7 Tips for Securing your WordPress Website

Sep 16, 2015 | WordPress Wednesday

Update 2018 – Malcare

Here’s a new resource that might be more effective for you https://www.malcare.com/

Let’s talk about securing your WordPress website. It’s true that WordPress sites can be hacked. Even if you’re blogging about your cat’s daily routine and feel as though no one would care to hack your site, it doesn’t matter: automated bots scan for outdated WordPress core files and plugins, and they’ll worm their way into your website and break it, take information, or post their own content all over it. Here are seven tips to help you better secure your WordPress website.

Full Video Transcript by Mally LaPete

Hey, y’all. Welcome to another WordPress Wednesday. My name is Kori Ashton. Today I want to walk you through 7 awesome things that you can do today to actually go back to your current website, make some changes, and be sure that you have great security in place. It’s super important that you do these things. They’re things that you might not have thought about. Maybe one or two of them, but maybe not all of them. They all can make a great difference in your WordPress website.

Before we get started, just want to give some love over here to three of our incredible partners. WP Engine is an awesome hosting company. I’m going to talk a little bit more about their services later on in this list because their hosting provides incredible security that really will help tighten up your website and be sure that nobody is getting into it.

WP Elevation. If you’re an entrepreneur, a freelancer, somebody using WordPress to make a living, you need to jump over to their website. Check out their different tracks. Invest in all of their awesome resources for you because it’s going to make a difference in your company, how you sell your product, how you offer your services.

WP 101. If you’re doing WordPress tutorials, you’re trying to watch through some YouTube tutorials, maybe you’re not finding the quality that you want (other than our channel, I’m sure) but maybe you’re not finding the exact quality you want. Jump over to WP 101. You’re going to find some incredible, up-to-date tutorials. Just an incredible, fantastic team over there. Check them out. Tell them Kori Ashton sent you. I would appreciate that. That’s kind of how I show them my appreciation for what they do for us here at WebTegrity.

7 things. Here we go. 7 things that you might not have thought about. The very first one … You’re probably wondering why I’m not mentioning updates first. Updates are going to be our second one. Our very first one is your username and password. Whenever you establish your account—whenever you start to build your WordPress website—you’re going to be entering in your username and password. If that is something you’ve set to a generic mindset, or a very easy to hack username and password, you’re going to get hacked. You might think to yourself, “Why would anybody ever want to hack my website?”

You might say, “I have a website about cats who like blogging. Would nobody ever think about hacking my site?” It doesn’t matter. There are robots out there geared to look for outdated WordPress websites. There are hackers out there looking to just be malicious and cruel and take over your website. It doesn’t matter if you think, “I’m an obscure website. Nobody is ever going to bother me.” I promise you, if you leave these seven things that I’m talking about untouched or intended to, you’re going to end up with a broken website at some point.

I want you to be sure that your username and passwords are set in place. You certainly don’t want to be using Admin as your username. And you certainly don’t want to have password123 or ABCD or 123456 or whatever those passwords are that generically get set. You want those to be locked down and tight. That’s one of the new updates that happened in 4.3. As you can see, our website is out of date on the updates. That is my second tip. We want to be sure and go in and have all of our updates in place. Let me shrink down for a minute so you can watch the screen a little bit more. It’s saying that 4.3.1 is out. That actually was a really huge update needed for security purposes. They released it with an alert saying, “Please update now.” You want to be sure to click update.

Before you do all that though, of course, you want to have backups in place so that we know our website is secure again, and that we know we’ll have a backup in place in case anything goes wrong or breaks. 4.3.1: Super important that you get here if you’re not already updated to this level. There’s been a big security issue that was release notified. Please be sure to go in, have a backup in place, and click update. Once you do that though, now in your profile area, they’re giving us the ability to generate a password. Whenever you generate that, look how long this is. They’re not expecting you to remember it.

They know that your computer will do that for you, or that you should be having a system that allows you to remember to automatically save that password. They need something in your database that is locked down, difficult for hackers to be able to get in and have. Be sure that you’re accessing this so you don’t have to try to figure out a long involved one. It will do it for you now. Usernames and passwords: be sure that they’re tricky. You also want to be sure that all your updates are in place, not just your core, but also you can see this alert. It says that I have two plug-ins that need to be updated. I want to go ahead and be sure that all of our plug-ins at all times are completely up to date. Again, you want to be sure that you have a backup in place so that in case any of these updates, by chance, would break your theme or your website, you would be able to revert back very quickly and be up and running without any downtime or any loss of edits that you may have made. Now that all of our updates are in place, it’s still saying I have two updates. Let’s go see what it’s griping at me about.

I think I’ve got some Themes in here. Okay. So. I’ve got some Themes sitting over here that I have installed on our server space that are just needing to be updated. It’s not a bad idea to keep these up to date. They’re still files that are sitting on your server space, so it doesn’t hurt to come through here even if you’re not using the Themes. Either remove them completely or go ahead and update them since they’re sitting here with their most current secure version on your server. I do recommend having at least one extra Theme sitting here. We’ve talked about that before for security purposes.

In case anything were to happen to your current Theme, you can easily activate your other Theme and you’re back up and running and at least have an access point to get back into your website in case it breaks. Argh. That’s always frustrating. Some people ask me, “Why are you always looking down?” I try to do these tutorial videos in a one-take wonder so that I’m fast for you, so I have notes. That’s why I’m looking down here. I can’t always remember things. I do want to talk about your comments and your spam.

A lot of people, especially if you’re using your website as a blog, struggle with having a lot of spam hit their comments area. There are some things you can go into with your settings. You can go into Settings and go into Discussion. You can just read through these things. You need to see that it starts over here.

The sentence starts on the left side. This is a little difficult because sometimes people just read down through here. It says, “Anyone can post a comment.” Yes, we want anyone to post a comment, but that’s not the full sentence. It says, “Email me whenever anyone posts a comment. Email me whenever a comment is held for moderation.” The sentence starts here. Read through all these. Be sure that “Before a comment appears, comments must be manually approved.” You can click that. You can do all sorts of things where you’re hiding certain comments if they contain certain words.

You can blacklist certain comments with any sort of words. You can require that the user have an account and be logged in to comment. You can require all these things. I would just suggest going through here, see exactly how you want to work these, and make those suggestions, and click Save Changes. And, also, any comments that do come through, be sure that you’re moderating them. Go to your Comments section and be sure to approve or spam them. You’ll have a whole list here and typically an alert that says, “Yes, approved.” Or “Yes, we should trash that comment.” Okay.

Keep that in place.

If you’re using comments in a comment section, or you might have a contact form as well, what I would like to suggest you do is … a lot of people don’t like the captchas. You know those things where you have to fill in the numbers for the code and prove that you’re not a robot, that you’re a human. One of the things that Gravity Forms has … If you don’t know what Gravity Forms is, check out our tutorials. I’ve got a whole list of Gravity Forms videos that you can figure out this awesome premium forms plug-in. You can go to Form Settings. You have to do this for each individual form.

Go to Form Settings and there is an anti-spam honey pot. If you click that and enable that, what it does is (it will tell you right here if you hover over the little question box here) it will tell you that it basically gives you a hidden field that robots don’t realize is hidden. The robots will fill it out. And you’ll know automatically that it is a robot instead of a human and it will trash it/spam it and not allow it to publish. That’s brilliant! And well worth the premium price that you pay for Gravity Forms.

The last few things that I want to run through. We want to talk about a plug-in that you can throw on your website. It’s a free plug-in. It does have a pro version but it’s phenomenal even in its free version. You’re going to go to plug-ins and add new. I’m going to slide off the screen so you can just watch and see exactly what I’m doing. You’re going to search plug-ins for Sucuri. That’s the name of it. You want to be sure and get the one that has the 100,000+ installs.

You install that one. And walk through all the settings and be sure that you’ve got this locked down, in place. It’s totally free to use. It does have an upgraded version, but this is phenomenal. Immediately you’ll start to be able to run tests and be sure that your website has not been hacked, that you don’t have any malware sitting on your site, and that everything is good to go. You just have to generate an API key. Again, it’s free though for you to do that. That’s a great plug-in that we highly recommend. The other thing that I wanted to mention about WP Engine.

If you don’t have really great hosting in place, they’re not going to alert you to things that are going on in the WordPress world. That’s why we love WP Engine. I’ll take you over to their site really quickly so you can see how incredible they are. These guys are just fantastic. They only do WordPress websites. Their server support guys are just amazing. If you have any questions, you can come over here to the Chat and start chatting with them. It is more expensive than an average $5 [US] hosting. It doesn’t matter though. When that 4.3.1 alert came out, which was a huge security alert, they automatically pushed through all the updates on our websites, so we knew for a fact that they were locked down and secure.

If there’s a plug-in out there that the WordPress world alerts and says, “Hey. This plug-in is now susceptible to hacks. It’s bad if you’re running this version,” WP Engine watches WordPress and they will lock down that plug-in. Or send you an email really quickly and tell you, “Hey. You’re using that plug-in. Did you know that it is susceptible to hacks? You need to update.” It’s a fantastic service. Well worth the invested money.

If you’ve ever called your hosting company and they go, “I don’t know how to help you. That’s a WordPress issue.” That conversation will never happen inside of WP Engine. They will always tell you, “We know exactly what’s going on. Let me help you.” because they only know WordPress. That’s incredible, right?! We love them. They’re amazing.

If you don’t want to change hosting companies, I’m going to challenge you to go after a secure socket layer, or SSL (secure server license). Whatever you want to call it, that’s what you need to go after. It’s about $50-$80 [US] a year. Invest in that. Put that on your website. What it’s going to do is it’s going to change your address to be https:// and then whatever your domain name is. It puts a secure lock around your website so that any sort of interaction that happens on your website—somebody sending you an email, somebody typing in their contact information, somebody typing in a registration form or a credit card or a donation amount—all that is now a secure transaction coming through email. Really important to have that on your website. Google likes seeing that as well.

Last but not least, the 7th thing that I want to talk to you about is your backups. That’s another reason why we absolutely love WP Engine. They’re allowing you to do all sorts of really great stuff when it comes to backing up. They automatically back up not only your files but also your database. You can set that to be backed up several times a day, or daily, or weekly, or however often you’re making changes and you want to have a fresh backup in place. You can set that up to happen automatically, and with one click [snap of the fingers] you can restore your website back to where it was. No more freaking out about “I’ve lost my website!” They’ve got a safety net in place that’s just phenomenal.

If you don’t want to use WP Engine, I’m going to give you a free opportunity with a plug-in called Updraft Plus. Let’s go over here and Add New. You’re going to be looking for this plug-in: Updraft Plus is the name of it. It is free. It does a backup for you. It’s pretty fantastic. I’ve got to say it has saved some of our clients who are not hosting on WP Engine. Pretty fantastic. Plug that in. Walk through the setup on that. And be sure that you have a backup in place.

If you love this video, be sure to click this little bitty Play button right here. Click that. You’re going to subscribe to our channel and every single Wednesday we’re going to be releasing a really cool WordPress video for you to watch and hopefully help grow your website. If you have any questions, be sure to put them in the description box below. Share this video. Help us out. We’re going to keep coming back every single Wednesday.

Have a great day, y’all. Bye bye.
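The honeypot trick described for Gravity Forms in the transcript (a field bots fill in but people never see), shown here as an added example of the same idea in a hand-written PHP contact form handler. This is not Gravity Forms’ code or anything from the video; the decoy field name `website_url`, the function names, and the two sample submissions are constructed for the illustration.

```php
<?php
// Added example: honeypot anti-spam check for a hand-written contact form.
// Assumptions (not from the video or Gravity Forms): the decoy field is named
// "website_url" and the function names are invented for this illustration.

function render_contact_form(): string
{
    // The decoy input is moved off-screen with CSS rather than made type="hidden":
    // a bot parsing the DOM sees an ordinary text field and fills it in, while a
    // person never sees it (tabindex and aria-hidden keep it out of keyboard and
    // screen-reader flow, autocomplete=off stops browsers pre-filling it).
    return <<<HTML
<form method="post" action="">
  <label>Name <input type="text" name="name"></label>
  <label>Email <input type="email" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="position:absolute;left:-10000px" aria-hidden="true">
    <label>Leave this empty <input type="text" name="website_url" autocomplete="off" tabindex="-1"></label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

function is_honeypot_triggered(array $post): bool
{
    // A human submission arrives with the decoy empty (or absent); anything else is a bot.
    return isset($post['website_url']) && trim((string) $post['website_url']) !== '';
}

function handle_submission(array $post): string
{
    if (is_honeypot_triggered($post)) {
        // Discard quietly and log it; the bot gets the same generic "thanks" page
        // as a real visitor, so it learns nothing about why its message vanished.
        error_log('honeypot: dropped submission from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return 'spam';
    }
    // Normal validation and delivery of the message would go here.
    return 'accepted';
}

// Constructed sample submissions standing in for $_POST:
$human = ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hello', 'website_url' => ''];
$bot   = ['name' => 'x', 'email' => 'x@example.net', 'message' => 'cheap pills', 'website_url' => 'http://spam.example'];

echo render_contact_form(), "\n";
echo "human: ", handle_submission($human), "\n";
echo "bot:   ", handle_submission($bot), "\n";
```

Run it with `php honeypot.php` to see the rendered form and the two verdicts. The check is deliberately silent: a visible "you are a bot" error would just tell the bot operator which field to leave blank. A honeypot catches the dumb form-fillers that make up most comment and contact-form spam, so it complements, rather than replaces, the manual comment moderation the transcript recommends.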