How to secure a WordPress site?

WordPress is one of the most popular content management systems in the world. The bad news is that it is popular with attackers as well as with legitimate users. The good news is that most attacks on it are automated and opportunistic, and a handful of disciplined habits keeps the large majority of them out. Here are the ones that matter most.

Keep your WordPress implementation updated

It's painful how many successful attacks exploit known vulnerabilities for which a fix was already available. That applies to WordPress core and equally to every plugin and theme on the site. Applying updates can be tedious, but it's a whole lot less tedious than having your site flagged as a malware threat and blocked by search engines and browsers. Then you not only have to get it unblocked but also make your way back to your previous position in the rankings. If an update worries you, test it on a staging copy first rather than skipping it.

How to secure your WordPress website from hackers

Be careful with themes and plugins

One of the many reasons WordPress is so popular is that it offers all kinds of themes and plugins. In the unlikely event that what you want doesn't yet exist, you can go ahead and create it (or have a WordPress developer create it for you). The problem is that themes and, even more so, plugins can be a major security headache: most publicly disclosed WordPress vulnerabilities are in plugins, not in core.

There are three basic rules to keep yourself safe from plugin issues (security and otherwise). The first is to install the minimum necessary to achieve your goal, and to delete, not merely deactivate, anything you stop using: a deactivated plugin's files are still on disk and still reachable. The second is to do your research before you install, especially with free plugins: when it was last updated, how many active installs it has, whether the maintainer responds to bug reports, and whether it has a history of disclosed vulnerabilities. The third is to keep them updated, for the same reasons you need to keep the WordPress installation itself updated.
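The two points above (keep everything patched, carry no dead plugin weight) can be enforced from inside the site rather than remembered. The following is an added example written for this page, not Comodo's code and not part of WordPress itself: a must-use plugin that turns on background updates for core, plugins and themes, keeps an exception list for plugins you prefer to test on staging first, and warns administrators in the dashboard when the updater has been disabled or when inactive plugins are still on disk. The plugin slug in the exception list and the `example_` names are placeholders chosen for this example; the WordPress constants, filters and functions used are real ones.

```php
<?php
/**
 * Plugin Name: Update policy (added example)
 * Description: Keep core, plugins and themes patched in the background and
 *              flag installed-but-inactive plugins for removal.
 *              Drop this file into wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only meaningful when loaded by WordPress.
}

// Plugins you update by hand after a staging test (e.g. a payment gateway).
// The slug below is a placeholder for this example, not a real plugin.
const EXAMPLE_MANUAL_UPDATE_PLUGINS = array(
    'example-payment-gateway/example-payment-gateway.php',
);

// Core: 'minor' takes security and maintenance releases automatically,
// true takes major releases as well. Usually set in wp-config.php, so
// only define it here if that file has not already done so.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins: background-update everything except the manual list.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $file = isset( $item->plugin ) ? $item->plugin : '';
    return ! in_array( $file, EXAMPLE_MANUAL_UPDATE_PLUGINS, true );
}, 10, 2 );

// Themes: always.
add_filter( 'auto_update_theme', '__return_true' );

// Dashboard warnings for the two things that silently defeat the above:
// the updater being switched off by a constant, and plugins left installed
// but inactive. On a default install an inactive plugin's PHP files are still
// served and executed if requested directly, so they are attack surface that
// brings no benefit.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $warnings = array();

    if ( ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
        || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) ) {
        $warnings[] = 'Background updates are disabled by a wp-config.php constant.';
    }

    $inactive = array();
    foreach ( array_keys( get_plugins() ) as $file ) {
        if ( ! is_plugin_active( $file ) ) {
            $inactive[] = $file;
        }
    }
    if ( $inactive ) {
        $warnings[] = 'Inactive plugins still on disk, delete them: ' . implode( ', ', $inactive );
    }

    foreach ( $warnings as $text ) {
        // Escape before printing: the plugin file names come from disk, not from us.
        echo '<div class="notice notice-warning"><p>' . esc_html( $text ) . '</p></div>';
    }
} );
```

Background updates run from WP-Cron, which by default only fires when someone visits the site, so on a low-traffic site pair this with a real system cron job that requests wp-cron.php every few minutes; and note that the must-use plugin itself is never auto-updated, which is exactly why it belongs under version control.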

Implement two-factor authentication

For clarity, two-factor authentication is not a substitute for strong passwords. Nor is it an invitation to use the same password (or a close variation of it) across multiple websites: credential-stuffing attacks exist precisely because people do. In principle, you should be using a strong, unique password for every site you visit, generated and stored by a password manager, and changed whenever there is any sign of compromise (routine forced rotation on a schedule mostly produces weaker, predictable passwords). In practice, if you really can't manage that everywhere, then at least use a strong, unique password for your WordPress site and enable two-factor authentication on it, preferably with an authenticator app or a hardware key rather than SMS codes.

Only login from safe connections

Try to avoid logging into your WordPress site from public WiFi at all, but if you absolutely must, use a VPN. More importantly, make sure the login page itself is only ever served over HTTPS (WordPress can enforce this for the dashboard with the FORCE_SSL_ADMIN constant in wp-config.php); if it isn't, your password travels in the clear on every network, not just the public ones.

Grant access privileges as they are needed

Give each user the lowest level of access needed to perform their role, and revoke it as soon as they are finished. In addition, be very careful about vetting anyone who has access to the back end of your site: the more access they have, the more carefully you need to vet them.

Be aware that your security can be compromised through ignorance as well as malice. When you take any action on your website, you should keep security front and center at all times. If you need to employ someone else to take action on your behalf, then you need to be confident that they will keep security front and center at all times.

One of the challenges with WordPress is that it's fairly easy to learn to use it at a basic level and to create sites that look good. The problem is that there is a difference between looking good and being safe (and performing well), and unless you take great care about vetting the people who have access to the workings of your website, you may well only find this out when it's too late.
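The least-privilege advice above maps onto concrete WordPress settings. What follows is an added example for this page, not Comodo's code and not something WordPress ships: a must-use plugin that defines a role carrying only what an outside writer needs, grants that role for a fixed number of days and then demotes the account automatically, and sets two constants that stop even an administrator session from turning into code execution or stored script through the dashboard. The role name `guest_author`, the hook `example_expire_access` and the `example_` function are this example's own choices; the capabilities, constants and API calls are WordPress's.

```php
<?php
/**
 * Plugin Name: Least-privilege access (added example)
 * Description: Minimal role for outside contributors, automatic expiry of
 *              that access, and dashboard hardening constants.
 *              Drop this file into wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only meaningful when loaded by WordPress.
}

// Nobody edits theme or plugin PHP from the dashboard: a stolen admin
// session must not become a web shell in one paste. (Also settable in
// wp-config.php, which is the conventional place.)
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Remove the unfiltered_html capability from every user, so post content is
// always passed through KSES and a compromised editor or admin account cannot
// store a <script> tag in a page for every visitor to run.
if ( ! defined( 'DISALLOW_UNFILTERED_HTML' ) ) {
    define( 'DISALLOW_UNFILTERED_HTML', true );
}

// A role with only what a guest author needs: write, publish and delete
// their own posts and upload media. No plugin, theme, user or settings access.
add_action( 'init', function () {
    if ( get_role( 'guest_author' ) ) {
        return; // add_role() writes to the database; create it once.
    }
    add_role( 'guest_author', 'Guest Author', array(
        'read'                   => true,
        'edit_posts'             => true,
        'edit_published_posts'   => true,
        'publish_posts'          => true,
        'delete_posts'           => true,
        'delete_published_posts' => true,
        'upload_files'           => true,
    ) );
} );

/**
 * Give a user the guest_author role for $days days; WP-Cron then drops the
 * account back to subscriber (read-only). Call once per engagement, e.g.
 * via `wp eval 'example_grant_temporary_access(42, 14);'`.
 */
function example_grant_temporary_access( $user_id, $days ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return false;
    }
    $user->set_role( 'guest_author' );
    // Replace any earlier expiry for this user rather than stacking them.
    wp_clear_scheduled_hook( 'example_expire_access', array( $user_id ) );
    return wp_schedule_single_event(
        time() + $days * DAY_IN_SECONDS,
        'example_expire_access',
        array( $user_id )
    );
}

add_action( 'example_expire_access', function ( $user_id ) {
    $user = get_user_by( 'id', $user_id );
    // Only demote if they still hold the temporary role; don't touch an
    // account an administrator has since deliberately promoted.
    if ( $user && in_array( 'guest_author', (array) $user->roles, true ) ) {
        $user->set_role( 'subscriber' );
    }
} );
```

DISALLOW_FILE_EDIT removes the code editors but still allows uploading a plugin zip; the stricter DISALLOW_FILE_MODS blocks that too, at the price of also disabling dashboard and background updates, so only set it on sites that are updated from the command line or a deployment pipeline. The expiry relies on WP-Cron, so the same system cron caveat as for updates applies.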

Limit what users can do on your website

Harsh as this may sound, any input you accept from anyone, even an unauthenticated visitor, can generally be used against you. For example, even an innocent-looking "Contact Us" form is a target unless you validate it properly on the server: a newline smuggled into the name or e-mail field becomes extra mail headers and turns your site into a spam relay, a script tag in the message becomes stored cross-site scripting the moment an administrator views the submission, and unchecked lengths invite abuse. As with the previous point, limit what users can do to the absolute minimum necessary to achieve your goal, and treat every field as hostile until it has been checked.
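Below is an added example of what "proper validation" looks like for that contact form; it is written for this page and is not Comodo's code or a WordPress component. The validation function is plain PHP with no WordPress dependency, so it can be unit-tested on its own; the surrounding handler and shortcode wire it into WordPress with a CSRF nonce, escaped output, and mail headers that the visitor never controls. All `example_` names are this example's own; the WordPress functions and hooks are real.

```php
<?php
/**
 * Plugin Name: Hardened contact form (added example)
 * Description: Server-side validation of a contact form before anything from
 *              it reaches wp_mail(). Drop this file into wp-content/mu-plugins/.
 */

/**
 * Validate raw form fields. Pure PHP so it can be tested without WordPress.
 * Returns array( 'ok' => bool, 'errors' => field => reason, 'clean' => field => value ).
 */
function example_validate_contact( array $input ) {
    $errors = array();
    $clean  = array();

    // Single-line fields end up in mail headers (Reply-To, Subject). A CR or
    // LF there lets the sender append headers of their own (Bcc: spam list),
    // so they are rejected outright rather than stripped.
    $single_line = array( 'name' => 80, 'email' => 254, 'subject' => 120 );
    foreach ( $single_line as $field => $max ) {
        $value = isset( $input[ $field ] ) ? trim( (string) $input[ $field ] ) : '';
        if ( $value === '' ) {
            $errors[ $field ] = 'required';
        } elseif ( strlen( $value ) > $max ) {
            $errors[ $field ] = 'too long';
        } elseif ( preg_match( '/[\r\n\x00]/', $value ) ) {
            $errors[ $field ] = 'control characters not allowed';
        }
        $clean[ $field ] = $value;
    }

    // The address must parse as exactly one mailbox.
    if ( ! isset( $errors['email'] ) && ! filter_var( $clean['email'], FILTER_VALIDATE_EMAIL ) ) {
        $errors['email'] = 'invalid address';
    }

    // The message may span lines but is plain text: strip tags, cap length.
    $message = isset( $input['message'] ) ? trim( (string) $input['message'] ) : '';
    $message = strip_tags( $message );
    if ( $message === '' ) {
        $errors['message'] = 'required';
    } elseif ( strlen( $message ) > 4000 ) {
        $errors['message'] = 'too long';
    }
    $clean['message'] = $message;

    return array( 'ok' => empty( $errors ), 'errors' => $errors, 'clean' => $clean );
}

if ( defined( 'ABSPATH' ) ) {
    // Handles POSTs to admin-post.php?action=example_contact from visitors
    // (nopriv) and logged-in users alike.
    function example_handle_contact() {
        // CSRF check: the form must carry the nonce emitted by wp_nonce_field().
        if ( ! isset( $_POST['example_contact_nonce'] )
            || ! wp_verify_nonce( $_POST['example_contact_nonce'], 'example_contact' ) ) {
            wp_die( 'Invalid request.', 'Contact form', array( 'response' => 403 ) );
        }
        $result = example_validate_contact( wp_unslash( $_POST ) );
        if ( ! $result['ok'] ) {
            wp_die( 'Please check the form fields.', 'Contact form', array( 'response' => 400 ) );
        }
        $c = $result['clean'];
        // The visitor's address goes in Reply-To (already checked: one valid
        // address, no line breaks). From: stays under the site's control.
        wp_mail(
            get_option( 'admin_email' ),
            'Contact form: ' . $c['subject'],
            "From: {$c['name']} <{$c['email']}>\n\n{$c['message']}",
            array( 'Reply-To: ' . $c['email'] )
        );
        wp_safe_redirect( home_url( '/?contact=sent' ) );
        exit;
    }
    add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact' );
    add_action( 'admin_post_example_contact', 'example_handle_contact' );

    // [example_contact_form] renders the form. The maxlength attributes are a
    // courtesy to the user; the server-side checks above are the real limit.
    add_shortcode( 'example_contact_form', function () {
        ob_start(); ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="example_contact">
            <?php wp_nonce_field( 'example_contact', 'example_contact_nonce' ); ?>
            <input name="name" maxlength="80" required placeholder="Name">
            <input name="email" type="email" maxlength="254" required placeholder="Email">
            <input name="subject" maxlength="120" required placeholder="Subject">
            <textarea name="message" maxlength="4000" required></textarea>
            <button type="submit">Send</button>
        </form>
        <?php return ob_get_clean();
    } );
}
```

If you later store submissions and list them in the dashboard, escape every field with esc_html() at output time as well; validating on the way in does not excuse skipping escaping on the way out.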

Invest in a reputable website vulnerability scanning service

At a basic level, a website vulnerability scanning service checks your site for malware and for known-vulnerable components (core, plugins, themes), and most bundle a web application firewall (WAF) that sits in front of your site and blocks common attack traffic. This in itself is usually worth the money, but the best options add functionality such as security information and event management (SIEM) and help with compliance programs such as PCI DSS, which requires regular external vulnerability scans.

They may also include a content delivery network to boost the performance of your website, and some are backed by a security operations center that watches the alerts for you. That can be a major benefit to companies with limited or no in-house IT security capability, which describes a lot of SMBs.

© 2024 Comodo Security Solutions, Inc