One of my very first blog posts was about boosting your WordPress website’s security. I’ve learned a lot since then and I also know that some people just want a few quick steps to take to get off to a good start (rather than the 5 I listed in that post or the 10 that come with the free download).
So I’m back today to give you 3 super quick ways to keep your WordPress website secure. I know security isn’t the most exciting subject, but think of what would happen if your website was hacked.
What would you do?
Do you want to have to pay someone to help you get it back up and running?
Do you have a backup in case everything was lost?
I don’t want you to have to worry about those things quite as much, so go through these quick steps today to get off to a good start.
1. Use a secure username and password
The #1 cause of WordPress websites being hacked is weak usernames and passwords. This one is such an easy fix that it doesn’t make sense for you to put it off.
Check your username
Let’s tackle usernames first. If your username is anything other than “admin”, you’re good to go for the most part. However, you also want to do a quick check to make sure you don’t still have the “admin” username active.
To do that, go to Users > All Users to see all the users with access to your website.
The first column on the following page is where you should look for the “admin” username.
If you see the “admin” username in that first column, no need to panic. But definitely hop over to this tutorial and follow the steps to delete it. (If you’re already logged in as a different user with Administrator privileges, you can skip the Add New User step in the tutorial.)
Enforce strong passwords
Next comes strong passwords. If your password consists of a pronounceable word with an exclamation point or a word followed by a couple of numbers, I want you to go in and get it changed right away.
A secure password consists of uppercase and lowercase letters, numbers, and symbols. Yes, that makes it hard to remember, but with tools like LastPass, you don’t have to remember it.
If you don’t have a strong password, go to Users > Your Profile.
Scroll down to the Account Management section, click Generate Password, and follow the prompts to get a new, secure password.
If you’ve deleted the “admin” username and generated a strong password, you’ve already made some huge steps to keep your WordPress website secure.
2. Complete your updates
I wrote all about updates a couple of weeks ago, so I won’t repeat it all here. But I will take the time to reiterate how important it is.
If you want a quick recap of my points in that post, here you go:
- Yes, plugin updates can occasionally cause problems, but those problems can be fixed within a couple of minutes if you know the proper steps to take
- Plugin creators don’t make updates for the fun of it; the updates generally fix important bugs or security vulnerabilities
- When updates come out, hackers know exactly what they can target to gain access to websites that haven’t yet completed their updates
- Even the most popular plugins (like Akismet, Wordfence Security, and Disqus) have occasional patches for security issues
Remember how I said weak usernames and passwords were the #1 cause of hacks? Well, ignored updates are the #2 cause!
I know doing updates can be intimidating, but it doesn’t have to be that way.
3. Choose a good security plugin
Using a strong and trusted security plugin is an important part of keeping your website safe.
I previously recommended Wordfence, but now I’m all for iThemes Security. It takes care of things like:
- Limiting login attempts – Those bots that sit and try hundreds of different passwords with the admin username? This feature will lock them out after a few attempts.
- File change detection – This feature emails you if a file is added, changed, or removed, all of which are actions hackers commonly take.
- 404 detection – This will lock out any bot that is scanning your site for vulnerabilities.
- Strong password enforcement – This is great if you have multiple users with access to your website and don’t want to worry about them choosing weak passwords.
- Away mode – This locks down your website during certain times indicated by you, for example while you’re sleeping or away on vacation.
- Hide login area – This will change the web address of your login area for WordPress, making it more difficult for hackers to find.
- And more…
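To make the login-attempt limit and 404 detection more concrete, here is an added example (not from the original post, and not iThemes Security's own code) that counts failed logins and 404 responses per visitor in a web server access log. The log lines, IP addresses, paths, and thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Assumed thresholds for this example; a real plugin lets you configure them.
MAX_FAILED_LOGINS = 3
MAX_NOT_FOUND = 4

# Access-log layout: ip - - [time] "METHOD path HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspects(lines):
    """Return (brute_force_ips, scanner_ips) found in access-log lines."""
    failed_logins, not_found = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        # On a default install a failed login re-renders the form (200);
        # a successful login answers with a 302 redirect.
        if (m["method"] == "POST" and path.endswith("/wp-login.php")
                and m["status"] == "200"):
            failed_logins[ip] += 1
        elif m["status"] == "404":
            not_found[ip] += 1
    brute = sorted(ip for ip, n in failed_logins.items() if n > MAX_FAILED_LOGINS)
    scanners = sorted(ip for ip, n in not_found.items() if n > MAX_NOT_FOUND)
    return brute, scanners

def _line(ip, method, path, status):
    # Builds one constructed log line in the layout LINE_RE expects.
    return f'{ip} - - [01/Mar/2024:02:10:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample traffic (documentation IP ranges, made-up paths).
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6  # repeated failed logins
    + [_line("198.51.100.9", "GET", f"/old-page-{i}.php", 404) for i in range(8)]
    + [_line("192.0.2.10", "POST", "/wp-login.php", 200),     # one typo, then success
       _line("192.0.2.10", "POST", "/wp-login.php", 302),
       _line("192.0.2.10", "GET", "/missing.png", 404)]
)

if __name__ == "__main__":
    brute, scanners = find_suspects(SAMPLE_LOG)
    print("Too many failed logins:", brute)
    print("Too many 404s:", scanners)
```

The ordinary visitor at 192.0.2.10, with one mistyped password and one missing image, stays under both thresholds and is not flagged.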
iThemes Security has a free version (which you can install through Plugins > Add New) and a Pro version with additional features. The Pro version is what I use on my own and all client websites for that extra level of protection as well as support from iThemes, if it’s needed.
If you’ve taken the steps to create a strong username and password, complete your updates, and install a security plugin, you’re definitely on the right track.