The Top 10 WordPress Security Tips For 2019 That May Just Save Your Site

Paul Stratford, Creative Director

Locked out by the red screen of doom? Threatened with suspension by your hosting provider, or flagged for serving malicious content?

If so, you’re familiar with the pain that goes with managing your online security. Thankfully, our own list of proven techniques will help protect you from future problems and show you how to repair your reputation with Google. It’s packed with our highest-impact recommendations and built from our own experience, often painful, so we know better than most how to arm yourself against attack. Read on to discover what we’ve found.

Have you spent days picking through thousands of infected files, repairing suspect files one by one in the hope that this time the problem is fixed? Or submitted countless review requests to Google, only to find the issue returns? That happens because a compromise rarely touches one file: malicious code, usually obfuscated PHP, gets injected into a large number of files across the site, core files included, and reading them by hand will not find them all. The reliable way to find injected core files is to compare every one against a clean copy of the same WordPress version. Sound bad? It is, so make the security of your site a priority and get it nailed down.

If you’re on WordPress, the good news is that these attacks are not a WordPress problem; they affect all types of sites. The BBC site was taken down back in December 2015 and CNN suffered similar attacks and outages in early January 2016. Moonfruit, which runs a simple but very capable SaaS website platform, had users locked out of their websites for nearly two weeks while it defended against ransom attempts threatening to infiltrate every one of its 5,500 websites. In fact, according to a report by Forbes there are nearly 30,000 attacks every day across all platforms. That’s not all.

According to a recent Information Week article, up to 7% of the visits to your site are likely to be malicious rather than the valued prospects you’re hoping for, and Sucuri puts the average site under attack around 300 times a day.

So before you consider scrapping your entire WordPress site and moving to a new platform, ask whether any platform is robust enough to offer 100% protection against attacks. None is, and that is why being part of the WordPress community is so rewarding: there are hundreds of security options to protect your site, some of them free. If you’re not yet on WordPress, consider that you’ll get this level of support and peace of mind. Ready to find out the best approaches to WordPress security? Great, let’s go:

Our recommended approach to WordPress Website security is broadly divided into three main areas:

1. Monitoring & Protection

  • The first and perhaps the easiest step is to replace the default WordPress username ‘admin’. Go into ‘Users’, create a personal username with a unique, long password, and check it against a published list of the most commonly used passwords so you avoid the weakest ones
  • Then delete the old ‘admin’ account, reassigning its posts and pages to your new user when WordPress prompts you. Sounds obvious, but a live ‘admin’ account is the clearest signal to would-be attackers that few security procedures are in place: it is the first username every automated login attack tries
  • If you’ve opted to use a third-party theme, do some due diligence beforehand. Check its popularity (number of downloads), positive reviews, frequency of updates and responsiveness of support, and make sure it has a solid roadmap and a thriving community behind it
  • Use as few plugins as possible, and delete (don’t just deactivate) the ones you no longer use. Each one has to be updated regularly; a deactivated plugin still sits on disk and, left alone, becomes a security liability in itself
  • Install a tool such as Wordfence or iThemes Security to alert you to attacks as they happen. The free versions catch the bulk of automated attempts and keep a detailed log showing the usernames tried, the source IP and its country of origin, and so on
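To show what the login-attack alerts from a tool like Wordfence or iThemes Security are built on, here is an added example (not code from this article, nor from either plugin) that runs the same detection over ordinary web-server access logs. The log lines, IP addresses and thresholds are constructed for the example; the two facts it relies on are that a failed wp-login.php POST returns HTTP 200 (the form is re-rendered with an error) while a successful one returns a 302 redirect, and that xmlrpc.php POSTs are the other channel brute-force tools use.

```python
"""Added example: spot password-guessing against WordPress in access logs.

Not part of the original article or of any plugin it names. SAMPLE_LOG is
constructed data in the Apache/Nginx "combined" log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two endpoints automated WordPress login attacks hammer.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: one brute-force run that eventually succeeds (203.0.113.7),
# one normal user who mistypes once (198.51.100.4), one xmlrpc.php run (192.0.2.9).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2019:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2019:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2019:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2019:10:05:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2019:10:05:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Feb/2019:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [12/Feb/2019:11:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [12/Feb/2019:11:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [12/Feb/2019:11:30:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [12/Feb/2019:11:30:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one combined-format log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def detect_login_attacks(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs that made >= threshold login attempts inside any `window`.

    A wp-login.php POST answered with 302 is a successful login and is tracked
    separately, so the report can say whether a guessing run was followed by
    a success (the case that needs an immediate password reset).
    """
    attempts = defaultdict(list)   # ip -> timestamps of failed / unknown-outcome attempts
    successes = defaultdict(list)  # ip -> timestamps of successful wp-login.php POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == 302:
            successes[rec["ip"]].append(rec["ts"])
        else:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        peak, j = 0, 0
        for i, t in enumerate(stamps):       # sliding window over sorted timestamps
            while stamps[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(stamps),
                "peak_in_window": peak,
                "later_success": any(s > stamps[0] for s in successes.get(ip, [])),
            }
    return flagged


def run_sample():
    """Run the detection over the constructed log above."""
    return detect_login_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(ip, info)
```

On a real site point it at the access log for the last day and treat any IP with `later_success` set as a compromised account, not just a blocked attacker. Remember that a forgotten user typing their password wrong a few times will never reach the threshold, which is the whole point of using a window rather than a raw count.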

2. Scanning

  • Install a malware scanner that indexes every file on your website, flags changes to core files and looks for known malicious code. iThemes Security does this pretty well, as do many other solutions such as VaultPress, Sucuri or Exploit Scanner
  • Run a check with Google’s Safe Browsing site status tool (https://transparencyreport.google.com/safe-browsing/search). This will tell you whether Google has detected harmful activity or scripts on your website. If you have any SEO considerations, you’ll want this to be completely clear, because a flagged site shows a browser warning to every visitor
  • Run a test with McAfee SiteAdvisor (now called WebAdvisor). It installs as a browser extension and lets you check quickly whether your site is rated safe or unsafe
  • Consider installing Hotjar. It is an analytics tool rather than a security scanner, but its session recordings show you how visitors actually behave on the site, and that can reveal it being used in ways you never expected.
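The scanners in the list above (and the hand-cleaning described at the top of the article) all come down to the same three checks: which core files differ from a clean copy of the same WordPress version, which files exist where clean WordPress ships none, and which PHP files carry the obfuscation idioms injected backdoors use. The following is an added example, not code from the article or from any of the scanners named; it builds a constructed site tree and a constructed manifest of clean-file hashes in a temporary directory so it runs offline. On a real site the manifest would come from a fresh download of the same WordPress version (or from WP-CLI’s `wp core verify-checksums`, which does the core-file comparison for you).

```python
"""Added example: file-level WordPress integrity audit.

Not part of the original article or of any scanner it names. The site tree,
file contents and manifest built by build_sample_site() are constructed
stand-ins, not real WordPress files.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Obfuscation idioms that legitimate core/plugin code essentially never uses:
# eval() of decoded data, preg_replace with the /e modifier, and calling a
# function whose name comes straight out of the request ($_POST['x'](...)).
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\([^,]*/e['\"]"
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("
)

CORE_PREFIXES = ("wp-admin/", "wp-includes/")       # clean WP owns everything here
CUSTOM_OK = {"wp-config.php", ".htaccess", "robots.txt"}  # top-level files a site legitimately adds


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relative_files(root):
    """Yield (relative_posix_path, absolute_path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def audit(site_root, manifest):
    """Compare an installed tree against {relative_path: sha256} of clean files."""
    report = {"modified": [], "unexpected": [], "missing": [], "suspicious": []}
    seen = set()
    for rel, full in relative_files(site_root):
        seen.add(rel)
        if rel in manifest:
            if sha256_of(full) == manifest[rel]:
                continue                       # byte-identical to clean copy: nothing to scan
            report["modified"].append(rel)     # a core file that has been altered
        elif rel.startswith(CORE_PREFIXES) or ("/" not in rel and rel not in CUSTOM_OK):
            report["unexpected"].append(rel)   # extra file in an area only core should populate
        elif rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
            report["unexpected"].append(rel)   # uploads must never contain PHP
        if rel.endswith(".php"):               # scan everything not proven clean
            with open(full, "rb") as f:
                m = SUSPICIOUS.search(f.read())
            if m:
                report["suspicious"].append((rel, m.group(0).decode("latin-1")))
    report["missing"] = sorted(set(manifest) - seen)
    for key in ("modified", "unexpected", "suspicious"):
        report[key].sort()
    return report


def build_sample_site():
    """Create a constructed site tree in a temp dir; return (root, clean manifest)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    clean = {  # constructed stand-ins for core files
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-admin/index.php": b"<?php\nrequire_once __DIR__ . '/admin.php';\n",
        "wp-includes/version.php": b"<?php\n$wp_version = '5.0.3';\n",
        "wp-includes/functions.php": b"<?php\nfunction wp_example() { return 1; }\n",
    }
    on_disk = dict(clean)
    # a backdoor appended to a genuine core file
    on_disk["wp-includes/functions.php"] += b"eval(base64_decode('cGhwaW5mbygpOw=='));\n"
    # files an attacker dropped where clean WordPress ships nothing
    on_disk["wp-includes/class-wp-ajax.php"] = b"<?php preg_replace(\"/.*/e\", $_GET['c'], '');\n"
    on_disk["wp-content/uploads/2019/02/image.php"] = b"<?php @$_POST['f']($_POST['a']);\n"
    # legitimate non-core files that must not be flagged
    on_disk["wp-config.php"] = b"<?php define('DB_NAME', 'wp');\n"
    on_disk["wp-content/plugins/demo/demo.php"] = b"<?php $img = base64_decode($data);\n"
    for rel, data in on_disk.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}
    return root, manifest


def run_sample():
    root, manifest = build_sample_site()
    try:
        return audit(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, items in run_sample().items():
        print(key, items)
```

Two things the example deliberately shows: a plugin that merely calls `base64_decode` is not flagged (plenty of legitimate code does that), and a file that hashes clean is skipped entirely, so the pattern scan only ever runs on files you cannot otherwise vouch for. Treat every `modified` or `unexpected` core file as something to replace from the clean copy rather than to edit.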

3. Repairing and maintenance

  • Rather obvious, but update WordPress core, theme files and plugins. Not just when you fancy it, but regularly, to keep the window of exposure short: we recommend monthly at least, and sooner for anything released as a security fix. Take note that updates can cause incompatibility between plugins and themes, rendering some features or pages unusable, so be sure to manage this carefully.
  • Consider switching on ‘auto-updates’. WordPress already installs minor (security) core releases automatically; extending that to plugins and themes can cause incompatibility issues, but if you’re a small team, as long as you back up regularly, it could be a safe, simple answer
  • Backups. Not just downloading the database on an ad-hoc basis, though. Set up a staging (‘mirror’) server that replicates the environment of the main site. Each month, before updating the theme files, plugins and WordPress core, recreate the entire site on this staging server and test that all the updates work. Iron out any issues with new scripts or code there before rolling out on the live site
  • Build a support team and keep a baseline copy of the site taken while it’s running perfectly. Familiarise your preferred team with the website’s functionality, CSS and structure while it is fully functioning, and use this baseline as the reference point for any issues that arise and as the known-good copy to compare suspect files against.
  • Finally, if you have been subjected to this type of attack then Google, McAfee and any other service that flagged the site need to be told it is fixed. Request a review through Google Search Console’s Security Issues report and through McAfee’s site review process; any penalties or warnings in place need to be removed if you expect your search rankings to be reinstated. This is time-consuming, but once the review succeeds you should receive a confirmation email and see traffic return to normal levels again.

The irony of website security is that as our clients climb search engine rankings, and perform higher in paid advertising, driving more and more visitors to their sites, they also attract the wrong attention. Hence we take website security seriously and consider it to be a subset of SEO and conversion rate optimisation.

We’ve seen the impact a malicious attack can cause on clients’ websites and developed the above approach as a response to the growing responsibility placed on website owners.
