If you run a WordPress website and have been paying attention to the recent data breaches that have affected millions of consumers, you may be interested in keeping WordPress secure. But if you’re a small business or non-profit, you may feel ill-equipped to secure your data. That takes thousands of dollars and consultation with experts, right?
Though creating the most secure WordPress website possible does require a lot of expertise, there are methods of keeping WordPress secure that anyone can employ.
Do I Really Need to Worry About Keeping WordPress Secure?
Occasionally, we get asked this question by a client and our answer is always: are you comfortable with someone taking over your website or potentially making off with all the data it contains? WordPress websites are a prime target for hackers looking for financial information or any other kind of information they can exploit for personal gain. This is simply because WordPress is such a popular platform. Any time a single application is used to run 17 million websites, you can guarantee that application will be a target for hackers.
So, the answer to this question is definitely yes. You want your WordPress website to be secure in order to discourage hackers from targeting you and to make it more difficult for them to breach your website if they do decide to target you. Below are some easy things everyone can do to improve the security of their WordPress websites.
Thing #1: Use Secure Passwords and Make Sure All Users Do So, Too
One of the first vulnerabilities hackers will exploit is an insecure password. Passwords that make use of common words, dates, or numbers associated with a website user are easy to crack. High-end hackers will even use tools that tell them how easy a password is to crack. If your website is secure, however, the tool will move on to the next site.
In general, all your passwords should:
- Be at least 16 characters long
- Include at least one symbol (e.g. @#$%)
- Include at least one number
- Include both upper and lower case letters
We like this tool, which auto-generates secure, random passwords: Secure Password Generator.
Having a hard time remembering your secure passwords? Use a password manager to remember them for you. We like LastPass.
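The four password rules listed above can be checked and enforced in a few lines. This is an added example, not code from the original post or from any tool it mentions. It assumes that any ASCII punctuation character counts as a symbol, and the names unmet_rules and generate_password are made up for illustration.

```python
import secrets
import string

MIN_LENGTH = 16               # minimum length from the list above
SYMBOLS = string.punctuation  # assumption: any ASCII punctuation counts as a symbol

# One entry per rule in the list: (description, predicate)
RULES = [
    ("at least 16 characters", lambda p: len(p) >= MIN_LENGTH),
    ("at least one symbol", lambda p: any(c in SYMBOLS for c in p)),
    ("at least one number", lambda p: any(c in string.digits for c in p)),
    ("an upper case letter", lambda p: any(c in string.ascii_uppercase for c in p)),
    ("a lower case letter", lambda p: any(c in string.ascii_lowercase for c in p)),
]


def unmet_rules(password):
    """Return the descriptions of the rules the password fails (empty = passes)."""
    return [desc for desc, ok in RULES if not ok(password)]


def generate_password(length=20):
    """Generate a random password that meets every rule, using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    # Rejection sampling: draw uniformly and retry until all rules hold, so
    # every compliant password is equally likely (no forced positions).
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not unmet_rules(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, plus one freshly generated password
    for sample in ["Summer2019", "correcthorsebatterystaple", generate_password()]:
        print(repr(sample), "->", unmet_rules(sample) or "meets all rules")
```

The generator draws from the secrets module rather than random, because random is not designed for security-sensitive values.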
Thing #2: Convert Your WordPress Website to SSL
As we mentioned in a recent post, Google is now penalizing sites that don’t use an encrypted connection. Converting your site to SSL, which means your site will use HTTPS rather than HTTP in all its links, makes it more difficult for third parties to capture data from your site. If you need help converting your WordPress website to SSL, check out this recent post for tips.
Thing #3: Use a Secure App for Any Ecommerce Features
Ecommerce features can be another source of vulnerability on WordPress websites. If customers are storing credit card information on your website, and a hacker manages to bypass your defenses, they can steal this information. Though credit card companies protect their customers against identity theft, if your data is compromised you will be required to disclose this to your customers, or face possible fines if their financial information is later revealed to be compromised and you didn’t use security best practices.
To avoid this scenario, we recommend using third-party apps whenever possible. WooCommerce is a great, secure solution for integrating ecommerce into a WordPress website. WooCommerce is built by security experts, meaning that it will be much more secure than any custom solution you might develop.
Thing #4: Use a WordPress Security Plugin
If you want to go that extra mile to protect your data, there are a host of WordPress security plugins, all of which are available for free with limited features. These plugins enable you to:
- Automatically scan your website’s code for malware, or malicious software that hackers place there
- Automatically scan your posts and comments for links to malware
- View your website traffic in real time to see if there are any threats
Our experience with these plugins, however, is that they are not very usable for people unfamiliar with advanced WordPress features. If you install one of these plugins and find you are lost when it comes to setting it up, it is probably worth it to work with a WordPress developer to help you secure your site.
How Will I Know If My Website Is Secure?
Ultimately, it’s difficult to know how secure your website is. Some of the plugins mentioned above will generate reports that tell you how secure your site is, but WordPress security is about peace-of-mind. The threats are simply too great to risk hosting an insecure WordPress website, as are the costs of repairing a site that has been compromised.