In this post, we use our 5 years of experience with WordPress to give you a simple guide on how to keep your WordPress website secure from hackers and stable from crashes, without having to spend hundreds of euros a year on maintenance packages.
The end of our WordPress maintenance plans
First, some context.
We also don’t like selling maintenance packages to past WordPress clients; doing so is just another way of saying ‘This expensive website we created for you won’t continue working well unless you keep paying us each month.’
Would you buy a car that has to be taken to a mechanic every single month?
But we also don’t want to leave clients without a solution, as we take pride in solving problems for our clients.
So, here is our guide on keeping your WordPress site secure and stable.
Update WordPress and all plugins regularly
We'll start with the most important thing you can do to keep your WordPress website secure and stable: regularly update WordPress and all plugins on your website.
When WordPress or a plugin on WordPress has an update available, it usually just adds new features or makes the plugin more efficient. But updates can include important security updates too.
It is difficult to write code that is completely safe from hacking attempts, so mistakes are sometimes made despite best intentions. When this happens, the issue will eventually be discovered by the creator of the plugin and they will release an update to fix it. The danger arises when a hacker discovers the issue before you apply the update. Your website is then at risk of being hacked into, crashed or deleted; the severity depends on how bad the security flaw in the plugin is.
The updating process:
- Back up your WordPress website. There is a small chance that an update will crash your website or corrupt its data. If this happens you can simply go back to the backup.
- Update WordPress, if an update is available.
- Update all themes and plugins that have updates available.
- Check that everything is working correctly on your website.
You can save time by automating this process, while also backing up your website daily and scanning for security issues, using a service called ManageWP.
You can use wpsec.com to run a free security scan on your WordPress website that will detect any plugins with security issues.
Use a secure username and password
This applies to pretty much any kind of website, WordPress included.
All accounts on your WordPress website, especially Administrator ones, should:
- Have a unique name that is not ‘admin’, as hackers and bots will usually try ‘admin’ as the username when trying to break into a website.
- Have a strong, unique password.
  - Strong: we like to use passphrases, which you can generate and save for free using Bitwarden.
  - Unique: only use this password for this account on this website. Don’t use it anywhere else.
A screenshot of Bitwarden generating a secure passphrase. Passphrases work like passwords but are made of words, which makes them easier to remember.
iThemes Security also allows you to force all users to set a strong password.
It is also important to ensure you use a strong password on the hosting account that your WordPress website is on.
Use Two-Factor Authentication
Two-factor authentication is one of the best security steps you can take on all of your online accounts, not just WordPress.
After entering your password, two-factor authentication requires you to enter a code that is generated from an app on your phone or sent to you via text. These codes are usually six numbers, generated at random, that change every minute or so.
Using this makes it virtually impossible for someone to hack into your account using your username and password, as even if a hacker obtains your password, they would need access to your phone to log in.
WordPress does not have two-factor authentication by default, so it must be added via a plugin like iThemes Security.
It is also important, where possible, to enable two-factor authentication on your hosting account.
Install a good security plugin
Every plugin installed on WordPress has the potential to slow down your website, or allow it to be crashed or hacked. So it’s best to install as few plugins as possible.
That being said, it’s important to have a dedicated security plugin installed on your website. Our preference is again for iThemes Security, as it has a number of other important security features as well as two-factor authentication.
Where possible we try to use one plugin to accomplish multiple goals, as this means there are fewer plugins needed on the website, which is good for security and stability. In this case, there are many plugins that only provide two-factor authentication, so by using iThemes Security we need one less security plugin on our website.
iThemes Security has a number of important features, including:
- A firewall to keep known hackers and bots off your website.
- Login protection that stops hackers from repeatedly trying to guess your password.
- Protection against spam.
Some of these features are available in the free version of the plugin, others are in the paid option. The more important your website is to your business, the more worthwhile a paid security plugin is.
There are a number of other free security features in the plugin not mentioned here - we recommend exploring and activating all of them to make your WordPress website as secure as possible.
(FYI: we don’t get paid by this plugin for recommending it - we just like it!)
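The login-protection feature above works by noticing many failed logins from one address in a short time. As an added illustration (not code from the original post or from iThemes Security), this Python script runs that detection over constructed access-log lines; the IP addresses and timestamps are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (not taken from any real server): one address hammering
# wp-login.php, one ordinary page view, and one successful login (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2023:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2023:14:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.20 - - [10/Mar/2023:14:00:05 +0000] "GET /about/ HTTP/1.1" 200 8712
203.0.113.7 - - [10/Mar/2023:14:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2023:14:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.44 - - [10/Mar/2023:14:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def failed_logins(log_text):
    """Map each client IP to the sorted timestamps of its failed login attempts.
    WordPress answers a wrong password by re-rendering the form (HTTP 200) and a
    correct one with a 302 redirect, so a 200 on a POST to wp-login.php is a failure."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {ip: sorted(ts) for ip, ts in attempts.items()}

def brute_force_suspects(log_text, threshold=5, window_seconds=300):
    """Return {ip: count} for IPs with >= threshold failures inside one sliding window.
    This is the signal a login-protection feature uses before locking an address out."""
    suspects = {}
    for ip, stamps in failed_logins(log_text).items():
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            if in_window >= threshold:
                suspects[ip] = in_window
                break
    return suspects

if __name__ == "__main__":
    print(brute_force_suspects(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

Pointing it at your own access log (one line per request) shows whether anyone is guessing passwords against your site right now, which is exactly the case a lockout rule is there to stop.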
Use SSL
SSL is a way of securing all of the data that passes between your WordPress website and a visitor's browser. It is crucial for websites handling sensitive data such as personal information and debit card details.
The majority of websites these days use SSL, as many web browsers now show a warning on any websites that don't have it installed.
If your website doesn't have SSL, you will have to:
1. Get an SSL certificate. Your web hosting company probably sells these, but you can also get one for free by using Cloudflare on your website.
2. Set up SSL on your WordPress website. Once you have an SSL certificate, just install and activate the Really Simple SSL plugin and it will set up SSL on your WordPress website.
Update your PHP version
PHP is the programming language that WordPress runs on. Every hosting package that can run WordPress has it installed.
There are various versions of PHP available and it's important to use a recent one to improve your website's security and speed.
Currently, PHP 7.4 or higher is recommended for WordPress. You can update it in the 'PHP Version' settings of your website hosting.
Security is key
Security is key to keeping your WordPress website safe and stable. It can seem like it's not needed, as you could leave a WordPress website alone for years and not have any issues - but eventually they will sneak up on you.
WordPress security has to be proactive; just as fire alarms are no good once your house has burned down, improving the security of your website isn't any good if it has already been hacked (though you should improve it once the hack has been fixed).
If you don't have the time to implement these recommendations yourself, we can do a Website Audit for you to find all issues and give you a quote for fixing those issues.
Or, if you're tired of your WordPress website causing problems, get in touch below for a free call to discuss migrating your website to a much more secure and faster alternative, such as Webflow or Jamstack.