12 Steps To A More Secure WordPress Web Site

Every independent creative professional should have a web site. Hands down, WordPress.org is the most popular self-hosted content management web site framework. Over 50% of self-hosted web sites are built with the software. CMS software in general is a common target for hackers and spammers because of its popularity. So, if you have a self-hosted WordPress web site (meaning you’re not set up on WordPress.com but are using the software downloaded from wordpress.org on a hosting service of your choice), you should take steps to harden your web site against hacking.

No web site is completely hack-proof.

Although you may think your site or blog is so insignificant that no one will attempt to breach it, every web site is a target. Think of your web site as your online home where you keep the front and back doors locked and install extra protection to keep your stuff safe. Whether you have valuable stuff internet thieves want to acquire, or squatters come along and want to set up a base camp, your site is never out of danger. That’s just the way it is. So you want to do all you can to deter and discourage hack attempts.

Take these 12 steps to strengthen your web site security.

1. Host your site on a platform that specializes in WordPress. Why? They will understand the software’s idiosyncrasies and will have knowledgeable support to help you when you need it. Here is a solid list of the top 10 hosts for WordPress. My own sites, and my clients’ sites, are hosted on SiteGround.*

2. Use an https site. An SSL certificate is a bit of data that lets a web site encrypt (hide) the information passing between it and its visitors. It ensures personal information is kept safe during transmission, and increases visitor trust for your web site whether or not you run an online store, a membership site, or just collect emails for your newsletter. Be sure your WP login page is also https.

3. Use a security plugin to monitor activity on your site, scan for malicious files and block or throttle suspicious activity. Sucuri is effective and popular. I use Wordfence. Look here for a host of other options.

4. Install a WordPress firewall. A firewall is a blockade that sits between your WP installation on your hosting server and the rest of the internet. You will want to use a firewall that does not muck up your .htaccess file and that shuts down brute force attacks on XML-RPC.

5. Use long, complex passwords, and require them for anyone else with admin access, and any member/subscriber. Secure passwords include uppercase, lowercase, symbols and numerals. WordPress allows the use of very long passwords. It will never limit you to “between 7-12 characters in length”.

6. Use strong passwords for your database.

7. Limit login attempts. You can do this through a security plugin or through a separate plugin that offers this function. Basically, you want to block anyone attempting to log in more than X number of times (X is an amount you specify in the plugin’s settings).

8. Visit your site often, even though you’re not adding new content. While you’re there, log in to your WordPress admin and check Users, Comments and your security scans. Delete spam comments. Update everything that needs updating.

9. Set your plugins and themes to update automatically.

10. Remove all unused themes. You don’t need anything but the theme you’re using (parent and child). You’ll need to delete them through FTP. Anything that is unused or that does not get updated regularly is a target for malware and other junk.

11. Remove plugins that you are not using. If your theme requires certain plugins to be installed but they are not being used, deactivate them but keep them updated.

12. Back up your site frequently, and its database. Store backups on a hard drive, and in cloud storage. Although you can access and download your site files via FTP, plugins make it easy, and you can set up a back-up schedule and not have to remember to do it.
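To see what steps 4 and 7 are guarding against, here is an added example (not from the original post or from any plugin) that counts login POSTs per IP address in a web server access log and flags any address that exceeds X attempts within a time window. The function names, the threshold of 5 attempts in 5 minutes, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints named in steps 2 and 4

def flag_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: peak POST count to login endpoints inside `window`}
    for every IP whose peak exceeds max_attempts (the "X" in step 7)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # page views (GET) are not login attempts
        path = m["path"].split("?", 1)[0]
        if not path.endswith(LOGIN_PATHS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    fmt = ('{ip} - - [12/Mar/2024:10:{m:02d}:{s:02d} +0000] '
           '"{req} HTTP/1.1" 200 512 "-" "-"')
    rows = [fmt.format(ip="203.0.113.7", m=0, s=i * 5, req="POST /xmlrpc.php") for i in range(8)]
    rows += [fmt.format(ip="198.51.100.20", m=1, s=i * 20, req="POST /wp-login.php") for i in range(2)]
    rows += [fmt.format(ip="192.0.2.5", m=i * 9, s=0, req="POST /wp-login.php") for i in range(6)]
    rows += [fmt.format(ip="192.0.2.9", m=2, s=i, req="GET /wp-login.php") for i in range(20)]
    return rows

if __name__ == "__main__":
    print(flag_bruteforce(sample_log()))
```

Only the address that sent eight XML-RPC POSTs in under a minute is flagged; the visitor who mistyped a password twice and the one whose six logins were spread across most of an hour are not.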

No web site is completely secure.

Again, no web site is perfectly secure. I’m repeating that for a reason. Because of WordPress’s versatility and functionality, it is a popular target. You want to beef up security by deploying a number of measures that together provide as much protection as possible.

As an independent creative pro, the last thing you want to lose is your web site. It is your marketing hub and your home base on the internet. It is a vital business tool. You want to take care of it, and, if you’re like me, you don’t want to have to take the time to clean up a hack job. Harden your WordPress site now so that you can spend your time in the pursuit of great clients and do great work.

Further Reading:

https://codex.wordpress.org/Hardening_WordPress

*Disclaimer: This is a referral link.

Your Turn: Do you have anything to add to this list? Share your feedback in the comments.

This Post Has One Comment

  1. Mahadev Majaladar

    Loved this post. Short and best WP security tips.
