As a new WordPress administrator, you undoubtedly have a lot to think about and do. After all, WordPress websites are as fun and exciting as they are demanding. Even so, one thing that many new administrators do not think about enough is safety and security.
To be safe online, there are two things we need to think about – systems and processes. Systems refer to the security software and devices we install. Processes, on the other hand, refer to our behaviors. Both are important.
While securing WordPress is important, we must also remember to secure our personal accounts and devices. Equally, we must be extra vigilant and stricter with ourselves in how we view online security. This is how we can ensure that both we and our WordPress website stay safe.
This article will look at best practices we can implement and maintain without too much effort. Doing so will not only help us stay safe, but also mitigate threats to the WordPress website itself.
Choose a strong password
When it comes to choosing a password, you need to be very careful. Always use a fresh password that you are not using on any other website, and make sure it is of adequate length and has a healthy mix of upper and lower case letters, numbers, and special characters. Do not try to disguise a dictionary word by swapping letters for look-alike characters (I for 1, and so on): password-cracking software understands these substitutions and will try them.
You do not need to be creative with passwords yourself. Most modern password managers and services include very good password generators, so use them.
Once you have your password, make sure you do not share it with anyone. If someone else needs access, creating a separate account for them is far better and safer; shared credentials lead to many security issues. Apply the principle of least privilege here, so that the new user is not given any access they do not need.
Best practices also tell us not to save passwords in our browsers. That is another reason to use a reputable password manager.
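The two password rules above (enough length with a mix of character classes, and no dictionary word dressed up with look-alike substitutions) can be turned into a generator and a policy check. The following Python is an added example written for this article, not code from the original page or from any password manager; the word list and the substitution table are small constructed stand-ins for the full dictionaries and rule sets that real cracking tools use.

```python
import secrets
import string

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full word list, e.g. a cracking dictionary, instead of these six words).
COMMON_WORDS = {"password", "welcome", "wordpress", "admin", "letmein", "dragon"}

# Undo the look-alike substitutions that cracking rules routinely try.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

CLASS_NAMES = ("lowercase", "uppercase", "digit", "symbol")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length: int = 20) -> str:
    """Return a random password that contains every character class.

    secrets.choice draws from the OS CSPRNG; rejection sampling keeps the
    distribution uniform while guaranteeing the class mix.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def looks_like_disguised_word(password: str) -> bool:
    """True if reversing common substitutions (optionally after stripping
    digits/punctuation from the ends) yields a dictionary word."""
    lowered = password.lower()
    candidates = {
        lowered.translate(LEET_MAP),
        lowered.strip(string.digits + string.punctuation).translate(LEET_MAP),
    }
    return any(c in COMMON_WORDS for c in candidates)


def check_password(password: str, min_length: int = 14) -> list[str]:
    """Return the list of policy problems; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, cls in zip(CLASS_NAMES, CLASSES)
               if not any(c in cls for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if looks_like_disguised_word(password):
        problems.append("dictionary word with look-alike substitutions")
    return problems


if __name__ == "__main__":
    for pw in ("P@55w0rd!", "W0rdpr3ss2024!", generate_password()):
        print(pw, "->", check_password(pw) or "ok")
```

Note that `W0rdpr3ss2024!` satisfies the length and class-mix rules and still fails, which is exactly the point of the article's warning: a disguised word is only as strong as the word.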
Add a second layer of defense
Strong passwords are great, as they are much harder to guess or crack. However, this does not mean that someone with malicious intent will not get through, given enough time and computing power. If you have the option, enable two-factor authentication (2FA). This security measure is known to stop some 99.99% of attacks, leaving your accounts that much more secure.
2FA adds another authentication layer to the login process. What makes it so secure is that it uses a second, different factor in addition to the password, so knowing the password alone is not enough to log in.
Pro Tip: You can even enable 2FA for your WordPress website users by downloading a 2FA plugin for WordPress.
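To show what the "second factor" in a typical 2FA plugin actually is, here is a time-based one-time password (TOTP) implementation, the scheme behind authenticator apps, with both the enrolment side (shared secret) and the server-side verification. This is an added example written for this article, not code from the original page or from any WordPress plugin; the fixed secret in the demo is the RFC 6238 test secret, and the 30-second step and one-step drift window are conventional choices assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30  # assumption: the usual TOTP time step


def generate_shared_secret(num_bytes: int = 20) -> str:
    """Create the per-user secret shown once (usually as a QR code) at enrolment.

    The server stores it; the authenticator app stores a copy. It never
    travels again, which is what makes the code an independent factor.
    """
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret_b32, at // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` neighbouring
    steps to tolerate clock drift, and compares in constant time so a timing
    difference does not leak how many digits matched."""
    current = at // STEP_SECONDS
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, current + drift), submitted):
            return True
    return False


if __name__ == "__main__":
    # Enrolment: server generates the secret, user scans it into their app.
    secret = generate_shared_secret()
    now = int(time.time())
    # Login: the app computes the code, the server verifies it.
    code = totp(secret, now)
    print("code", code, "accepted:", verify_totp(secret, code, now))
    print("replayed two minutes later accepted:",
          verify_totp(secret, code, now + 120))
```

The last line of the demo illustrates why a stolen code is of little use: outside the drift window the server rejects it, and a new code requires the secret that only the device holds.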
Ensure websites you interact with use HTTPS
HTTPS is the secure version of HTTP – the protocol used to transfer web pages over the internet. When a website uses HTTPS, the traffic between your computer and the website is encrypted, which means that should anyone be eavesdropping, they will not be able to read the data being passed back and forth.
The same applies when you access your WordPress files via FTP, which transfers credentials and files unencrypted. In such cases, use SFTP, the secure version of the protocol.
Pro Tip: You should also consider getting an SSL/TLS certificate for your WordPress website. They are relatively easy to install, help inspire confidence in your website, and can also help you rank better in SERPs (Search Engine Result Pages).
Secure your devices & software
A report by ResearchGate estimates that the average person will have over nine connected devices. Many of these devices, which can include computers, laptops, tablets, and smartphones, need to be secured. Antivirus software and firewalls are basic solutions, but it doesn’t end there. Many operating systems also offer the facility to encrypt the hard drive. Enabling this option ensures your data remains unreadable should the physical machine fall into the wrong hands.
Equally, you need to make sure that you install the latest updates on your machine as well as your WordPress website.
Whether it’s released by multi-billion-dollar companies such as Microsoft and Apple or by small software houses, software may have bugs and security holes, which are resolved through updates. In the same vein, when choosing a WordPress plugin, make sure that the developer releases updates frequently.
Pro Tip: You might also want to consider setting up a WordPress test environment. Test environments are a carbon copy of your website, but only accessible to you. They are used to test out updates and changes before rolling them out to the live environment. This helps you keep your interactions with the live environment to a minimum.
Many hosting plans come with a test environment; however, you can also build your own WordPress test environment using XAMPP.
Back up your data & computer
Whether it’s your personal computer or your WordPress website, taking backups is important. Backups help you minimize the loss of data should there be a catastrophic failure. Leaving the backup file on the same machine can be counterproductive. When backing up your machine, make sure that you move the backup to an external location, such as cloud storage or an external drive.
The same applies to your WordPress website. Not only do backups left on the server take up valuable space, but they also risk falling into the wrong hands. Backup files, even occasional ones, can contain a treasure trove of information, enabling a malicious actor to take over the machine or website and hold it for ransom.
Pro Tip: Read our WordPress backup guide & tips for more detailed information on how to back up your WordPress website, how to store the backup files, and much more.
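The two backup points above, do not leave backups on the server and move them to an external location, can be checked and carried out with a small script. The following Python is an added example written for this article, not code from the original page or from any backup plugin: it scans a web root for files that look like leftover site or database dumps, copies each one to a directory standing in for off-site storage, verifies the copy by SHA-256 before deleting the original, and re-scans. The directory tree it builds is constructed sample data; the file-name patterns are an assumption about what dumps are commonly called.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: names commonly given to site archives and database dumps.
BACKUP_PATTERNS = ("*.zip", "*.tar", "*.tar.gz", "*.tgz", "*.sql",
                   "*.sql.gz", "*.bak", "*backup*", "*.old")


def find_backup_leftovers(web_root: str) -> list[str]:
    """Return paths (relative to web_root, POSIX style) of backup-looking files."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and any(fnmatch.fnmatch(path.name.lower(), pat)
                                  for pat in BACKUP_PATTERNS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def move_backup_offsite(src: str, dest_dir: str) -> str:
    """Copy a backup outside the web root, verify the copy's hash against the
    original, and only then delete the original. Returns the verified hash."""
    src_path = Path(src)
    dest = Path(dest_dir) / src_path.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src_path, dest)
    expected = sha256_of(src_path)
    if sha256_of(dest) != expected:
        dest.unlink()  # never discard the only good copy
        raise IOError(f"copy of {src_path.name} failed verification; original kept")
    src_path.unlink()
    return expected


def build_sample_site(base: str) -> str:
    """Constructed sample data: a fake WordPress tree with two leftover dumps."""
    root = Path(base) / "public_html"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed placeholder\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
    (root / "site-backup-2024.zip").write_bytes(b"PK\x03\x04 constructed")
    (root / "wp-content" / "db.sql").write_text("-- constructed dump\n")
    return str(root)


def demo() -> dict:
    """Scan, move every leftover off the web root, and scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_site(tmp)
        offsite = os.path.join(tmp, "offsite")  # stands in for an external drive or cloud bucket
        before = find_backup_leftovers(root)
        for rel in before:
            move_backup_offsite(os.path.join(root, rel), offsite)
        return {"before": before,
                "after": find_backup_leftovers(root),
                "offsite": sorted(os.listdir(offsite))}


if __name__ == "__main__":
    print(demo())
```

In practice `find_backup_leftovers` is worth running on a schedule against the real document root, since backup plugins and hosting panels often write their archives there by default.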
Do not open suspicious emails
As the proud owner of a new WordPress website, you will be inundated with unsolicited emails, many of them offering services for anything you might imagine. While some of those emails might very well be genuine, a good portion of them will not be, and some could also be harboring malicious code.
Delete suspicious emails straight away and do not attempt to open them.
Use VPN (especially on public Wi-Fi)
When it comes to connectivity, VPNs are a mainstay that is as flexible as they come. Whether enabling corporate employees to work remotely or letting you access the internet anonymously, a VPN creates a tunnel between your machine and the VPN server, and information sent through this tunnel is encrypted.
While you should avoid public Wi-Fi as much as possible, a VPN does alleviate some of the risk of connecting to a network that anyone can join. Before connecting, switch on the VPN first and make sure that any apps that communicate online (instant messaging, browsers, clients, etc.) are switched off. Once the VPN connection is established, you can safely switch them back on.
Research any software before installing it
As you get deeper into the exciting world of WordPress, you’ll find all kinds of software that can help you with processes and tasks. One thing to note is that such software comes in all shapes and sizes. And while we have largely got rid of the compatibility issues that plagued us in the past, they have not entirely gone away.
To avoid aches and pains, take the time to research software before installing it. If you would like to try out new software and it comes with a free trial, take advantage of that, and draw up a test plan beforehand to ensure it can fix, or at the very least ease, whatever problems you’re facing.
Pro Tip: Read our guide on how to choose the best WordPress plugins for your website to learn more about the things to keep in mind before installing something on your site.
Security is an ongoing process rather than a task that you tick off your to-do list. Passwords need to be changed every so often, updates installed, antivirus signatures updated, and so forth. As such, it is essential to schedule time regularly devoted to securing and maintaining your online accounts and machines.
Separately, securing WordPress itself is just as important. Here, we also need to recognize that hardening WordPress is just as much an ongoing process. And while the process of securing WordPress differs from the one through which we secure our accounts, it deserves just as much of our attention.