I’m going to give you three very easy ways to drastically reduce your chance of having your WordPress site hacked.
Lots of folks who aren’t really technical at all have WordPress websites and blogs, and that’s one of the beauties of WordPress. Once you’re set up, you don’t have to be a technical person to make content changes. One of the challenges of WordPress, though, is keeping it secure.
You might think you have to be a developer to tighten up security on your site, but that’s just not true. While a developer can make configuration changes to lock down WordPress (and I recommend doing so), that’s not where I recommend starting.
The biggest reduction in risk, in my opinion, can be found through three easy, non-coding steps that even beginner WordPress users can handle.
Top 3 Things for Beginners to do to Make Their Site Secure
1. Choose Secure Hosting
When you’re choosing hosting, if you’re a beginner, you don’t necessarily think about security. You’re likely looking for the lowest price or possibly speed. I understand why, of course – you assume that all the big names are going to be secure – they have to be, right?
Well, some of the more advertised hosts aren’t actually the most secure. I recommend doing a bit of research online, both on hosts’ sites as well as review sites, before signing up for a web host. You want to find hosts that rate highly for security, but also rate well for customer service. No site is going to be 100% secure if it’s connected to the Internet, so you’ll want to know what happens if your site is hacked.
If you’re just beginning, too, you may be looking at a shared hosting plan. They’re where a lot of folks start because they’re cheap. You’re sacrificing speed and security with shared hosting because your site files are living on a machine with files from many other sites. If one of those other sites gets hacked, you’ll want to know how much protection is between you and that other site.
Beginners don’t often think about managed WordPress hosting because it’s a bit more expensive, and you may not know what you’re paying for. Better security is one of those things – managed WP hosting specializes in WordPress, so they are great at locking things down and keeping sites secure and clean. WP101.com has a great article about why you might want to choose managed hosting.
Recommendations: If you need inexpensive shared hosting, I currently recommend A2Hosting – they are security minded, quick, and the customer service is fantastic. For managed WP hosting, I’m now recommending A2Hosting again. I’m using it now, and really liking the service for the price. Another great option is WPEngine.
*Note: those A2Hosting links are affiliate links. That means that if you use that link to purchase from them, I will receive a small commission, with no hassle or additional charge to you, of course.
2. Administrator Username
When you’re setting up WordPress, you have to come up with an administrator account name and password. Don’t be tempted to use the standard username, “admin.” Can you imagine how many other people choose this same username? Well, if you can, so can hackers who are trying to get access to your site.
The password isn’t the only string of characters that puts up a barrier to unauthorized access to your website. Make the username work to keep your site safe. Pick something unique that isn’t obvious to someone trying a brute force attack. Don’t use “admin” or the name of your site.
Ah, the password. How many of you use “password” or a version of “123456”? For hackers trying to access your site, those are like a free pass. Unless you want adult themed popup ads (without getting the resulting revenue even!) on your site, try to make it a little harder to access. Here is a fascinating list of the top 100 bad passwords that SplashData has been compiling each year.
The trouble is that passwords are hard to remember if they’re long, random, use non-letter characters, and have to change every month. They’re more likely to keep you out than a persistent hacker. A solution that I use is a password manager such as LastPass (others are KeePass and 1Password). That way, I really only have to remember one long, crazy password. I also try to make the seemingly random characters mean something to me, but something that would be hard to guess based on the info that’s floating around the Internet.
But, in an interview with NPR, Paul Grassi, senior standards and technology adviser at the National Institute of Standards and Technology, has come up with new guidelines for creating passwords that are very different from the standard advice. According to the guidelines, if you can come up with a story or experience that you can remember, but that wouldn’t mean anything to others, you can use that as a password. You can eliminate the special characters that are hard to remember, and make up for that complexity by making the password very long.
I think for me, I’ll continue to recommend using a password manager, but will think about a long phrase or description that I could use for the one complex password for the password manager.
Although these 3 steps are really just the tip of the iceberg when it comes to WordPress security, I think they’re often overlooked. A client just recently complained to me about being hacked, but was still using the username “admin” and a short, not-very-random password. This is where I think everyone should start, and these are three items that are entirely under your control, no matter how technical you are.
Start today with your WordPress password – it’s the easiest to change if you already have a site. Make sure it’s not on the “worst” list and make it unique to you and very long.
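For readers who do want to see the username and password advice above as a concrete check, here is an added Python example (not code from this post or from WordPress). The small worst-password sample, the list of obvious usernames, the 16-character threshold, the function names and the sample site are all assumptions made for illustration.

```python
import re

# Constructed sample of widely published weak passwords; a real check would
# load a full worst-passwords or breached-password list instead.
WORST_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                   "abc123", "iloveyou", "admin", "111111"}
# Usernames assumed here to be the first guesses in a login brute force.
OBVIOUS_USERNAMES = {"admin", "administrator", "root", "webmaster", "test"}
MIN_LENGTH = 16  # assumed threshold for "very long"; pick your own

def squash(text):
    """Lowercase and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def site_tokens(site_name, domain):
    """Forms of the site's name that anyone can read off the site itself."""
    tokens = {squash(site_name), squash(domain.split(".")[0])}
    return {t for t in tokens if t}

def audit_username(username, site_name, domain):
    findings = []
    name = squash(username)
    if name in OBVIOUS_USERNAMES:
        findings.append("username is a default or obvious account name")
    if name in site_tokens(site_name, domain):
        findings.append("username is the site's own name")
    return findings

def audit_password(password, username, site_name, domain):
    findings = []
    lowered = password.lower()
    # "Password1!" and "1234567" are versions of worst-list entries.
    base = re.sub(r"[\d\W_]+$", "", lowered)
    if (lowered in WORST_PASSWORDS or base in WORST_PASSWORDS
            or any(lowered.isdigit() and lowered.startswith(w)
                   for w in WORST_PASSWORDS if w.isdigit())):
        findings.append("password is on, or a variant of, the worst list")
    if len(password) < MIN_LENGTH:
        findings.append(f"password is shorter than {MIN_LENGTH} characters")
    squashed = squash(password)
    for token in site_tokens(site_name, domain) | {squash(username)}:
        if token and token in squashed:
            findings.append("password contains the username or site name")
            break
    # No rule demands special characters: length carries the load.
    return findings
```

An empty list from both functions means the pair passes these particular checks; it does not replace the host's own login protections.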