How to Ensure Your WordPress Site’s Web Host is Secure
WordPress has an unfortunate reputation for being incredibly easy to hack. Before you switch over to Drupal, however, there are some easy steps you can take to prevent a hacked WordPress site and keep your data safe from intruders.
Choose a Good Web Host
Every web host will advertise itself as “secure,” so the trick is to see how many layers of security your host actually offers. Things like daily malware scans, access to 24/7 support, and automatic updates can make a big difference in terms of the safety of your data. If you’re a first-time WordPress site owner, you may want to consider going with a managed hosting package. In a managed package, it’s up to the provider to maintain the technical aspects of your WordPress site, including security. This may sound like you’re giving up the controls, but in reality, it almost guarantees that your site will be kept safe. In a managed situation, security breaches are the responsibility of the provider. If they fail to protect your site, they are 100% accountable. Because of this, managed packages often go to greater lengths to ensure the security of their sites than unmanaged packages do.
Use WordPress Security Plugins
Installing a security plugin gives your site an added layer of protection above the measures already put in place by your web host. Any malware or other security threats that your web host misses will be picked up by the plugin in enough time for you to alert your host to the danger before it’s too late. Security plugins offer a number of detailed services that web hosts simply can’t manage for logistical reasons. Beyond regular malware scans, most security plugins will conduct security audits, file integrity monitoring, blacklist monitoring, security hardening, 24/7 notifications, and even put up a website firewall. In addition, many security plugins offer post-hack security actions. If your site does get hacked, you can rest assured that your site is still safe while you start looking for a better web host.
Use a Strong Password
The best passwords are ones that are hard to guess. Unfortunately, those also tend to be hard to remember. Auto-generated passwords that contain nonsensical strings of letters or special characters are always the best. However, if you find yourself constantly locked out of your own web hosting account, you don’t have to resort to an easy password and hope no one steals it. Names or words from invented languages in fantasy novels or RPGs can actually make fairly secure passwords, as they won’t show up in any dictionaries. For someone who’s never read Lord of the Rings or is unfamiliar with the specific Dungeons & Dragons campaign you typically play, choosing a password in Elvish is pretty close to choosing a nonsensical string of letters. If you’re not a fantasy nerd, spelling words backward, replacing certain letters with special characters (for example, replacing every “e” with a %), or eliminating all of the vowels from your password (for example, “pleasedonthackme” would become “plsdnthckm”) are all tricks to improve your password’s integrity.
Disable File Editing
The ability to edit your theme and plugins is a big advantage of using WordPress as your CMS. However, if you don’t plan on doing any intense editing in the near future, it’s recommended that you actually turn this feature off. If someone does manage to hack into your site, they can easily inject malicious code into your themes or plugins without you being aware of it. Worse, since editing is a permitted function on your site, your web host’s security measures or even your security plugins won’t detect that something is amiss until it’s too late. To disable this feature, head to Appearance>Editor. This will open up your wp-config.php file. Type the following code into the file to disable file editing:
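WordPress reads the DISALLOW_FILE_EDIT constant from wp-config.php to switch off the built-in theme and plugin editors, and it must be defined before wp-settings.php is loaded. As an added example (not code from the original article; the function names are made up for illustration), these shell functions check a wp-config.php for define( 'DISALLOW_FILE_EDIT', true ); and insert it ahead of the wp-settings.php line when it is missing:

```shell
#!/bin/sh
# Added example: check for and set DISALLOW_FILE_EDIT in wp-config.php.
# Function names are illustrative; the matching is line-based, so a define
# hidden inside a multi-line /* ... */ comment would be miscounted.

DEFINE_LINE="define( 'DISALLOW_FILE_EDIT', true );"

# Exit 0 when an uncommented define sets the constant to true.
file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)[[:space:]]*;" "$1"
}

# Insert the define ahead of the line that loads wp-settings.php.
# Returns 0 on success or no-op, 1 on I/O error, 2 when the constant is
# already mentioned with another value, 3 when no wp-settings.php line exists.
disable_file_edit() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    if file_edit_disabled "$cfg"; then
        return 0
    fi
    # PHP constants cannot be redefined: the first define wins, so a second
    # line would not override an existing "false". Leave that to a manual edit.
    if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
        echo "$cfg: DISALLOW_FILE_EDIT present but not true; edit by hand" >&2
        return 2
    fi
    grep -q "wp-settings\.php" "$cfg" || { echo "$cfg: no wp-settings.php line" >&2; return 3; }
    # Work through a private temp file rather than a wp-config.php.bak copy:
    # a backup left in the web root can be served as plain text and would
    # expose the database credentials.
    tmp=$(mktemp) || return 1
    awk -v line="$DEFINE_LINE" '
        !ins && /wp-settings\.php/ { print line; ins = 1 }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
}
```

Call disable_file_edit with the path to your wp-config.php; running it a second time changes nothing.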
Use SSL Certification
If your web host doesn’t offer SSL certification, don’t even bother with it. SSL, or Secure Sockets Layer, encrypts all of the data that passes between a site user’s web browser and your web server. Without an SSL certificate, that same data will all be delivered in plain text. This means that sensitive information like passwords and credit card details will all be there in plain text for anyone who wants to read them. Once upon a time, SSL certificates were only used by business sites, but now their importance is practically universal. Google even gives SEO preference to sites with SSL certifications, which is an additional reason to get one.