A safe WordPress website: we all want it and need it. A recent report shows that 29.3% of website administrators use WordPress, making it a huge target for hackers and spammers who look to take advantage of unsecured websites.
Even though WordPress’ Security Team works efficiently to provide security updates and vulnerability patches, keeping a WordPress website safe from potential threats will always be a continuous process.
To do so, we might have to change some habits that could be compromising the integrity of our website without us noticing it.
1. Using Universal and Weak Passwords
We often try to simplify things by using short, easy-to-remember passwords, sometimes even using the same one for more than one account.
This is a common mistake among internet users, but it can have terrible repercussions that make it easier for strangers to gain access to our accounts. So, it’s important we take time to create strong and different passwords for each account and change them periodically.
Strong passwords should have the following characteristics:
- At least ten characters without two identical characters in a row.
- At least one uppercase character.
- At least one lowercase character.
- At least one digit.
- At least one special character.
Of course, we can only remember so many passwords, but there are Password Management Systems available that make this easy and secure.
Another option to take into account is Multi-Factor Authentication, which reduces the weight passwords carry in the login process.
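The password rules listed in this section, expressed as a check (an added example, not part of the original article). The function name example_password_policy_errors and the reading of "special character" as anything that is not a letter or digit are assumptions; user_profile_update_errors is the WordPress hook fired when a user is added or edited in the Dashboard.

```php
<?php
// Added example: returns the list of rules from the article that a password breaks.
// example_password_policy_errors() is a hypothetical name, not a WordPress API.
function example_password_policy_errors( string $password ): array {
    $errors = array();
    if ( mb_strlen( $password, 'UTF-8' ) < 10 ) {
        $errors[] = 'must be at least ten characters long';
    }
    // (.)\1 matches any character immediately followed by itself.
    if ( preg_match( '/(.)\1/us', $password ) ) {
        $errors[] = 'must not contain two identical characters in a row';
    }
    if ( ! preg_match( '/\p{Lu}/u', $password ) ) {
        $errors[] = 'must contain an uppercase character';
    }
    if ( ! preg_match( '/\p{Ll}/u', $password ) ) {
        $errors[] = 'must contain a lowercase character';
    }
    if ( ! preg_match( '/\d/', $password ) ) {
        $errors[] = 'must contain a digit';
    }
    // Assumption: "special" means anything that is not a letter or a digit.
    if ( ! preg_match( '/[^\p{L}\p{N}]/u', $password ) ) {
        $errors[] = 'must contain a special character';
    }
    return $errors;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress (for example as a must-use plugin): block weak passwords on save.
    add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
        if ( ! empty( $user->user_pass ) ) {
            // WordPress passes the submitted value slashed; undo that before checking.
            foreach ( example_password_policy_errors( wp_unslash( $user->user_pass ) ) as $msg ) {
                $errors->add( 'weak_password', 'Password ' . $msg . '.' );
            }
        }
    }, 10, 3 );
} else {
    // Outside WordPress (php this-file.php): try the rules on constructed samples.
    foreach ( array( 'password', 'Passw0rd!!2024', 'Tr1cky-Path-Lamp' ) as $sample ) {
        $problems = example_password_policy_errors( $sample );
        echo $sample, ': ', $problems ? implode( '; ', $problems ) : 'ok', PHP_EOL;
    }
}
```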
2. Leaving WordPress and Plugins Updates for Later
We sometimes delay updates or forget about them completely because we think they can be bothersome.
This is a common problem: statistics show that 64.7% of users are still using an outdated version of the service. That’s not a good path toward a safe WordPress website.
It’s imperative we keep WordPress updated to ensure that our websites are patched against bugs and other potential vulnerabilities.
Since the 3.7 release, WordPress provides automatic updates, which can be activated manually by including the following line in wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', true );
The same applies for plugins: keeping them updated keeps your site healthy.
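The update settings side by side, as an added configuration example that is not part of the original article. The constants and the auto_update_plugin / auto_update_theme filters are WordPress core features; the mu-plugin file name and the plugin slug are hypothetical.

```php
<?php
// ---- File 1: wp-config.php (place above the "stop editing" comment) ----
// Choose ONE value for WP_AUTO_UPDATE_CORE:
//   true    - install minor and major core releases automatically
//   'minor' - install only minor (maintenance and security) releases
//   false   - never update core automatically (the habit this section warns about)
define( 'WP_AUTO_UPDATE_CORE', true );

// If this constant is present and true, ALL automatic updates are switched off,
// including the setting above. Make sure it is absent or false.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// ---- File 2: wp-content/mu-plugins/auto-updates.php (hypothetical file name) ----
// Filters cannot be registered in wp-config.php, so plugin and theme
// auto-updates are enabled from a must-use plugin instead.
add_filter( 'auto_update_theme', '__return_true' );

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Plugins you prefer to test by hand before updating (hypothetical slug).
    $manual = array( 'example-shop-plugin' );
    $held   = isset( $item->slug ) && in_array( $item->slug, $manual, true );
    return ! $held; // auto-update everything that is not held back
}, 10, 2 );
```

Anything listed in $manual no longer updates by itself, so it needs a regular manual update to stay patched.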
Learn more on the Two-Factor Authentication and Registration Plugins website.
3. Careless Selection of Plugins and Themes
Usually, when we search for a plugin or a theme for our website, we guide ourselves just by functionality and aesthetics. That is, we only care if the plugin does what we want or if the theme makes our website look good.
However, poorly-designed plugins and themes can be the biggest threat to your safe WordPress Website.
Almost 51% of the attacks on websites come through ill-protected plugins and themes. It’s necessary that we take the time to assess the options we’re willing to use on our website and keep them updated.
There are important indicators of quality we should review before we start using a plugin or theme:
- The plugin or theme has a large Install Base.
- The plugin or theme has a high average rating and plenty of User Reviews.
- The plugin or theme’s developers are supporting and frequently updating it.
Also be sure to read the Terms of Service and the refund policy, if there is one.
4. Keeping Unused Plugins in a Safe WordPress
Again, although plugins make our websites work better and provide important functions, we sometimes don’t notice when we stop using them, and more often than not we keep them installed but disabled.
Following the same line of thought as the last point, outdated plugins can jeopardize the safety of your website, not to mention hinder its performance.
So, if there are any plugins that are not likely to be used again at all, the best choice is to delete them. It’s as simple as clicking “Delete”.
5. Not Using an SSL Certificate
Websites that display HTTPS have what is called an SSL certificate. Secure Sockets Layer (SSL) encrypts the information exchanged between a server and a browser. This is what puts HTTPS in the URL instead of HTTP.
This is a signal for visitors that a website page is secure. It’s far from being a new resource: users now expect this, and will refrain from sharing sensitive information on a website without it.
There are many ways to pursue this, some easier than others. A sure-fire way is adopting a plugin that manages all the hassle for you, such as the HTTPS SSL Manager Plugin.
6. Keeping the default ‘admin’ account and username
A common security mistake – and one often exploited by hackers – is the use of the default ‘admin’ account and username.
It’s not hard to change it, and doing so will make it much more difficult for attackers to access your website.
To change it, just follow the next few steps:
- Log in as an administrator.
- In the Dashboard, select Users > Add New.
- Create a new account using a different email address and set its Role to Administrator.
- Save the new user and log in with your new Administrator account.
- In the Dashboard, select Users > All Users.
- Delete the username ‘admin’.
- Set the new Administrator as publisher of old posts.
7. Not Getting Extra Security (Bonus)
Getting some extra security never hurt anyone, and sometimes it’s better to be sure our website is protected and we have guaranteed care and security from a reliable source.
This will not only take some of the weight from your shoulders, but also make your visitors feel safer.
The CM Essential WordPress Security Tools Plugin Bundle is a great way to improve and ensure the security in your WordPress website.
It’s amazing how much safer we can make our WordPress Website just by spending a little bit of care and time on it.
Security is a constant process, and by changing small things we can make ourselves, our business, our clients, our users and visitors safer.