I recently had to ask my hosting provider for some help regarding passwords on one of my other WordPress websites. After the call the tech asked or rather tried to up sell their malware protection service to me for around $100 dollars per year on top of the hosting I already pay them. I decided to decline by saying I would look into it in the future, however it got me thinking that if they are providing this service then there must be a risk to WordPress sites. I immediately went to Google and Reddit to find what other people were doing.
Firstly there are a few ways that you can protect yourself from hackers that seem obvious to me but perhaps they are not obvious to every WordPress site owner.
- Keep your WordPress site updated. I believe the latest update at this time of writing is WordPress 4.9 and this was very simple to update – just one click and it was done. I did not backup my site before updating but it is recommended you do that if you have a lot of content. Many hosting providers will update your site automatically for you.
- Keep your WordPress plugins updated. You will need to do this manually. But it is as easy as selecting all plugins and pressing update from the plugin menu.
- The third thing that you should do to keep your WordPress site secure is to delete any plugins or themes that you are not using. You might want to keep one theme – perhaps twentyseventeen or the default theme un-activated but installed for troubleshooting purposes. Also you should delete the plugins that you have uploaded to your site via FTP they will be sitting in one of the directories of your website, you will not be able to do this from your WordPress dashboard.
- Change your passwords to something more secure or use the suggested password from WordPress as that is super complicated and uses a mixture of different letters, numbers, special characters or cases.
- Use a reCaptcha feature on any forms used on your website to add further security, and also regarding forms make sure that the plugin or form generator is not subject to SQL injection attacks or some other input validation exploits, this is when data input can be used to exploit your data and gain access to your website.
After you have been through these steps there are some plugins that I would recommend that you can install today to give your site extra protection:
Lastly if you have a VPS and you are using a solution like Microsoft Azure or Amazon AWS you could invest in a web application firewall. This is a costly solution but if you have a 7 figure business its seriously worth the investment.