Knowing how to secure your WordPress site is just as important as knowing how to build it. WordPress sites are particularly vulnerable to security issues. However, there are things you can do to lessen the likelihood of attack. Plus, you can take additional steps to ensure that, should your website be compromised, you can get it back up and running quickly.
Let’s take a look at some of the things you can do right now to protect your WordPress website.
Step 1: Remove Admin Username
Probably the simplest way to minimize security risks is to get rid of the “admin” username within your WordPress CMS. It is a well-known default, so anyone guessing logins already has half of the credentials. Because this is so important, some managed hosting providers are doing away with the default “admin” username altogether when they set up WordPress. If this isn’t the case for your site, however, you’ll need to remove the “admin” username manually.
You will need administrator access in order to delete and create new accounts, so make sure you have that access (or someone who does have that access completes this step).
Create a new user
Sign into your WordPress CMS account. If you are signing in using the username “admin,” don’t despair. We’ll show you how to get rid of this username even if it’s the only way you have to sign into your account.
Once inside your account, navigate to “Users” and choose All Users using the menu on the left-hand side of the screen.
Now, here’s the tricky part. You can’t actually change a username in WordPress once it’s been created. So, you’ll need to create a new username with administrator access and then delete the “admin” username.
At the top of the screen, you should see a button that says “Add New User.” If you don’t see this, scroll all the way up to the top of the window.
Click on that button.
In the next screen, create a new username, and provide the additional information. But, heads up–you cannot use the same email address that you have “admin” registered under. So, you’ll need to use a different email address for the new user.
Make sure “Send the user an email about their account” is checked, and make sure the role is set to “Administrator.”
Click “Add New User.”
Log in as the new user
Once the new user has been created:
- Log out of WordPress.
- Check your email using the email address you set up for your new account, and follow the prompts in the email to finish setting up the new account.
- Once you have set up a new password, log into WordPress using the new account.
Delete “admin” username
While you are signed in using your new account, go back to the “All Users” option on the WordPress menu.
Next, look for the “admin” user. Select it and choose Delete from the menu below the users list.
Once you have completed deleting the “admin” user, you can adjust the email for the new user you created for yourself.
Step 2: Update WordPress Version, Theme, and all Plugins
The next thing you need to do to protect your site from hackers is to update all plugins and the WordPress CMS.
Luckily, it’s really easy to see what does and doesn’t need to be updated.
Find the list of everything that needs updating
In the WordPress backend, click on Dashboard in the left-hand menu. You should see a subitem called “Updates.” If you have any updates you need to perform, you will see a number in red next to the word “Updates.”
Click on Updates to see a list of everything that needs updating.
Now, before you perform any of these updates, you should back up your website (if you have the capability to do so).
Update WordPress version
The most important thing to update in this list is your WordPress version. If you are not running the most current version of WordPress, make sure you update that right away!
(Note: if you are using managed WordPress hosting, your WordPress versions should update automatically.)
Update Plugins
Next, look at the list of plugins that appear beneath the WordPress version. The easiest thing to do here is to check the “Select all” box and choose “Update Plugins.”
This is also a good time to go through your plugins and see if there are any installed that you are not using. If you have plugins installed that you don’t need or that you are not actively using, now is the time to delete them. Unused plugins can cause compatibility issues with your site, slow down your site, and, of course, just create more back doors for would-be hackers to gain access to your site.
Update your theme and remove unused themes
Next, you need to update your theme if it requires updating. Keep in mind that if you make changes to the code of a third-party theme, updating it will overwrite any modifications you made, which is why theme builders always advise you to create a child version of the theme and modify that.
To update your themes, click on “Appearance” in the left-hand menu of WordPress and choose Themes.
You should see the theme you are currently running, plus any other themes you have installed. Any themes that require updating will have a small yellow band at the top of them giving you the option to update them.
For the theme you are running, click on “Update now.”
Once you have updated your current theme, it is good practice to delete any themes you are not using.
To do so, hover over your unused theme until you see the button “Theme details” appear. Click on that button.
In the next window, you’ll see details about your theme, as well as the option to delete the theme at the bottom of the screen.
Click the Delete button.
Congratulations! Your site is now a little more bulletproof.
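If you have command-line access and WP-CLI installed, you can confirm Steps 1 and 2 from the terminal instead of clicking through each screen. The script below is an added example, not part of the original article: the function names (default_admins, stale_extensions, audit) and the sample data are made up for illustration, and it assumes the CSV that WP-CLI prints has no commas or quotes inside fields.

```shell
#!/usr/bin/env bash
# Added example: checks Steps 1 and 2 against WP-CLI CSV output read on stdin.
# On a real site the input comes from (run in the WordPress root directory):
#   wp user list --role=administrator --fields=ID,user_login,user_email --format=csv
#   wp plugin list --fields=name,status,update,version --format=csv
#   wp theme list --fields=name,status,update,version --format=csv
# Assumption: simple CSV, no commas or quotes inside fields.

# Step 1: print every administrator login that is still the default "admin".
default_admins() {
  awk -F, 'NR > 1 && tolower($2) == "admin" { print $2 }'
}

# Step 2: print "name:reason" for each plugin or theme that is outdated or unused.
# A theme with status "parent" backs an active child theme, so it is not "unused".
stale_extensions() {
  awk -F, 'NR > 1 {
    if ($3 == "available") print $1 ":update-available"
    if ($2 == "inactive")  print $1 ":unused"
  }'
}

# Constructed sample data (not taken from any real site).
SAMPLE_USERS='ID,user_login,user_email
1,admin,owner@example.com
7,jsmith-site,jsmith@example.com'
SAMPLE_PLUGINS='name,status,update,version
contact-form,active,available,5.1
old-slider,inactive,none,2.0
seo-helper,active,none,3.4'
SAMPLE_THEMES='name,status,update,version
shop-child,active,none,1.0
shop-base,parent,available,4.2
starter,inactive,none,1.3'

# Return 0 only when nothing needs attention; otherwise list findings and return 1.
audit() {  # usage: audit "$users_csv" "$plugins_csv" "$themes_csv"
  local findings
  findings=$(
    printf '%s\n' "$1" | default_admins | sed 's/^/user:/'
    printf '%s\n' "$2" | stale_extensions | sed 's/^/plugin:/'
    printf '%s\n' "$3" | stale_extensions | sed 's/^/theme:/'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

audit "$SAMPLE_USERS" "$SAMPLE_PLUGINS" "$SAMPLE_THEMES" || true
```

If the check flags an “admin” account, WP-CLI can remove it with `wp user delete admin --reassign=<new-user-id>`, which attributes its posts to your new administrator rather than deleting them.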
Step 3: Back up your website
Scheduling regular backups of your website is not just good practice; it is practically essential if you want your WordPress website to be ironclad against invaders.
No matter how many steps you take to ensure your site is secure, things can happen. And if your site ever is compromised, being able to restore a backup of your site can save you hours of time and thousands of dollars.
If you have a managed WordPress hosting plan, your hosting provider should be conducting backups for you. For instance, we not only conduct nightly backups of all the sites we host; we also run manual backups before we make any major changes to your website, just to be safe. Creating a backup does not cause any downtime for your site, and restoring a backup only takes a few minutes.
Because every hosting plan is different, it’s important for you to contact your hosting provider to learn if and how backups are conducted for your site. If backups are not already being handled by your hosting provider, you need to have that provider set up automatic, regular (daily) backups for your site. And, make sure you understand the steps you need to take to restore a backup should anything happen to your site. If you host with The Concept Spot, that step is as simple as shooting us an email or giving us a call; we’ll make sure your backup is restored within a few hours.
In conclusion
A WordPress site is more vulnerable to attack than sites using other CMSs. However, a little bit of maintenance goes a long way to keep your site safe.
If you’re interested in talking to us about our hosting services, shoot us a message. We welcome the opportunity to provide you with stress-free, white-glove hosting services.