10 ways to effectively secure your WordPress website
Julian, 18 November 2021
You have worked incredibly hard on your website; installed WordPress, chosen a cool theme, added the necessary plug-ins and filled the site with content. It would then be a shame to keep the risk of getting hacked unnecessarily high.
Securing a website is something people often postpone because it doesn’t yield immediate results. It’s not always visible from the outside and as long as nothing happens, it’s not necessary. At least, that is what most people think. Until the website is hacked.
Oops… and now what? Well, we’d want to prevent that.
10 ways to effectively secure your WordPress website
We would be lying if we said that there is a magic button you can press to protect your website from all threats. Even after implementing all the tips below, there’s still a chance your site could be at risk.
Hackers are good at what they do. But luckily, we are too. You just have to beat them at their own game. To do that, you not only need to have a plan A, but also plan B.
Take action before it’s too late. Don’t make the mistake of only thinking about the security of your WordPress website when it’s too late.
1. Choose a quality hosting provider
Why is choosing a quality hosting provider important? Let’s put it in perspective. You can see your hosting company as the street on the internet where your website is located – it’s where your website lives. And the building in which your website lives is the hosting plan you choose; the bigger and nicer the hosting plan, the bigger the building.
If you are going to buy or rent a house, you also want the foundation to be good, the house to be well insulated and a pleasant environment to live in. The same goes for your website. The hosting party you choose should offer the most reliable and efficient environment you can wish for.
This is because the hosting party has a major influence on how well your website performs, how reliable it is, how big it can grow and how well it ranks in search engines. A good host also offers useful features, excellent support and service that is tailored to your chosen platform.
At Savvii you are at the right place for WordPress. Our in-house experts know all the ins and outs of WordPress. Our platform is specially optimised to achieve the best performance.
But besides good service, support, features, speed and a lot of other extras, you could probably already guess that a hosting provider also has a significant impact on the security of your website. A good host offers:
- Frequent update service, software and tools to respond to the latest threats and eliminate potential security breaches.
- Several targeted security features, such as SSL/TLS certificates and DDoS protection. And a Web Application Firewall (WAF), which helps monitor and block serious threats to your site.
- Daily backups of your site, so if you get hacked, you can easily revert to a stable, previous version.
- Reliable, 24/7 (emergency) support, so there is always someone who can help you if you encounter a security problem.
These are a few points to take into account when choosing a hosting provider. It is advisable to choose a party that offers all the features you need, plus has a reputation for delivering what they promise.
Savvii is a premium managed WordPress hosting company that delivers fast, reliable, stable and above all secure hosting. If you choose Savvii, you benefit from a free SSL/TLS certificate and a WAF specially configured for WordPress that protects your website against hack attempts. You also get backups, 24/7 emergency support from WordPress experts and many other extras that make your website faster, more stable and more secure – at no extra cost. With Savvii you can be confident that your WordPress website is in good hands.
2. Switch your site to HTTPS
HTTPS stands for HyperText Transfer Protocol Secure – a more secure version of HTTP. Without getting too technical, HTTPS secures the data being transferred between browser and website. When a visitor visits your website, all the content of the website is sent via this protocol to the location of the visitor. If a website does not have SSL, then you get the well-known “Your connection to this site is not secure” message. From your own experience you know that you do not click through to the website. Your visitors will also drop out. We’d want to prevent that.
In the past, HTTPS was mainly used for sites that process privacy-sensitive customer information, such as payment details. For some years now it has become common for all sites, and in many cases it is even offered for free. A free HTTPS connection is often called Let’s Encrypt or AutoSSL.
To switch your site from HTTP to HTTPS, you will need an SSL/TLS certificate. This tells browsers that your website is legitimate, and that the data is correctly encrypted.
At Savvii, we install Let’s Encrypt by default on every website we host. Every site has a secure connection with it. Let’s Encrypt is an excellent SSL/TLS certificate. However, if you are serious about your website, we recommend a paid certificate.
Now I can hear you thinking; why should I pay for a SSL/TLS certificate when I can get one for free? As described above, a free certificate is easy to obtain, but has some limitations. A paid SSL/TLS certificate can protect and secure a website on a higher level.
3. Choose strong passwords
This is a “no s***, Sherlock” suggestion, but make no mistake about how often people choose simple passwords. There is a day named after checking and changing passwords for a reason: ‘National Check Your Password Day’. This day was created to make people aware of how important a strong password is. Therefore, choose your password carefully and store it safely.
Nowadays, strong passwords are recommended so that people are less likely to choose an easy-to-crack password. However, if you don’t have a safe place to store your passwords, you quickly end up choosing something familiar, because you can’t remember that strong password anyway.
Therefore, choose tools such as LastPass or 1Password to store your passwords in a safe, central location. This way you can be sure that your passwords are safe and that you can access them at any time.
4. Use a Web Application Firewall (WAF)
If you own a computer, you’re probably familiar with the concept of a firewall – a program that helps block all kinds of attacks. A Web Application Firewall (WAF) is actually a tuned firewall; it is designed specifically for websites and servers. It can protect websites, groups of sites and servers from threats. So, a WAF forms a sort of wall between your website and the rest of the web. A firewall monitors incoming activity, detects attacks, malware and other unwanted events and blocks anything it considers a risk.
In many cases, especially when you choose managed hosting, the hosting company installs this wall for you. This not only ensures that your website is safe, but the firewall also takes away a lot of extra work.
5. Implement two-factor authentication
It is inevitable that you will be bombarded with it: two-factor authentication. Every tool, website, programme or software pushes this method of security. The name says it all; two-step authentication. It takes a bit more time to log in but provides a stable layer of protection to keep hackers out.
As with many WordPress features, two-factor authentication is easy to add with a plug-in. Two Factor Authentication is a solid choice – made by reliable developers.
Another option is the Two-Factor plug-in, which is known for its reliability. The plug-in is built by well-known WordPress developers. As with any plug-in, it takes a while to get to know how everything works, but it gets the job done and is very secure.
6. Add plug-ins and themes carefully (and don’t wait too long to update)
WordPress is a great platform because of its large community, availability of themes and plug-ins. Want to add a new feature to your website? You’ve heard of the term “there’s an app for that”, same goes with plug-ins.
Unfortunately, installing a plug-in or theme is not always without risk.
Plug-ins and themes are not always developed by WordPress itself, but largely by external parties. Because of this, a developer may not be careful enough, and the result can be unreliable, unsafe or simply not work properly. Choose a plug-in or theme carefully and thoughtfully, and make sure it is a solid option that will not harm your site or cause problems.
Finally, you should keep your plug-ins and themes up to date to ensure they work well and are secure. Fortunately, this is quite simple; you just have to visit your WordPress dashboard, click on plug-ins, select the ones with a notification and click on update now. You can also update the plug-ins in a batch by selecting them all and clicking on the update button. However, we cannot recommend this. If one plug-in does cause problems, it is difficult to find out which one.
Do you host at Savvii? Then we take care of it for you. Every plan at Savvii includes automatic updates. What does that mean for you?
It means that you don’t have to do core and plugin updates anymore. In our control panel you have the option to enable automatic WordPress core and/or plugin updates. We will then perform the updates for you and check your site. Something went wrong? Then we restore the backup we just made and inform you about it.
7. Configure folder and file permissions
At tip 7 we go a little further into the technical side of things.
All plug-ins, themes, files and data on your WordPress website are stored in folders and files. Each folder and file is assigned a permission level; this determines who can view, edit and/or execute the file or folder. The file permissions are represented by a three-digit number, with each digit having a meaning.
The first digit represents the individual user (website owner), the second digit represents the group (e.g. members of your website) and the third digit represents the rest of the world. The numbers range from 0 to 7 and have the following meaning:
0 : Cannot access the file.
1 : Can only execute the file.
2 : Can edit the file.
3 : Can edit and execute the file.
4 : Can read the file.
5 : Can read and execute the file.
6 : Can read and edit the file.
7 : Can read, edit and execute the file.
If a file is given a permission level of, for example, 740, this means that the user can read, edit and execute the file, the group can read the file and anyone outside the user and group has no access.
WordPress recommends setting folders to a 755 permission level and files to 644. You can stick to these guidelines quite safely, although you can set any combination you like. Keep in mind that it is best to give as few people access as possible.
Note: When making changes, check carefully that you have entered the right numbers. A wrong choice can have major consequences for your website.
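As an added example (not part of the original post), the following POSIX shell script audits a WordPress directory against the 755/644 recommendation above and can apply the fix; the install path and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the recommended modes, directories 755 and files 644, and optionally fix them.
# Only POSIX find/chmod are used, so it runs on any Unix-like web host.

WP_DIR_MODE=755
WP_FILE_MODE=644

# List every directory and regular file whose mode deviates from the
# recommendation, one finding per line.
wp_perm_audit() {
    dir=$1
    find "$dir" -type d ! -perm "$WP_DIR_MODE" \
        -exec printf 'directory %s is not %s\n' {} "$WP_DIR_MODE" \;
    find "$dir" -type f ! -perm "$WP_FILE_MODE" \
        -exec printf 'file %s is not %s\n' {} "$WP_FILE_MODE" \;
}

# Print the number of deviations; handy for a cron job that only alerts
# when the count is non-zero.
wp_perm_count() {
    dir=$1
    d=$(find "$dir" -type d ! -perm "$WP_DIR_MODE" | wc -l)
    f=$(find "$dir" -type f ! -perm "$WP_FILE_MODE" | wc -l)
    echo $((d + f))
}

# Apply the recommended modes. Only deviating entries are touched, and
# "-exec ... +" batches paths so a large uploads folder is handled quickly.
wp_perm_fix() {
    dir=$1
    find "$dir" -type d ! -perm "$WP_DIR_MODE" -exec chmod "$WP_DIR_MODE" {} +
    find "$dir" -type f ! -perm "$WP_FILE_MODE" -exec chmod "$WP_FILE_MODE" {} +
}

# Usage (assumed install path): sh wp-perm-audit.sh /var/www/html [--fix]
if [ $# -gt 0 ]; then
    wp_perm_audit "$1"
    if [ "${2:-}" = "--fix" ]; then
        wp_perm_fix "$1"
    fi
fi
```

Run it without --fix first and read the findings; a managed host may deliberately use other modes for specific paths, and those should not be overwritten blindly.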
8. Monitor the number of accounts on your site and keep it low
If you and you alone manage your WordPress site, then you don’t need to worry about this step. By keeping the number of accounts as low as possible, or even limiting it to just yourself, you are the only person who can make changes. As a result, you know exactly what is going on.
This tactic is also known as ‘me, myself and I’.
We often see people adding other people and the number of users increases. This could have various reasons; getting other authors to contribute, needing people to edit the content or adding new features. In many cases this is very useful and sometimes even necessary, as your business grows it is almost impossible to do everything yourself. However, it is also a security risk.
The more people you allow on your site, the greater the chance that someone will make a fat-finger mistake. It sounds childish but it goes wrong often enough. Try to keep the number of users as low as possible without restricting growth. Also pay attention to the roles that are assigned. Someone who only writes content does not need access to the entire website.
9. Keep an eye on things
You probably know how it goes: multiple users on your website. You hire a new employee, a new developer or someone who writes guest blogs, everyone needs access to be able to do a certain task. Each user has access to your website and the ability to make changes based on the assigned permissions.
As mentioned before, it is not a bad idea to refresh the list of users once in a while. Are they still using your website? If not, delete that account. The fewer people who have access, the less chance there is of things happening that shouldn’t happen.
Apart from keeping the number of users as low as possible, there is another quick win to be aware of what is going on in the background. You can follow the activities. This way you can see exactly where and when other users are making changes. When a strange change is made, it’s nice to know who is behind it. You can cover this with a plug-in.
If you want a hands-off approach, Simple History lives up to its name by creating a streamlined, easy-to-understand log of important changes and events on your site.
10. Make regular backups
The last but not least important tip is to regularly back up your website, regardless of the CMS. Just paying attention to security is not enough, you have to prepare for the worst.
If your website gets hacked or crashes, a backup is what gets you back on your feet. A good hosting company makes standard daily backups of your website, database, media folder and so on. At Savvii every hosting plan has daily back-ups. We keep these backups offsite for 14 days. Do you need a backup for any reason? Then you can simply indicate which part of your site you want to restore, or just the whole website.
However, we recommend that you also make weekly, monthly or periodic backups. Would you like to restore an older version of your website, for example from one month ago? Unfortunately, we cannot help you with that, but you can help yourself.
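As an added example (not part of the original post), a small POSIX shell script for the periodic backups recommended above: it archives the site directory, includes a database dump when WP-CLI is available, and keeps only the most recent archives. The paths and the keep count are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): make your own periodic backup
# of a WordPress install and keep the last N archives, complementing the
# host's 14-day retention. Paths and keep count below are assumptions.

# Create wp-backup-<timestamp>.tar.gz of the whole site directory in $dest.
# If WP-CLI is installed, "wp db export" writes a database dump into a
# scratch directory so it lands in the same archive. Prints the archive path.
wp_backup() {
    site=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    mkdir -p "$dest"
    if command -v wp >/dev/null 2>&1; then
        wp --path="$site" db export "$work/database.sql" >/dev/null
    fi
    archive="$dest/wp-backup-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" -C "$work" .
    rm -rf "$work"
    echo "$archive"
}

# Count the archives currently kept in $1.
wp_backup_count() {
    n=0
    for f in "$1"/wp-backup-*.tar.gz; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Delete the oldest archives so that at most $keep remain. The timestamp in
# the name sorts chronologically, and the shell expands the glob in order.
wp_backup_prune() {
    dest=$1
    keep=$2
    excess=$(( $(wp_backup_count "$dest") - keep ))
    for old in "$dest"/wp-backup-*.tar.gz; do
        [ "$excess" -gt 0 ] || break
        rm -f "$old"
        excess=$((excess - 1))
    done
}

# Usage from a weekly cron job (assumed paths, keep 8 weeks):
#   sh wp-backup.sh /var/www/html /backups/wp 8
if [ $# -ge 2 ]; then
    wp_backup "$1" "$2"
    wp_backup_prune "$2" "${3:-8}"
fi
```

Store the archives outside the web root and preferably on another system, and restore one into a test environment now and then to confirm the backup is actually usable.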
Preventing is better than curing
These 10 security tips will help you to boost the security of your WordPress website. Some are simple, others affect your whole site, like switching to HTTPS or adding an SSL/TLS certificate. Changes that affect the whole website require extra attention or help from your hoster.
Above all, make sure that your website is running on highly secure WordPress hosting. Our hosting is specifically designed for WordPress. Choose premium managed WordPress hosting, then you can be sure that your website is fully protected on the server side.
And if you ever encounter a security issue, we have you covered with automatic daily backups, a daily malware scan, automatic updates and our support team of WordPress experts!