10 Tips for Securing Your WordPress Website

Recently, our website hosting partner WP Engine published a fantastic white paper detailing 10 best practices for keeping your wordpress website secure.

Whether you’re a small business with a 10-page website or a enterprise-level company with 500 pages, you’ll want to make sure your website is safe and secure. Below we’ve outlined a few snippets along with a link to download the entire PDF.

1. Make WordPress Core Updates Quickly

Keeping “core” up-to-date is incredibly important for security. Un-patched core installations are often a primary attack vector since many of the WordPress updates and patches are designed to improve security. Using a tool like WP Updates Notifier can help organizations stay on top of important updates to the WordPress core. It’s important to always watch for updates and to make them as soon as possible.

2. Proactively Upgrade Plugins and Themes

Along with outdated core WordPress components (as listed above), out-of-date plugins and themes are among the most easily compromised components of a WordPress installation, particularly due to a lack of current patching. The plugin dashboard provides notifications as updates become available.

3. Prevent Sniffed Login Attempts

Securing the wp-login.php and wp-admin areas of a WordPress installation with an SSL certificate and/or VPN solution can greatly reduce sniffed login attempts. Additionally, utilizing a login solution based on directory services such as Google Apps Authentication, LDAP, or SAML is an important step in adding security to the login process.

4. Enforce Strong Passwords.

Weak passwords are one of the easiest ways to fall victim to brute force or “dictionary” attacks. It is imperative to ensure all users use strong passwords. An easy way to achieve this is by enforcing use of the “Force Strong Passwords” plugin and/or the “Limit Login Attempts” plugin.

5. Remove the “admin” Account.

The “admin” account is a default account on every WordPress installation. If the “admin” account is kept active and not disabled or removed, half of the puzzle is already solved for an attacker. The attacker no longer would need to guess a username AND a password to compromise a blog or website; a password is all that is needed. Removing the “admin” account or changing the username prevents a WordPress site from being open to automated attacks.

6. Actively Security Attacks.

It is vital to actively block security attacks, which are often run on a large set of web properties to test for “easy ins.” An organization does not need to have specific enemies to fall victim to a security attack. Using a security plugin like Securi enables organizations to take charge of their WordPress security. Securi’s Audit Log capability is a great example of a utility that helps people understand what is going on inside their WordPress installation from a historical perspective.

7. Ensure Proper Permissions

When running multiple WordPress installations for different stakeholders in an environment, remember these sites should be isolated from each other. Should one customer’s file system become compromised, there shouldn’t be easy access to another customer’s data. Keeping careful tabs on proper file permissions is critical in achieving this, and configuring appropriate virtualization across the different environments is key for isolation.

8. Conduct Vulnerability Scanning

Vulnerability scans, often referred to as “penetration testing,” are imperative for organizations of all sizes in order to discover hidden and hard-to-track-down security issues. It is recommended to run quarterly scans on all critical infrastructure, from a systems and OS perspective, as well as an application (WordPress) perspective. To receive the most unbiased results, these scans should be run by an experienced third-party scanning partner.

9. Employ a Robust Backup Strategy

The worst can happen to even the most seasoned IT teams in the most robust data centers. Ensure WordPress installations are backed up off-site, on schedule, and optionally, in an encrypted fashion. Going a step further and having a secondary and tertiary backup site gives extra reassurance that all data will be stored safely and retrieval will be possible when needed.

10. Enforce Strong Staging.

The importance of a regimented process for moving development work from testing/staging to production can’t be highlighted enough. Pushing untested changes directly to production can have disastrous results. Encourage teams to test and test often in staging and they should be able to do so painlessly with tools built for them.

Download the FulL White Paper

Implementing these tips will help keep your wordpress website nice and safe from external threats. Click the image below to download the full white paper:

10 Tips for Securing Your WordPress Website PDF.

Looking for WordPress Website Hosting?

We provide hassle-free, fully-managed wordpress hosting so you can stop worrying about your website, and stay focused on running your business.

[bra_button text=”Explore Fully-Managed WordPress Hosting” url=”https://sproutboxmedia.com/marketing-services/wordpress-website-hosting” size=”large” color=”greenbtn” target=”_self”]