How to improve website security, in particular WordPress websites
Here are the most basic Website Security steps – in order of importance, with more information on each step below:
1. Hide your login page
2. Install a Limit Login Attempts plugin
3. Add a Captcha to your login and contact forms
4. Keep your WordPress install up to date (monthly)
5. Keep all of your plugins up to date (weekly)
6. Disable the comments feature
7. Enforce secure usernames and passwords
8. Install a good anti-virus plugin.
1. Website Security checklist – Hide your login page
In order to beef up your WordPress security you need to pay attention to the areas hackers target most often. And first on that list is the login page. This is because all WordPress websites have the same default address for their login page: /wp-admin. That means the hackers can go straight to that address and start trying to hack into it. So you need to change it. Use the ‘WPS Hide Login’ plugin and change the login page address. There’s your most important WordPress security issue resolved, and it’s a five-minute job.
2. Website Security checklist – Limit Login Attempts
If hackers do get to your login page, you can generally keep them out by limiting the number of login attempts they can make before being locked out. You can install the ‘Limit Login Attempts’ plugin, and set it up to lock people out for as long as you want, after as many failed login attempts as you’d like. There’s your second important WordPress security issue resolved. Download the plugin here – https://wordpress.org/plugins/limit-login-attempts/
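To see what a lockout policy like the one described above does to real login traffic before you pick its numbers, here is an added example (not part of the original article or of any plugin's code) that replays a web access log and simulates the lockouts. It assumes the default wp-login.php endpoint, the usual Apache/Nginx log layout, and that a failed login answers with status 200 while a successful one answers with 302; the log lines and the names simulate_lockouts and _line are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, hms, method, status):
    # Builds one constructed access-log line (sample data, not real traffic).
    return f'{ip} - - [12/Mar/2024:{hms} +0000] "{method} /wp-login.php HTTP/1.1" {status} 4321'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(1, 13, 2)]
    + [_line("198.51.100.20", "10:01:00", "POST", 200),   # two typos...
       _line("198.51.100.20", "10:01:30", "POST", 200),
       _line("198.51.100.20", "10:02:10", "POST", 302),   # ...then a good login
       _line("192.0.2.44", "10:03:00", "GET", 200)])      # just viewing the form

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def simulate_lockouts(log_text, max_failures=3, window_min=5, lockout_min=20):
    """Return {ip: {"lockouts": n, "blocked": m}} for the given policy."""
    window = timedelta(minutes=window_min)
    lockout = timedelta(minutes=lockout_min)
    recent = defaultdict(deque)   # ip -> times of recent failed logins
    locked_until = {}             # ip -> time the current lockout ends
    report = defaultdict(lambda: {"lockouts": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Only login submissions count; adjust the path if the login URL was moved.
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and when < locked_until[ip]:
            report[ip]["blocked"] += 1      # attempt made while locked out
            continue
        if status != "200":                 # assumption: redirect = successful login
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = when + lockout
            report[ip]["lockouts"] += 1
            q.clear()
    return dict(report)

if __name__ == "__main__":
    print(simulate_lockouts(SAMPLE_LOG))
```

Run it with a stricter setting such as max_failures=2 and the visitor who mistyped a password twice is locked out as well, which is the trade-off to weigh when choosing the plugin's limits.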
3. Website Security checklist – Add Captcha to your forms
A simple plugin like ‘Really Simple CAPTCHA’ (https://wordpress.org/plugins/really-simple-captcha/) is very widely used and allows you to add a tick box so that users can verify they are human. Although it sits at #3 here, this is a crucial element of website security.
4. Website Security checklist – Keep your WordPress install up to date
People often forget that the WordPress install itself is a website security issue and needs to be kept up to date. As soon as you log in, you will get an alert on your dashboard to tell you if the WordPress install is out of date. Don’t be afraid to follow the instructions and cross another job off your Website Security checklist.
5. Website Security checklist – Plugins!
Your plugins will need updating regularly. The more you have, the more of a website security issue they will become. So get in the habit of checking on them each week. When you log in, you will get an alert on your dashboard, just the same as above, telling you how many updates you need to do. Click on the ‘Plugins’ link down the left-hand side of the Dashboard, then click the ‘update’ link on each one. Then cross another job off your Website Security checklist.
6. Website Security checklist – Disable the comments feature
Most websites don’t need to have the Comments feature activated. I recommend switching it off as it allows external users to post comments which are often used to create backlinks to their own content. This is only a small website security issue, but worth avoiding to be on the safe side. These comments are also likely to have a negative effect on your website SEO over time as the links, if spam, are seen as toxic by the search engines. You can do this with another plugin called ‘Disable Comments’ which you can download here – https://wordpress.org/plugins/disable-comments/
7. Website Security checklist – Enforce secure usernames and passwords
Everyone is lazy when it comes to usernames and passwords. But when it comes to keeping your website intact, don’t take the chance. Use the password generator, or come up with an alpha-numeric password of your own.
If you think the username might be obvious, don’t use it. More on WordPress Security here
8. Website Security checklist – Install a good Anti-Virus plugin.
I prefer using Wordfence. Having tested a number out on the same site with known malware, I found Wordfence to be thorough and fairly easy to use. Like most antivirus programs, it takes a bit of time to configure, but it’s a vital tool in WordPress security.