How to Keep Your WordPress Website Secure

Posted on August 9, 2019


As a web hosting company that hosts a lot of WordPress sites, LazyLizard would like to share some best practices that can protect your site, keep it secure and help prevent attacks and hacks. There is nothing more disconcerting than to wake up one morning, go to your website and find that it has been hacked: the attackers have taken it over and defaced it or otherwise disabled it. The good news is that in most of these cases, we can work with you to get your site back.

If you host your site with us and this happens, please let us know ASAP, as we can probably pull a copy of your site, in good condition, from a recent backup. However, if you wait too long, we may no longer have a backup. It’s a good practice to check your website every day, no matter who you host it with, because no host keeps backups forever.

There are several areas that require your attention if you want to make attacks as difficult as possible for the hackers. They are as follows:

Hosting

  • It’s best to host on a dedicated instance or server. LazyLizard servers are specially designed for WordPress hosting and all our sites are set up on a dedicated instance;
  • If you’re using a shared host, ensure that sites on their servers are isolated or “jailed”. This way, what happens to one site cannot affect other sites on the server;
  • Run an https-only website. LazyLizard’s servers are configured so that each website can run https at no additional cost and with no configuration work necessary.

User Management

  • Only grant users as much access as needed;
  • Review your user list frequently, delete any accounts that are obsolete and downgrade roles where possible;
  • For security purposes, your goal is to give every user as few rights as possible, in keeping with their role.

WordPress Core, Themes and Plugins

  • Enable auto-updates wherever possible and practical. This is essential in keeping everything updated and secure;
  • Check for updates frequently, at least once a week, and install them as soon as possible. WordPress developers are constantly updating their products, and most of these updates are to plug security holes. So, the more consistent and quick you are about updating your WordPress core, themes and plugins, the less likely a hacker will be able to cause any damage on your site;
  • Only download themes and plugins from trusted sources;
  • Remove all unused themes, plugins and old unused WordPress installations immediately. WordPress can be addictive and developers get into a habit of trying out a lot of plugins. Over time, you will find plugins that no longer work or that you no longer use, but they’re still sitting there, giving hackers a nice target through which they can penetrate your site. Your goal is to have as few plugins and themes as possible. If you only use one theme, delete the rest of them; they’re not needed, and each theme and plugin provides an opportunity for hackers to break into your site;
  • Be careful when selecting themes and plugins. Only use themes and plugins from reputable and trusted developers. Anyone can create a theme or plugin and make it available through WordPress. Remember, WordPress does not check anything that they make available through their Add Ons pages. Just because a plugin shows up doesn’t mean it’s safe!
  • Only use themes and plugins from developers who update them frequently and that have at least several thousand users. The more users a theme or plugin has, the more likely the developer has the time and motivation to keep it safe and secure. You can check how often they update by looking at the last time it was updated. If the last time was more than a few months ago, be careful. Most themes and plugins should get at least a security update every 1-3 months;
  • If a theme or plugin only has 500 users, you’d be best to stay away. Developers have no inclination to keep maintaining a theme or plugin with very few users. Maintaining them and issuing security updates takes a lot of time and work. Most developers will lose interest after a few months if they don’t have a large user base.

Authentication

  • Ideally, use 2-factor authentication;
  • Require strong passwords for all users – yes, REQUIRE it! If they resist, suggest a password management program to them like LastPass;
  • Ensure that your login page is running on https alone (all LazyLizard WordPress sites come with https pre-installed);
  • Limit the rate of login attempts.

Server Administration

  • Only communicate with your server using an encrypted connection (sFTP for file transfer or SSH for shell access). Never log in with a non-secure, unencrypted FTP or shell program. That will protect your logon credentials from being intercepted between your computer and your server;
  • If you connect to your server over a public network, always use a VPN (virtual private network). ExpressVPN comes highly rated;
  • Secure access to your wp-config.php file, including copies;
  • Secure access to your backups, log files, test files, temporary files and other PHP applications on your web server;
  • Back up your WordPress files and database at least weekly. (LazyLizard does a nightly backup of all websites we host. We keep several days’ worth, and we keep a monthly backup and a backup from two months ago. If you host with us you’ll always have access to these, at no charge);
  • Use a strong password for your MySQL database user;
  • Install a WordPress security plugin like Wordfence.
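The wp-config.php and backup-file points above are easy to audit from the shell. The script below is an added example, not LazyLizard's or WordPress's own tooling: it lists sensitive files under a WordPress document root that other accounts on the server can read, then restricts them to their owner. It assumes GNU find, and that PHP runs as the file owner (a per-site PHP-FPM pool), which is an assumption about your hosting, not a fact from this post.

```shell
#!/bin/sh
# Added example (not LazyLizard's tooling): find sensitive WordPress files that
# group/other users on the server can read, and lock them down to the owner.
# Covers wp-config.php and stray copies of it (.bak, .old, ~), SQL dumps and
# backup archives left in the web root, and log files such as
# wp-content/debug.log. wp-config-sample.php ships with WordPress and holds no
# secrets, so it is excluded. Requires GNU find (-perm /mode).
# Assumption: PHP runs as the file owner (per-site PHP-FPM pool). If PHP runs as
# a separate web-server account, use mode 640 with that account's group instead,
# or the site will stop being able to read wp-config.php.

# Print every sensitive file under $1 whose mode grants read access to group or
# others (any of the 044 bits). Empty output means nothing is exposed.
wp_exposed_secrets() {
    root=$1
    find "$root" -type f \
        \( -name 'wp-config*' -o -name '*.sql' -o -name '*.sql.gz' \
           -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.log' \) \
        ! -name 'wp-config-sample.php' \
        -perm /044 -print | sort
}

# Restrict every file reported by wp_exposed_secrets to owner read/write (0600)
# and print the number of files that were changed.
wp_lock_down_secrets() {
    root=$1
    list=$(wp_exposed_secrets "$root")
    if [ -z "$list" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$list" | while IFS= read -r f; do
        chmod 600 "$f"
    done
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# Command-line entry point: wp_secrets.sh audit|fix <docroot>
case "${1:-}" in
    audit) wp_exposed_secrets "$2" ;;
    fix)   wp_lock_down_secrets "$2" ;;
esac
```

Run `audit` first and read the list before running `fix`; anything it reports that the web server legitimately needs to read should be narrowed with group permissions rather than 0600.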

Secure Work Environment

  • Protect your internet connection by using a VPN, especially on public networks;
  • Only install trusted software on your workstation and mobile device;
  • Use a reputable virus scanner;
  • Protect your devices with strong passwords. Again, strong passwords are so important. But to use them, you really do need to use a password manager. LazyLizard recommends LastPass as one of the best. With a password manager you can use crazy strong passwords that you could never possibly remember, and it’s no more difficult than if your password was “password” on every single site you manage! We insist that our WordPress clients use strong passwords and we always recommend LastPass to them;
  • Watch out for phishing, spear phishing and social engineering attacks.

Detect Hacks Early

  • Visit your site often. We can’t stress this enough. We recommend visiting your site at least once a day. A lot of people don’t look at their site that often because they have static content and nothing changes, so they don’t feel the need. But we can’t stress enough the importance of discovering a hack as soon as it happens. The longer your site is hacked, the more damage can be done, and the less likely it is that anyone will have a backup of a good copy that can be used to restore the site;
  • Search for your website in Google frequently;
  • Set up email alerts in Google Search Console;
  • Use a malware scanner and set up email alerts;
  • Investigate customer reports immediately;
  • Use a source code scanner to verify site integrity;
  • Use a website monitoring service that detects site changes;
  • Watch for unexplained spikes or dips in traffic.

If you’re using LazyLizard’s WordPress Security Protection many of these steps are already done for you.  We automatically update WordPress, themes and plugins on all protected sites as soon as the updates come out.  Your site does not have to be hosted with LazyLizard in order to have this protection. But if you do host with us, you’ll have even more fine-tuned WordPress protection.  You can order our WordPress Security Protection by clicking on the link above and you can order Web Hosting by clicking here.  We can provide security for your site wherever it is hosted, but we can provide the most security if you’re hosted with us.

Tips source:  Defiant.com
