WordPress Security 101

WordPress Security 101

Website Security Overview

WordPress security is a very important topic for every website owner. Google bans almost 10,000 websites a day for malware and almost 50,000 for phishing a week.

If you’re serious about your site, you need to pay attention to the best WordPress security practices. In this guide, we will share all the best WordPress security tips to help protect your site from hackers and malware.

While basic WordPress software is very secure and is regularly checked by hundreds of developers, there is a lot that can be done to keep your site secure.

At PHXHUB, we believe that security is not about removing risk. It is about reducing your risk. We have a series of actions that you can do to protect your website from security deficiencies.

Why Website Security is Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.

If your website is a business, then you need to pay extra attention to your WordPress security.

Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your online business website.

 

Keeping WordPress Updated

WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update. We typically recommend users (that are not hosted with us) to visit their WordPress admin page and review any updates weekly.

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well. You should always look at the plugin developers reviews and how often they update their plugins, you don’t want to be using a plugin that is never updated or has bad reviews.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are always up to date.

Strong Passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database users, WordPress hosting account.

Many users don’t like using strong passwords because they’re hard to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager, or use your browsers password manager (we recommend a password manager over browser). Some password managers include are: 1Password, LastPass, and bitwarden, we recommend always to do your own research and choose which one is best for you and your company.

 

Backup Solutions

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

Backups allow you to quickly restore your WordPress site in case something bad was to happen.

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

We recommend storing it on a cloud service like Amazon or Dropbox.

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

This can be easily done by using plugins like UpdraftPlus or BlogVault. They are both reliable and easy to use.

Enable Web Application Firewall (WAF)

We believe that every website should have some sort of firewall in place. A website firewall blocks all malicious traffic before it even reaches your website.

Recommended: DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your websites server.

Not Recommended: Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.

We recommend using GoDaddy’s Website Security Firewall (Advanced or Premium).

That’s all for now, we hope this article helped you learn the basics of WordPress security best practices.