4 steps to keep your website safe

I know security isn’t the most exciting subject, but think of what would happen if your website was hacked. Would you know what to do? Do you have a backup or would everything be lost? I don’t want you to waste time worrying about it, so take these steps to keep your website safe.

1. Use strong login credentials

Don’t use an obvious username

Most login attempts are done with the admin username, but after that it’s usually the site name (in my case, anouskarood and anouskarood.com are used often). When those usernames don’t even exist, it’s just that little bit harder for hackers to get into your site.

If you don’t know if users like admin or your site name exist, you can check that under Users > All Users.

If you are using those usernames, unfortunately you can’t change the usernames. But you can fix it by deleting it. Before you can do that, you need to create a new user. If you want to use the same email address you’re using for the existing account, you’ll first need to change the email address. Click Edit under the username and change the email address to something else.

To create the new user, hit the Add new button on the Users page. Make sure you’re making it an Administrator so the new account has the access you need.

After creating the new user, log out and then log in with the new user account. Go to All Users and delete the admin (or site name) account.

Use a strong password

You also need to use a strong password. When creating a new user, WordPress already generates a strong password for you. Don’t change it to a weak password or a password you’re using everywhere else. If you didn’t have to create a new account, you can simply change your password in Your Profile under Account Management.

It’s best to have different passwords for different sites, but let’s be realistic, you can’t remember strong passwords for all your accounts everywhere. That’s why I use LastPass. You have just one strong password to remember, LastPass will remember all your other passwords for you. It can generate strong passwords, and also allows you to let it check the strength of your existing passwords, so you can go through all your accounts and make sure you’re using strong and unique passwords everywhere.

Enable two-factor authentication

Two-factor authentication creates an extra step during the login process. When you enter the correct username and password, you need a code you get from an email, text message or app on your phone. So even if a hacker somehow gets the username and password right, they can’t get in because they don’t have access to your email account or phone. You can set this up with the free version of Solid Security, or get Solid Security Pro for more options, including logging in with a passkey (passwordless login)

2. Install a security plugin

I recommend Solid Security or Sucuri. Both have free and paid versions and are easy to set up.

Solid Security does a one-click security check when you first install it. It enables the most important features and settings, such as blocking people who try to login with a wrong username and/or password too often. Apart from those features, it can also detect changes to your site’s files and block people snooping around your site looking for vulnerabilities (404 detection). The pro version also includes Two Factor Authentication (so you don’t need a separate plugin for that), automated malware scans, password expiration (to force you and other users there might be on your site to update their passwords regularly) and more.

Sucuri also has a short list of the most important settings you can apply with one click. It monitors all security related events on your site and also includes a list of steps to recover your site if it does get hacked. The premium version includes a firewall to protect you from all sorts of vulnerabilities and attacks.

3. Set up automated backups

What would you still have from your site if it crashes or gets hacked? Even if you haven’t had either happen before, you never know when it might happen, so this is definitely something to be prepared for. Better safe than sorry.

Your web hosting company might make backups for you, but some don’t even guarantee the backups are up-to-date, so you might still lose files or data. It’s much better to have your own backups to restore.

If you’ve configured backups long ago, it’s important to check every once in a while if it’s still working properly. If you have a backup plugin that’s doing what it needs to do and you’re happy with it, there’s no need to change!

But if you haven’t ever configured backups or you find it’s no longer working as it should, I recommend the UpdraftPlus Backup and Restoration plugin. It’s easy to set up automated backups and will back up both your database and files. Some backup plugins only backup the database, which means you’d still risk losing your theme, plugins, and uploaded files.

UpdraftPlus can save backups to different cloud-storage services, like Amazon S3, Dropbox, and Google Drive, as well as email. I’ve heard from readers setting it up to save backups to Google Drive is quite complicated, I personally use Dropbox and recommend it.

Whatever you do, don’t save backups to a separate folder on your site – or at least not as the only place; you should also have backups elsewhere. If your site ever becomes compromised, you could lose all folders and files on your site, even the backup folder, so make sure they’re saved somewhere really safe. I can’t recommend it enough to save your backups to a cloud storage service.

4. Keep WordPress and your themes + plugins updated

WordPress is updated regularly to address new security issues that may come up. You need to regularly check to see if there are any updates waiting to be installed. And, of course, if there are any, install them!

You can also enable automatic updates for your site, so you don’t even have to think about it anymore. Or switch to a hosting company like SiteGround, which will automatically install updates for you.

Finally…

Don’t panic! All this might sound pretty intimidating, especially if you’re just starting out. I don’t want to scare you, but it’s important to think about how you keep your website safe. WordPress is actually a very stable and secure system to use, but as with any system, if you don’t keep it updated, security issues will come up.