Uncontroversial statement: website hacks are a pain! Now that you've built it, they will come. So website security is your next task. (If you haven't built it, or are in progress, my 3-part "Insider's Guide to Author Websites" series will help: Part One, Part Two, Part Three.)
In my day job as a web designer, we deal with them regularly, and they are no fun to clear up. It's even less fun to restore website content in the aftermath. We find websites whose posts have been hacked to redirect to less-than-legit movie download websites, comments sections hacked and spammed with countless "cheap viagra" links and the ubiquitous porn links. These make you look unprofessional at best, and your site unsafe for users to browse.
A Fan of WordPress
In previous posts, I've made it no secret that I love to work in WordPress and think it's the best author website platform out there, so this post will deal mostly with securing self-hosted WordPress sites—but you can use many of these very simple steps to better secure any system. Also, this is by no means an exhaustive list. There are a number of outstanding, comprehensive and up-to-date posts on web security, and on WordPress security in particular, that you should take the time to read if you're serious about the subject. I'm presenting what I see as the first essential, non-negotiable steps to securing your website against most intrusions. No security regimen can prevent all unauthorized access, but a pinch of security can prevent a pound of problems down the line, as many hackers and bots will move on to easier targets—and there are plenty.
With these four easy (I mean it!) steps, you can harden your site against most attacks, and not have to deal with the headache of cleanup and restoration.
Website Security Step 1: Avoid Default Usernames & Weak Passwords
In WordPress, when you create a new site, the default user created by the system is named "admin." You must change this! Since most sites do not take this step, a bot or hacker mounting a brute force attack has one piece of information and can work on the other—your password. By changing this to something unique to your site, you have just doubled the barrier to entry for intruders.
If your site already is using the "admin" username, it's time to change it. By default, WordPress doesn't allow usernames to be changed once set. However, employing a plugin like Username Changer can allow you to update your insecure username quickly and easily. Just remember to deactivate and delete the plugin when you're done—no reason to have plugins installed that you are not actively using on your site.
Username Changer in action on a WordPress website.
With passwords, the idea is similar. If you are employing an insecure password, you are putting yourself and your work at risk. It doesn't get more basic than this. Most people use a highly insecure password because it is easier to remember. But with services like LastPass, a browser app for Chrome, Firefox, and Safari that stores and autofills your password information securely, you can have properly secure passwords and not worry about having to remember a long string of letters, numbers, and punctuation.
To create a secure password, I rely on LastPass's easy-to-use password generator. Select a couple of settings and you can get secure passwords generated for any service that you're using.
Website Security Step 2: Stay Up-to-Date on Core Files & Plugins
This is so easy, and so, so important. YOU MUST UPDATE. Always, whenever the updates become available, ASAP, post-haste, etc., etc.
WordPress (and most commercial Content Management Systems) provide simple ways to update your software from inside your admin suite. In WordPress, there is a link at the top of your admin panel simply marked "Updates" which will show you the core software and plugin updates that are pending. It will allow you to make single-click updates to all of them quickly and easily.
There is no excuse for not updating your software, because out-of-date software is one of the easiest things on a website for an intruder to exploit. Often the update that you are sitting on is a patch that specifically resolves security vulnerabilities. Would you leave your home with broken door locks when you could easily change them? I think not. But letting your updates languish in the queue is the website equivalent.
Do yourself a favor and check your Updates notifications now—don't wait for something to happen. For more info, see the WordPress Codex on Updating.
Website Security Step 3: Absolutely Use These Key Plugins
Limit Login Attempts - Free Plugin
This one is really straightforward. If an attacker makes repeated login attempts on your admin login, they will be shut down by this plugin, and not allowed to attempt another login until a specified time has passed. This confounds brute force attacks, which rely on many login attempts. Without this plugin, an attacker can try with impunity until they get it right. Get Limit Login Attempts plugin
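To show what the plugin's lockout policy does, here is an added illustration (not code from Limit Login Attempts or from the original post) that replays a handful of constructed web-server access log lines through the same rule: a set number of failed logins from one address inside a time window locks that address out for a while. The thresholds, addresses and log lines are assumptions; in WordPress a failed login re-renders wp-login.php with status 200, while a successful one answers 302 and redirects into wp-admin, which is the tell the example keys on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" format (assumed, not from any real site):
# 203.0.113.7 hammers the login form, 198.51.100.9 mistypes once and then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def simulate_lockouts(lines, max_failures=4, window_min=20, lockout_min=20):
    """Replay log lines through a Limit-Login-Attempts-style rule (thresholds assumed).
    A failed login is a POST to wp-login.php answered 200; a success is answered 302.
    After max_failures failures within window_min minutes an IP is locked out for
    lockout_min minutes, and every attempt during the lockout counts as blocked."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    locked_until = {}              # ip -> when its current lockout expires
    lockouts, blocked = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        if ts < locked_until.get(ip, ts):  # still inside a lockout window
            blocked[ip] += 1
            continue
        if status == 302:                  # successful login clears the failure history
            failures[ip].clear()
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > timedelta(minutes=window_min):  # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            lockouts[ip] += 1
            locked_until[ip] = ts + timedelta(minutes=lockout_min)
            q.clear()
    return dict(lockouts), dict(blocked)
```

Running `simulate_lockouts(SAMPLE_LOG.splitlines())` reports one lockout and one blocked attempt for 203.0.113.7 and nothing for the legitimate user, which is the behaviour you want from the plugin on a real site.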
Wordfence - Free Plugin with Premium Options
Wordfence is a key player in WordPress security. This all-in-one plugin gives you a malware scanner, a website firewall, brute force attack blocking, comment SPAM blocking and more—all 100% FREE. If you opt for the Premium Version ($8.25 per month at time of writing), you get a host of advanced and automated features that are well worth the price of admission. However, you can accomplish a lot with the free version, so don't hesitate to add it now. Get Wordfence free plugin
UpdraftPlus Backup - Free Plugin with Premium Options
Back up your site with one click or automatically with UpdraftPlus for WordPress. This handy plugin lets you instantly and easily send a backup of your site to one of a number of cloud storage services, including Dropbox and Google Drive. No matter how good your security is, you can't completely eliminate the threat of intrusion. Take the proactive step of having a recovery copy of your site available should the worst happen. Get UpdraftPlus free plugin
Website Security Step 4: Use a Reliable WordPress-specific Host
A number of hosts offer WordPress-specific hosting these days, including major players like GoDaddy and BlueHost. There are differing opinions on the value of WordPress managed-hosting, but for ease of use in setting up or transferring a WordPress site, I love these services. Some, like GoDaddy, also have easy staging and backups included, which make managing and securing that much easier.
Most of the time, I use GoDaddy's WordPress Managed Hosting product, but I've been getting a lot of recommendations for WP Engine lately, and have been checking it out, and can report it looks like a great service.
For an extensive breakdown of the options and which you may want, check out this excellent WP Beginner article: Best WordPress Managed Hosting Compared
WP Beginner even has a Best WP Managed Hosting quiz that can help match you with a service that's best for your website. It only takes a few minutes and is well worth a try.
So there you have it—4 simple steps to ensure website security that can be executed by any WordPress site owner in less than an hour. You have no excuse for making it easy for intruders to get into your author website. Take the time today to protect your site, and be thankful later when someone else is dealing with the headaches post-hack.
If you aren't already a member of BookWorks, please check us out for more great content like this and join our community of indie authors, editors, coaches, designers, marketers, bloggers and other self-publishing pros.