You just spent a lot of money (or time!) on your shiny, brand new WordPress website. Getting your website launched and ready to go is only half the battle. Now that your website is running, it’s time to do your best to keep it updated as your company grows and changes. You don’t just want to keep your website updated though, you want to ensure that it continues to be secure and safe, right?
Website security is something that causes a lot of fear in many of my clients. It doesn’t help that WordPress literally powers 39% of the internet and thus WordPress websites can become hacking targets. There are, however, simple steps you can take to protect your WordPress website and to help keep it running optimally for the life of the site as well.
1. Use a Quality Web Host
Look, I’d love to tell you that you can get by with a website host that only costs $7/month, but there’s a reason they’re only $7/month. A lot of that is in the fact that they don’t provide a lot more than just a space for your website to live, but it’s also in their (lack of) customer service.
Skip the bargain hosts and go for a tried-and-true WordPress host like WPEngine. They’re a little more per month, but they literally help you solve 2 out of the 5 tips I’m going to give you below, plus their customer support is the best I’ve ever worked with. Hosting with them provides the fastest page loading I’ve had with a WordPress host, too, and they provide some extra layers of security. Frankly, they’re who I use for my own sites and my clients’, and I’ve never had an issue.
Migration is a simple process, too, that they’ll help you through if need be!
2. Don’t Make Your Username Admin
This was a rampant issue a few years ago, but it’s still one of the easiest ways to protect your WordPress website. There are multiple user types in a WordPress site, but the type of user that has access to it all is called an administrator or admin. Especially for companies that may have multiple people managing their site, they might find it easier to create one username and share that password. Unfortunately, it’s pretty common practice to make that user “admin”, which hackers can guess a mile away.
Just. Don’t. Do. It.
Instead, create users for single individuals and use either their names and/or email addresses as their username. Never name your username companyname-admin either, because that’s pretty easy to guess. If you’re a solopreneur with a personal brand, try to avoid having your username be just your first name either, as that can be easy to guess as well. It’s a first, easy step to putting up a blockade to potential hack threats.
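To check an existing site against these rules, the following is an added example (not from the original post) that flags administrator logins matching the patterns described above. It assumes you feed it one login per line, for instance from WP-CLI; the company name, first name, and sample logins are constructed for illustration.

```shell
#!/bin/sh
# Flag administrator logins that are easy to guess.
# stdin: one login per line, e.g. from
#   wp user list --role=administrator --field=user_login
# $1 = company name, $2 = site owner's first name (values you supply).
flag_guessable_logins() {
    company=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    first=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r login; do
        [ -n "$login" ] || continue
        # Compare case-insensitively, but report the login as stored.
        l=$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')
        reason=""
        case "$l" in
            admin|administrator)
                reason="default admin name" ;;
            "$company"[-_.]admin|admin[-_.]"$company"|"${company}admin")
                reason="company name plus admin" ;;
            "$first")
                reason="first name only" ;;
        esac
        [ -n "$reason" ] && printf '%s\t%s\n' "$login" "$reason"
    done
    return 0
}

# Constructed sample input (not real accounts).
printf '%s\n' admin Acme-Admin jane jane.doe@example.com |
    flag_guessable_logins "Acme" "Jane"
```

Any login it prints should be replaced with a new per-person administrator account before the old one is deleted.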
3. Use a secure password
The second, and also very simple one, is to use a secure password. And no, I do not mean one where you’ve used your spouse’s name and their birthday with an ! at the end (or for the love of god, your company with 2021 in there). Remembering a secure password can be problematic, but if you use Google Chrome as your browser it offers to remember passwords for you when you log in for the first time. Other password keepers like LastPass or Apple Keychain can help you remember secure passwords as well.
WordPress now requires you to use a secure password when you’re setting it through their interface and will often suggest one. My best recommendation is to use their suggested string of nonsense numbers, symbols, and letters to create a truly unique, secure password and then save that into a password keeper. I know, it’s a pain in the ass, but worst case scenario is you have to reset the password from time to time.
4. Take a backup once a month
This is a glorious thing that WPEngine does on the daily (and keeps those daily backups available to you for a while), but I highly recommend taking one of those daily backups once a month, downloading it, and saving it to a third location. I have literally never had an issue with their backup system, but you never know when a tornado can hit their servers (they’re based in Texas) or something crazy happens.
Having a backup for your website also means that if you make an update and something goes wrong, you’re able to roll your site back to a time it worked.
I once had a client who was hosted at a, let’s call them a bargain but highly advertised on the Super Bowl ads, web host. This client, for whatever reason, didn’t tell his employees that he’d gone into his website’s file structure and accidentally deleted all of his site’s files. And then that host took a backup the next morning of the empty folder and had no other backups available, so this man’s website was gone. Thankfully, I take and keep backups whenever I launch a client’s website and was able to restore his website to as-launched condition, but it could have been much worse.
Good backups save you time, headaches, lots of money, and pain. Do it.
5. Update WordPress and plugins
I know a lot of people that aren’t so comfortable doing this, but WordPress itself and different plugin authors update their software in part to close security holes and to increase security. I highly recommend that you take a backup first (which WP Engine makes so simple) and then update WordPress and plugins about once a month at minimum. Test your website for a few minutes after updating to ensure that nothing went awry, then take another backup of your website with everything up to date. If you sync this up, you can knock out both the monthly backup and the updates at the same time and make it easy.
For those that are just not comfortable hitting that update button in case something does go wrong, consider investing into a WordPress care package that includes both updates and backup support.
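For hosts that give you shell access, the backup, update, test, backup routine described above can be scripted. This is an added example, not from the original post; it assumes WP-CLI (the wp command) is installed and that you run it from the WordPress root folder, and the backups directory name is a placeholder.

```shell
#!/bin/sh
# Assumes WP-CLI ("wp") is installed and the current directory is the
# WordPress root (the folder that contains wp-content).

# Save the database and wp-content under $1 with label $2.
# Fails if either archive is missing or empty.
site_backup() {
    dir=$1; label=$2; stamp=$(date +%Y-%m-%d)
    mkdir -p "$dir" || return 1
    wp db export "$dir/db-$label-$stamp.sql" || return 1
    tar -czf "$dir/files-$label-$stamp.tar.gz" wp-content || return 1
    [ -s "$dir/db-$label-$stamp.sql" ] && [ -s "$dir/files-$label-$stamp.tar.gz" ]
}

# Backup first; only touch core and plugins if that backup succeeded.
backup_then_update() {
    dir=${1:-./backups}
    if ! site_backup "$dir" before; then
        echo "Backup failed; nothing was updated." >&2
        return 1
    fi
    wp core update || return 2
    wp plugin update --all || return 2
    echo "Updated. Click through the site, then run: backup_after_testing $dir"
}

# Run once you have checked the site by hand and it still works.
backup_after_testing() {
    site_backup "${1:-./backups}" after
}
```

Copy the resulting files off the server afterwards so the monthly backup also lives in a third location.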
6. Use an SSL Certificate
This is another one that is super simple when using WP Engine, but having an SSL or security certificate installed on your website is a must! It’s a must for SEO these days, because Google cares that you’re secure, and it helps protect not only you but also your customers’ data.
An SSL certificate basically adds that nice little lock icon next to your domain and loads your site through https instead of http. While you can get certificates for as low as $9/year, they can be a little finicky to install (which is why budget hosts typically charge you $70/year).
WPEngine, on the other hand, offers them for free and keeps them updated for you, PLUS forces your site to use https, which is just another step toward adding vital security to your website.