WordPress Security Checklist: How to Keep from Being Hacked

A website can be devastating to any online business, with far-reaching negative impacts. Beyond the costs of cleaning and recovering its data, a compromised website can cause you to lose both valuable customer data and customer loyalty. Lost business during website repairs alone adds up, averaging more than $15 million a year.

It’s critical to take preventative measures to avoid hacking and the price tag that comes with it.

Is WordPress easy to hack?

Contrary to what many people parrot, WordPress is a very secure content management system (CMS). But like all CMSes, vulnerabilities happen. The very large and active WordPress community is quite good at identifying security vulnerabilities and patching them quickly, keeping WordPress secure. An up to date WordPress website that adheres the following security suggestions is not easy to hack.

Keep WordPress and Plugins Up to Date

What is easy to hack is an out of date WordPress website. That is why the first step to securing your WordPress site is also the easiest: updating. Updating your WordPress install keeps you from falling prey to new security flaws. Most hacked websites are out of date, leaving them vulnerable to mass attacks launched on easily accessible sites.

When you do update your WordPress and WordPress plugins, be sure to back up the website first. Once finished, test all aspects of your site’s functionality even if they’re seemingly unaffected by the updated plugin. Most WordPress updates go smoothly but sometimes things break, so it’s best to double check. We recommend using Vaultpress, it’s an excellent backup plugin providing off-site backups through one-click backups and restores, among other helpful security features.

Use a Strong and Unique Password

According to an analysis of 10 million leaked passwords, by using the ten most used passwords hackers can access 1.6% of all online accounts. The less secure your password, the easier it is for hackers to hack.

It is critical to use long, randomly generated, unique passwords for every login—especially logins that can have such an impact on your business. Be sure to force all employees with critical access to also follow best practices for passwords. Using password managers such as 1Password and LastPass makes keeping track of secure, unique passwords, easy.

Reduce Number of Site Administrators

Use the WordPress defined roles to reduce the number of access points to hackers. If an employee does not need administrator-level access, then do not provide it. This avoids giving disgruntled employees or well-meaning employees with limited technical knowledge alike the means to damage your site integrity. You can also create custom roles to further restrict access for higher level security.

Best WordPress Security Plugins

There are a few hardening plugins you can add to your WordPress site to reduce the effectiveness of potential site hacks. The Brute Force Login Protection WordPress plugin helps prevent hackers from guessing passwords through repetitive guesses, while Wordfence will harden the site and repeatedly scan to detect hacks as soon as possible—either is helpful.

Quality Web Host

A quality web host is quite possibly the single best purchase when it comes to WordPress security. Not only do quality web hosts come with hardened servers to repel attacks, but the improved site speed provides a direct return by increasing site traffic.

We recommend WP Engine, Liquid Web, or Siteground as quality web hosts.

Keep Off-Site Backups

Hope for the best and plan for the worst. Site backups are not only critical for updating websites and accounting for human error, but they also make recovery substantially easier.

It’s important to keep backups off the site’s server, to safeguard against corruption and server failure. Quality web hosts include site backups, but having more never hurts. Vaultpress (mentioned above) provides unlimited storage with a 30-day archive, uptime monitoring, brute force protection, and spam prevention. Their business plan even includes in-depth scans to catch compromised websites.

If you’re ready to take these steps to secure your WordPress website, we can help.