11 Ways for Small Businesses to Secure their WordPress Website

WordPress Security Tips WordPress has become the de-facto content platform of choice for small businesses, so it comes as a surprise that recent reports indicate that there has been a distributed attack from over 90,000 different machines against WordPress installations. This means that your website, if powered by WordPress, could be at risk.

WordPress powers nearly two-thirds of websites that use a content management system, so you can probably see why hackers are motivated to attack them. You have to consider the fact that hacking these days is not so much an intimate attack, rather a widespread attempt to compromise WordPress installations for nefarious purposes. This includes publishing spam, sending email spam and even going so far as making you a part of a complex botnet.

Laughing aside, there are practical ways you can secure your WordPress site. If you take anything away from this post, realize that security requires your understanding and adoption of security practices. It’s not just a plugin or a patch that will secure you. That said, you don’t have to be a security “expert” to implement wise security practices. Here are 11 ways to secure your WordPress-based site from hackers.

11 WordPress Security Tips

  1. Update WordPress – WordPress is software and must be updated because the changes made to the core will often include security enhancements. WordPress updates (at least for the past year) have been automatic, seamless and easy to do. There are no excuses as to why you can’t be using the latest version of WordPress.
  2. Regularly Backup Your Data – By maintaining regular backups of your files and database, you can rest assured that your content is safe and secure. When trouble comes knocking, you can revert unwanted changes and get on with running your business. If you use Dropbox (free file storage), you will want to use WordPress to Dropbox to effortlessly maintain your backups. As another option, BackupBuddy is a premium offering that many users also enjoy.
  3. Update WordPress Plugins (and Themes) — Outdated plugins are a frequent target among hackers because they know that users are less willing to update them. Carefully update plugins (one by one) and if you’re not using them, deactivate and later delete them. Similarly, keep your themes updated because they, too, are targets among hackers because they know that users are even less willing to update themes due to fear of unwanted changes.
  4. Use very strong (more than 10 character passwords) – It’s been said for years, but it is absolutely critical to use secure passwords. Make sure that you use mixed casing, numbers and even symbols in your password to ensure automated attacks would not guess your password. For enhanced protection, use Google Authenticator to add two-factor authentication to eliminate the threat of compromised passwords.
  5. Limit access to Administrator privileges – Not everyone needs administrative access! WordPress itself offers the ability to change user types based on their overall roles. For greater control, consider giving User Role Editor a shot. If you only manage one user, create an additional user with author access, and use that for creating and editing your content.
  6. Set and enforce proper file permissions — On your web server, you want to make sure the files and directories have the proper permissions. Without getting too geeky, the permissions ensure that existing files (and new ones) cannot gain unwanted control and cause havoc later.
  7. Limit login attempts – To limit the use of automated attempts that compromise your WordPress site, consider limiting login attempts with the use of a plugin named Login Lockdown. Optionally, you can use Better WP Security for guidance on this and other security topics mentioned here, too.
  8. Consider using Cloudflare for DNS-based security — Cloudflare is a free service that protects your entire domain from malicious traffic and Distributed Denial of Service (DDoS) attacks intended to bring your site down. It’s not the easiest thing to set up, but if you follow their tutorials, you’ll be pleased with the results. In the event of imminent threats, Cloudflare is able to protect all users from being victims of an attack.
  9. Consider using IPVenger for IP reputation filtering – If you are unable to edit your DNS settings, a premium service from NorseCorp, IPVenger, allows you to filter traffic similarly to Cloudflare, directly within WordPress. From my own testing, it’s a solid service that can handle boatloads of traffic.
  10. Routinely scan your site for security issues – Assuming you have strong passwords, trustworthy themes, updated plugins, you can put your WordPress site to the test and see if it is secure by scanning it regularly with Sucuri or WebsiteDefender.
  11. Use SSH authentication & SSL – I’m happy to see that many web hosts default to using SSH encryption when users want to upload files to their web server. Likewise, you want to invest in an SSL certificate for your site and configure WordPress to force logins via SSL.

Admittedly, maintaining your own WordPress site can be a lot of work. (Hey, it’s one of my main responsibilities for Infusionsoft!) So long as you are informed of the on-going security risks, stay current on WordPress releases and make a concerted effort to harden your WordPress site, you should be okay. For more in-depth updates on the security front, be sure to subscribe to the Sucuri Blog.

Long-Term Recommendations

If managing the finer, technical elements doesn’t excite you, that’s okay. For a reasonable monthly price, look into Pagely or WP Engine for hosting your WordPress site. Both companies provide managed WordPress hosting, which means they maintain sensible security practices and provide helpful support. Essentially, they offer the performance of a dedicated host without any of the hassle.

When configured correctly, WordPress is a great content management system for small businesses. Thinking about your security now will save you time and hassle later.

Once you secure your WordPress site, it’s time to generate some hot leads! Here is a helpful e-book packed with ideas on how to use your blog generate traffic and leads from Infusionsoft.

Let us know what you think about these WordPress security tips. If you have suggestions, comments or even questions, give us a shout in the comments below!

Photo Credit: Sh4rp_i

About the Author

Joseph Manna is a contributor to the Big Ideas Blog and shares helpful insights about social media for small businesses. He's the Sr. Content Strategist at Infusionsoft. When he's not blogging here, he blogs for the Infusionsoft Blog and can be found on Twitter.

  • Igal Zeifman

    Hi Joseph,
    Very good list. I wanted to bring this (http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos) to your attention. This describes how WP native pingback mechanics could be used to turn WP sites into DDoS machines. You may want to add this to the list.

    • http://blog.joemanna.com/ JoeManna

      Igal Zeifman Thanks, Igal. By default I disable pingback whenever I setup a WordPress site. Great suggestion and I didn’t know just the pingback mechanism can open the door to attackers. Thanks for contributing! :)

      • Igal Zeifman

        JoeManna Hi, Happy to help. One thing thought… As we’ve noticed, turning-off pingback won’t suffice. As long as xmlrpc.php is present and accessible (not renamed or blocked) the door remains open.