Todd Jones
Along with being the resident writer for MainWP and content hacker at Copyflight, I specialize in writing about startups, entrepreneurs, social media, WordPress and inbound marketing topics.

This past year, I became interested in and watched the TV series Mr. Robot on the USA Network.
Mr. Robot is about a hacker who seeks to take down the powers that be, mainly E Corp, which he always hears as Evil Corp.
Elliot is the lead character. He is a small, geeky hacker who, as the story begins, works for a contractor that monitors security for large corporations. E Corp is one of the clients.
Hacking has all kinds of connotations. What do you think of when you hear the term hacking?
Elliot’s type of hacking is one of at least three basic ideas of hacking that include coding (think Facebook Hackathons) and Growth Hacking.
The kind of hacking we are talking about refers to the ability of a programmer to break into a computer or network system. This is the dangerous kind of hacking, right?
Hacking into systems becomes news almost every day. The problem is these hackers can access personal data.
The threat is real which is why securing our WordPress websites is a critical part of our WordPress care programs.
Even the smallest business can be affected.
With WordPress powering 27% of the internet, these sites have become big targets.
Security is always about risk reduction, and WordPress is no different. The WordPress Codex discusses this on their Hardening WordPress page.
“Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”
WordPress Codex
Keeping your client information safe is a priority for WordPress Entrepreneurs. Here are six easy ways to manage your WordPress Security.
And the good news, you can do all of these from within your MainWP dashboard!
When making sure your WordPress website is secure, the first place to start is with your host. Making the right hosting decisions for security is imperative.
There are different types of hosts with different philosophies. WordPress developers usually work with VPS, Managed WordPress, and Dedicated Servers.
Here is a good list of other types:
Your hosting should allow you to have a VPS, managed hosting or a dedicated server for a reasonable price. If they do not have these options, start looking elsewhere.
Don’t just go for the lowest price.
No.
Don’t go cheap.
Are you looking for a new host? Ask people you respect and trust. This is exactly what one user did in the MainWP Facebook Group. He got plenty of options to consider in just a few hours.
There are hundreds of millions of WordPress websites on the planet. A large percentage of them are self-hosted, and the owners leave their install with the default settings.
The first thing you should change is the admin password.
Why?
When hackers target a WordPress website, they often start with Brute Force Attacks. This means they try username and password combinations, one after another, until one unlocks access.
Because admin has long been the default username for the first administrator account, they will start by trying admin.
Additionally, force strong passwords. The worst thing you can do is leave the username as the default (admin) and set an easy-to-crack password such as 123456, your phone number, or some other easily guessed value.
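Two checks behind the advice above, written here as an added example rather than code from the post or from MainWP: spotting a brute-force run against wp-login.php in a web server access log, and rejecting the passwords an attacker tries first. The log lines are constructed; the IP addresses are documentation ranges. The detection relies on a real WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful login answers with a 302 redirect to wp-admin, so a burst of 200s on POST /wp-login.php from one address is the signal.

```python
"""Brute-force detection over access-log lines, plus a weak-password gate.
Added example; sample log is constructed, not captured from a real site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 hammers the login form (six failures in
# four seconds), 198.51.100.24 mistypes once and then logs in (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3216 "-" "python-requests/2.12"
203.0.113.7 - - [10/Jan/2017:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3216 "-" "python-requests/2.12"
203.0.113.7 - - [10/Jan/2017:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3216 "-" "python-requests/2.12"
203.0.113.7 - - [10/Jan/2017:14:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3216 "-" "python-requests/2.12"
203.0.113.7 - - [10/Jan/2017:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3216 "-" "python-requests/2.12"
203.0.113.7 - - [10/Jan/2017:14:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3216 "-" "python-requests/2.12"
198.51.100.24 - - [10/Jan/2017:14:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Jan/2017:14:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Jan/2017:14:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Pull ip, timestamp, method, path (query string dropped) and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def failed_logins(log_text):
    """{ip: [timestamps]} of POSTs to wp-login.php answered with 200.
    WordPress re-renders the form with 200 on failure and redirects (302)
    on success, so 200 on a POST is the failure signal."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php" \
                and ev["status"] == 200:
            fails[ev["ip"]].append(ev["ts"])
    return fails


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """IPs with at least `threshold` failed logins inside any `window`,
    mapped to the largest burst seen (sliding window over sorted stamps)."""
    flagged = {}
    for ip, stamps in failed_logins(log_text).items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Small constructed list; a real deployment would use a full breached-password set.
COMMON = {"123456", "12345678", "password", "admin", "qwerty", "letmein", "welcome"}


def password_problems(username, password, extra_guessable=()):
    """Reasons a credential pair would fall to the first minutes of a
    brute-force run. Empty list means it passes this gate."""
    problems = []
    if username.lower() == "admin":
        problems.append("default username 'admin'")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON:
        problems.append("on common-password list")
    if password.isdigit():
        problems.append("digits only (phone numbers, dates)")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    for value in extra_guessable:  # e.g. the client's phone number, company name
        if value and value.lower() in password.lower():
            problems.append("contains guessable value %r" % value)
    return problems


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("admin/123456:", password_problems("admin", "123456"))
```

Run against a real log, lower the threshold for sites where nobody should be logging in at all, and feed the flagged addresses to whatever blocks at the edge (a plugin's lockout, the host's firewall). The password gate is the kind of rule a "force strong passwords" setting enforces; pass the client's phone number and company name as `extra_guessable` so the obvious choices are rejected too.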
What did you say was your client’s password?
A reliable security plugin will help the many who are not comfortable adjusting files and server settings. To be sure, anyone who can edit a PHP file can handle the most basic hardening tasks, such as locking down wp-config.php, wp-includes and wp-admin.
While we all are comfortable installing and configuring WordPress and creating or configuring themes, we may not all be interested in making some of these changes.
The wrong tweak can cause a crisis.
You and your client need a reliable security plugin installed.
Two of the most popular security plugins are Wordfence and iThemes’ Security plugin.
MainWP includes extensions for both plugins.
Additionally, using Sucuri to monitor for possible compromise is a good investment.
Here is a good list of various security plugins
Speaking of Sucuri, MainWP has a free extension for Sucuri. Implement that.
Sucuri monitors your site files for unexpected changes, so you find out quickly if you have been hacked.
Sucuri, of course, also offers a service to clean up a hacked website, usually on a per-month plan. Of course, prevention is much better than fixing something later.
This kind of scan is a value add for your clients.
“SiteCheck provides web-based malware scanning of your websites using the latest in fingerprinting technology. It gives you a quick way to determine if your web applications are out of date, exploited with malware, or even blacklisted by popular search engines all directly from your MainWP Dashboard!”
https://mainwp.com/extension/sucuri/
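File monitoring of the kind described above comes down to a baseline of file hashes and a diff against it. The block below is an added example of that mechanism, not Sucuri's or MainWP's code; it builds a constructed stand-in for a site tree in a temporary directory, takes a baseline, simulates a compromise (a dropped backdoor, a tampered core file, a deleted theme file) and reports what changed, with a cheap triage pass for the obfuscated-eval patterns common in PHP webshells.

```python
"""File-integrity baseline and diff for a WordPress tree.
Added example; the site tree and the 'compromise' are constructed."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def diff_baseline(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


# Classic obfuscation wrappers; a heuristic for triage, not proof of compromise.
SUSPICIOUS = (b"eval(base64_decode(", b"eval(gzinflate(", b"eval(str_rot13(")


def looks_like_webshell(path):
    """True if a PHP file contains one of the obfuscated-eval markers."""
    if not path.endswith(".php"):
        return False
    with open(path, "rb") as f:
        data = f.read()
    return any(marker in data for marker in SUSPICIOUS)


def write(root, rel, data):
    """Helper for the constructed site tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed install, simulate a compromise, return the report."""
    with tempfile.TemporaryDirectory() as site:
        write(site, "wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        write(site, "wp-includes/functions.php", b"<?php function wp_x() {}\n")
        write(site, "wp-content/themes/t/footer.php", b"<?php wp_footer();\n")
        clean = hash_tree(site)

        # Simulated compromise: backdoor in uploads, core file tampered, theme file gone.
        write(site, "wp-content/uploads/x.php",
              b"<?php eval(base64_decode($_GET['c']));\n")
        write(site, "wp-includes/functions.php",
              b"<?php function wp_x() {} eval(gzinflate('...'));\n")
        os.remove(os.path.join(site, "wp-content/themes/t/footer.php"))

        changes = diff_baseline(clean, hash_tree(site))
        changes["suspicious"] = [
            p for p in changes["added"] + changes["modified"]
            if looks_like_webshell(os.path.join(site, p))
        ]
        return changes


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two practical notes. Keep the baseline somewhere the web server's user cannot write (an external dashboard, as the services above do), because an attacker who can alter files can also alter a baseline stored beside them. And take the baseline from a known-good state, right after a fresh install or update, not from a site that may already be compromised.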
Previously, when I told clients they need to keep their WordPress website up-to-date, I would often use the analogy of a car.
You wouldn’t buy a car and not realize that you were responsible for oil changes and new tires, etc. Unless your auto dealership offered free oil changes for life, they are not going to do updates for free.
Of course, if your car runs out of oil, it won’t last long before the engine goes boom.
All pieces of machinery need maintenance. All pieces of software do too.
The business owner has to keep his or her website up to date. Your host will update critical software components, WordPress will issue updates, the plugin developers will offer updates and sometimes, your theme developer will as well.
It is essential that you keep WordPress, your themes, and your plugins updated. The biggest reason is security vulnerabilities: most updates close holes that are already public.
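Knowing what needs updating starts with reading what is installed. WordPress takes a plugin's name and version from a header comment in its main file, and the block below, an added example rather than MainWP's update code, parses those headers and compares them with a catalogue of latest versions. Both the plugin files and the catalogue are constructed; a real audit would fetch the latest versions from the update API. The version comparison is numeric on purpose: compared as strings, "1.2.9" sorts after "1.2.10" and the plugin looks current when it is not.

```python
"""Outdated-plugin audit from WordPress plugin headers.
Added example; plugin files and the latest-version catalogue are constructed."""
import re

# Header lines look like "Version: 1.2.3" or " * Version: 1.2.3" inside a comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed main-file contents for three hypothetical installed plugins.
INSTALLED = {
    "example-forms/example-forms.php":
        "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.2.9\n*/\n",
    "example-seo/example-seo.php":
        "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 4.0\n */\n",
    "example-cache/example-cache.php":
        "<?php\n/*\nPlugin Name: Example Cache\nVersion: 2.5.1\n*/\n",
}

# Constructed catalogue of latest releases, keyed by plugin slug.
LATEST = {"example-forms": "1.2.10", "example-seo": "4.0.0", "example-cache": "3.0"}


def parse_plugin_header(source):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's main file."""
    return dict(HEADER_RE.findall(source))


def numeric_version(v):
    """'1.2.10' -> (1, 2, 10); non-numeric parts are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older(installed, latest):
    """Numeric comparison with zero padding so 4.0 == 4.0.0 and 1.2.9 < 1.2.10."""
    a, b = numeric_version(installed), numeric_version(latest)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def outdated_plugins(installed_files, latest):
    """[(slug, name, installed_version, latest_version)] for plugins behind the catalogue."""
    report = []
    for path, source in installed_files.items():
        slug = path.split("/")[0]
        header = parse_plugin_header(source)
        current = header.get("Version", "0")
        newest = latest.get(slug)
        if newest and is_older(current, newest):
            report.append((slug, header.get("Plugin Name", slug), current, newest))
    return sorted(report)


if __name__ == "__main__":
    for slug, name, cur, new in outdated_plugins(INSTALLED, LATEST):
        print("%s (%s): %s -> %s" % (name, slug, cur, new))
```

Point the same logic at `wp-content/plugins/*/` on a real site and at the update API's version numbers, and the report becomes the checklist for the maintenance plan described next.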
If you are hosting the client’s website on your hosting or server, updating all the components should be a nonissue. Either make it a part of the hosting package or require them to sign up for your maintenance package.
Any site you develop for a business owner is a prime opportunity to upsell security updates and backups.
Most clients I had were happy to pay me more than they would a host to get this service. It is a peace of mind issue.
Here is a good guide for securing WordPress from Yoast
As the WordPress Codex points out, no system will be foolproof, but we can use tools and routine tasks to reduce the risk and put some level of prevention into the mix.
Building this into our WordPress builds is an important value-add for clients.
Offering it as a package as part of a Care plan or a basics plan is another value-add.
There is something I didn’t address that bears mentioning. It is very important. Offer your thoughts in the comments on what that something is that I left off.
What tasks do you use to keep your WordPress installs secure?
Do you use a plugin or several plugins?
Do you use Sucuri?
Are your clients willing to pay for security services?
3 comments
Nigel Hellewell
Hi Todd
I would recommend changing the default admin username, and ensure that all enumeration is disabled. Not doing so gives potential hackers 50% of the login.
Additionally implement a backup strategy so there is something to restore if things do go wrong.
Lastly disable directory indexing, and perhaps think about using IP/Country blocking to backend admin area, especially if you do not have a static IP.
All measures mentioned offer value added services which can be added to your own portfolio.
Depending on which legal jurisdiction you and your clients operate in, not adopting the actions could leave you in potential violation of legal requirements should a breach occur (in relation to personal data).
Mulyadi Subali
By VPN, do you mean VPS?
Todd Jones
You are correct. My mistake. Thanks for pointing it out!