13 Must-Have Components to Keep WordPress Websites Secure
Hackers, ransomware, and bots are all real things — and they’re annoying (maddening, actually).
Here are some ways being hacked can affect your business:
- Ransom $$$: Ransomware hackers (there’s some mob-level stuff going on here) take control of your systems (not just your website) and demand ransom in exchange for not deleting everything. It’s expensive no matter how you deal with it. Everyone is vulnerable to this — government agencies, big companies, small companies, even individuals.
- Spam or malicious content: Hackers or bots will put spam (think ads for “Natural Viagra” or porn) or malware that spreads to other people’s computers.
- Loss of Search Engine Rankings: Google regularly scans for malware and malicious code. When it finds some on your site, it puts a security notice on your site’s listings AND redirects people to a warning page about your site, so you lose rankings and visitors. You’ve probably seen this before.
- Loss of Leads & Sales: Downtime or the decrease in visitors mentioned above can be really — really — bad for business.
You get it. It’s expensive to fix hacks. They suck. In fact, feel free to punch a hacker in the face for me.
Onward Forward…
Here are 13 security must-haves to keep your WordPress website safe.
There’s more you can do, of course, but these 13 things are pretty easy to put in place, cost little or nothing, and should take care of the vast majority of concerns.
We do more but these are basically the first steps. Some of these are specifically for WordPress but most of them apply to any website.
Let’s jump in.
1. Update Plug-ins
WordPress adds various functionality to sites with software add-ons called plugins. Plugins get updated by their developers to make improvements, to keep up with updates to the core WordPress software and PHP (the language WordPress is written in) — see #’s 2 & 3 below — and to fix and/or plug security issues. Plugins that aren’t updated are probably the number one reason we see people getting hacked. How often a plugin is updated depends entirely on its developers: some are updated rarely, others almost constantly. Important note: always update plugins BEFORE updating the core WordPress. “Plugins first.”
2. Core WP Updates
The core WordPress software gets 2 or 3 major updates per year and other updates “as needed”. The updates are mostly to make improvements (functionality and speed) and/or fix security concerns. Leaving WordPress un-updated simply leaves you vulnerable to those security issues they fixed.
3. PHP Version Updates
For much the same reasons, PHP (the scripting language WordPress is based on) gets updated fairly regularly — to speed it up, improve functionality, and increase security. Your PHP version may have to be updated at your host. It’s not difficult but you’ll definitely want to test your site after making a PHP upgrade. PHP is sort of the leader of the pack where updates are concerned, and sometimes plugins are a bit slow to keep up with PHP updates. We find that sometimes we have to stay on the older version of PHP for a few more weeks before everything works properly together. It’s not ideal but our other security measures pick up the slack.
4. Malware Scanner (and regular scans)
You should have an active malware scanner plugin on your site OR you should put together a schedule of regular manual malware scans. One of my favorite malware scan plugins is Anti-malware by Eli (gotmls). A lot of people like WordFence but I find it’s overly complicated for beginners. We also use Defender. We also do manual scans.
5. Disable XML-RPC
XML-RPC is a remote interface (the xmlrpc.php file in your WordPress install) that lets outside software post to your blog; think of it as a back door into the site. If you post that way, you already know about it. If you don’t post to your blog from other software, you probably don’t care about it, but bots do. Close the back door if you’re not using it. If you are using it, make sure you’re using strong passwords, because it accepts logins just like your login page does. I’m going to say this is the 2nd or 3rd most common way WordPress sites get hacked.
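One way to close that door from inside WordPress, as an added example (not code from the post or from any plugin mentioned here): a must-use plugin that refuses XML-RPC logins, drops the pingback methods, and stops advertising the endpoint. File name and location are my assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php; must-use plugins load on
 * every request and cannot be switched off from the dashboard by mistake.
 */

// 'xmlrpc_enabled' is consulted before any XML-RPC call that needs a login, so
// every login attempt over xmlrpc.php (including system.multicall batches of
// attempts) gets a fault instead of a password check.
add_filter( 'xmlrpc_enabled', '__return_false' );

// The filter above does NOT cover methods that need no login. Pingbacks are the
// ones most often abused, so remove those methods as well.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to single
// posts while pings are open, and themes print <link rel="pingback"> in <head>.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false' );
```

If nothing on the site needs XML-RPC at all, also deny requests to /xmlrpc.php at the web server (nginx or .htaccess) so the PHP never runs and plugins cannot quietly re-enable it.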
6. Turn on Brute Force Attack Defense
A “brute force attack” is when a bot keeps trying to log into your site repeatedly by trying various usernames and passwords (ever see The Lawnmower Man where he’s trying all the combinations?). You can stop this with lockout defense. Basically, when someone or something tries more than 5/8/10 times (you pick) the site will lock that IP address out altogether. The settings for this will be in your anti-malware plugin.
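The lockout logic described above, as an added example written from scratch (not code from the post or from any plugin it names): a must-use plugin that counts failed logins per IP address in a WordPress transient and refuses authentication once the count hits the limit. The threshold, window and file name are assumptions; it also assumes WordPress sees the real client address (behind a CDN or reverse proxy, REMOTE_ADDR is the proxy, so fix that at the proxy layer rather than trusting X-Forwarded-For, which anyone can set).

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 *
 * Save as wp-content/mu-plugins/login-lockout.php. Counts failed logins per
 * IP in a transient and blocks further attempts once the limit is reached.
 */

define( 'LOCKOUT_MAX_ATTEMPTS', 5 );                      // "5/8/10 times (you pick)"
define( 'LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );       // assumed: count and lock last 15 min

// Transient key for the requesting IP (assumes REMOTE_ADDR is the real client).
function lockout_key() {
    return 'login_lockout_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Every failed login (wp-login.php and XML-RPC alike) bumps the counter.
// Attempts made while locked out also land here, which extends the lock.
add_action( 'wp_login_failed', function () {
    $key      = lockout_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LOCKOUT_WINDOW );
    if ( $attempts === LOCKOUT_MAX_ATTEMPTS ) {
        error_log( sprintf( 'Login lockout: %s after %d failed attempts',
            $_SERVER['REMOTE_ADDR'] ?? '?', $attempts ) );
    }
} );

// Refuse authentication while locked. Priority 30 runs after WordPress's own
// username/password handlers (priority 20), so this WP_Error replaces any
// success they produced and the password is never accepted.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lockout_key() ) >= LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error( 'locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 1 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( lockout_key() );
} );
```

A per-IP lock slows single bots but not attacks spread across many addresses, and an office behind one shared IP can lock itself out, which is why the plugins above pair lockouts with strong passwords and logging rather than relying on the lock alone.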
7. Backups (double is best)
Always have a complete site backup and don’t assume your host company or IT company is doing it for you. WP Engine is commonly regarded as one of the best WordPress hosting platforms (maybe the best) and automatically does daily backups. You can see WP Engine hosting packages and prices here. How often backups are done depends on how often you update your website. If you barely ever touch the site, then weekly or even monthly backups are fine. If your site is highly active and includes e-commerce or memberships, then you probably want multiple daily backups.
BIG NOTE: Host companies make mistakes and occasionally accidentally delete entire accounts — and all the associated websites (I’ve seen this firsthand, recently from a giant company you definitely know) — and their Terms of Service say something like, “yeah, that might happen and you’ll be screwed and we’re not paying for it.” OK, maybe that’s paraphrased a bit. SO, we recommend a second level of backups off-site from the host. You can download it to your computer or automate it. We’re moving our clients to a double-backup system.
8. Downtime Monitor
A downtime monitor gives you a notification when your site goes down. A site going down could just be a web server update, or it could mean the beginning of an attack that got through. Getting a notification quickly can give you time to (a) run anti-malware and fix the issue before it gets bad and/or (b) dump the wrecked version and pull up a virus-free backup before damage is done.
9. Contingency Plan and Process
This goes along with #8. If something happens, what do you do? Do you do the cleanup yourself, call your marketing or IT folks, or maybe even your host company (most of them don’t help much)? What if you’re out of town? Who takes care of it then? You need to have a written contingency plan — even if it’s just an email you save so you can forward it later. Have a few processes in place and passwords and relevant phone numbers handy.
10. Update Your Theme
I should have included this with numbers 1, 2, and 3 but, frankly, I don’t want to go back and re-number everything. WordPress websites operate on a theme which is the foundation of the site’s basic layout and features. Like with plugins, theme developers make regular updates to their themes for security and improvements (or they should anyway; see #11). They need to be updated, too. Still, “Plugins First”, then theme, then WordPress core.
11. Use a Proven and Supported Theme
This one is really important to me. While we make custom websites, we don’t do custom-coded websites. I believe it’s a disservice to our clients. We only use solid and proven customizable themes. The reason is simple (and I won’t make any friends in the designer community with this): Remember what I said about the WordPress Theme updates? Well, custom-coded themes don’t get updated. Usually, the developer/designer makes the website and moves on down the road. After a while, usually a few years, things start breaking on the website. Suddenly, some feature doesn’t work or you can’t make edits in some areas (these things really, truly happen). We almost always design on a theme platform called Beaver Builder. They’ve been around a while, have awesome support, and make updates regularly to keep functionality and security solid. The design options are nearly unlimited and your site can look like anything. You don’t need a custom theme. OK, stepping down from the soap box.
12. Strong Passwords
You should know this already but I just want to remind you that hacking really does happen. Also, tell your employees and partners to use really strong passwords. MyName11! isn’t strong. Use lots of characters, numbers, and a mix of capital and lower case letters.
13. SSL Certificate & Encrypted Forms
SSL stands for Secure Sockets Layer (the current versions of the protocol are called TLS, but the certificates are still sold as “SSL certificates”). It authenticates the identity of a website (so people know your site is legit) and it encrypts the information sent between the visitor’s browser and your server. Google basically requires it, so it affects your SEO, too. In the same vein, encrypted forms are also important. This is more about protecting your site’s visitors than protecting your site. It means that the information submitted via your forms is encrypted, making it much more difficult to steal. SSL and encrypted forms prevent hackers from being able to eavesdrop on your site’s and visitors’ activities.
There you have it. Again, there are many more actions you can take to keep your WordPress website secure but if you have all of these in place, you are way ahead of the average site owner.
If you’d like assistance getting your WordPress website setup securely, contact us online.