Now that the first quarter of 2021 is coming to an end, now is a good time to check your website security. You should take a minute and make sure your website is as secure as it can be. I wanted to take this opportunity and give you some quick steps to take to ensure your site is good to go for security.
Steps to ensure good website security
- Use a strong password in WordPress and different passwords on every site
- Install a WordPress security plugin, like iThemes Security or WordFence
- Enable WordPress two-factor authentication
- Lockdown the number of unsuccessful login attempts with Limit Login Attempts
- Keep WordPress and your themes and plugins updated
- Work with your host to make sure your file permissions are correct
- Run regular malware scans with sucuri.net
- Have an automated backup running
Passwords everywhere
The most basic method of securing your website is to use a strong password and to be sure that you use a unique password for different sites. We talked about this before for Password Day back in May. It’s a day set aside where you are supposed to review your passwords and make sure they are secure and strong enough. In case you missed that, here are a couple of tips.
- Include numbers, capitals, special characters (@, #, *, etc.)
- Be long (12 characters – minimum; 50 characters – ideal)
- Can include spaces and be a passphrase (Just don’t use the same password in multiple places)
- Changed every 90 days, or 3 months
I won’t go back over all of the tips from that article but you see read it here.
Security plugins
It’s also a good idea to install a security plugin like ithemes Security or WordFence. WordFence has a free and a paid version while ithemes is a paid plugin. Both plugins will protect against Malware and include other security features that we are going to talk about today including two-factor authentication, enforcing strong passwords and locking out people who are trying to login to your site.
Two Factor Authentication
Basically, this is almost like having to log in to your website twice, once with the strong password you created in step one of this review and the second can be one of several different things. One way is to use Google and install the Google Authenticator application on your phone. After you log in with your password, your site will then prompt you for a six-digit code that you can only find on your phone using the app. You open the app and your site will be listed with the six-digit code you need. This code will change every 30 seconds to add extra security.
Strong Passwords
These security plugins will force you and your users to make sure they have secure passwords in place using the tips we mentioned earlier. If you are someone else doesn’t include these in their password, the plugin won’t allow them to use that password. By default, WordPress will generate a really strong password using random characters.
Lock them out.
Another feature of the security plugins is the ability to lock out users who have entered a bad username and password after so many attempts. You can set these to however many attempts you want. For example, if someone is trying to login using the username of admin, the default administrator account for WordPress, after three unsuccessful attempts, the plugin will lock out that IP address trying to log in for a set period of time. Another tip is to not use admin as a username and set the plugin to lockout that IP address as soon as someone tries to use it
If you didn’t want to use a security plugin for some of these features, there are stand-alone plugins that will do this. They include WP Limit Login Attempts and Google Authenticator by Ivan Kruchkoff that uses the Google app for your phone I mentioned earlier.
Update I tell ya, update
Another way of increasing your website security is checking for updates. You also should be checking your site for any WordPress Core, theme and plugin updates. Once you log in to your website, if you see a red circle with a number in it, this is the number of updates you need to install. You should be checking this regularly for updates.
Run regular malware scans with sucuri.net
Every so often, you can go to sucuri.net and run a security check on your site for malware. This will scan your site and give you information about malware and if your domain is on a blacklist for spam. If it finds something suspicious, it will alert you to it and give you tips on how to fix it. Of course, Sucuri will fix it for you for a fee but if you are using the security tips here, the chance of being infected is low.
Have an automated backup running
The last website security tip is just as important as all of the others but you should have a good backup of your site. There are several plugins that will do this for you include ithemes which makes Backup Buddy. Most of these plugins will create a backup for you and save it somewhere like Google Drive or Dropbox. You want to make sure that you are not saving the backup to your site but somewhere else so that if a hacker does get into your site, they can’t hack the backups as well. By having the backups saved somewhere else, the quicker you can restore it to your site in case something goes wrong.
Good website security is important and if you need help in securing your site, sign up today for our Free Site Audit and we will audit your site for your security and maintenance and send you a report detailing what we find.