Website security is an issue that should be taken very seriously by businesses of all sizes. A breach of security can potentially affect not only your business (for example if your site crashes) but also your customers (for example if their data is hacked).
Tom Beavan, Boson’s senior WordPress developer and user experience designer, has some top tips on how to keep your WordPress site secure.
1. Keep your WordPress core up to date
WordPress core files are the foundation of your website; they control its functionality. To keep your site running smoothly it’s therefore important to make sure that you’re always running the latest version of WordPress. Check regularly to see if updates are available. You could also consider setting up automatic core updates; this is a service that’s included in our hosting package.
2. Use WordPress plugins correctly
Unstable plugins can cause major WordPress site security issues, but if you follow some simple guidelines you can minimise the risks:
- Don’t have too many plugins – only use them where absolutely necessary
- Remove inactive plugins
- Keep them updated
- Only use plugins from trusted sources
3. Install a reputable security plugin
Using a WordPress security plugin can help reduce your site’s security risks, but it’s important to choose one that’s well established and supported. We recommend iThemes Security and install this by default on all of our WordPress sites. This plugin has a number of features, including:
- Limiting the number of login attempts
- Blocking IP addresses with multiple login fails
- Renaming the default WordPress login URL
- Enforcing strong passwords
4. Establish secure login practices
Make sure that your site admin has a strong password, and that this is changed on a regular basis. For other users, eg customers, make the login process more secure by using reCAPTCHA. This is a free tool provided by Google, which distinguishes humans from bots.
5. Set up strict file and folder permissions
It’s important to have a system in place to control exactly who (or what, in the case of plugins) can read, write and modify your WordPress files. Clearly, not everyone (or every plugin) needs to have access to your whole website, and having a strict permissions structure will help strengthen its security. We can advise you on how to set this up.
6. Make regular backups
Having a full version of your site backed up in a secure place is the ultimate safety net. If the very worst happens and your site crashes completely, then you can simply restore it from the most recent backup. Our hosts, WP Engine, carry out daily backups for us and we offer this service as part of our hosting package.
7. Remove inactive users
Deleting inactive accounts is good practice in terms of general housekeeping, but also important from a security point of view. This is because inactive accounts can attract hackers, as they are not being monitored by the user.
8. Monitor traffic coming to your site
You can identify potential threats to the security of your website by using monitoring software that checks out your web traffic before it hits the site. We use Cloudflare to do this, and the service is included in our hosting package. Cloudflare offers a number of other beneficial features, including a high-performing CDN (Content Delivery Network).
9. Install an SSL
An SSL (Secure Sockets Layer) is security technology that encrypts communications between a server and a client. Essentially it’s a way of transmitting sensitive data – bank details, contact information etc – in a secure way. We offer SSL installation as part of our hosting package.
Do you need help with your website?
Website security is an integral part of our service and we have expert knowledge in this area. Whatever your security needs, we can advise you on how to achieve them. Please contact us to discuss your requirements.