Website security is important, although it can seem daunting or tedious — it doesn’t have to be. These six simple and effective best practices will help you protect your WordPress website from malicious, unwanted attention (hint: Jetpack can help!).
1. Find a reliable host.
Picking a hosting company can be hard. Hosts may provide a range of features, from a barebones place to host your site to full suites of tools, and picking from all those options might be overwhelming. But, those questions can be narrowed down to a few points:
- What kind of site will you be hosting? Is it a personal blog about your travels or are you trying to be the next YouTube? Features like available storage, bandwidth, and ease of upgrading when you need it should be considered.
- Are they optimized for WordPress? Many reputable hosts offer WordPress hosting plans. These plans typically are optimized with the proper versions of PHP and MySQL recommended for your WordPress install. Some hosts also offer Managed WordPress hosting that has even more features and includes WordPress specific support.
- Support that fits your needs. Do you often work on your website at 2am, or on weekends? You’d want to look for 24/7 support.
- Reliability. Many hosting providers also offer an uptime monitor or uptime guarantee for their services. If they do, take a look at how frequently their service is interrupted and how much information they provide. Downtime happens, but how quickly and effectively did they respond?
Most reputable hosts will have support staff dedicated to pre-sales questions, so feel free to ask away before you make a decision. Need a head start? We have some recommended hosts on our Get WordPress page.
Jetpack includes a feature called Monitor that notifies you of any site downtime.
2. Manage user accounts securely.
Secure management of your site’s user accounts involves a three-pronged approach.
First, you want to ensure anyone who accesses your site in a user role creates and uses a strong password. You can use a service like How Secure is My Password? to determine a password’s strength. Another option is to utilize a tool like 1Password or LastPass to generate and store your passwords; this allows you to create long, complex, unique passwords without actually having to remember them all.
Also, avoid creating physical versions of passwords (like on a Post-it note or notepad), re-using the same password, or even sending them via email. If you have to send a password to someone else, you can use a tool like QuickForget which allows you to send messages that will expire after a set number of views or a time period.
Secondly, when creating accounts for users of your site, think about what level of access they require; does everyone really need to have an administrator user role? Since administrators have full access to all the administration features (including adding plugins/themes/etc.) within a site, having someone who is just going to write posts on your site be an administrator would be overkill. Additionally, avoid using “admin” as a username. This username is a typical first attempt for hackers to try and access your site and while modern security plugins take this vulnerability into account, it’s a bad practice.
Also, when someone leaves your organization, make sure to revoke their access to your site! It’s important to think carefully about adding someone to your site, and it’s just as important to make sure you remove them after access becomes unnecessary. If you have a large site with a number of users added, put time aside periodically to audit your user list — it will go a long way to ensure that people that have access to your site should have access.
Lastly, switch your site to HTTPS, or at least switch on HTTPS just for administration. Without this level of security added, other users connected to the same wifi network could intercept your username and password. You do need a SSL certificate from your webhost in order to configure this — contact them if you need assistance with setting this up.
Jetpack includes Single Sign On to authenticate users using SSL and two-factor authorization through WordPress.com.
3. Install brute force protection.
One of the most common methods hackers use is something called a botnet or brute force attack. Sites of any size can be susceptible to attempts by these automated bots, but you can keep yourself protected with some very simple tools that add brute force protection. Picture your
/wp-login.php file as a door. Brute force protection is like having a security guard who tells an attacker to leave if they’ve failed to unlock the door too many times.
Additionally, file scanning can detect cases where malicious code has made its way into the files on your site. This can happen because of an outdated plugin, a security flaw in the code that has yet to be patched, or weak passwords. Once malicious code has been detected, you can manually remove the offending code or ask a professional to do it for you. Jetpack’s sister product, VaultPress (paid), offers security scanning with its available plans.
Jetpack includes Protect, which stops brute force attacks.
4. Do your research.
Before installing a plugin or theme, make sure what you’re installing is well supported, actively worked on, and doesn’t duplicate functionality you already have on your site.
Using plugins that are actively being developed is one way to ensure that you keep your site safe. Confirm this by checking the changelog for the plugin or theme you want to add — as an example, here’s the changelog for Jetpack. It’s best to source plugins and themes from reputable vendors with a good track record — check reviews, take note of the number of downloads for each, and see how frequently its been updated. Another point to consider is how well is the plugin/theme supported – if you have a problem, is someone there to help you fix it?
Also, items in the official Plugins Directory and official Themes Directory are removed as soon as a security vulnerability is reported; to see if there are any known security vulnerabilities for a plugin or theme from elsewhere, try searching the WPScan Vulnerability Database.
5. Stay updated.
As time passes, vulnerabilities are discovered in almost all software, including plugins, themes, and even WordPress itself. While WordPress is continually improved and updated, good plugin authors and theme developers also release updated versions of their products to address vulnerabilities as they are discovered. Keeping your plugins and themes up to date greatly reduces the possibility that these vulnerabilities can be exploited on your site.
Another important step is to remove plugins and themes that you aren’t using. This helps reduce the possibility that outdated code is living on your server. The exceptions to this are keeping a copy of the parent theme if you use a child theme on your site and keeping a copy of WordPress’s default Twenty Sixteen theme around for testing and troubleshooting. If possible, we strongly recommend enabling auto-updates for plugins and themes so that you won’t have to remember to keep them up to date.
Jetpack includes Manage, which gives you a clean interface to manage your plugins and set them to automatically update. You can use this to manage multiple sites and see notifications when other things like themes or WordPress itself has an update.
6. Back your site up.
In the event that your site is compromised or your hosting provider lets you down, a backup of your files and database can provide a quick means for recovery. A restoration may be required if a hacker has gained access to your site, files are deleted by a user, or a server or site installation fails. At a minimum, you should do periodic manual backups to provide some means of recovery should your site experience a devastating failure.
Automatic monthly, weekly, daily, or real-time backups are an even greater insurance policy – the more frequently you update or add content, the more frequently you’ll want to back your site up to ensure that as little as possible is lost. Even if your hosting company provides a solution, a redundant backup will provide peace of mind.
Jetpack’s sister product VaultPress (paid) provides plans that include automatic daily backups with a 30-day archive or real-time backups with a full historical archive. Best of all, they have easy, one-click restores. Great for peace of mind.
For even more information on keeping your site secure, this guide about hardening WordPress offers some solid tips.
With a little bit of work now, you can save yourself from massive headaches down the road.
Is there a specific topic or feature of Jetpack that you’d like us to cover more in-depth in a future post? Let us know in the comments!