6 step guide to a secure website

Will my website be secure? I don’t want my website to get hacked.

This is a question new clients ask me and they are right to be concerned. Security breaches are regularly in the news. This article provides simple steps for a secure website.

I follow security best practices. This includes using strong passwords, installing an SSL certificate, secure hosting, and firewall protection with a WordPress security plugin. While I am not a security expert, I do follow website security news and implement new practices promptly.

Everyone needs to know how to stay safe and secure on the web. As a website owner, you can show your website visitors their information is safe through an SSL certificate. Adding information about your security measures to a privacy policy page is another way to show your website visitors that you take security seriously.

Here are the detailed steps I take to make sure you have a secure website:

1. Strong and unique passwords

Data breaches are frequently in the news and there is a good chance that your email address has been exposed. This is the new normal and is why unique passwords for each account are important. I used to try and memorize passwords or write them down, but the more secure they are, the more difficult it becomes! I highly recommend using a password manager. You will have one master password to remember. Password managers make it easy to generate strong passwords. Using a strong and unique password for your WordPress and hosting accounts will help to keep them secure.

The following table shows just how easy a brute-force attack is. Secure passwords now need to be 16-18 characters long!
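To make the brute-force point concrete, here is a small added example (not from the original post) that models how the search space grows with password length and character set, and generates a random password with Python's `secrets` module. The guess rate is an assumption chosen for illustration, not a measurement.

```python
import math
import secrets
import string

# Assumed attacker speed in guesses per second against a leaked password hash.
# This is an illustrative assumption; real rates depend on the hash and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Size of the alphabet an attacker has to cover for each password style.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable": 94,
}

def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(charset_size)

def worst_case_crack_seconds(length: int, charset_size: int,
                             rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the assumed guess rate."""
    return charset_size ** length / rate

def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = (("seconds", 60), ("minutes", 60), ("hours", 24),
             ("days", 365.25), ("years", None))
    value = seconds
    for name, factor in units:
        if factor is None or value < factor:
            return f"{value:.3g} {name}"
        value /= factor

def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits
                      + string.punctuation) -> str:
    """Cryptographically random password, the kind a password manager creates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def crack_time_table(lengths=(8, 12, 16, 18)):
    """Rows of (charset, length, entropy bits, worst-case crack time)."""
    return [(name, n, round(entropy_bits(n, size), 1),
             human_duration(worst_case_crack_seconds(n, size)))
            for name, size in CHARSETS.items() for n in lengths]

if __name__ == "__main__":
    for row in crack_time_table():
        print("{:<20} {:>3} chars  {:>6} bits  {}".format(*row))
    print("example password:", generate_password(18))
```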

If I haven’t convinced you yet, watch this video:

Overview of why you should stop memorizing your passwords (video) — 3 minutes

2. Add another layer of security with 2FA

Two-factor authentication (2FA), a form of multifactor authentication, adds extra security by requiring a second login step. The extra layer of security may be a text message, a code from an authenticator app, or a push notification to your smartphone. 2FA is available for WordPress and your hosting account.

What is Two-Factor Authentication (video) — 2 minutes

3. How WordPress is secure

WordPress has a dedicated security team. They work to identify and resolve security issues in the core software. In addition, they recommend and document security best practices for third-party plugins and theme authors.

The Open Web Application Security Project (OWASP) has a Top Ten list of the most critical security risks to all web applications. The WordPress security team works to strengthen core software against these risks. Download the WordPress security white paper for a deep dive.

WordPress plugin and theme security

A plugin or theme undergoes a review process before it is included in the WordPress.org directory, and it must meet a set of security guidelines to be accepted. If a plugin vulnerability is found, the WordPress security team works to fix and release a secure version.

WordPress user accounts

WordPress has five default user roles for a single website, plus a Super Admin role on multisite networks. Here is a summary of the roles:

  • Super Admin – The highest level of access. This role is an administrator of a network of websites.
  • Administrator – The highest level of access for a single website.
  • Editor – Allows for publishing and managing all posts.
  • Author – Allows for publishing and managing your own posts.
  • Contributor – Can write and manage their own posts but can’t publish them.
  • Subscriber – Can manage their profile and read content.

Limiting the number of users with administrator capabilities keeps a website more secure.

Change the default “admin” username for WordPress

WordPress websites start with an administrator account. The default username is “admin.” Automated bots commit a large percentage of WordPress hack attempts. They often use the admin username with a brute force attack to guess the password. To avoid this type of attack, choose a different username.

Regular WordPress maintenance

Major updates to WordPress come out frequently and include new features and changes to the underlying code. Minor updates are released when they are needed to fix bugs and patch security problems.

WordPress themes and plugins also release updates that contain new features, bug fixes, and improved security. Apply these updates as they are released to keep the website as secure as possible. Plugins that are old or abandoned should be removed from the website.

4. Use a security plugin

My favorite security plugin is Wordfence and I install it on all websites I build. It provides the following security measures:

Firewall protection

A Web Application Firewall (WAF) identifies and blocks malicious traffic. A malware scanner blocks requests that include malicious code or content. Login security limits login attempts and requires strong passwords.

Security detection

A scanner checks core files, themes, and plugins for malware, bad URLs, malicious redirects, and code injections. It also checks your site for known security vulnerabilities and abandoned plugins. Content safety checks ensure that your files, posts, and comments don’t contain dangerous URLs or suspicious content. In addition, the scanner will repair or delete corrupt files.

Threat intelligence

The Wordfence plugin has the newest firewall rules, malware signatures, and malicious IP addresses needed to keep your website safe. The plugin protects over 3 million WordPress websites! This gives the Wordfence team visibility into how hackers compromise sites, where attacks originate from, and the malicious code they leave behind.

5. Website hosting company security

Another way to protect your WordPress website is right where it is hosted. Good website hosts prioritize best practices for security. My preferred hosting company, SiteGround, has a page of information about how they secure your website:

  • Servers with the latest version of PHP
  • Intrusion detection and prevention systems
  • Protection against common attacks on shared servers
  • Up-to-date databases with the latest software and security patches
  • Continual monitoring for vulnerabilities
  • Firewall protection for the server
  • Encouraging 2FA for logging into the hosting account

HTTPS and SSL certificates

I install an SSL certificate on all websites. This enables websites to use hypertext transfer protocol secure (HTTPS). SSL certificates are installed in the hosting account. This allows the browser and the website to communicate over an encrypted connection using Transport Layer Security (TLS). TLS keeps online interactions private even though they travel across the public internet. Secure websites will show a lock in the address bar. I gave a talk about migrating websites to HTTPS at a Boston WordPress Meetup.

How SSL certificates work

SSL certificates verify the authenticity of websites. When a user visits a secure website, the server presents its SSL certificate and the browser checks that it was issued by a trusted certificate authority, matches the site’s domain name, and has not expired. If it is verified, a secure connection will be established. If the SSL certificate is not valid or has expired, the browser will display a warning.

6. Website Backups

If your website becomes infected with malware or hacked, you may need to restore it from a backup. Daily backups give you the ability to go back to a point before the website became infected and restore a healthy website. Once the backup has been deployed, updates can be made to secure the website from future attacks.

Website backups can be scheduled from your hosting account. Backups can also be run and stored through a third party. I schedule backups and monitor security with ManageWP, a WordPress website management dashboard.

Wrap up

In summary, a secure website can be achieved with this 6 step guide, which includes these benefits:

Every website I design and build follows this 6 step guide for a secure website. If you have a question about website security, please contact me.

About Amy Kvistad

Amy has 15 years of experience as a graphic designer and 10 years as a web designer and developer. She is a co-organizer for the Boston WordPress meetup group and WordCamp Boston.