With over 50,000 websites being hacked daily—yes, daily—it’s not a question of if your WordPress website will be targeted, but when. However, by taking a few simple steps you can make your site less desirable to hackers, scam artists, and other ne’er-do-wells out there on the web. Whether you’re an owner, marketer, or IT specialist, you can protect your work, your investment, and your business.
Now, let’s get into it.
Password Security Test: What’s your Password?
If you can answer that question from memory then your password is not secure enough. Or you have amazing recall. Or you need to write an article on creating strong passwords that are also memorable.
So, what should you do?
You can use a tool like this Random Password Generator to generate a strong password. Tech Target suggests converting pass phrases to passwords so that they are easier to remember. But remember, your password should be unique. So even if you convert a pass phrase to a password (a pass phrase is a set of words that you string together, such as dailydisco), you should still use a different pass phrase for each login. So it’s probably best to find a way to store your strong passwords somewhere so you can access them when you need them.
NordPass offers one of many solutions available to make the process of creating and using strong passwords more manageable.
Pro Tip: Is your WordPress username admin? You might want to change it. Admin is the default WordPress username so it’s the first one that hackers target.
Changing your WordPress username can be a bit tricky (you can’t just change the username in the user settings of the admin console), but it’s certainly doable and something you should consider. Here are the steps to change your username:
- Log in with your current username and then go to the Users section.
- Create a new user with the username that you want. This user must have a different email address than the current user, but keep in mind you don’t have to put in a real email address. You can enter a made-up email address and then change it after you’ve created and logged in under the new username.
- Assign the new username administrative privileges and take note of the password.
- Log out of the site and log in with the new username and password.
- Go back into the Users section, delete your previous username, and update the email for your current username with the correct email you want attached to your account.
One Step Further – Two Factor Authentication
Want to make your login credentials even more secure? You can install a plug-in on your site that will enable Two-Factor Authentication. This typically requires an authenticator app that you need to install on your phone or computer. When you log in to your site, not only will you need to provide your username and password, but you’ll then be prompted to provide the code generated by your authenticator app.
What’s your role?
While you’re on your site updating your password and username and adding two-factor authentication, take a look at the other users. Do they have roles that are appropriate to their responsibilities? Keep in mind that anyone with an administrator role has a lot of power on your site.
Consider assigning other roles to users to limit what they can do and access on the site. WordPress provides default roles that can be assigned. If these don’t meet your needs, you can also install a plugin like Members or User Role Editor which allow you to create custom roles and control access and capabilities.
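One way to build such a limited role without a plugin, as an added example that is not from the article: a must-use plugin that registers a “Content Manager” role with only the capabilities needed to write and publish content (the role name, file name and capability list are assumptions for this example).

```php
<?php
/**
 * Plugin Name: Content Manager Role (example)
 * Save as wp-content/mu-plugins/content-manager-role.php so WordPress loads it
 * automatically; mu-plugins cannot be deactivated from the admin screen.
 */

// Role identifier chosen for this example (assumption).
const EXAMPLE_CONTENT_ROLE = 'content_manager';

function example_register_content_manager_role() {
    // add_role() writes the role to the database, so only create it once.
    if ( get_role( EXAMPLE_CONTENT_ROLE ) ) {
        return;
    }

    add_role( EXAMPLE_CONTENT_ROLE, 'Content Manager', array(
        // Enough to run the blog day to day ...
        'read'              => true,
        'edit_posts'        => true,
        'edit_others_posts' => true,
        'publish_posts'     => true,
        'delete_posts'      => true,
        'edit_pages'        => true,
        'publish_pages'     => true,
        'upload_files'      => true,
        // ... but none of the capabilities that change the site itself.
        // Deliberately NOT granted: install_plugins, activate_plugins,
        // update_core, edit_theme_options, edit_users, create_users,
        // manage_options.
    ) );
}
add_action( 'init', 'example_register_content_manager_role' );
```

Once the file is in place, the new role appears in the Role dropdown on each user’s profile; assign it to anyone who only needs to publish content, and keep the Administrator role for the one or two people who maintain the site.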
When’s the last time you updated your site?
You should be able to answer this question. If you can’t, you’re probably not updating your site often enough. Site updates are important because they make sure that you have the most up-to-date code, which can include fixes for identified security risks.
You need to keep WordPress up to date, your theme up to date, and your plugins up to date. 99.42% of all WordPress security vulnerabilities in 2021 came from core (WordPress itself), themes, and plugins, with 92% alone being traced to plugins. And in case you resist paying for plugins, keep this in mind: when you pay for a plugin you are typically paying to receive updates, and this includes security updates and fixes. Of the plugins causing issues in WordPress, 91.38% were free. A good reminder that you get what you pay for. After all, this is your business we’re talking about.
Of course, you can enable auto updates for plugins and WordPress core, but you should still check on your site on a regular basis – monthly will do it.
- First, make sure there is a recent backup of your site.
- Then, check to see if there are updates for WordPress, themes, and plugins that need to be made and go ahead and make them.
- Also check to see if there are plugins or themes that you’re not using and delete them. If an update breaks the site, you can restore from your most recent backup.
Finally, if you’re looking to add a plugin to your site, you want to make sure it’s from a reputable author who keeps the plugin up-to-date. If you’re not sure, check with your WordPress developer before adding a plugin…this can save you headaches down the road.
When is the last time you backed up your site and where is your backup stored?
Backing up your site—both your files and your database—is essential as it makes sure you have something to revert to should your site be hacked. There are many options available to back up sites. Some hosts offer this as part of their service, but often overwrite each backup with the new backup, so beware.
You can also use a service like CodeGuard or a plugin like UpdraftPlus. Daily backups are typically sufficient unless you make a lot of changes to your site every day.
Where you store backups also matters. Ideally, your backup files should not be on the same server as your site. UpdraftPlus provides an option to automatically send/post your backup files to a variety of storage locations.
What additional security measures do you have in place?
There are a variety of WordPress security plug-ins available that will make it easier to establish some additional security measures on your WordPress site as well as give you real-time feedback on how your site is doing.
These include Wordfence, Sucuri, and All-In-One Security. These allow you to set up protections against things like brute force attacks (when a bot tries to log in over and over and over), control file access permissions, and restrict new user creation.
Is that all I need to do?
Yes and no. There’s more you can do – but the important point here is do what you can. Everything listed above should be accessible and relatively easy to implement. Get the easier stuff in place first and then you can look into further website security measures if you want.
One thing we didn’t cover was installing an SSL certificate. You know a site has an SSL certificate when the address starts with HTTPS. SSL certificates enable your site to encrypt information so that essentially someone can’t snoop and access information. You can learn more from our article on SSL certificates. If you’re adding an SSL certificate to a site that didn’t have one before, you may need to add some code to enforce the use of HTTPS. If this sounds scary, just talk to a developer who should be able to do this easily.
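Here is what that code can look like, as an added example rather than anything from the article (the mu-plugin file name is an assumption; a rewrite rule in the web server’s configuration is the other common way to do this). The wp-config.php part also handles the case where a load balancer or CDN terminates HTTPS in front of the server, which otherwise makes WordPress think every request is plain HTTP and sends the redirect into a loop.

```php
<?php
/*
 * PART 1: wp-config.php
 * Add these lines above the "That's all, stop editing!" comment.
 */

// Only needed behind a proxy or CDN that speaks plain HTTP to the server:
// trust its forwarded-protocol header so is_ssl() reports HTTPS correctly.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Require HTTPS for the login page and the whole /wp-admin/ area.
define( 'FORCE_SSL_ADMIN', true );

/*
 * PART 2: wp-content/mu-plugins/force-https.php  (file name is an assumption)
 * Redirect plain-HTTP visitors on the public side of the site to HTTPS;
 * the admin side is already covered by FORCE_SSL_ADMIN above.
 */
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return; // already secure, nothing to do
    }

    // Same host and path the visitor asked for, but over HTTPS.
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

    // wp_safe_redirect() only sends visitors to hosts WordPress trusts (the
    // site's own address by default), so a forged Host header cannot turn
    // this into a redirect to someone else's site. 301 = permanent.
    wp_safe_redirect( $target, 301 );
    exit;
} );
```

Before enabling this, change both the WordPress Address and Site Address under Settings > General to start with https://, otherwise WordPress will keep generating http:// links that bounce through the redirect on every click.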
Now What?
Go do everything we talked about in this article. With this information, you now know how to secure your website. Rest easier knowing that one of your most important business assets is prepared to fend off hackers and backed up in the event that something goes awry.
If this all sounds too daunting, flyte is here to help. Almost all of our clients use our WordPress Care Plan, which includes many of the recommendations above. Ask us about the current security of your site and we’ll be happy to make some recommendations or help you secure it properly.
Further Reading
Want to learn more? Here are a couple of resources that provide more technical information regarding WordPress Security.
- WordPress Hacked – Steps To Protect Your Site From Hackers
- How to Find and Fix a Backdoor in WordPress Site
- Learn More About WordPress User Roles
- 2FA for WordPress
- WordPress Hacking Statistics
- Tutorial on How to Setup All-in-One Security on WordPress
- What Makes a Strong Password
Kate’s been on many different flight paths during her life, landing at flyte after having earned a degree in electrical engineering (so long ago that she remembers something about Ben Franklin flying a kite) and then spending the last 12 years serving as the pastor of a local church. She started learning to code at a very young age (on a DOS computer) and is looking forward to collaborating with the flyte team to leverage all that technology can offer.
Now that she doesn’t work nights and weekends, she looks forward to figuring out what she likes to do with her free time while accompanied by her wife and Millie the Whoodle.