This is a guest post by Matt Hudson from La Lune Creative. He is a terrific graphic designer and has been building sites with ProPhoto and WordPress for many years. In fact, he designed https://pro.photo! He’s pretty passionate about simple site security measures so we asked him to write up a few tips for folks looking to improve their security without breaking the bank or adding heavy plugins.
Keeping your WordPress site secure doesn’t have to be a hassle or even cost you anything. There are lots of paid services and plugins that can be employed for security, but here are 5 ways to keep your WordPress site secure without spending any money.
1. Use strong user names and passwords
WordPress typically doesn’t allow you to pick “admin” as the default user name any longer; it depends on how it’s installed. The “admin” username is vulnerable for the fact that it’s easy to guess. At this stage, they only need to figure out your password to get into your website! The first step towards more security is to simply change out that username. ProPhoto has a tutorial on how to change your WordPress admin username.
Did you know that a more secure password can be more simple than a bunch of gibberish with numbers, symbols, and letters? If you do a Google search for “most secure password” you’ll find that several articles advocating a 4 word combination with spaces like icecream dog bullet volvo . This is a very secure password, and is far more memorable.
2. Keep your site updated & clean of old plugins, themes and WordPress installs
We’ve helped a lot of clients over the years, and 98% of the time when we log into a client’s website it hasn’t been updated in some time. Falling behind on updates is probably one of the easiest ways to get your site hacked. WordPress does a pretty good job of letting you know it needs an update with an orange icon with numbers in it, indicating how many things you need to update.
If you’re finding that you have a lot of updates, and you feel like you’re doing it too frequently you’ll need to do some spring cleaning. Go into your WordPress install and delete all your unused plugins and themes. If you’re not using them, they’re not being updated, and if they’re not being updated then they are open to vulnerabilities. Did you know you can set up WordPress and plugins to automatically update?
Cleaning up your themes is a great idea. Realistically there is only a need for two in “Appearance > Themes” – the one you’re currently using, and one of the default WordPress themes (2018, or 2017, etc.). Obviously the active one should be there. The other one is there in case you need to manually update your other theme, which requires that activating another theme.
Another huge hack risk is the presence of outdated, unused WordPress installs left on your host. Typically these are from old blogs no longer in use, WordPress installations accidentally loaded in the wrong folder, or the remnant of a site move that was never removed. When they languish in an un-updated state, they become invitations for hacks. Be sure to login into your host’s control panel and make sure you don’t have any extra WordPress installs lying around.
3. Backups of your backups
It’s important to keep your site backed up in case something happens to it. There are several thousand plugins out there to help with backing up, and ProPhoto actually recommends one every time you install ProPhoto for the first time. Your host will likely also have a backup option, but most people don’t know that it’s not done automatically. With most hosts you’ll need to go in and setup your backups or you can ask your host to do it for you. No matter which option you choose, whether you go with a plugin or you’re using your host to do it, be sure to always have your site backed up and on a schedule. We have ours emailed to us weekly and backed up through our host daily. If you are using a plugin or some automated procedure, ask yourself, “Do I really know this is working?” If you can’t answer that with a resounding yes, then it’s time to investigate.
4. Get rid of spam and limit login attempts
Use the Akismet plugin to it’s complete advantage. Akismet has been around for a long time (almost as long as WordPress) and it does it’s job extremely well without all the bloat from other plugins. It’s also usually pre-installed for you if you’re installing WordPress through your host. We only recommend that you turn on the setting that says “silently discard the worst and most pervasive spam so I never see it” option. Otherwise you’ll get a million notices that you have spam, and false positives will always be flagged and shown to you if it thinks it picks up a real comment so you’re totally safe to turn that option on.
You’ll also want to limit login attempts on your site. This prevents bots and malicious attackers from trying too many times to login to your WordPress site by blocking the IP address trying to login. A common one and one of the most popular ones is wp-login-lockdown. It’s not bloated, doesn’t have a ton of features, and it’s free. It only does what it’s supposed to and that’s all you need.
5. SSL / HTTPS
Google is now telling all websites that if you have any kind of form or areas where a user has to input information into your site, then you now MUST have your site on a secure connection. All hosts are now offering a free SSL certificate for your website. Google will also start favoring sites with the secure padlock in the browser bar over sites that do not have one as of October 2017. We offer services to set this up for you or you can contact your host and see if they can help you get this setup on your website. Or you can try setting it up yourself.
See? All it takes is five steps to keep your WordPress site secure. It doesn’t have to be hard or complicated, and you don’t necessarily need plugins that have a ton of features or bloatware. These basic steps will help keep your site nice and clean and worry free!