7 Ways to Protect your WordPress site this Christmas
Published 2020-12-19 (modified 2021-01-30). https://www.glassmountains.co.uk/campfire/7-ways-to-protect-your-wordpress-site-this-christmas/

With the holiday season quickly approaching, many of us will be trying to watch what we eat so that we don’t need to tighten our belts come the New Year. In this article, I want to talk about how we can ‘tighten the belts’ of our WordPress sites in terms of security, so that we don’t have any nasty surprises on December the 25th.

Below are seven steps that you may want to consider. Some items are more technical than others, and ideally you will have access to technical support who can assist you with these (if you don’t have access to such support, then why not look at our pay-as-you-go WordPress support service?).

If you are not confident with any of the steps below, please don’t attempt them until you are satisfied that you have adequate technical support in place.

Hosting

If you aren’t familiar with hosting and servers, then ideally your WordPress website will be hosted on a WordPress-specialist hosting environment such as FlyWheel, Pagely, or WPengine. Because such hosting is WordPress only, and because their network and infrastructure are tuned to the specific needs of WordPress, you’ll more than likely be in a more secure environment just by using them.

However, migrating hosting is not a trivial project, so I’m not going to include that in this list. If you need help with hosting migration in the New Year, please speak to us.

1) Remove Admin account

By default, WordPress comes with an Administrator-level user called Admin. You want to create your own Administrator-level account (called whatever you like) and then delete this default Admin account.

Why? Because every WordPress installation gets this Admin account by default, so hackers will guess that account name first. Why make life easy for them?

Next, take a long hard look at all the other WordPress Administrator-level accounts set up on your website. Chances are, there are a few dead or dormant ones there associated with, say, people who have left your company or third-party companies you no longer work with. Such dead accounts should be deleted. By getting rid of dormant accounts, you are reducing the number of doorways that hackers can find into your website. Again, let’s not make it easy for them.

Note: sometimes your hosting company has its own Administrator account on your website; this should be kept. If in doubt, speak to your hosting company because, funnily enough, hackers know how to create accounts that look legitimate!

2) Change Passwords

Now that you have whittled the Administrator accounts down to just those who do need access to your site, I would encourage all of them to change their passwords; you can ask them to reset their passwords themselves, or you can do this for them via the WordPress backend.

3) Plugin Housekeeping

Whilst you are in the spring (winter?!) cleaning mood, you might want to consider removing any plugins that your website does not need. The less code that runs on your website, the fewer opportunities for hackers to get in.

Next, you want to look at updating any plugins where possible. You have to be careful here though: plugins are executable program code, sitting on your website and interacting with other executable code and plugins. Any update can potentially cause a problem. In fairness, reputable plugin vendors won’t release updates without testing them thoroughly first, but still, the risk remains. That being said, the risk of being hacked is probably greater – so keeping your plugins up to date is critical.

Modern WordPress allows you to enable auto-updates; in general, that should be your preferred route.

[Image: WordPress plugins – Enable Auto-updates]

4) Security Plugins

Ideally, you also want to install a security plugin such as iThemes Security Pro, Sucuri, or WordFence (your website host may also have some recommendations here).

Such a plugin can help with many aspects of tightening up the security of your website. In truth, such plugins typically need additional configuration, and perhaps prior consideration of which options you wish to use and which are right for your organisation (some of which we’ll touch on below).

5) Multi-Factor Authentication

Ok, scary-sounding title I know – but this is fantastic when it comes to securing your site.

Multi-factor authentication is where you need more than just a username and password to log in to your WordPress site. You also need a unique code which is sent to a device under your control (e.g. via email, or perhaps an app on your phone). This approach largely defeats brute-force attacks, in which hackers repeatedly guess usernames and passwords, because a guessed password alone is not enough without access to your authentication device.

Whilst not necessarily for the faint-hearted, there are a few ways to achieve multi-factor authentication. The iThemes Security Pro plugin discussed above has this feature built in, as does Sucuri. You can also look at Duo or Traitware.

6) Locking down WP-ADMIN

iThemes Security Pro also allows you to implement security rules such as: