Since its inception, WordPress has grown to become the world’s most popular self-hosted CMS solution.
Because of this popularity, WordPress is a favourite target of hackers and it is vital to ensure that your account is secure and that you maintain it properly.
There are some simple things you can do to secure your account, whatever your level of expertise:
Use strong passwords and non-standard usernames
If your username is easy to guess, such as admin or your company name, you leave yourself wide open to hacking. Choose a username that is entirely unrelated to you or your business. Strong passwords are essential. Use a combination of upper and lower case letters, numbers and symbols. It’s worth changing your password periodically, and making new passwords part of your business’s process when a team member leaves. If you can’t come up with something unique, try https://strongpasswordgenerator.com/. If you struggle to remember passwords, try a password storage service such as LastPass or Dashlane.
Check for any unauthorised admins
Make a habit of periodically checking the admins and users on your account. Immediately delete any you don’t recognise.
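One way to make this check repeatable is to compare the administrator list against the logins you expect. The script below is an added example, not part of the original post; it assumes WP-CLI is available on the server, and the approved logins and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Flag administrator accounts that are not on an approved list.
# Expected input on stdin: CSV as produced by
#   wp user list --role=administrator \
#     --fields=user_login,user_email,user_registered --format=csv
# Assumption: no field contains an embedded comma.

unexpected_admins() {
    # "$@" holds the approved administrator logins.
    # Skip the CSV header row, then split each row on commas.
    tail -n +2 | while IFS=, read -r login email registered; do
        if [ -z "$login" ]; then
            continue
        fi
        known=no
        for approved in "$@"; do
            if [ "$login" = "$approved" ]; then
                known=yes
            fi
        done
        # Report anything not approved, with its registration date,
        # so it can be investigated before it is deleted.
        if [ "$known" = no ]; then
            printf '%s\t%s\t%s\n' "$login" "$email" "$registered"
        fi
    done
}

# Constructed sample output (not from a real site).
SAMPLE_CSV='user_login,user_email,user_registered
k7-site-owner,owner@example.com,2019-03-02 10:15:00
editor-jane,jane@example.com,2020-06-11 08:40:12
wpsupport01,x@example.net,2024-01-19 03:22:51'

# Demo run on the sample; on a live site pipe the wp command above instead.
printf '%s\n' "$SAMPLE_CSV" | unexpected_admins k7-site-owner editor-jane
```

Run it from cron or after each staff change; any line it prints is an administrator nobody has approved.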
Updating regularly will install new security features as well as ensuring you’re running the latest version. Make sure you also update all themes and plugins.
Completely delete unused themes and plugins
Delete themes or plugins that aren’t being used. Just disabling them is not enough to prevent them from being compromised by hackers.
Some great security plugins:
Wordfence https://wordpress.org/plugins/wordfence/ is a highly rated and very efficient cache plugin which protects from hacks and malware.
WP Super Cache https://wordpress.org/plugins/wp-super-cache/ is a slightly quicker alternative cache if speed is your thing. Don’t use multiple cache plugins at the same time.
Disable XML-RPC Pingback http://wordpress.org/plugins/disable-xml-rpc-pingback/ – XML-RPC Pingback is regularly abused to attack other websites, so EvoHosting block all activity to it. If you want to use certain plugins like Jetpack, or blogging software on your device, we require this plugin to be used before we allow this activity.
Heartbeat Control https://wordpress.org/plugins/heartbeat-control/ – the Heartbeat API in WordPress can sometimes cause problems on busy websites due to the frequency of requests it makes. This may be particularly apparent in the Admin dashboard, and you can use this plugin to disable the requests or change their frequency.
Delete Expired Transients https://wordpress.org/plugins/delete-expired-transients/ – Transients are part of WordPress’s own caching mechanism. The problem is that they are stored in the database, and it seems that some plugins may not clear them regularly, if at all. Once you get millions of rows of transients in your database, this will severely impact your website performance. Use this plugin to manually clear any that have expired.
Please comment below with any hints and tips you have for securing WordPress and any great plugins we’ve overlooked.