20 Jul 2023
Many people install Wordfence and then happily continue developing their websites. Voila! Security is taken care of, right?!
However, I still have a few tips if you want to properly secure your website. Here are some important steps to take:
- Review Wordfence settings: When you first install Wordfence, not all settings are configured optimally. This is because different servers or websites may not work well with certain restrictions. You need to manually review the settings to secure your website as effectively as possible.
- Use one security plugin, not three at once!: It’s important to use one reliable security plugin. Using multiple security plugins can lead to conflicts. They essentially perform similar functions, such as logging and blocking IPs and attacks. Multiple security plugins will interfere with each other.
- Ensure you have a complete data backup: Do you rely on your web host to handle backups? Well, not all web hosts provide complete backups (data + database), and some may only perform them weekly. There may also be storage limitations. Make sure you have the ability to choose backups from at least the past 3 days and have backups available for at least 2-3 weeks. At minimum! If your host doesn’t offer this, you can use a plugin like UpdraftPlus to configure backups. For example, set it to create backups once a day or every two days, with a retention policy of 10 backups and a minimum of 4 weeks. (Keep in mind that you’ll need sufficient server disk space or consider storing backups externally.)
- Update in a timely manner: No matter how good the security is, keep your theme, plugins, and WordPress itself up to date. Certain vulnerabilities can provide hackers with ample opportunities that security measures cannot counteract, risking the functioning of your website.
- Host one WordPress installation on a hosting package: It’s common for a test installation or an old blog to remain active. Hack scripts test your domain name for old installations to gain access to the server. Examples of folder names they search for include “old,” “new,” “blog,” “wp,” and “wordpress.” Additionally, WordPress sites can easily show up in search engines like Google, including old sites and test installations. So, don’t leave them unattended!
- Ensure you have a reliable web host: Some web hosts lag behind in maintenance or use outdated PHP versions. Hackers frequently discover vulnerabilities that require regular updates to server software. Make sure your host applies updates in a timely manner.
- Use a strong password: It goes without saying, use a strong password. But how often do people use passwords that are in the dictionary, like “fridge7” or the name of a pet? Even worse, some people use the same password to log in to multiple websites. Don’t do that! If a website, not even yours, gets compromised, those usernames and passwords will be exposed. Scripts will pick them up and attempt to use them on any website they can associate with the username. Use a long and unique password or consider using a password manager like LastPass or Dashlane.
A chain is only as strong as its weakest link, so make sure there are no weak links in the security of your website!