How to make a wordpress website more secure?

1 Answer

Best answer

Your business website will react like any object. At startup everything works fine, then over time you may encounter problems.

Having a 100% operational website guarantees that your visitors (or Google bots) will not seek their happiness elsewhere. This in turn reduces your ability to gain new customers on the internet.

I would add that the GDPR 2018 also requires the protection of all personal data that you request from your visitors. Therefore, you also risk fines in case of data theft, so better maintain a good reputation in your professional activities!

Many companies like Uber and even Apple have been hacked. No business is truly secure, but I'm going to give you some actions to make your business website as secure as possible.

Obviously, I'm going to focus on WordPress, the content management system (CMS) I'm most familiar with.

In fact, WordPress sites make up the majority of our clients. This is not surprising since WordPress dominates CMS with 44% market share (source: Le Blog du Modérateur).

That said, if you use other CMS like Drupal, Joomla… the rules described below also apply.

1. Choose a secure host

Security is an important selection criterion for choosing your web hosting.

Why?

Because your website and your data are hosted by this provider.

Hackers continue to use their imaginations to launch attacks:

  • A DDoS (Distributed Denial of Service) attack is designed to destroy the state of your website, or even cause it to malfunction,
  • Ransomware takes your data hostage and demands a ransom to free it…

Unfortunately, there is not a single feature that protects the hosting platform. Instead, several “dams” contribute to the overall security of web hosting.

Security tools

The most common security tools used by web hosts are:

  • firewall,
  • defense against DDoS attacks,
  • antivirus,
  • spam filter,
  • SSL security certificate…

So, to best protect your website, you might as well choose a host that has all these features.

This way, all barriers are in place before hackers can reach your server.

Based in Clermont-Ferrand, o2switch implements protection tools to stop hackers before they reach your website… For the curious, everything is detailed in their infrastructure and web page in a very transparent way.

My advice: check that your host has all the means to protect itself from attacks.

2. Install the latest versions of WordPress and your plugins

As you know, WordPress is a great choice for publishing your business website.

Indeed, this tool offers thousands of extensions, often free, capable of adapting your website to your communication needs on the Internet.

But WordPress and all these extensions are above all software. Like any software, they are updated regularly.

The updated version has new features with better performance. But some updates also include fixes for security vulnerabilities.

That's why my second security tip is simply to update all this software as soon as a new version is available.

My advice: update all of this software quickly and regularly to strengthen the security and performance of your website.

How to install the latest updates

Gone are the days when you had to use a floppy disk or CD to update to a new version of software. Today, everything happens directly online.

For this purpose, WordPress has a standard alert system indicating available updates. The system shows notifications when updates are available for your WordPress plugins, themes, and core software.

Just go to your admin console and in the left column click on Dashboard > Updates.

Update an extension

From your WordPress admin console:

  • Go to the “Extensions” section,
  • Then click "Update Now" for each extension that needs to be updated.

My advice: before updating a plugin, I recommend that you click on the link “View version details” to see the changes made by the author of the plugin.

If the update instructions highlight a security patch, install it now. Otherwise, please wait a few days before updating the extension, while the bugs brought by this version are reported and fixed.

Updating WordPress by the book

To find out which version of WordPress is used on your website, check your WordPress admin dashboard.

Note: As of this writing, the latest version of WordPress is 5.8.1.

Usually, so-called minor WordPress updates are installed automatically. They are unlikely to interfere with the operation of your company's website.

But this is not necessarily the case for major versions of WordPress.

In this case, many problems can occur during the update process.

So you might as well take a few precautions before hitting the "Update Now" button:

  • Make a full backup of your website,
  • Copy your website to a dedicated development server. It can be hosted on the same server but with a URL like beta.yoursite.com,
  • Update your site on the development server first to test and fix any issues,
  • After validating this build on the development server, deploy it to the public URL.

This way and with careful testing, you won't have any problems.

Otherwise, you take shortcuts at your own risk.

Other tips

  • Update all extensions before installing a new version of the CMS,
  • Check that the new version of WordPress is compatible with the PHP version installed on your server. In fact, WordPress requires PHP to run,
  • If applicable, make sure your WordPress theme is compatible with the new version of PHP required for WordPress updates.

3. Migrate your site to https to secure it

Every day we share our personal information on different websites, whether to shop or log in.

To protect the data transmission, a secure connection must be created. This is where the HTTPS protocol comes into play.

HTTPS is an encryption method that protects the connection between a user's browser and your server. As a result, hackers find it harder to monitor connections.

Given the restrictions imposed by the GDPR since May 2018, it is better to avoid data breaches.

Additionally, Google announced the use of HTTPS and SSL as ranking criteria in its search results. This means that using HTTPS and SSL can help improve your website's SEO.

Migrating your website to HTTPS is not very demanding. All you have to do is get an SSL certificate. It's usually even offered for free by your web host.

Then, to set up this certificate and save technical time, please contact your developer to ensure a smooth migration.

To learn more, read my article: Migrating to HTTPS, a must for the security of your website.

4. Secure access to your company's website administration

Your website administrator login page is a prime target for hackers.

You have to be very careful not to complicate the life of a hacker.

Here are 3 simple actions to implement on your WordPress login page:

  • Choose a strong password,
  • Change the login ID,
  • Edit the login URL.

Choose a strong password

To protect your connection, be sure to choose a strong and unique password for all your platforms.

It would be silly if a benevolent person could access not only your site under WordPress, but also your list of subscribers under MailChimp, your prospects in HubSpot…

In the end, you will have a hard time remembering all those passwords. Since it's also not recommended to write them down on paper or on your phone, here's how to do it:

  • Start by choosing an easy-to-remember “master” password.
  • Then create a rule to "adapt" this password to each tool you use.

Concretely, choose your “master” password:

  • The character sequence in the title of your favorite movie (Kill Bill),
  • Add personal information hackers can't guess, like your eldest son's birthday (23),
  • Add special characters (£).

Example: Kill2£5Bill

Then, to set a different password for each tool, just append characters to the name of the tool you're trying to connect to.

For example, take the second letter of the tool's name and insert it in capital letters in the third position of the master password. With my example and WordPress, that gives: KiOll2£5Bill

Not clear? Read my 3 tips for choosing a password!

What if you share access to your WordPress site with your team?

But you can share access to your site's admin console with your team.

In fact, content marketing, organic referrals (SEO), and all other digital marketing activities depend on your team's ability to easily update your website.

So make sure all users you share access with know the importance of having “strong” passwords.

Also ask your users to change their password regularly.

To change your password or the password of one of your users, log in to your WordPress admin console:

  • In the left column, click on “Users” to display the list of your users,
  • Hover over a user and click the Edit link to view that user's profile,
  • Scroll down to see the "Generate Password" button, click on it, then after generating or entering the password, remember to use the "Update Profile" button at the bottom of the page.

Tip: use a password manager like LastPass or Dashlane. They generate strong passwords, but also store them in your browser so you don't have to remember them.

Change WordPress Default “admin” Login

During installation, WordPress adds the first administrator, whose name is “admin”.

Of course, hackers know that. Thus, if you authorize your users to use the “admin” login, they only need to know your password.

Follow the instructions below to immediately delete this “admin” user.

Create a new user with the administrator role

  • Login to your WordPress admin,
  • Go to the “Users” tab and click on “Add”,
  • Fill in user information,
  • Click on “Add User”.

Note:

  • WordPress will require a different email address than the "admin" user,
  • Select "Administrator" as the role for this new user,
  • Choose a hard-to-guess username. For example, I don't use "audrey" or "toto",
  • Choose a strong password as described previously.

Then quit WordPress.

Delete the administrator "Admin"

  • Login again with the admin credentials you just created,
  • Click on “Users” in the left menu,
  • Hover over "Administrator". Edit and Delete action links appear. Click "Delete",
  • So as not to remove anything assigned to "Administrator", select the "Assign all to" option on the next screen and choose a name from the list,
  • Click on the “Confirm deletion” button.

It is done!

Let's move on to the login URL.

Change the WordPress admin login URL

A security flaw in WordPress is the login link, which by default:

www.lesite.com/wp-admin

By leaving this link as default, you can simplify the hacker's job.

Changing this link from your WordPress login page immediately puts an additional barrier to securing your site.

So, to change your login URL, I recommend the free WPS Hidden Login extension.

After installing and activating WPS Hidden Login:

  • Go to “Settings” in the left column of the administration console,
  • Click on “General”
  • At the bottom of the page, you'll find the "Connection URL" field, where you'll enter a creative term that's easy to remember and hard to guess.

Check out our article “Secure WordPress with an Alternate Login URL!” for more details.

Obviously, share this URL with the rest of the team.

Limit the number of connection attempts to your administration

Unfortunately, if a hacker guesses your login page URL, they will try to log in by looping the username and password combination.

Security experts talk about brute force attacks.

So, to further protect your website, install an extension that blocks access after a few failed attempts.

Kind of like having your credit card blocked after entering your PIN incorrectly a few times.

Again, with no need to call the developer, there is a free WordPress plugin: Limit Login Attempts Reloaded.

As the name suggests, it limits login attempts. But don't worry, this extension is also available in French.

After installing and activating Limit Login Attempts Reloaded, you will find its settings under Settings.

  • Check the option to make the extension GDPR compliant,

By default:

  • After 4 login attempts, the user cannot login for another 20 minutes,
  • And after 4 blocks of 20 minutes, it's blocked for 24 hours.

If these values don't work for you, it's up to you to configure them.

Below you can also filter by IP addresses and/or usernames for which the extension is not enabled, or which are blocked by default.

In fact, an easy way to prevent people from breaking into your WordPress admin or hosting server is to block all IP addresses except those used by your team.
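As an added illustration (not code from this answer or from the plugin it recommends), here is a small Python model of the lockout rules quoted above: four failed logins lock an IP for 20 minutes, and the fourth lockout lasts 24 hours. The allowlist of team addresses is an assumption that mirrors the IP filter mentioned above; the class and parameter names are hypothetical, and the counter is kept per IP only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class LockoutPolicy:
    """Defaults are the values quoted in the answer; allowlist is a constructed extra."""
    max_attempts: int = 4            # failures before a lockout
    lockout_seconds: int = 20 * 60   # the first three lockouts last 20 minutes
    max_lockouts: int = 4            # the fourth lockout is the long one
    long_lockout_seconds: int = 24 * 3600
    allowlist: tuple = ()            # team IPs/CIDRs that are never locked out

@dataclass
class _State:
    failures: int = 0        # failures since the last lockout
    lockouts: int = 0        # short lockouts so far
    locked_until: float = 0.0

class LoginGuard:
    """Per-IP failed-login counter modelled on the lockout rules above (hypothetical)."""
    def __init__(self, policy=LockoutPolicy()):
        self.policy = policy
        self._states = {}
        self._nets = [ip_network(n) for n in policy.allowlist]

    def allowlisted(self, ip):
        return any(ip_address(ip) in n for n in self._nets)
    def is_locked(self, ip, now):
        st = self._states.get(ip)
        return st is not None and now < st.locked_until

    def record_failure(self, ip, now):
        """Count a failed login at time `now`; return True when the IP is (or becomes) locked."""
        if self.allowlisted(ip):
            return False
        st = self._states.setdefault(ip, _State())
        if now < st.locked_until:
            return True                       # still locked: attempt is simply refused
        st.failures += 1
        if st.failures < self.policy.max_attempts:
            return False
        st.failures, st.lockouts = 0, st.lockouts + 1
        if st.lockouts >= self.policy.max_lockouts:
            st.locked_until, st.lockouts = now + self.policy.long_lockout_seconds, 0
        else:
            st.locked_until = now + self.policy.lockout_seconds
        return True

    def record_success(self, ip):
        self._states.pop(ip, None)            # a good login clears the counter
```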

No one is infallible.

That's why these additional access tweaks can really boost your site's overall security.

There are more technical tips, like hiding the HTML tags that indicate your version of WordPress. For that, I recommend reading the article on securing WordPress on wpchannel.

But it's not done yet.

5. Regularly back up your entire website

Many entrepreneurs imagine that their web host backs up their files.

In addition, the backups provided by the hosting are usually kept on your server. So if your server “crashes”, you lose everything.

Here are 2 special cases:

  • A virus has installed itself on your server and cannot be eliminated,
  • Your website is hosted on a shared server. The website that shares your server has been hacked. Such an attack can negatively affect the entire server.

Either way, having a security redundancy strategy always works.

My suggestion: Install the “UpdraftPlus” WordPress plugin. Then configure it to perform daily backups and back up to external services like Google Drive.

Regularly check your backups to make sure they're working properly. There's nothing scarier than realizing your backups aren't set up correctly the day you really need them.

Redundancy contributes to the continuity of the site. Continuity means availability, which means more opportunities to win new customers.

Conclusion on the 5 “insurances” to secure your business website

Here are 5 “insurances” to avoid any disaster:

  • Choose a secure host,
  • Install the latest versions of WordPress and your extensions,
  • Migrate your website to HTTPS,
  • Secure access to your company's site administration,
  • Back up your website regularly…

These 5 things to protect your data and internet activity can be put in place in a matter of hours. Then you can sleep peacefully.

Obviously, when it comes to security, no method is infallible. But with these 5 security measures, hackers will be more inclined to visit sites that are easier to attack.

Now that your site is secure, take the time to regularly consult the recommendations posted by Google Search Console.

Not only will your Search Console warn you of possible security risks, but it will also provide a complete x-ray of your site, as Google sees it.

Your website is the cornerstone of your communication with your customers and prospects.

Take care of it like the jewel in your palm. Your digital marketing success depends on it!

Do you put these barriers in place to protect your website? Do you know any others?
