs don't get hacked any more than other sites. Since WordPress is open-source--which means that anyone can read the code—even the bad guys who spend all their time looking for vulnerabilities can exploit it.
Add in the enormous popularity of WordPress, and it’s easy to see why you hear about hacks on a regular basis.
Table of Contents
- Keep Your Site Up to Date – Update Plug-ins
- Avoid SPAM
- Use SSL for your Website
- Get a DDoS mitigation service
- Use Strong Passwords
- Limit Administrative Access
- Be Smart About Your Hosting
- Perform Regular Maintenance
- Use a reliable Online Payment Processor
- Use a WordPress Security Plug-ins
Myth: WordPress is a Security Risk
Service Providers who prefer static HTML sites say this the reason for being stuck with difficult-to-manage sites. While WordPress is certainly less secure than HTML due to being php-driven, it's by no means the safety risk some people would have you ever believe.
Fact: Good Security Practices Greatly Reduce Your Risk
Managing the risk is the best practice. Just because you drive a vehicle doesn’t increase your risk of an accident, but that doesn’t mean you don’t drive. It just means you take steps to reduce your risk.
WordPress is no different. With a couple of security measures on your site, your risk of being hacked is almost non-existent.
Concerns about security can prevent you from using open source software and, especially, the pliability of WordPress. If you believe all the hype that WordPress is inherently not secure, then you’re missing out on all the great things WordPress has to offer, for no good reason.
By implementing just a couple of security best practices, and a WordPress Security Checklist, you'll greatly reduce your risk of being hacked.
1. Keep Your Site Up to Date – Update Plug-ins
This is definitely the most important risk when it involves security. New vulnerabilities are discovered in WordPress and its plugins and themes on a daily basis, and if your site is out of date, it's in danger of being hacked. Hackers actively look for outdated websites they will attack, so make it your mission to update your site regularly. Update plug-ins, themes, and the WordPress software itself.
2. Avoid SPAM
Internet Service Providers (ISPs) use a fraud management tool to identify spammers. SPAM can be found in comments or emails.
For example, a spam trap will appear to be a legitimate email address, but it really doesn't belong to a real person. will look like a legitimate email address, but it doesn't belong to a real person.
So if you have run into a Spam Trap, you need to do a better job maintaining a healthy email list.
Using a WordPress Plug-in to help reduce SPAM such as Akismet, or using a Content Developer Network (CDN) such as Cloudflare can help reduce SPAM exponentially.
3. Use SSL for your Website
Speaking of CDNs, you can also use Cloudflare to protect your website using SSL, a certificate that shows website visitors that your information on your website is secured through encryption algorithms. In other words, being SSL Certified stops hackers from getting your customer names, addresses, and credit card info, etc.
4. Get a DDoS mitigation service
Get a distributed denial of service (DDoS) mitigation service, as well as a web hosting with built-in protections against DDoS attacks such as Cloudflare. Many hosting companies, as well as all-in-one providers such as Kajabi, include Cloudflare in their services.
DDoS is simply defined as:
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. -- Wikipedia
By having DDoS protection, you can defend against DDoS attacks making your site most always accessible.
5. Use Strong Passwords
Second only to out-of-date installations when it involves inviting hackers, weak passwords are regularly exploited with something called a “brute force” attack. Simply put, a hacker sets a computer virus to repeatedly plan to log into your site using thousands of the foremost commonly used passwords and what is referred to as “dictionary” words.
Reviewing and updating your passwords as part of a WordPress Security Checklist can help you mitigate vulnerabilities. This type of vulnerability is often easily avoided just by choosing good passwords. Ideally, your passwords should:
- Be 12-15 characters
- Contain upper and lower case letters, numbers, and symbols
- Never be used for more than one site
- Never be stored in plain text on your computer
- Never be sent by email, unless encrypted
Also, consider using a password manager such as 1Password to generate and securely store good, strong passwords. You’ll never need to worry about remembering your passwords, and you’ll greatly reduce your risk of being hacked.
6. Limit Administrative Access
Never use “admin” as your user name. Create user accounts for your staff and provides them only the permissions they need. Don’t make them administrators if they don’t have to be. Use the principle of “least privilege”, the least amount of privilege needed to perform their duties.
7. Be Smart About Your Hosting
You’ve probably seen the claims for unlimited domains, space, and bandwidth for $2! You may even have a hosting account with one of these companies.
Here’s the problem. This type of shared hosting is inexpensive only because they overload their servers with thousands of internet sites. Similar to how crowded classrooms allows a cold to quickly spread, crowded websites on a shared server means one infected site is a risk to all the others.
Rather than trying to find the cheapest (and riskiest) hosting option, choose a hosting provider that permits you to isolate each site on its own cPanel. Doing so will greatly improve the safety of your website.
8. Perform Regular Maintenance
Performing routine maintenance on a daily, weekly, monthly basis is essential to security. For more information, see our recent post.
9. Use a reliable Online Payment Processor
Whether you’re processing PayPal, Stripe, credit or debit cards, or web payments, you want this to be done through a trusted provider. Use reliable Online Processors from services like Stripe and Paypal, the two leaders of online payment authentication. These two will give your customers peace of mind as well as securely process payments.
10. Use a WordPress Security Plug-ins
You should consider using a WordPress security plug-in to manage virus protection, malware, and other vulnerabilities. There are two that I recommend:
- Wordfence (paid, but comprehensive web application firewall)
- iThemes (paid, lower cost than others)
Until next time,
Let’s be social: