When it comes to security for WordPress sites, there are companies that will try to convince you to pay them hundreds if not thousands of dollars to secure your site.
I don’t know about you, but I don’t have that much money lying around. This is why I have had to develop an approach to security that relies more on precautions than on paying gobs of money to a third party.
My approach to WP security involves taking a few basic precautions designed to keep hackers out and, if they do get in anyway, to kick them out again as fast as possible.
I’ve been doing this so long that I have boiled it down to 4 simple steps. If you follow them, your WordPress site will be as secure as mine.
- Pick a good web host
- Install an automatic update plugin
- Set up daily backups
- Install and configure a security plugin
1. Pick a good web host
The first rule of website security is that you cannot have a secure site if it is sitting on an insecure server.
It’s an open secret in the web design world that some hosting companies (GoDaddy and Bluehost especially) run insecure servers. This is a problem if you are on one of their servers, because a compromised site on the same server can be used to get into yours.
When that happens, the companies take the opportunity to upsell you an expensive security service to keep your site safe. That service will work, yes, but the cheaper and better option would be to choose a hosting company that takes security seriously.
There are any number of companies that qualify, including my hosting company (WriteSiteHosting.com). I can also strongly recommend PeoplesHost.com, and Siteground.com.
2. Install an automatic update plugin
The second most common way hackers get into a site is through software that nobody remembered to update. Security holes are discovered in software all the time, and in fact a lot of those security holes are found by hackers.
It’s easy to forget to install updates, which is why you should automate the process (I do) by installing a plugin that makes sure the site is updated automatically.
My current preferred plugin for this task is called Companion Auto Update. I install it on all the sites I build:
Companion Auto Update at WordPress.org
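WordPress core already ships the auto-update machinery that plugins like this one drive: a constant for core releases and per-plugin and per-theme flags. As an added example that is not from the article or from the plugin, the following script uses WP-CLI (version 2.5 or newer, installed on the server as `wp`) to turn those flags on and then report anything that is still not covered; `SITE_ROOT` is an assumed path.

```shell
#!/bin/sh
# Added example (not the article's or the plugin's code): enable WordPress's
# built-in auto-updates with WP-CLI and report what is still left out.
# Assumes WP-CLI >= 2.5 is installed as `wp` and SITE_ROOT is the WordPress dir.
set -eu

SITE_ROOT="${SITE_ROOT:-/var/www/html}"   # assumed path

# Run WP-CLI against the site directory.
wpcli() { wp --path="$SITE_ROOT" "$@"; }

# Switch on core, plugin and theme auto-updates.
enable_auto_updates() {
  # Minor core releases are automatic by default; `true` also takes major ones.
  wpcli config set WP_AUTO_UPDATE_CORE true --raw
  # Per-item flags that WordPress's own updater honours on its next cron run.
  wpcli plugin auto-updates enable --all
  wpcli theme auto-updates enable --all
}

# Anything still pending after the next cron run means auto-update is not
# actually working (file permissions, a disabled WP-Cron, a vendor plugin).
pending_updates() {
  wpcli plugin list --update=available --field=name
  wpcli theme list --update=available --field=name
}

# Items not covered by auto-update; print them so a monitoring job can alert.
not_auto_updated() {
  wpcli plugin auto-updates status --all --disabled --field=name
  wpcli theme auto-updates status --all --disabled --field=name
}

# Usage:  sh wp-autoupdate.sh enable     (once, after installing WP-CLI)
#         sh wp-autoupdate.sh check      (daily, from cron)
case "${1:-}" in
  enable) enable_auto_updates ;;
  check)  pending_updates; not_auto_updated ;;
esac
```

The `check` mode is the part worth putting in cron: an auto-update setting that silently stops working is indistinguishable from no auto-updates at all, so the list of pending updates should normally be empty.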
3. Set up daily backups
If your site is with a reliable hosting company, and it’s updated regularly, it’s going to be very unlikely for a hacker to get in. While that sounds reassuring, there’s a huge difference between “very unlikely” and “impossible”, and that’s why you need to have a plan for kicking the hackers out again.
This is where the daily backups come in handy. They give you the option of restoring the site from an older, clean backup that was made before the site got hacked. This will essentially erase the hack, giving you a chance to fix the security hole that the hackers used to gain access to your site.
Some hosting companies will do daily backups for free, while others will charge. My preferred paid option for backups is ManageWP.com. Their backup service will set you back $24 per year per site, and I really think it’s worth it (this is the service I use with all my support clients).
And no, you can’t just install a backup plugin and set it up for daily backups; you need to use a backup service that is separate from your site. This way the hacker can’t touch the backup copies of your site even if they take complete control of your site.
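The reason a backup plugin on the site itself is not enough is credentials: whatever the plugin can reach, an attacker who controls the site can reach too. The design that avoids this is a pull model, where a separate backup host logs in and takes the copy, so the web server never holds anything that grants access to the backup store. The following script is an added example, not from the article or from ManageWP; it assumes WP-CLI on the web host, SSH from the backup host to `WEB_HOST` (a placeholder), and a key restricted in `authorized_keys` on the web side.

```shell
#!/bin/sh
# Added example, not from the article or ManageWP: pull-model daily backup run on
# a separate backup host. The web server never holds credentials for the backup
# store, so an attacker who owns the site cannot delete or alter the copies.
# Assumptions: WP-CLI on the web host; SSH from here to WEB_HOST with a key that
# authorized_keys restricts (for example with from="<backup-host-ip>").
set -eu

WEB_HOST="${WEB_HOST:-wpuser@web.example.com}"   # placeholder SSH target
SITE_ROOT="${SITE_ROOT:-/var/www/html}"          # WordPress dir on the web host
BACKUP_ROOT="${BACKUP_ROOT:-/srv/wp-backups}"    # local store on the backup host
KEEP_DAYS="${KEEP_DAYS:-14}"                     # retention window in days

# Directory name for today's backup set, e.g. site-20240102.
backup_name() {
  printf 'site-%s' "$(date +%Y%m%d)"
}

# Pull a compressed SQL dump; `wp db export -` streams the dump to stdout.
pull_database() {
  dest="$1"
  ssh "$WEB_HOST" "wp --path='$SITE_ROOT' db export - --add-drop-table" |
    gzip > "$dest/database.sql.gz"
  gzip -t "$dest/database.sql.gz"   # fail loudly on a truncated transfer
}

# Pull what cannot simply be reinstalled from wordpress.org: uploads, the
# configuration, and the exact plugin/theme versions that were live.
pull_files() {
  dest="$1"
  rsync -a "$WEB_HOST:$SITE_ROOT/wp-content/" "$dest/wp-content/"
  rsync -a "$WEB_HOST:$SITE_ROOT/wp-config.php" "$dest/wp-config.php"
}

# Delete backup sets older than KEEP_DAYS; prints each removed path.
prune_old() {
  root="$1"; days="$2"
  find "$root" -mindepth 1 -maxdepth 1 -type d -name 'site-*' -mtime "+$days" -print |
    while IFS= read -r dir; do
      rm -rf "$dir"
      printf '%s\n' "$dir"
    done
}

# Usage: sh wp-backup.sh run    (from the backup host's cron, once a day)
if [ "${1:-}" = "run" ]; then
  dest="$BACKUP_ROOT/$(backup_name)"
  mkdir -p "$dest"
  pull_database "$dest"
  pull_files "$dest"
  prune_old "$BACKUP_ROOT" "$KEEP_DAYS"
fi
```

Retention is deliberately handled on the backup host and only there: a hacked site that went unnoticed for a week still has clean copies older than that to fall back on, and nothing on the web server can shorten the window.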
Once you’ve found a good hosting company, set up automatic updates, and set up daily backups, it’s time to install and configure a security plugin.
4. Install and configure a security plugin
I have good news and bad news about security plugins. The good news is that if it is properly configured, a security plugin like All in One WP Security will make it harder for hackers to get into your site.
The bad news is that this same plugin can also lock you out of your site. (This is why the security plugin comes last; I’ve locked myself out of sites before, and had to restore a backup to get back in).
Nevertheless, I still install security plugins on the sites I build, and I usually install them when I rebuild a site. My preferred security plugin is All in One WP Security:
All in One WP Security at WordPress.org
A tip: If and when you configure this plugin, please be careful with the Firewall section. This is the part of the plugin where I kept getting locked out of the site. Fortunately, the issue only happens on some hosting companies (Godaddy and Bluehost, mainly).
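The firewall features of this plugin work by writing rules into the site's `.htaccess` file, which is why a bad combination of host and rule can shut you out of the admin area. Restoring a full backup gets you back in, but a lighter option is to keep a copy of `.htaccess` from just before you enable the firewall and, if you are locked out, cut the plugin's rule block out again over SSH or SFTP. The script below is an added example, not from the article or from the plugin; the BEGIN/END marker strings are an assumption and should be replaced with the comments the plugin actually writes.

```shell
#!/bin/sh
# Added example, not from the article or All in One WP Security: snapshot
# .htaccess before enabling firewall rules, and cut a marked rule block out
# again if those rules lock you out. Marker strings are passed in because the
# exact comment lines the plugin writes are an assumption here.
set -eu

SITE_ROOT="${SITE_ROOT:-/var/www/html}"                  # assumed WordPress dir
SNAPSHOT_DIR="${SNAPSHOT_DIR:-$HOME/htaccess-snapshots}"  # outside the web root

# Copy .htaccess to a timestamped file outside the web root.
snapshot_htaccess() {
  mkdir -p "$SNAPSHOT_DIR"
  cp "$SITE_ROOT/.htaccess" "$SNAPSHOT_DIR/htaccess.$(date +%Y%m%d%H%M%S)"
}

# Remove every line from the BEGIN marker through the END marker (inclusive),
# leaving the rest of the file, including WordPress's own rewrite block, intact.
strip_block() {
  file="$1"; begin="$2"; end="$3"
  tmp="$file.tmp.$$"
  awk -v b="$begin" -v e="$end" '
    index($0, b) == 1 { skip = 1 }
    !skip             { print }
    index($0, e) == 1 { skip = 0 }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write in place so ownership and mode are kept
  rm -f "$tmp"
}

# Put the most recent snapshot back.
restore_latest() {
  latest=$(ls -1 "$SNAPSHOT_DIR"/htaccess.* | sort | tail -n 1)
  cp "$latest" "$SITE_ROOT/.htaccess"
}

# Usage:
#   sh htaccess-guard.sh snapshot                       (before enabling the firewall)
#   sh htaccess-guard.sh strip '# BEGIN X' '# END X'    (when locked out, over SSH)
#   sh htaccess-guard.sh restore                        (put the snapshot back)
case "${1:-}" in
  snapshot) snapshot_htaccess ;;
  strip)    strip_block "$SITE_ROOT/.htaccess" "$2" "$3" ;;
  restore)  restore_latest ;;
esac
```

Take the snapshot before each change to the Firewall section rather than once, so that the copy you restore is the last configuration that was known to work on that host.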
O O O
Extra Credit Step: Remove and replace out of date plugins and themes
The thing about keeping your software up to date is that you can’t install an update if the developer stopped releasing updates. This happens all the time, and it’s usually not a serious issue. But if you want to make your site even more secure, you should check each of your plugins (and your theme) to make sure they have all been updated in the past few months.
If you find one that hasn’t been updated in a year or more, it would be a good idea to look for a replacement.
There are thousands of themes out there, and tens of thousands of plugins. Based on my experience, there are usually about a dozen alternatives to any plugin. Some no longer work, but others will have been updated recently by their developers, and will have the features you want.
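Checking the “last updated” date of every plugin by hand gets tedious, and it is the kind of check that only helps if it is repeated. The wordpress.org plugin information API reports each plugin's last release date, so the check can be scripted. The following is an added example, not from the article; it assumes `curl`, WP-CLI for the installed list (plugin directory names are normally the wordpress.org slugs), and a twelve-month threshold matching the article's “a year or more”.

```shell
#!/bin/sh
# Added example, not from the article: flag installed plugins whose last release
# on wordpress.org is older than STALE_MONTHS. Uses the public plugin information
# API. Requires curl and, for --installed, WP-CLI. The threshold is an assumption.
set -eu

API="https://api.wordpress.org/plugins/info/1.2/"
STALE_MONTHS="${STALE_MONTHS:-12}"

# Last release date (YYYY-MM-DD) of a plugin slug, from the API's "last_updated"
# field. Prints nothing for plugins that are not hosted on wordpress.org.
last_updated() {
  # -g stops curl from treating the [] in the query string as a glob range
  curl -fsSg "${API}?action=plugin_information&request[slug]=$1" |
    sed -n 's/.*"last_updated":"\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p'
}

# Whole months between two YYYY-MM-DD dates; the day of month is ignored.
months_between() {
  from_y=${1%%-*}; from_m=${1#*-}; from_m=${from_m%%-*}; from_m=${from_m#0}
  to_y=${2%%-*};   to_m=${2#*-};   to_m=${to_m%%-*};     to_m=${to_m#0}
  echo $(( (to_y - from_y) * 12 + to_m - from_m ))
}

# Succeeds when the release date $1 is at least $3 (default STALE_MONTHS)
# months before the date $2.
is_stale() {
  [ "$(months_between "$1" "$2")" -ge "${3:-$STALE_MONTHS}" ]
}

# One line per slug: ok, STALE, or not found on wordpress.org.
report() {
  today=$(date +%Y-%m-%d)
  for slug in "$@"; do
    last=$(last_updated "$slug")
    if [ -z "$last" ]; then
      printf '%-30s not on wordpress.org (check with the vendor)\n' "$slug"
    elif is_stale "$last" "$today"; then
      printf '%-30s STALE  last release %s\n' "$slug" "$last"
    else
      printf '%-30s ok     last release %s\n' "$slug" "$last"
    fi
  done
}

# Usage:  sh stale-plugins.sh --installed        (all plugins on this site)
#         sh stale-plugins.sh akismet some-slug  (specific slugs)
if [ "${1:-}" = "--installed" ]; then
  # shellcheck disable=SC2046
  report $(wp plugin list --field=name)
elif [ $# -gt 0 ]; then
  report "$@"
fi
```

Plugins reported as not on wordpress.org are not necessarily abandoned (commercial plugins are distributed elsewhere), but they are exactly the ones the automatic update mechanism cannot see, so they deserve the manual check most.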