Many website owners think that all of the work to build their WordPress website happens up front, but in reality, the design, development and creation of a WordPress site is just the first step. When you launch a new WordPress site, you become a website owner, and as a website owner, it is your responsibility to care for it and to keep it safe and healthy.
Owning any website, not just a WordPress website, requires ongoing maintenance. Your WordPress website is powered by the WordPress software, and all software — like Adobe Photoshop, Microsoft Word, Apple iTunes, and all of the Apps on your phone — has ongoing updates that you must manage.
Ignoring software updates can cause numerous problems:
The good thing: Even if you’re non-technical, you can learn how to improve WordPress security 🙂 Just review this WordPress security checklist to get started.
The following list can’t give you a full overview of the actions and tasks needed to make sure that security is good. If you want to dive into it in more detail, we recommend you check back with your programmer or with the official WordPress community! However, even with little to no technical prowess, you have the power to protect your WordPress website from security vulnerabilities and help prevent your WordPress site from being hacked.
With this WordPress security checklist, you can improve WordPress security — even if you’re a non-technical website owner.
1. Use strong passwords and a password manager
The simplest website security measure you can take is to use strong, unique passwords. This means skipping your dog’s name, kid’s name, birthdays and common words, including the word “password”.
When creating your passwords you should make sure they include:
More than eight characters
A mix of uppercase and lowercase letters
At least one number
At least one special character
You should also make sure that every password you create is unique.
Do not use the same password for multiple websites or online profiles, and do not use your WordPress password for anything else — especially for a social media profile.
I know managing all of the different passwords can be tough, especially when you avoid any common words and add in numbers and special characters, but there is an easy solution. Use a password manager like LastPass or 1Password to manage all of your unique passwords and provide you with one master password.
As of WordPress 4.3, passwords are strong by default. Previously, users were presented with an empty box and created a password from scratch, which allowed them to use weak passwords. As of WordPress 4.3, strong passwords are created automatically for users, who can then choose to keep or edit them. As the password is edited, the password strength meter will communicate how strong your new password is.
WordPress 4.3 also saw the end of emailing passwords, with password reset links now emailed that expire in 24 hours by default.
2. Don’t share your password
Your WordPress password is your WordPress password. Do not share it with anyone else, not even your team members or business partners. Instead, maintain the integrity of your account by:
Setting up anyone else who needs access to your site with their own user account and password.
Giving each user account the minimum access needed. Do not give everyone Administrator-level access.
When everyone who has access to your site has their own unique user account, it is easy to remove access when a team member no longer works for you or you end a contract with a subcontractor.
With separate user accounts, you’ll also be able to track each user’s activity on your site, seeing when they last logged in, what they did, and more.
3. Update WordPress regularly
While incremental WordPress updates are pushed out automatically so you don’t have to lift a finger to update your site to the newest version of the software, the major updates don’t work the same way. For major releases it is up to you to update WordPress to the latest release.
When a new version of WordPress is released, a log is published noting everything new about the latest release. This includes all security vulnerabilities that were patched, which means that the security vulnerabilities of past versions of WordPress are made public.
To protect the security of your site it is best to always keep your sites updated to the most current version of WordPress.
4. Update plugins consistently
Just as a log is published noting everything new about the latest release of WordPress, a similar log is published for every plugin every time it is updated. This also means that all security vulnerability information about previous plugin versions is made public.
“If you have five plugins installed on your WordPress site that are two to three versions out of date, every one of those plugins could pose a security threat to your site.”
Every time a plugin releases an update, you should back up your site and update the plugin, keeping all installed plugins current.
5. Keep your theme updated
WordPress themes and parent themes also have periodic updates you must manage.
As with the WordPress core software and WordPress plugins, when new versions of themes and parent themes are released, information about bug fixes and security patches is published, making the security issues with the previous version public knowledge.
It is also important to delete any WordPress themes that you are not using from your site. But if you are using a parent/child theme setup like the Genesis Framework by StudioPress, be careful not to delete the parent theme (Genesis).
6. Disable and delete all unused plugins
With more than 46,000 plugins in the WordPress.org Plugin Directory, you have a lot of plugins to choose from and try out.
It is inevitable that at some point you are going to test out a few different plugins that all do the same thing to see which one you like the best and want to use for the long term.
While it is best to test these plugins out in a staging environment or local development environment, not everyone is that tech savvy. If you’re going to test new plugins on your live site, first perform a full backup of your site just in case anything goes wonky, then test away to your heart’s content.
Just be sure to disable and delete any and all plugins that you are not actively using.
If you test out three different contact form plugins and decide on one of them, disable and delete the other two from your site. Trust me, the last thing you want to deal with is managing and keeping plugins you’re not even using up to date, yet if you don’t update a plugin you’re not even using, you create a backdoor into your site for a hacker.
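One way to turn sections 2, 4, 5 and 6 into a repeatable check, as an added example that is not part of the original post: the script below audits constructed samples shaped like the JSON that wp-cli prints for `wp plugin list`, `wp theme list` and `wp user list` (with `--format=json`) and reports what to delete, what to update, and which accounts hold Administrator without being a known owner. The sample data and the `parent` key on themes are assumptions made for this example, not real output from any site.

```python
import json

# Constructed samples shaped like wp-cli JSON output (`wp plugin list`, `wp theme list`,
# `wp user list` with --format=json). They are made up for this example; the "parent"
# key on themes is an assumption, since wp-cli's theme list does not record it directly.
PLUGINS = json.loads("""[
 {"name": "contact-form-7", "status": "active",   "update": "none",      "version": "5.9"},
 {"name": "wpforms-lite",   "status": "inactive", "update": "available", "version": "1.8"},
 {"name": "ninja-forms",    "status": "inactive", "update": "none",      "version": "3.6"},
 {"name": "wordfence",      "status": "active",   "update": "available", "version": "7.10"}
]""")
THEMES = json.loads("""[
 {"name": "genesis",          "status": "inactive", "update": "available", "parent": null},
 {"name": "genesis-child",    "status": "active",   "update": "none",      "parent": "genesis"},
 {"name": "twentytwentyfour", "status": "inactive", "update": "none",      "parent": null}
]""")
USERS = json.loads("""[
 {"user_login": "owner",    "roles": "administrator"},
 {"user_login": "writer",   "roles": "administrator"},
 {"user_login": "designer", "roles": "editor"}
]""")

def audit_plugins(plugins):
    """Section 6: inactive plugins are dead weight to delete; section 4: active ones
    with a pending release need updating (after a backup)."""
    delete = [p["name"] for p in plugins if p["status"] == "inactive"]
    update = [p["name"] for p in plugins if p["status"] == "active" and p["update"] == "available"]
    return {"delete": delete, "update": update}

def audit_themes(themes):
    """Section 5: delete unused themes, but never the parent of the active child theme,
    and keep that parent updated even though it shows as inactive."""
    keep = {t["name"] for t in themes if t["status"] == "active"}
    keep |= {t["parent"] for t in themes if t["status"] == "active" and t.get("parent")}
    delete = [t["name"] for t in themes if t["name"] not in keep]
    update = [t["name"] for t in themes if t["name"] in keep and t["update"] == "available"]
    return {"delete": delete, "update": update}

def audit_users(users, owners=("owner",)):
    """Section 2: anyone with Administrator who is not a known owner account should be
    downgraded to the least role they actually need."""
    return [u["user_login"] for u in users
            if "administrator" in u["roles"].split(",") and u["user_login"] not in owners]

if __name__ == "__main__":
    print("plugins:", audit_plugins(PLUGINS))
    print("themes: ", audit_themes(THEMES))
    print("extra admins:", audit_users(USERS))
```

Feed it the real wp-cli JSON from your own site in place of the constructed samples and act on each list; the parent theme (Genesis in the example) stays and still gets updated.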
7. Actively manage cPanel and/or FTP access
Just as you should never share your WordPress password with someone else, you should never share your Control Panel or FTP password with anyone else. Instead set them up with their own user account and password. This again gives you the ability to revoke access when they no longer work for you or you part ways with a subcontractor.
8. Keep your OS, software and browsers updated with the latest version
It’s easy to think that malware or a website hack can only come from outdated WordPress installs and outdated plugins, but that just isn’t the case. Your WordPress site can become vulnerable to malware attacks and security hacks through outdated software on your computer, including old operating systems, and old browser versions.
There have even been instances where a malware virus traveled through FTP clients to infect sites. So if one person had passwords for multiple websites stored in an outdated FTP client and one site got infected, the malware could spread to all of the other websites.
9. Encrypt your home/office WiFi network
When your home WiFi network and office WiFi network are encrypted, the data is passed through the network more securely.
“When your home WiFi network and office WiFi network are unencrypted, the data is passed through the network in plain text and anyone can log into your network and see everything that is being transferred.”
That means your usernames and passwords are being transferred in a way that anyone can access them, leaving your personal information and accounts vulnerable.
You should never log into your WordPress site on an unencrypted WiFi network, and again, always use a strong, unique password.
10. Invest in website security
No matter the scale of your WordPress website, you could be a target for hackers. In order to proactively — and consistently — protect against malware, viruses and other online threats, a website security service is a must.
Wordfence Security – Firewall & Malware Scan (https://wordpress.org/plugins/wordfence/)
“The most popular WordPress firewall & security scanner”
Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.
11. Continuously revisit your WordPress security checklist
Remember, when you launch a new website, you become a website owner with responsibilities to not only create an awesome design, publish new content, and drive traffic to the site, but to care for and maintain your website. It’s an ongoing practice.
From using strong unique passwords and a password manager, to keeping WordPress, plugins, and frameworks updated, to actively managing user access to your site and investing in website security, you have the ability to ensure that your site runs smoothly and avoids security issues.
Hopefully, this WordPress security checklist helped you understand the steps you must take when learning how to improve WordPress security. Your actions are the first step to keeping your WordPress website safe and secure.