If you’re starting a new WordPress blog or website, or you’re looking to make an existing site more secure, consider the following five steps to tighten up your installation.
Please note that these are simply recommendations towards a more secure installation of WordPress. Take this post as a starting point from which to build on.
1. WordPress theme choice
The rule of thumb when choosing a new theme is simple + reputable = win. When you’re looking for a free or paid, keep the following checklist in mind:
- Is the theme made by a reputable developer?
- Is the theme regularly updated?
- Are updates likely to continue into the foreseeable future or is the developer a “here today, gone tomorrow” type?
- Does the theme rely on a long list of 3rd party plugins to deliver its core functionality? The more plugins you use, the more chance there is for one to go out of date and be susceptible to malware attacks and other types of security breach.
To give you an example of a theme that fits these criteria, let’s look at the theme I’m using for Wpliving. It’s called Illustratr and it was developed by Automattic, the people behind WordPress. I chose it because
- it fits my design needs for this site.
- the developer has a good reputation and is likely to be around for the next few years.
- the theme is part of Automattic’s WordPress.com collection, meaning that it receives frequent updates.
- the code is clean and lightweight.
- the theme works well with the Gutenberg editor.
- the theme requires no 3rd party plugins to function properly.
2. WordPress security plugins
Even though I said a moment ago that having fewer 3rd party plugins is good practice to avoid increasing the chance of a security breach, there are two plugins you should consider installing when you set WordPress up.
Akismet Anti-spam: This is Automattic’s flagship antispam plugin and can be run at $0 cost.
WordFence: this is free plugin which offers an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. The plugin is frequently updated with the latest firewall rules, malware signatures and malicious IP addresses to keep WordPress sites safe.
Both of these plugins have premium options if you want more functionality, but the zero cost versions are enough for the everyday blog or website.
It’s crucial to use a different password for every single online account you own. It’s also important to use a lengthy string of letters (uppercase and lowercase), numbers and (if possible) symbols (%, &, $, # etc.) when creating a password.
Yes, this means that you will need to work out some way of remembering your passwords – I’m old school and carry a notebook – but it pays off.
This probably seems like a platitude, but you’d be surprised by how many people use the same simple password across all their online accounts.
4. Antivirus software on your computer
Another key step towards site security, and digital protection in general, is using antivirus software on your computer or tablet, be it Mac, Windows, Linux or any other system.
I recommend taking a look at Kaspersky, Bitdefender, AVG, Avira, or Avast in terms of free options. Tom’s Hardware Guide has a good review of the latest free antivirus software that helps put these different offerings into perspective.
5. Cpanel scans
If you’re like me and you use budget web hosting to run your sites, then chances are you’ll be using some version of Cpanel as your main administration interface for your hosting.
Cpanel has a virus scanner that you can use to do one of the following 4 things:
- scan Mail — Scans all of your account’s mail folders.
- Scan Entire Home Directory — Scans your account’s home directory.
- Scan Public FTP Space — Scans all of the folders that you can publicly access through FTP services.
- Scan Public Web Space — Scans all of the folders that you can publicly access through the web.
If you think something suspicious is happening with your site, then you could start by running a virus scan in cpanel to check your site files.
If the virus scan returns a positive result, be sure to contact your webhost to take further action.
Last word: back it up!
The last thing, and this too goes without saying, is to make sure you have a backup system in place for your WordPress database files in case you get hacked or your files get infiltrated with malware.
There are different ways of doing this. For example, it’s possible that your hosting company provides backups as part of your package. Check how far back the backups go.
You could also add one final plugin to your collection. If you’ve been keeping count so far, that collection (providing your theme runs by itself) is now up to 3: Akismet, WordFence + a backup plugin.
Rather than enumerate the different plugin options, I recommend IsitWP’s recent article that compares the various offerings.
Remember, don’t leave WordPress security to the last minute. Take action!