But all the free stuff does not come without risk. Here are some vulnerabilities your WordPress sites may be exposed to:
- Malicious hackers often offer free plugins & themes as a way to gain ‘backdoor’ access to your site. They can take advantage of your website anytime they want as long as you’re using their plugin or theme.
- There’s no licensing board for web developers. This means that as a website owner you have to decide for yourself whether the plugin developer you hire is the real deal, or you’re leaving your site in the hands of a hacker.
- Because it’s free and very easy to use, a lot of online entrepreneurs who aren't tech savvy attempt to build their sites on their own, and the resulting sites, as you might guess, can be very vulnerable to hackers.
So if it poses major security risks, why do people keep on using it? Because with a few simple steps, you can secure your WordPress sites.
1. Don’t use one-click installers. You’ve probably heard of a tool that lets you install WordPress with just the click of a button. Very tempting. But if you want a secure website, avoid one-click installers like the plague.
With one-click software, you can’t choose secure database details because these installers will do the job for you. Plus, they may install an outdated version of WordPress. Not to mention other ‘complimentary’ plugins and themes that you don’t really need.
Install your WordPress manually. Get your hands a little dirty. The instructions are simple and you’re good if you just follow them step by step.
2. Secure your password. Security and peace of mind can be achieved by just changing your password. Avoid using words in the dictionary or passwords like ‘buttercup123’. A secure password should:
- Be at least 18 characters long
- Be a mix of uppercase & lowercase letters
- Contain numbers or special symbols
- Be unique for every account
- Be hard to remember – if you can easily remember your passwords, others might, too.
3. Limit user roles and capabilities. WordPress is built so that you can grant access to a member of your team. However, access should be limited to only what a user needs to do. For example, if you have a writer whose sole task is to add blog posts on the site, only grant him/her the “Author” access. This allows the Author to log in, add, edit and delete his/her own posts.
4. Avoid putting all your eggs in one basket. Meaning, if you have multiple sites, avoid putting them all in one cPanel or hosting account. If one site gets compromised, all your other sites will be easily accessible.
5. Only install plugins & themes from trusted sources. While most plugins and themes are safe, there are still some rotten apples out there, like this one. WordPress.org is a very rich repository of safe-to-use plugins and themes.
6. Install security plugins. Plugins like Wordfence and Better WP Security exist to help website owners secure their WordPress sites. They prevent automated and forced login attempts, block IP addresses of known hackers, and perform other functions to keep your site safe.
7. Update and back up regularly. New versions of plugins and themes are released by developers to improve functionality or address issues that exist on the older version.
You should also make regular backups. If, despite all precautions taken, your site is still hacked, you’ll thank yourself for making a backup.
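A least-privilege check for step 3, as an added example that is not part of the original article: it compares each account's role with the highest role that person actually needs. The user list is constructed sample data, assumed to match the JSON shape of WP-CLI's `wp user list --fields=user_login,roles --format=json`, and the `NEEDED_ROLE` policy and account names are hypothetical.

```python
import json

# WordPress built-in roles, least to most privileged.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed sample; shape assumed to match
# `wp user list --fields=user_login,roles --format=json`.
SAMPLE_WP_USERS = """[
  {"user_login": "owner", "roles": "administrator"},
  {"user_login": "jane_writer", "roles": "administrator"},
  {"user_login": "sam_writer", "roles": "author"},
  {"user_login": "old_contractor", "roles": "editor"},
  {"user_login": "newsletter", "roles": "subscriber,editor"}
]"""

# Hypothetical policy: the highest role each person needs for their job.
NEEDED_ROLE = {"owner": "administrator", "jane_writer": "author",
               "sam_writer": "author", "newsletter": "subscriber"}

def highest_role(roles_field):
    """Return the most privileged role in a comma-separated roles string."""
    roles = [r.strip() for r in roles_field.split(",") if r.strip()]
    # Unknown (custom) roles rank as administrator so they get reviewed.
    return max(roles, key=lambda r: ROLE_RANK.get(r, 4), default="subscriber")

def audit_roles(users_json, needed):
    """List accounts that are over-privileged or missing from the policy."""
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        actual = highest_role(user["roles"])
        if login not in needed:
            # Accounts nobody can account for (e.g. past contractors).
            findings.append((login, actual, None, "not in policy"))
        elif ROLE_RANK.get(actual, 4) > ROLE_RANK[needed[login]]:
            findings.append((login, actual, needed[login], "over-privileged"))
    return findings

if __name__ == "__main__":
    for login, actual, wanted, reason in audit_roles(SAMPLE_WP_USERS, NEEDED_ROLE):
        print(f"{login}: has {actual}, needs {wanted} ({reason})")
```
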
Michelle Christie is a business consultant based in Westchester, New York. She focuses on helping small business owners harness the power of social media to build and strengthen the relationship with their customers online. Michelle is the founder of Motivators and Creators Women's Group a professional membership organization for new and established business women interested in business networking, learning and achieving positive business results.