WordPress is considered one of the most popular CMS (Content Management Systems) today, powering nearly 24% of the websites on the internet. But because of its popularity, it is prone to security attacks and hacks. Nearly 60% of websites that use a CMS are on the WordPress platform because of its ease of use and overall strength in search engine optimization features. Since it is an open source platform, it has a large community of web development contributors that continually enhance the platform with new WordPress plugins and WordPress themes.
Using WordPress as the basis for building your website requires maintenance and great security measures to guarantee protection from malicious hackers. Having WordPress security plugins, such as Sucuri, Shield WordPress Security, iThemes Security, does help in maintaining overall WordPress security, however additional steps should be taken. We will detail the best ways to secure your WordPress site from malicious attacks, as well as how to maintain them.
Undergoing a WordPress website hack can be stressful and time consuming. Not only does it affect traffic and sales revenues, but it can also have a negative impact on Google search engine rankings. Recovering from a hack takes a significant time commitment and money, therefore it is important to take the necessary precautionary steps to keep your website healthy.
Prevention costs are far less expensive than recovering from a full-blown security hack.
WordPress websites commonly get hacked through WordPress security vulnerabilities, such as in the hosting platforms, non-secure WordPress themes and plugins, or weak passwords. Hacks can come in several ways:
- Hackers can use your site to infect your visitors’ PCs with malicious software to gain information. It can also infect your website with malware such as key trackers, back doors, and ransomware.
- Redirect your visitors to other websites.
- Server takeover and use your hardware for sending spam emails.
Below are best practices in maintaining and securing WordPress websites:
1. Use a unique table prefix: When you are setting up a new WordPress website, make sure to change the Table Prefix to something unique. The default is “wp_”, and hackers will use this knowledge to beginner WordPress designers to make your website more vulnerable to SQL injections. You can change the Table Prefix using the iThemes Security plugin.
2. WordPress version: Keep your WordPress version up to date. WordPress will provide updates with new features and address any security issues in previous versions.
3. Theme updates: Remove any themes that are not needed to help speed up your website. A few great resources that you can use to see if plugins and themes are trustworthy are: WordPress Plugin Vulnerabilities, Theme Check, and Plugin Check.
4. Plugin updates: Remove any plugins that aren't being used. This can also improve the speed of your website. If a plugin hasn’t been updated by the developer for more than a year, then it’s better to search for an alternative plugin. Regular theme updates and plugins aid towards making your WordPress website more secure.
5. Tools for website scanning: If you suspect that your website has been compromised or hacked, be sure to use tools to scan or check your website:
- Viruses: AntiVirus, WP Antivirus Site Protection plugin, VirusTotal web service
- Malware: Sucuri SiteCheck.
- General: Unmask Parasites and Web Inspector.
- Spam: MX Toolbox.
6. Username and passwords: Delete the user account name “admin” and create a new admin account using a unique username. Keep the password strong by using a combination of capital, numbers, special characters, and small letters. Limit the login attempts into the backend which will prevent brute force attacks.
7. Backup your website: Backup your website on a frequent basis. Having backup files can come in handy, in case troubles do arise. This can be done through the hosting provider, downloading local copies through FTP, or via a plugin that can automatically backup your website: BackupBuddy, UpdraftPlus, BackWPUp, BackUpWordPress.
8. Optimize your database. The database is where your website content is stored – this includes any images, videos, blogs, pages, and page settings. As your website grows, your database fills up, and can have a negative impact on your website speed (Google ranking factor). There are several good WordPress plugins that can be used to optimize your site database and MYSQL database tables: WP-Optimize, WP-Sweep, P3 (Plugin Performance Profiler), WP Clean Up, Optimize Database after Deleting Revisions, WP-DBManager, Optimize DB, W3 Total Cache, EWWW Image Optimizer, WPDBSpringClean, Revision Control, WP Performance Pack, NextGEN Gallery Optimizer, WP Database Cleaner, Wordfence Security.
9. Keep your website speed on point. Website loading speed is a Google ranking factor, thus, having a slow loading site can hurt SEO and website traffic. Use Google PageSpeed Tools and GTmetrix to gain insights into how you can optimize your website’s load time and performance.
10. Maintenance mode. If you are working on a live site, it’s better to take your site offline, so that your visitors don’t see or experience anything that they shouldn’t while you are making updates. There are plugins that you can use to indicate to your visitors that your website is currently in maintenance mode: WP Maintenance Mode, Maintenance, and Coming Soon Page & Maintenance Mode.
11. Test your forms. You’ll want to test your contact and order forms, to ensure that they’re working properly and that you don’t miss out on any lead conversion opportunities.
12. Index check. If you want website visitors, then it is important that people are able to find it on Google. You can check to see if your website has been indexed or listed in search engines, by typing site: 'yoursite.com' into the Google search engine field or by using the Screaming Frog SEO Spider Tool.
13. Monitor SEO. This is essential to ensure that your website gets indexed in search engines. You can monitor SEO using a number of tools, such as Google Analytics. You’ll also want to optimize for on-site SEO opportunities to help increase your website rankings.
14. Monitor offline status. You can monitor the uptime of your website using Pingdom. The quicker that you know whether your website goes offline, the quicker that you can address the issue.
15. Hire a website maintenance company. If time is of essence to you, and you don’t have in-house IT or a webmaster, then it’s ideal to hire a company that specializes in website maintenance. Some web agencies will specialize in WordPress maintenance, Magento maintenance, or both.
Below is a list of the features that are typically included in a website maintenance package. Some companies may have only a few or offer all of these features, and may also have different tiered pricing depending on the requirements, size of the website, and company size (e.g. SME vs Enterprise):
- Technical support
- Security audit & recommendations
- Full-site & database backup
- WordPress version updates
- Plugin version updates
- Content updates
- Uptime monitoring
- Malware and virus scans
- Changes to the website
- Spam comment cleanup
- Support marketing initiatives
- 24/7 Up-keep monitoring
- Available performance caching
- Strategy & planning
- Database optimization and cleanup
- Security audit
- SEO analytics report
- Speed up your website
- Tighten security
- Grow more traffic
- Fix broken links/codes
- Decrease cart abandon rates
- Mobile responsive on all devices
- Priority urgent request support
- Annual development hours
- Plugin or theme installs
- Site migrations
- Custom development of the website as per requirements
- Site performance check & recommendations
- Development on test websites
At Webilize, we have WebilizeCare Customer Success Services, offering support to companies at all levels from small and mid-sized to enterprise. Requests can range from simple security and maintenance tasks, to complex integrations. We offer support plans for WordPress and Magento websites.
Be sure to read our blog post on SEO called, “SEO Best Practices (2017 Update)”