Basic WordPress Security Setup

If you like stats, checking https://www.internetlivestats.com/watch/websites-hacked/ will show you the number of websites hacked today. Given that 37% of all websites are built using WordPress, it makes you think about the security of your own site.


Let’s start with WordPress Basic setup.

Before doing anything else, make sure passwords are strong. Really strong.
https://passwordsgenerator.net/ is a good password generator tool, while https://password.kaspersky.com/ will show you whether your current or a new password is strong. Make no mistake: we’ve seen people with every security feature switched on get hacked because of a weak password. Wonder why…

There are a number of passwords you need to make sure are strong: email, cPanel (or whatever other SMP your host uses), FTP, the main site, and any subdomain. A weak email password is enough on its own: an attacker who gets into your mailbox can request a cPanel password reset and take over your whole account. Easily.
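The post leaves strength checking to external tools. As an added illustration (not code from the original post, and not how the linked tools work internally), here is a small estimator a site owner could run locally: it estimates entropy from length and character classes, refuses short passwords and obvious repeats, and checks against a tiny, constructed stand-in for a breached-password list. The `COMMON_PASSWORDS` set and the 80-bit threshold are assumptions chosen for the example.

```python
import math
import re

# Constructed stand-in for a breached-password list. A real check would query a
# large corpus (for example a k-anonymity range lookup) rather than a handful of words.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "wordpress", "letmein"}

# Character-class sizes used for the entropy estimate (assumption: 33 printable symbols).
CLASSES = (
    (r"[a-z]", 26),
    (r"[A-Z]", 26),
    (r"[0-9]", 10),
    (r"[^a-zA-Z0-9]", 33),
)


def charset_size(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    return sum(size for pattern, size in CLASSES if re.search(pattern, password))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: length * log2(charset). Zero for empty input."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess_password(password: str, min_length: int = 16, min_bits: int = 80) -> dict:
    """Return a verdict with the reasons a password fails, so users learn what to fix."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a run of three or more identical characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated entropy {bits:.0f} bits is below {min_bits}")
    return {"ok": not problems, "bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # Constructed sample inputs, from weak to strong.
    for candidate in ("wordpress", "Tr0ub4dor&3", "xK9#mQ2$vL7@pR4!wN6&"):
        verdict = assess_password(candidate)
        print(f"{candidate!r}: ok={verdict['ok']} bits={verdict['bits']} {verdict['problems']}")
```

The entropy figure is an optimistic upper bound (it treats every character as independently random), which is why the length and common-password checks are applied separately; a dictionary word padded with symbols can score well on the arithmetic and still be trivially guessable.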

To change the password on your WordPress site, go to the admin dashboard > Users > All Users and update the passwords of all Administrators, and of any user who can install plugins or has access to anything beyond comments. While you are there, make sure you don’t have a user named “admin”. If you do, create a new administrator account, log in with it, and remove the “admin” user. Keeping it only makes the attacker’s job easier, since half of the login is already known.

To update your cPanel password (cPanel being the most common SMP), log in to your cPanel account > Preferences > Password & Security.

For FTP, go to cPanel > FTP Accounts. If you have only one FTP account, it shares the password with your cPanel account, so you can skip it. Update any others as necessary.

For email accounts, go to cPanel > Email Accounts > find the email account whose password you want to update > Manage > New Password > Save.

With these steps alone you are more secure than one-third of people using WordPress. Staggering, we know.

Next, change the wp-admin login URL. An easy plugin for this is https://wordpress.org/plugins/wps-hide-login/

Last but not least is SSL. Every host now gives you a free certificate, so 99% of users already have it at their disposal.

FYI if this is too much for you, check out our PDF Guide in our sidebar!

Update Your WordPress, Plugins and Themes!

This goes without saying, but having any software updated at all times is a must.

Removing any extra themes or plugins that your site is not using reduces the chances of hackers exploiting them: code that isn’t installed can’t be attacked.

Why WordPress Backups?

This could go deep into plugin reviews and how-tos, but Google is already overcrowded with tips on that, so I will cover what we use and do. Before any work, make a backup. Depending on the site, we either export the database using phpMyAdmin or make a backup using https://sr.wordpress.org/plugins/all-in-one-wp-migration/. All-in-One is a really great plugin, but restoring a backup requires the premium version. If a site changes daily, we use https://wordpress.org/plugins/updraftplus/ instead. It’s all up to the user, and any backup plugin will have a good “how-to” for it.

The most important thing about backups is that they must not be stored on the server you are backing up: if the server is compromised or lost, so are the backups. Store them on your local storage, Dropbox, Google Drive, etc.

What Security Plugins To Use?

Finally, let’s switch to plugins. The one we recommend and use is https://wordpress.org/plugins/sucuri-scanner/

The free plan is a good start, and once you can afford the premium, go for it. It’s well worth it. Once you install and activate it, go to its settings. You need to get an API key for it:

Click Generate API Key in the upper right of your screen.
Check the Terms of Service and Privacy Policy boxes once you have read them.
Click Submit. A confirmation email will be sent to the site’s primary email address.

The second step is to enable the Hardening Options.

Once that is done, go to Alerts, where you can edit the settings for email alerts. Keep the important alerts enabled and make sure you actually read them. This way you can prevent a lot of damage.

The main reason we love this plugin is its Core Integrity Check option. It scans your WP core files and alerts you if a file has been added or edited with extra code. It really is the fastest way to know you got hacked and to do something about it. One caution, though: before reverting or removing a flagged file, make sure it really is malicious and not a legitimate change, such as a customization your developer made.
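To show what an integrity check actually does under the hood, here is an added example (my own illustration, not the Sucuri plugin’s code): it records a SHA-256 baseline of every file under a directory, then on a later run reports files that were added, removed or modified. The plugin compares against the official checksums for your WordPress version; this example compares against a baseline you took yourself, which is the same idea for files you control. The `ignore_prefixes` default and the `demo()` directory contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that legitimately change all the time and would drown the report
# in noise. Assumption: uploads and cache are the usual suspects on a WP site.
DEFAULT_IGNORE = ("wp-content/uploads/", "wp-content/cache/")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files don't need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str, ignore_prefixes=DEFAULT_IGNORE) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if rel.startswith(ignore_prefixes):
            continue
        manifest[rel] = sha256_file(path)
    return manifest


def compare_manifest(root: str, baseline: dict, ignore_prefixes=DEFAULT_IGNORE) -> dict:
    """Diff the current tree against a stored baseline manifest."""
    current = build_manifest(root, ignore_prefixes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Build a constructed mini WordPress tree, take a baseline, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (site / "wp-blog-header.php").write_text("<?php // constructed core file\n")
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed")

        baseline = build_manifest(site)

        # Simulate what a check should catch: an edited core file, an unexpected new
        # file, a deleted file, and (ignored) churn in the uploads directory.
        (site / "index.php").write_text("<?php /* constructed change */ require 'x';\n")
        (site / "wp-content" / "extra.php").write_text("<?php // constructed new file\n")
        (site / "wp-config.php").unlink()
        (site / "wp-content" / "uploads" / "new.jpg").write_bytes(b"constructed")

        return compare_manifest(site, baseline)


if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` right after a clean install or a verified update and store the result off the server, like a backup; a manifest the attacker can rewrite proves nothing. Anything the report lists in `modified` or `added` under core directories deserves a look before it is reverted, as the post says.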

Monitor Your Website

We have all been on vacation, busy with work, or simply distracted, and didn’t check on our site for more than a few days. Most hacks inject code into the index.php file, which will either take your site down or rewrite your homepage. Taking all the steps above reduces the risk of this happening, but it’s not a bulletproof system. New code problems are found each day, new attack techniques are discovered daily, and it takes time for plugin and theme authors to fix their code.

What can you do? You can sign up for our FREE WP site monitoring tool, which will alert you as soon as your homepage changes. That way, you can quickly open the website and see what’s happening. Of course, if something really is wrong, you can either try to fix it yourself or contact us!

To Sign up, fill in details on the right side of the blog page, or below, depending on your device!

Conclusion

If you have time, it’s fairly easy to take care of your site. Having backups is always a must and in most cases, a safe bet. The problem occurs when your business fires up and you can’t be the one who takes care of everything. That’s why we offer services that will keep your site running all the time, leaving you with one less problem to worry about!