Disclaimer: Any products/services mentioned or recommended below are suggestions based on our own experiences. We have no affiliation with any of the products or services mentioned, and you should always thoroughly and independently research your options to decide what is best for you.
With new exploits hitting popular website software every minute of every day, few people can truly afford to leave their website vulnerable to attack. We’ve collated a comprehensive set of steps that, when enacted on your website, can give you a high level of protection against the vast majority of WordPress exploits and hacks.
Wordfence is one of the leading security plugins for WordPress. With over 3 million users, you can rest assured that you’re in capable hands when using their firewall protection features. Better yet, Wordfence offers a premium option, which will push out exploit patches to your website as soon as they become known, ensuring optimal protection from the vast majority of core, theme and plugin exploits. At $99 USD per year, it’s a fairly affordable plugin if you’re trying to protect a particularly high-value site, such as one running an online store or collecting important user data.
Wordfence’s premium option has the added benefit of offering two-factor authentication protection for your WordPress administrator accounts, which can significantly reduce your exposure to a range of exploit types.
The main reason we recommend ManageWP is that it can automatically manage your WordPress core, theme and plugin updates, with a built-in safe update feature that helps updates run smoothly and lets them be easily reversed should something go wrong. This saves you from having to remember to log in and install your available updates every other day. ManageWP also offers a vulnerability scanning feature, which we would recommend activating on your website too, for an added layer of external checking.
Reinforce Your Passwords
It might seem basic, but you’d be surprised (or maybe a little horrified) by how easy it is for basic passwords to be exploited by malicious parties, and how often basic passwords are still used to protect sensitive website administrative areas. Check out our recent blog post on setting up a password manager, which can greatly assist you in using strong, unhackable passwords, without the need to remember a thing!
Passwords to reinforce include your MySQL user password, your WordPress administrator account password, your cPanel password and your OnePanel password.
Tidy Up Your WordPress Dashboard
A very quick and effective way to reduce your chances of exploitation is to completely delete any themes or plugins you are not actively using on your website. For every theme or plugin you have installed, your chances of being affected by an exploit increase. Many websites are running more plugins than they really need, or have plugins installed that they are not using at all, so it’s a good idea to check through your dashboard to see if there’s anything there you can cut loose.
To check what themes and plugins you have installed, simply open your WordPress dashboard and navigate to Appearance > Themes, and then Plugins > Installed Plugins, respectively. Be sure to completely delete anything not in use where possible, rather than leaving deactivated themes and plugins lying about.
Make sure you’re using SSL!
If you still haven’t got an SSL certificate installed and in use on your website, this should be your main priority above all else. These days, SSL protection is extremely simple and easy to install. Check out our recent blog post, “SSL Certificates: If You Think You Don’t Need One, You Should See This” to get a comprehensive rundown on what to do to ensure you’re protected.
Update Your PHP Version
Newer PHP versions typically come with not only massive performance improvements but also enhanced security for your hosting account and everything stored within it! Check out our blog post on how to check and update your PHP version to the latest stable release, which, at time of writing, is version 7.3.
If you can check off all of the points above – it’s time to sit back and relax! Your online business is now well protected, and highly unlikely to be at risk during most WordPress exploit events.