UPDATED: April 7th 2022
Security is top of mind these days for us with the recent invasion of Ukraine by Russia. In fact, we were first alerted to the attack on Ukraine by a security plug-in we use on many of our client websites.
Now, I don’t think we need to worry as website owners that the Russian government will attack our websites but the truth is, our websites are being attacked all the time. You just don’t know about unless your host alerts you about a hack.
In this post we’ll talk about WordPress specifically and how you can best protect your site including security, backups, changing your passwords often, user names and whether staying logged into your website is safe.
Best Tips to Protect Your WordPress Website
To Log Out or Not to Log Out
I get notifications all the time from security plugins about nefarious login attempts on websites we manage and our agency website as well.
Millions of bot attacks happen every day on WordPress websites and not always from countries you might expect. A few of the nasty peeps and/or bots that tried to login to our website recently were from France and the UK but the last one was from around these parts. And they used my login username.
So what did I do?
First of all, I changed my password lickety split. The next thing was to log into the WordPress Admin dashboard and promptly logout.
And then I reminded myself, because I AM GUILTY, to log out of sites I no longer need to be logged into i.e. shopping websites or Skip the Dishes.
It’s not enough to exit out of the window; it must be an intentional ‘log out’. If browser windows are left open there is a chance that information can be stolen right out from under you. And if you’re concerned with site speed, unlogged users can slow your site down.
The criminally inclined are getting smarter every day so your best defence is to protect your private information in every way possible. Log out AND change your passwords often.
WordPress User Accounts
In order to protect yourself in case the worst happens it’s best practice to have two user accounts set up in your name. You’ll need two email addresses to do this so register another gmail account for this reason. Ensure both user profiles have Administrative access and not just Editor or Subscriber.
The last thing you want is to lose access to your site and not be able to register another user because the hacker has blocked you from getting in.
I know, scary right? If that ever happens to you, we can help though so not to worry.
Use Password Keepers
Another important way to stay secure online is to use an App that saves passwords for you. Bitwarden, LastPass, 1Password are all good options. With a master password used to login to the app, you can access your database of saved passwords across all your browsers. Now you only need to remember one password!!
Just remember to save your master password somewhere safe. If you forget your master password you can say goodbye to your password database.
I must have thousands of passwords and change them often so these applications are a lifesaver. Logging into a site is a breeze and because I’m no longer typing them in manually it is supposed to be more secure as keystrokes aren’t detected.
Keep in mind that if you use more than one Google Chrome browser profile, it’s best to log out of other ‘personas’ and stick with one profile as password keepers can lose track of you.
It’s also important to disable browser and device password autosave functions. They aren’t the best way to save passwords securely anyways. I’ll be making a video about this soon, so check back!
Installing a security plug-in on your WordPress website is critical to its security and safety. Some servers will automatically install them but make sure it’s properly configured and/or contact your host for more information. Installing one of the plug-ins below will give you peace of mind, just make sure to follow the instructions for set up and enable email alerts so you keep on top of suspicious activity.
Wordfence – Free and Paid
The free and paid versions of the Wordfence firewall and security scanner protects over 4 million WordPress websites worldwide from attackers targeting wordPress. Wordfence free version receives firewall rules and malware signatures after a 30 day delay.
If you’re OK with that the free version is the way to go but the paid version at $99 US is well worth it.
MalCare – free and paid
MalCare free will keep your site secure without slowing it down. Get automatic daily malware scans, real time firewall, vulnerability scans and login protection.
The basic $99 US per year plan also includes instant malware removal, real time firewall, bot protection, vulnerability scans, uptime monitoring and personalized support.
There are two more expensive tiers if you want to add automatic daily backups, an integrated staging site, activity logs and visual regression testing as well.
Don’t depend on your host to backup your site for you, please. It is not in their best interest to do this for you as it is a service they charge for. Most hosts will backup your site if you know how to set it up yourself or you contact support yourself.
It is best practice to have at least three backups in different locations:
- on your host server
- Google Drive, Dropbox
- Your home or office computer, or both
Using one of the back up solutions below can automate all of this for you.
UpDraftPlus – Best Free plugin with Premium option
We use UpdraftPlus for almost all of our client websites. It has been reliable, efficient and it’s pretty easy to set up. It is a cloud-based plug-in that lets you schedule back ups and save them directly to Google Drive, Dropbox, Amazon and other cloud-based servers.
Updraft free version ensures you have full access to your website files should your website be hacked, the server crashes, or you get the white screen of death should you update plug-ins without testing first.
UpdraftPlus Premium starts at $42 US per year gives you more options for back ups, multiple storage destinations, automatic backups before updating anything on your website and more.
BackUp Buddy – Best Paid plugin, more robust
Back up Buddy make sure you always have the latest backup of your site. It provides you with a .zip file you can access to quickly upload and restore your site if it breaks. Its easy to follow instructions get your site up and running whether it’s for a full website restore or a partial restore. The interface is a bit complicated but once you get the hang of it, it’s fairly simple.
Choose from monthly weekly, biweekly, daily, or hourly back ups. Connect Google Drive or Dropbox to have your backup files automatically sent to remote storage.
BlogVault – all in one back up solution
Used by over 4 million websites, BlogVault is trusted by businesses such as cloud Waze, the server we currently use to host our client websites. They provide 90 day archives as well so that should your site go down your back up still shows to users. This plug-in takes incremental backups so that your site doesn’t slow down when the plug-in is backing up your site.
Using one or a few of these security and backup plugins will be your new best friends when it comes to site security and backups, aside from us, of course! So do yourself a favour. Update your passwords, logout from every site you’ve visited including your own, and install security and backup plugins to prevent hacks and loss of data.
Some of the links above may be affiliate links.