Many website owners are rightfully worried about the security of their WordPress site. There are plenty of human attackers, as well as automated bots, looking to break into your website, steal user information, and push your visitors to pop-up advertising. This is a guide for a website owner who wants to increase the security of their WordPress website for free, without much technical know-how, and without much integration or configuration. We're going to discuss the best solutions to incorporate into the website, and how to do it.
Each solution is recommended by us because we've used it on past client websites and have had good experiences with it.
First, let's go over why you should actually secure your WordPress website. If you already understand why this is a necessity in 2020, feel free to skip to the next section using the table of contents feature at the top of this post.
First and foremost, if a visitor lands on your web page and is immediately bombarded with pop-up ads and redirects, they will click away. Your business will lose revenue as well as credibility. This is the most typical and least serious thing that a website hack results in.
If the hack escalates to a more serious level, the attacker can steal your user information. This means customer emails and contact information can be captured from the website. In a worst-case scenario, the attacker can log form entries submitted to the website and gather credit card numbers and other sensitive data if you have payment processing on your site.
If you are processing sensitive customer information, then you can be legally liable if your website gets hacked.
People have realized how serious consumer data privacy and security is, which is why we're seeing a lot of regulation in this area. For example, if you serve customers in the EU, the GDPR applies to you. GDPR is a regulation that requires businesses to protect the personal data and privacy of people in the EU, and it applies to businesses outside the EU that offer goods or services to them. In the US there are federal laws as well as state-specific laws for data privacy. If you're interested in the legalities surrounding website security, go check out this impressive curated list of every law in the United States that could apply to your website: https://www.csoonline.com/article/2126072/compliance-the-security-laws-regulations-and-guidelines-directory.html
If you have secured your website, you can build consumer trust by showing the measures you've taken to protect their information. You can do this through a blogpost, through a dedicated security page, or through footer badges. Did you know that choosing the right badge / seal can actually increase your conversion rate?
65% of online shoppers felt that the Norton™ Secured Seal was reassurance that the site would not give them a virus and was safe to browse.
Of course, to get this badge, you need a secure website to start with. Now that we know why having a secure website is a must, and the benefits that it brings, let's look at some easy-to-incorporate ways to secure your WordPress website.
We're going to be looking for the most cost-effective options. Most of the plugins on this list are free, though some have paid tiers.
First, there are a few things that you can do to secure your website without a plugin.
Now let's take a look at some security plugins and solutions to add to your WordPress website, which will significantly increase its security.
First up on the list is Wordfence, a free plugin that offers a collection of security services.
The main features of this plug-in follow:
The plugin is really simple and easy to install: all you need to do is add it from the plugin repository on your WordPress installation and follow the quick wizard, which will configure its settings to best protect your website.
You can also set up your website to be connected to Wordfence Central. This allows you to manage Wordfence on multiple sites from one location. It makes security monitoring and configuring Wordfence easier.
With the free version of this plug-in on a fairly popular website asset of ours, we're getting this level of protection:
That's pretty impressive for a free service. On all of our websites, the free or premium version of Wordfence is a core plugin.
The two things we'll go in and configure further are reCAPTCHA and two-factor authentication for the login page. Both are free. reCAPTCHA is a Google service that Wordfence integrates with; Wordfence's two-factor authentication uses time-based one-time codes, so it works with any authenticator app, Google Authenticator included.
Another great plugin with both a free and a premium version is Hide My WP Ghost. It changes and hides the common WordPress paths (the login page, wp-admin, and the plugin and theme directories among them). No file or directory is actually renamed; the changes are made with WordPress rewrites and redirects, so the stock paths stop answering and the new paths map to the real files. Automated bots work through a fixed list of well-known WordPress paths to find a login form to brute force, so once those paths are gone, the bots become ineffective and move on. Keep in mind that this is obscurity, not access control: anyone who learns the new login path can still try passwords against it, so strong passwords and two-factor authentication remain essential.
Other than these additions to your WordPress website, and the manual changes that you can make, that's about all you need to do to secure things. Wordfence is the main way you will stop attacks on your website; Hide My WP Ghost takes care of the automated scanners. Keep WordPress core, your theme and every plugin updated, since most compromises come through known, already-patched vulnerabilities, and always check the front end and the back end of your website regularly for unexpected file changes or foreign logins.
If you find yourself in a situation where your WordPress website gets hacked, it's best to get professional help. You can consult with isotropic on how best to remedy the situation. We’ll either refer you to a specific remediation service, or we will secure your website ourselves.
If this is mission critical, take a look at Sucuri -- they'll respond within 6 hours.