Securing WordPress isn’t a chore with the right tools. But before we get to the tools (I know, you were hoping for a cure-all plugin?) let’s start with the boring stuff.
Your WordPress Password
Yes, you’ve got to have a good one. WordPress makes this easy. It tells you how complex your password is when you enter it.
And everyone else has to have a good one too. Don’t let the boss have a crap password just because they’re the boss. All passwords must be secure. A good way to handle this is to install a plugin that forces secure passwords. See iThemes Security Pro mentioned below.
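As an added example (not code from this post or from any plugin it names), here is a minimal WordPress must-use plugin that enforces a password policy at the two places core validates a new password: the profile/new-user screen and the reset form. The hook names and the pass1 field are WordPress core's; the thresholds and the mpp_ function names are assumptions.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (example, not an official plugin)
 *
 * Drop this file into wp-content/mu-plugins/ and it loads automatically.
 * The hook names and the 'pass1' form field come from WordPress core;
 * the policy thresholds below are assumptions you should tune.
 */

// Return the list of problems with a candidate password (empty array = OK).
function mpp_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'must be at least 12 characters long';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'must mix upper- and lower-case letters';
    }
    if ( ! preg_match( '/\d/', $password ) ) {
        $problems[] = 'must contain a digit';
    }
    // Length alone is not enough: reject passwords built on obvious words.
    if ( preg_match( '/^(password|wordpress|admin|letmein)/i', $password ) ) {
        $problems[] = 'must not start with a common word';
    }
    return $problems;
}

// Record each problem on the WP_Error object so WordPress refuses the change.
function mpp_report( WP_Error $errors, $password ) {
    foreach ( mpp_password_problems( $password ) as $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> The password ' . $problem . '.' );
    }
}

// Profile edit and "Add New User" screens (wp-admin). Core reads the new
// password from $_POST['pass1'], so we check exactly the value it will store.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        mpp_report( $errors, $_POST['pass1'] );
    }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp), same field name.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        mpp_report( $errors, $_POST['pass1'] );
    }
}, 10, 2 );
```

Because it is a must-use plugin, site users cannot deactivate it from the dashboard, which is the point of forcing a policy rather than merely suggesting one.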
Clean Up Old WordPress Users
If you’ve got users you don’t need, get rid of them. It’s much easier to administer a tidy site. Rather than police old passwords, just remove old users.
Update Your WordPress
Updating WordPress files, your theme files and plugins is essential. Pretty much every WordPress site I’ve seen hacked has been seriously out of date. Keep your WordPress files, themes and plugins updated to avoid exposing your site to unnecessary risk.
If you have a single site you may wish to update it yourself. If you have multiple sites then take a look at Main WP. It takes the hassle out of managing WordPress by giving you a central platform to secure, update and back up your WordPress sites. CMS Commander is another good option. It costs a few dollars a month for a subscription but requires less initial set-up than Main WP. Main WP can be bought outright but you have to host it on your own WordPress server.
Okay, Now The Plugins
There are tonnes of options and we’ve tried many. Rather than give you pros and cons of various plugins, we’ll list a few we use and recommend.
UpdraftPlus Backup/Restore
Backing up is essential. We advise you to keep multiple offsite versions of your website. We back up all WordPress websites to an Amazon AWS account. In a worst-case scenario (server is abducted by aliens and removed from the face of the earth) we can recover all websites from Amazon.
iThemes Security Pro
This is a good all-round security plugin. It starts with an audit to identify issues you need to address. It’ll block repeated attempts to log in, notify you when there are problems, and the Pro version will do malware scanning. You can set options to force strong passwords, prevent access to files and folders, and get notifications when anything is awry.
Two Factor Authentication
Two factor authentication is a necessary evil. Sure it’s a pain in the arse but it sure beats getting hacked. We use this free plugin:
That Wasn't So Hard
There’s more to WordPress security than what we’ve mentioned here, but follow these steps and you’re 99% home already. Of course, if you don’t want to maintain your own site, contact us. We’ll do all of the above and more for $40 per month.