In response to frequent WordPress hacks, we thought it might be helpful to write about some of the best practices we’ve used to secure WordPress websites.
- Use unique, strong passwords for your login. One technique attackers use is credential stuffing: a password stolen from another site where you reused it is tried against your WordPress login. Another is brute force: a bot repeatedly submits weak or common passwords until one works. A long, unique password defeats both.
- Use multifactor authentication at your WordPress login. Plugins such as “Google Authenticator” implement this, so a stolen or guessed password alone is not enough to get in.
- Update your installation at least monthly. This includes WordPress itself, all plugins, and any themes you’ve installed. Security fixes are released outside that cadence, so apply them when they appear, and delete plugins and themes you no longer use, since inactive code on disk can still be reached and exploited.
- Change your login page. Bots try the default login URL (wp-login.php) first to find your login form. Changing this URL to something unique removes the obvious target and cuts the noise dramatically. Plugins such as “WPS Hide Login” (https://wordpress.org/plugins/wps-hide-login/) make this change easily. Treat it as a complement to strong passwords and MFA rather than a replacement: a determined attacker can still find the new URL, and xmlrpc.php still accepts credentials and is itself a common brute-force target.
- Install a security plugin. Several free plugins will ban IP addresses that repeatedly hit your login page, or change the default URL for you. Caution: these plugins will also ban you if you’ve forgotten your password and try too many times, so know how you would lift a ban on yourself (for example from a different IP address, or through the hosting control panel) before you need to.
- Back up your site. SpireTech backs up our servers nightly, but these backups are not accessible to customers and recovery requires assistance from the service desk. Configure backups through our Plesk site manager for easier site restoration. WordPress backup plugins usually use local storage, which counts against your disk space quota, and may not back up the entire site. Plesk backups do not use your disk quota, and back up the entire filesystem, all databases, and, if located on the same server, email as well. Whichever you use, test a restore once so you know the backup is actually usable.
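The login-page and security-plugin items above both rest on the same observation: bots announce themselves by hammering the login endpoints. The following is an added example of that detection logic, written for this page and not code from SpireTech or from any of the plugins named above. It assumes an Apache or nginx “combined” access log, uses the WordPress behaviour that a failed wp-login.php login re-renders the form with HTTP 200 while a successful one redirects with 302, counts every POST to xmlrpc.php (which answers 200 either way), and uses a threshold of 5 attempts in a 10-minute sliding window; the threshold, window and sample log lines are all constructed for the example.

```python
"""Flag IP addresses brute-forcing a WordPress login, from web server access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed; adjust the regex for a custom format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def is_login_attempt(rec):
    """Heuristic for a failed/automated login.

    wp-login.php: a failed login re-renders the form with 200; success is a 302 redirect.
    xmlrpc.php: returns 200 for both outcomes, so every POST counts (and it is still
    reachable after the login URL has been renamed).
    """
    if rec["method"] != "POST":
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    return rec["path"] == "/xmlrpc.php"


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp at which the IP first crossed the threshold}.

    Uses a per-IP sliding window; lines are expected in chronological order,
    as they appear in a log file. Spread-out attempts that never reach
    `threshold` inside `window` are not flagged.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in offenders:
            offenders[rec["ip"]] = rec["ts"]
    return offenders


# Constructed sample log: one fast brute-forcer on wp-login.php, one legitimate admin
# (one failed try, then success), one xmlrpc.php brute-forcer, one slow attacker who
# stays under the window. Addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:10:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:10:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:15:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:15:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:15:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:16:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

Two practical notes. Once you have moved the login URL, every POST to /wp-login.php is by definition automated, so the threshold for that path can drop to 1. And the slow attacker in the sample (203.0.113.9, one attempt every 15 minutes) is exactly the case IP-banning plugins miss, which is why the password and MFA items above come first; the output of a detector like this is meant to feed a ban list, not to replace those controls.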
If you don’t have time or the ability to do all of these things, please consider subscribing to our new Managed WordPress hosting package, where we’ll take care of these things for you.