4 steps to keep your website safe
This blog post contains affiliate links. This means that I may receive a commission – at no extra cost to you – if you click on a link and make a purchase. I only recommend products and services that I use & love - whether an affiliate relationship is in place or not.
I know security isn’t the most exciting subject, but think of what would happen if your website was hacked. Would you know what to do? Do you have a backup or would everything be lost? I don’t want you to waste time worrying about it, so take these steps to keep your website safe.
1. Use strong login credentials
Don’t use an obvious username
Most login attempts use the admin username, and after that it’s usually the site name (in my case, anouskarood and anouskarood.com are used often). When those usernames don’t even exist, it’s just that little bit harder for hackers to get into your site.
If you’re not sure whether users like admin or your site name exist, you can check under Users > All Users.
If you are using one of those usernames, WordPress unfortunately won’t let you change it. You can fix this by deleting the account, but before you can do that, you need to create a new user. If you want to use the same email address you’re using for the existing account, you’ll first need to change the email address on the existing account. Click Edit under the username and change the email address to something else.
To create the new user, hit the Add new button on the Users page. Make sure you’re making it an Administrator so the new account has the access you need.
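After creating the new user, log out and then log in with the new user account. Go to All Users and delete the admin (or site name) account. When WordPress asks what should be done with the content owned by that user, choose to attribute it to your new account so your posts and pages aren’t deleted along with the old account.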
Use a strong password
You also need to use a strong password. When creating a new user, WordPress already generates a strong password for you. Don’t change it to a weak password or a password you’re using everywhere else. If you didn’t have to create a new account, you can simply change your password in Your Profile under Account Management.
It’s best to have different passwords for different sites, but let’s be realistic, you can’t remember strong passwords for all your accounts everywhere. That’s why I use LastPass. You have just one strong password to remember; LastPass will remember all your other passwords for you. It can generate strong passwords and check the strength of your existing ones, so you can go through all your accounts and make sure you’re using strong and unique passwords everywhere.
Enable two-factor authentication
Two-factor authentication creates an extra step during the login process. When you enter the correct username and password, you need a code you get from an email, text message or app on your phone. So even if a hacker somehow gets the username and password right, they can’t get in because they don’t have access to your email account or phone. You can set this up with a plugin like Two Factor Authentication or the pro version of iThemes Security.
2. Install a security plugin
iThemes Security does a one-click security check when you first install it. It enables the most important features and settings, such as blocking people who try to log in with a wrong username and/or password too often. Apart from those features, it can also detect changes to your site’s files and block people snooping around your site looking for vulnerabilities (404 detection). The pro version also includes Two Factor Authentication (so you don’t need a separate plugin for that), automated malware scans, password expiration (to force you and any other users on your site to update your passwords regularly) and more.
Sucuri also has a short list of the most important settings you can apply with one click. It monitors all security-related events on your site and also includes a list of steps to recover your site if it does get hacked. The premium version includes a firewall to protect you from all sorts of vulnerabilities and attacks.
3. Set up automated backups
What would you still have from your site if it crashes or gets hacked? Even if you haven’t had either happen before, you never know when it might happen, so this is definitely something to be prepared for. Better safe than sorry.
Your web hosting company might make backups for you, but some don’t even guarantee the backups are up-to-date, so you might still lose files or data. It’s much better to have your own backups to restore.
If you configured backups long ago, it’s important to check every once in a while whether they’re still working properly. If you have a backup plugin that’s doing what it needs to do and you’re happy with it, there’s no need to change!
But if you either haven’t ever configured backups, or you find they’re no longer working as they should, I recommend the UpdraftPlus Backup and Restoration plugin. It’s easy to set up automated backups, and it will back up both your database and files. Some backup plugins only back up the database, which means you’d still risk losing your theme, plugins and uploaded files.
UpdraftPlus can save backups to different cloud-storage services, like Amazon S3, Dropbox and Google Drive, as well as email. I’ve heard from readers that setting it up to save backups to Google Drive is quite complicated. I personally use Dropbox and recommend it.
Whatever you do, don’t save backups to a separate folder on your site – or at least not as the only place, you should also have backups elsewhere. If your site ever becomes compromised, you could lose all folders and files on your site, even the backup folder, so make sure they’re saved somewhere really safe. I can’t recommend it enough to save your backups to a cloud-storage service.
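One way to do the "is my backup still working" check described above, as an added example that is not from the original post or from UpdraftPlus: it looks at a folder of backup archives (for example your synced Dropbox folder) and reports when the newest backup is stale, is missing the database or the theme, plugin and upload files, or contains an archive that can't be read. The file-name pattern, the 7-day limit and the function names are assumptions of this example.

```python
import gzip
import re
import sys
import zipfile
import zlib
from datetime import datetime, timedelta
from pathlib import Path

# Assumed naming: backup_<YYYY-MM-DD-HHMM>_<site>_<id>-<part>[N].<zip|gz>
NAME_RE = re.compile(r"^backup_(\d{4}-\d{2}-\d{2}-\d{4})_.+-(db|plugins|themes|uploads|others)\d*\.(gz|zip)$")
REQUIRED = {"db", "plugins", "themes", "uploads"}  # database plus the site's files


def archive_ok(path):
    """True if the archive opens, is not empty and reads to the end cleanly."""
    try:
        if path.suffix == ".zip":
            with zipfile.ZipFile(path) as zf:
                return bool(zf.namelist()) and zf.testzip() is None
        with gzip.open(path, "rb") as fh:
            while fh.read(1 << 20):
                pass
        return True
    except (OSError, EOFError, zipfile.BadZipFile, zlib.error):
        return False


def audit_backups(folder, now=None, max_age_days=7):
    """Return a list of problems found in the newest backup set in `folder`."""
    now = now or datetime.now()
    sets = {}  # backup time -> {part name: [archive paths]}
    for path in Path(folder).iterdir():
        if m := NAME_RE.match(path.name):
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d-%H%M")
            sets.setdefault(stamp, {}).setdefault(m.group(2), []).append(path)
    if not sets:
        return ["no backup files found"]
    newest = max(sets)
    parts, problems = sets[newest], []
    if now - newest > timedelta(days=max_age_days):
        problems.append(f"newest backup is from {newest:%Y-%m-%d}, older than {max_age_days} days")
    problems += [f"newest backup has no '{p}' archive" for p in sorted(REQUIRED - parts.keys())]
    for paths in parts.values():
        problems += [f"{p.name} is unreadable or empty" for p in paths if not archive_ok(p)]
    return problems


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    print("\n".join(audit_backups(folder)) or "backup set looks complete and recent")
```

An empty result means the newest backup set passed every check; it does not replace restoring a backup to a test site now and then.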
4. Keep WordPress and your themes + plugins updated
WordPress is updated regularly to address new security issues that may come up. You need to regularly check to see if there are any updates waiting to be installed. And of course, if there are any, install them!
You can also enable automatic updates for your site, so you don’t even have to think about it anymore. Or switch to a hosting company like SiteGround, which will automatically install updates for you.
Don’t panic! All this might sound pretty intimidating, especially if you’re just starting out. I don’t want to scare you, but it’s important to think about how you keep your website safe. WordPress is actually a very stable & secure system to use, but as with any system, if you don’t keep it updated, security issues will come up.