Securing WordPress Websites for the DIY Person
In the past, I have been involved with some of my clients running into that horrible situation where something went wrong, and suddenly realize there is no back-up. Or they tell me sheepishly they saw some warnings on their site but paid no attention. I’ve had clients ‘accidentally’ let their hosting plan expire, then realize too late that there is no backup. Hacked sites can be difficult to clean. Sometimes a complete re-build must be done to get a site back up, and this happens at great expense in both time and money.
Like most of us, we can get too busy to do all the things we know we are supposed to do. I know, there is barely enough time to either take care of business, or take of our home lives, not both!
Securing your website with updates and backups is critical
The most important thing we can do is keep our websites updated; this is critical. A website that doesn’t get all its updates becomes vulnerable to hackers trying to insert malware. Hackers do this for many reasons; to plant spyware, to plant ransomeware. To send out spam, or insert icky ads for pharmaceuticals, or worse. Maybe they’re just evil. Who knows? But it happens. Anyway, I’m getting off track.
The second most important thing website owners must do is keep consistent backups, and keep those backups secure. There is more that should be done, and thankfully, you have me, Kerri Marvel Services, to handle this for you. Go here for Pricing and details for KMS Website Care Plans. Read my Care Plan FAQs here.
Some of you may feel you want to be the Do-It-Yourselfer for these updates and more. Sure, you can. The following list gives you an idea of what’s involved.
Backing up prior to updating
Make sure you back up your database and all your site files prior to updating. Here are details on WordPress.org as well. I recommend using BackupBuddy or Updraft Plus. BackupBuddy is a premium plugin, which means you need to buy it annually. Updraft still has a free version. You need to make yourself familiar with not only backing up but also restoring your site. Always check with your hosting company to see if they offer a back up for you. All hosting companies vary.
Update WordPress Core
After you back up your site, first check your dashboard to see if you need to update WordPress. If so, do that update first.
Update Themes (Use caution!)
Update any themes that indicate from the dashboard that they need updating. Use caution. The exception to that rule would be your active theme. Under APPEARANCE, THEMES, it will tell you which one is active. Do NOT update or you will lose all your theme customization. Never update a child theme. If you don’t know which is what, don’t update – Contact your web person. All other themes can be updated. WordPress comes with some basic themes that need updating even though they aren’t active. It’s good to have at least one alternative theme in case yours is not working for some reason.
Next, update any plugins that require an update. If anything doesn’t work, you may need to deactiviate plugins one by one until you figure out which one is broken. Also, make sure you know how to restore from your backup! Plugins are where the most issues occur regarding updates. Make sure you have a back up of the previous plugin version.
Empty Spam Comments
Empty your spam comment folder. This can have all kinds of awful links in it. If you have comments active on your site, sign up for Akismet to help filter these. Make sure your comments are set to require your approval before appearing on your site. Better yet, if you don’t need comments, disable them.
Install a plugin for virus scanning. I recommend WordFence or Sucuri. Block any IP addresses that routinely try to attack your site as ADMIN or admin. Hackers always go after ADMIN/admin (never have these user names). You could also call your hosting company and ask what they offer for security. Make sure to ask not only what they offer to monitor and update your site, but also what they offer to restore it if it gets compromised! SiteLock is commonly offered, but the basic package only lets you know you’ve been hacked and doesn’t restore your site.
I recommend doing all of these steps once a week to reduce your risk of a site hack.
Other steps you can take
- Make sure no one on your site has the username ADMIN. This is HUGE! Read more about this here.
- Use strong passwords, that no one can guess.
- Sign up for a Google Webmaster Tools account and monitor your site there.
- Sign up for a WordPress.com account (user only) and install JetPack on your site (it’s a plug in). You can add BRUTE PROTECT and other security features with this plug in.
- Contact your hosting company and find out what they offer for backups, malware and virus scanning. Know ahead of time if and how they would be able to restore your website.
Lastly, you can ask me (KMS) for help if you update on your own and still get hacked or have something go wrong. Yes, of course I will help you, in any way I can. (Hourly rates will apply.)
If this to-do list looks too overwhelming or you don’t think you’ll be able to keep up week after week, month after month, please consider purchasing a WordPress Website Care Plan from KMS, and I will take care of all of it for you.