“We’ve had a security breach and had to shut down our WordPress website. Can you help?”
We get several calls just like this one every year from marketers who’ve found themselves in this difficult and stressful situation. Security breaches can cause a business significant financial loss, disrupt customer service, and damage a company’s brand.
We can mitigate disaster, but we prefer to help you avoid disaster in the first place. WordPress websites require a lot of due diligence to keep them secure, but the good news is that it’s not all that hard.
Apply the following five effective and easy-to-implement WordPress security best practices to fortify your site against outside attacks.
Implement SSL Certificates
Secure Sockets Layer (SSL) certificates aren’t new. If you’re unfamiliar with them, an SSL certificate is essentially a file that contains information about your website’s identity. Sharing this certificate with browsers allows them to confidently send data back and forth between your website and users.
Google has indicated that SSL certificates matter, to the point of emphasizing secured sites in its search algorithm. So, an SSL certificate could improve your SEO. But its core purpose is to create a secure link.
We still come across websites that lack an SSL certificate. We also come across sites that have a mixed certificate, meaning that only parts of their website are secured. Typically, this happens when media is added to a WordPress site in a test environment. When that media is pushed to a production or live environment, the SSL certificate doesn’t cover the new files.
We recommend running your site through a scanning tool to confirm that your SSL Certificate protects all pages, media, files, and links. Numerous online vendors provide this service for a fee.
Note: Some SSL Certificates auto-renew and some don’t, so it’s important to keep track; mark your calendar and make sure to renew on time. Your due diligence will pay off.
Enable Two-Factor Authentication (2FA)
Two-factor authentication annoys me – and everyone else – but we all understand its value. It adds an extra layer of security to your WordPress login by requiring a second form of verification. Some hosts offer this service, and such plugins as Wordfence and Two-Factor provide tools for adding two-factor authentication.
Compromised passwords alone justify two-factor authentication. This happens more often than you might think. Consider how many users can access your WordPress admin dashboard and how many phishing attempts occur in a single day. That second security factor could be the difference between a relaxing day at the office and a splitting headache that last weeks.
Find the two-factor authentication approach that fits your business and make implementation a priority. The added level security it offers can head off disastrous consequences.
Make Regular WordPress Updates
All the businesses that have come to us for recovery after breaches have one thing in common: outdated plugins.
The thousands of WordPress plugins available are one of the biggest benefits of WordPress. They’re also its greatest flaw. Those plugins can create the website of your dreams, but they need ongoing attention. Smart marketers set aside time each month to run updates to the WordPress platform, plugins, and theme.
Don’t stop there.
WordPress, plugin, and theme developers often send notifications when security patches are available. Successful marketers keep a finger on the pulse of their plugins, and they jump when a security patch drops. Best practice: Implement security patches within 24 hours of announcement.
I can’t stress enough that keeping your plugins up to date is the most important thing you can do to keep your WordPress website secure.
Enact Strong Password Policies
“QWERTY,” “Password” and “Letmein” are not – I repeat, not – good passwords. Your business’ name with a capital letter or your company’s address is also not a good password. (A quick, personal aside to the many highly valued marketers I work with who stubbornly continue to use short, simple passwords: Stop that!)
Think of your password’s value as determined by the number of characters it contains. If you have something short and all letters, you’re risking your website’s security. A hacker can break your short password in seconds.
We recommend a password with a minimum of 12 characters and a mix of letters, numbers, and special characters. Create something unique and memorable, if you like, or enable a password management tool that saves everything in a convenient location.
The key is to be smart and implement a strong password. Once you’ve done that, reach out to everyone who has access to your site and ask them to do the same. If persuasion doesn’t work, a company-wide policy mandating the change will.
Have a Backup Strategy
A good backup strategy can be the difference between a month-long security breach disaster and a quick fix. The best WordPress hosts offer daily backups as part of their overall package. Not only do these backups help restore previous versions if you accidentally break something, but they can serve as a quick way to fix your breached site.
Smart marketers set up WordPress websites with hosts that offer daily backups and the ability to download backdated points. WP Engine and Kinsta are two great examples of hosts that don’t nickel and dime when it comes to backups.
Once you find the host that best suits your business, be vigilant in downloading backup files. Back up sites with modest content annually. Back up more robust sites monthly.
Final Thoughts
It’s critical to implement these five simple tactics to help ensure your site’s security. Not only will you protect your data, but you’ll safeguard against financial losses, loss of customer trust, and the erosion of your brand.
Ready to protect your WordPress website? Learn about Northwoods’ Worry-Free WordPress services.