Although we’ve seen services like Wix and Squarespace build large market shares in recent years, they still don’t come close to challenging the dominance of WordPress. The open-source content management system still runs on 40% of all websites on the internet, nearly 30 times more than either Squarespace or Wix.
It’s free to use and almost infinitely extendable with plugins and themes that make it the most versatile content management system (CMS) on the web. It can even be converted into a forum, a social networking site, or an eCommerce platform that rivals many paid-for solutions like Shopify and BigCommerce. However, this popularity comes at a price.
WordPress is a valuable target for hackers: a single bug in the software could expose nearly half the internet. As a result, WordPress sites are significantly more likely to be attacked than sites running any other CMS. So if you want to keep your website protected, here are some steps you should take.
Install a Firewall
Even if your site is brand new, it’ll very quickly be discovered by bots that scour the internet looking for WordPress installations. Once they find it, they’ll begin probing it for weaknesses. A firewall plugin can help detect these attacks and block them.
There are several great options, but one of the most popular is Wordfence. It’s easy to install and helps stop attackers from finding things to exploit on your site while still letting users and search engines like Google discover you.
It can also limit brute force attacks by temporarily blocking a visitor’s access to your site if they enter an incorrect username or password too many times.
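To show what that brute force protection actually does behind the scenes, here is a small sliding-window lockout tracker. This is an added example written for this article, not Wordfence’s code; the thresholds (5 failures within 5 minutes, then a 15-minute lockout), the IP addresses and the usernames are all constructed for illustration.

```python
"""Sliding-window login lockout of the kind a WordPress firewall plugin applies.

Added illustration, not any plugin's real implementation. Every threshold and
address below is a constructed example value.
"""
import time
from collections import defaultdict, deque


class LoginLockout:
    """Counts failed logins per key (an IP or a username) and locks the key
    once too many failures land inside the window."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:             # lock expired: start fresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        """Returns True when this failure triggers a lockout."""
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(guard, ip, username, credentials_valid):
    """Gate one login attempt. Keys on both the client IP and the username, so a
    single attacker rotating usernames is caught by the IP key and a distributed
    attack on one account is caught by the username key. The trade-off of the
    username key is that it can lock a legitimate user out during an attack."""
    ip_key = f"ip:{ip}"
    user_key = f"user:{username.lower()}"
    if guard.is_locked(ip_key) or guard.is_locked(user_key):
        return "locked"                       # rejected before the password is even checked
    if credentials_valid:
        guard.record_success(ip_key)
        guard.record_success(user_key)
        return "ok"
    guard.record_failure(ip_key)
    guard.record_failure(user_key)
    return "failed"


class FakeClock:
    """Manual clock so the window and lockout can be exercised without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Constructed scenario: five bad passwords from one address, then a correct
    one, then the same correct one after the lockout expires."""
    clock = FakeClock()
    guard = LoginLockout(clock=clock)
    outcomes = [attempt_login(guard, "203.0.113.7", "admin", False) for _ in range(5)]
    outcomes.append(attempt_login(guard, "203.0.113.7", "admin", True))   # still locked
    clock.advance(901)
    outcomes.append(attempt_login(guard, "203.0.113.7", "admin", True))   # lock expired
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The important detail is that a locked client is refused before its credentials are checked at all, so even a correct password submitted during the lockout returns "locked"; the attacker learns nothing from the response and the cost of each guess rises sharply.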
Enable Two-Factor Authentication
WordPress uses a standard username and password system for controlling who has access to your admin dashboard. In addition to the usual precautions like using a strong password and having unique ones for each site, it is also a good idea to enable two-factor authentication for your WordPress accounts.
Two-factor authentication is a common security technique used across the internet today that requires you to enter a third piece of information to sign in. In addition to your username and password, you’ll be asked to type in a one-time passcode that is generated by an app or sent to you by SMS message. You will likely already be using this if you’re a member of sites like Facebook, PokerStars, or Amazon, so you should at least be familiar with the process.
Unfortunately, WordPress doesn’t support this natively, so you’ll need to find a plugin to enable it. There are plenty of different plugins available, but if you already have a firewall like Wordfence installed, it includes two-factor authentication, so you don’t need to download anything else.
Set Up Cloudflare
Cloudflare is a third-party DNS service that offers a number of performance and security benefits to website owners. It offers a free package and a catalog of premium features for business users.
It offers a range of security features right out of the box without you having to do anything, but you can combine Wordfence and Cloudflare to create a multi-layered set of protections for WordPress, for example by blocking access to key files like wp-config.php and requiring a CAPTCHA to be completed before the admin login screen is reached.
Keep Everything Up-to-Date
WordPress is updated on a regular basis, as are many of its plugins and themes. These updates plug security flaws in the software, make performance improvements, and add new features. Of course, our main concern here is the first one, so make sure you log in regularly and run any updates.
In the last few years, WordPress has added the option to run updates automatically, making this much easier. Occasionally, updates can cause compatibility issues though, so if you prefer to run updates manually, just be sure not to forget.
It’s also worth disabling and deleting any plugins or themes that you don’t use anymore. This removes both the risk of an undiscovered exploit in them being used to hack your site and the risk that you forget to install a critical update for them.
Keep a Backup
Keeping a backup isn’t going to prevent your WordPress site from getting hacked. However, it will ensure you can still use your site if it does. If the worst does happen, simply delete the site’s directory on your server, do a clean WordPress install, and restore the backup.
Just remember to keep your backups somewhere other than the server where the site is installed.
There are numerous paid and free backup solutions for WordPress, including many that will run automatically so you don’t have to worry about forgetting.