WordPress is so popular that many attackers treat websites built with it as an easy target: one known weakness can be tried against millions of sites. Luckily WordPress is open source, which means many people work on it and patch it continuously. The catch is that a patch only protects you once you have applied it, which is what most of the steps below are about.
Here are 6 steps to help you secure your WordPress website. It should take less than 30 minutes, so do it now and avoid having your website hacked.
1. Back up your website
You should be backing up your website regularly. How often depends on how often you add or edit your content.
At a minimum you should back up after adding or editing your content and before you update the WordPress software, theme or plugins. I like to back up immediately before updating any software so I have a working copy to restore if anything goes wrong.
Be sure to store your backup copies away from your website. A backup sitting in your hosting account is reachable by anyone who breaks into the site, so if the website gets hacked (or the server fails) the backup can go with it. Download your backups, or have them copied to separate storage.
Some hosting companies provide backup services, or you can install a backup plugin. I like All-In-One WP Migration because it's easy to use and can back up your entire website: content, database and settings. Whichever you use, do a test restore once so you know the backup actually works before you need it.
2. Remove old WordPress installations and backups
If you've set up a practice WordPress installation, or saved backup files in your hosting account, remove them. The same goes for any other software you installed but aren't using, such as a Drupal or Joomla site you tried out.
Any software that isn't being maintained and updated is a doorway for attackers, even if you never link to it: an old installation in a forgotten folder is still reachable by URL, and a backup archive left under your website can be downloaded, database passwords included.
You can get to these files and folders using cPanel, if your hosting company provides it. After logging in, scroll down to the link called 'File Manager' or something similar. Clicking it shows the files and folders within your hosting account. If you don't have access to cPanel, you can reach the files with an FTP program. Use SFTP (or FTPS) rather than plain FTP if your host supports it: plain FTP sends your password across the network in clear text.
If you don't have an FTP program, download a free copy of FileZilla, which supports SFTP and FTPS as well as FTP.
If you're not sure what might need to be deleted, contact your hosting company for help.
And be sure to make a backup of your website before deleting anything. Just in case!
3. Secure your cPanel and admin accounts
While you are in cPanel, change your cPanel password. Don't use anything generic or easy to guess, such as your address or birthday, and don't reuse a password from another site, since leaked password lists are the first thing attackers try. Length matters more than clever substitutions: aim for at least 12 characters (20 is better), mixing upper and lower case, numbers and punctuation, or let a password manager generate and store it for you. If your host offers two-factor authentication for cPanel, turn it on. Keep your password somewhere safe.
By the way, if you like playing the fun little quizzes on Facebook, be careful of giving out too much personal information. Harmless-seeming questions like 'what's the name of your first pet?', 'where did you grow up?', 'what was your first car?' or 'what was your mom's maiden name?' are the same questions used to reset passwords, so answering them publicly can hand an attacker the keys to your website and even your bank account.
Next, log into the WordPress dashboard by going to yourdomain.com/wp-admin/ (substitute your actual domain name for 'yourdomain') and enter your username and password. Go to Users > All Users and check every account with the 'Administrator' role. Delete any you don't recognize; WordPress will ask what to do with that user's posts, so attribute them to an account you are keeping rather than deleting them. Anyone who only writes or edits content should be an Editor or Author, not an Administrator. If the passwords on the remaining accounts are weak, update them as above and notify your administrators of the change. A two-factor authentication plugin for the WordPress login is well worth adding here too.
4. Delete all themes and plugins you don't need
WordPress generally comes with several themes and plugins already installed. For themes, go to Appearance > Themes and for plugins go to Plugins > Installed Plugins. Delete any that you're not using or that you don't recognize. Deactivating is not enough: the files of a deactivated plugin or theme stay on the server, where they can still be reached and exploited.
Check when each remaining theme and plugin was last updated. For plugins from the wordpress.org directory, 'View details' on the Plugins page shows the last-updated date; otherwise click the author's link for your theme and the 'Visit plugin site' link for each plugin.
If there are some that haven't been updated within the last year or two, find a replacement and delete the old one. Abandoned code keeps whatever vulnerabilities it had, and nobody is fixing them. Another option is to contact the author and ask why it hasn't been updated recently.
5. Update your WordPress installation, theme and plugins
If you haven't made a backup already, do so now.
If your WordPress installation, theme and/or plugins are not up-to-date, update them. Check after each update that nothing was broken.
If there are any problems, restore from your backup and try again, this time updating one plugin at a time and checking the site after each, so you can see which one is causing the problem. You may need to contact the author of any theme or plugin that breaks the site.
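Steps 1 to 5 can also be run from the command line, which is worth knowing if you maintain more than one site. The script below is an added example (not from this post or from any of the plugins it mentions): it uses WP-CLI (https://wp-cli.org) and assumes WP-CLI is installed on the server, that WP_ROOT is the WordPress directory and that WEB_ROOT is the hosting account's document root (public_html on most cPanel hosts). The `demo` mode runs the delete/update decision logic on a constructed sample of `wp plugin list` output, so that part can be tried without a server.

```shell
#!/bin/sh
# wp-hardening-pass.sh: steps 1 to 5 as one scripted pass, using WP-CLI.
# Added example, not code from the post. Assumes WP-CLI is installed, WP_ROOT
# is the WordPress directory and WEB_ROOT the hosting account's document root.
set -eu

WP_ROOT="${WP_ROOT:-.}"
WEB_ROOT="${WEB_ROOT:-$WP_ROOT}"
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/wp-backups}"   # outside the web root

# Step 1: timestamped database dump plus an archive of wp-content and
# wp-config.php. gzip -t fails loudly on a corrupt archive, which is better
# discovered now than during a restore. Copy the files off the server after.
backup_site() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR"
  wp --path="$WP_ROOT" db export "$BACKUP_DIR/db-$stamp.sql"
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_ROOT" wp-content wp-config.php
  gzip -t "$BACKUP_DIR/files-$stamp.tar.gz"
  echo "backup written to $BACKUP_DIR/files-$stamp.tar.gz"
}

# Step 2: other CMS installs and backup archives left under the web root.
# wp-config.php marks a WordPress install, configuration.php a Joomla one,
# settings.php a Drupal one; .wpress is All-In-One WP Migration's format.
# The live site's own wp-config.php is excluded (give both paths the same way).
find_leftovers() {
  root="$1"
  find "$root" -type f \( -name wp-config.php -o -name configuration.php \
       -o -name settings.php -o -name '*.sql' -o -name '*.zip' \
       -o -name '*.tar.gz' -o -name '*.wpress' \) \
    | grep -vxF "$WP_ROOT/wp-config.php" || true
}

# Step 3: every administrator account, for a human to review.
list_admins() {
  wp --path="$WP_ROOT" user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered
}

# Steps 4 and 5: one action per row of
#   wp plugin list --format=csv --fields=name,status,update   (same for theme list)
# inactive -> DELETE, update available -> UPDATE, otherwise KEEP. A theme whose
# status is "parent" (parent of the active child theme) is never marked DELETE.
plan_actions() {
  awk -F, 'NR > 1 {
    if ($2 == "inactive")        action = "DELETE"
    else if ($3 == "available")  action = "UPDATE"
    else                         action = "KEEP"
    print $1, action
  }'
}

# Step 5: update core, plugins and themes, then compare core and plugin files
# against the wordpress.org checksums so a tampered file shows up.
update_everything() {
  wp --path="$WP_ROOT" core update
  wp --path="$WP_ROOT" plugin update --all
  wp --path="$WP_ROOT" theme update --all
  wp --path="$WP_ROOT" core verify-checksums
  wp --path="$WP_ROOT" plugin verify-checksums --all
}

run_pass() {
  backup_site
  echo "== leftover installs and archives (step 2) =="; find_leftovers "$WEB_ROOT"
  echo "== administrator accounts (step 3) =="; list_admins
  echo "== plugin actions (steps 4/5) =="
  wp --path="$WP_ROOT" plugin list --format=csv --fields=name,status,update | plan_actions
  echo "== theme actions (steps 4/5) =="
  wp --path="$WP_ROOT" theme list --format=csv --fields=name,status,update | plan_actions
  update_everything
}

# Constructed sample of `wp plugin list` / `wp theme list` CSV output for the demo.
SAMPLE_CSV='name,status,update
akismet,inactive,none
hello,inactive,available
wordfence,active,available
twentytwentyfour,parent,none'

case "${1:-}" in
  run)  run_pass ;;
  demo) printf '%s\n' "$SAMPLE_CSV" | plan_actions ;;
  *)    echo "usage: $0 run | $0 demo" >&2 ;;
esac
```

Run `sh wp-hardening-pass.sh demo` to see the decisions (akismet and hello DELETE, wordfence UPDATE, twentytwentyfour KEEP) and `WP_ROOT=/home/you/public_html sh wp-hardening-pass.sh run` for the real pass. The script only reports deletion candidates and administrator accounts; it does not delete anything, because those are decisions for a person to make after looking at the list.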
6. Add security software
Now that your website is up to date and trimmed down, you can add some security software to keep it that way. There are plugins that limit login attempts to stop brute-force password guessing, and others that scan your files for malware and watch for unusual activity.
One plugin that does a good job is called Wordfence. After installing it, go to the Firewall menu and enable 'Extended Protection.' Then go to Wordfence > Scan and click to start a scan. This checks for infected or modified files and notifies you of problems for you to correct. Keep in mind that a security plugin is itself software: it needs updating like everything else, and it does not replace steps 1 to 5.
Congratulations! Your website is now a much harder target than it was half an hour ago. Keep up the good work: repeat the backup and update steps whenever WordPress, your theme or a plugin releases a new version.
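To see what a "limit login attempts" plugin is actually doing, here is the same idea done by hand against the web server's access log. This is an added example, not code from this post or from Wordfence: it assumes a combined-format access log (the default for Apache and nginx) on standard input, and it writes lockout rules in Apache 2.4 `.htaccess` syntax, which only takes effect if your host allows `.htaccess` overrides. The sample log lines are constructed for the `demo` mode.

```shell
#!/bin/sh
# wp-login-watch.sh: flag clients hammering the WordPress login, the way a
# "limit login attempts" plugin does, from the access log. Added example, not
# from the post or from Wordfence. Assumes a combined-format access log on
# stdin and Apache 2.4 .htaccess syntax for the lockout block.
set -eu

# Print "IP count" for every client with at least THRESHOLD failed attempts.
# A failed wp-login.php POST re-renders the form with status 200, while a
# successful one redirects (302), so only 200s are counted there. POSTs to
# xmlrpc.php are counted regardless, since it answers 200 either way and is
# the other common brute-force entry point.
login_bruteforce_ips() {
  thr="${1:-5}"
  awk -v thr="$thr" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { n[$1]++ }
    END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
  ' | sort
}

# Turn "IP count" lines into an Apache 2.4 block that keeps those clients
# away from the login form; paste it into .htaccess (needs AllowOverride).
lockout_rules() {
  printf '<Files "wp-login.php">\n  <RequireAll>\n    Require all granted\n'
  awk '{ print "    Require not ip " $1 }'
  printf '  </RequireAll>\n</Files>\n'
}

# Constructed sample log: 203.0.113.5 fails five times and then tries xmlrpc,
# 198.51.100.7 logs in normally, 192.0.2.9 fails twice.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'

case "${1:-}" in
  demo) printf '%s\n' "$SAMPLE_LOG" | login_bruteforce_ips 5 | lockout_rules ;;
  "")   echo "usage: $0 demo | $0 THRESHOLD < access.log" >&2 ;;
  *)    login_bruteforce_ips "$1" | lockout_rules ;;
esac
```

`sh wp-login-watch.sh demo` flags only 203.0.113.5 (six attempts); the two failures from 192.0.2.9 stay under the threshold, and the real user at 198.51.100.7 is never counted because their POST returned a 302. A plugin adds a time window and expiry on top of this so a locked-out address is released later; this script blocks until you remove the line.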