There is no way to guarantee your WordPress site will be 100% secure. But there are some essential measures that every responsible site owner should take to secure their site. This goes double if you have an e-commerce site.
This list is meant to be a basic guide, and I don’t recommend you implement each of these tasks piecemeal. Plugins like JetPack, Sucuri, and iThemes bundle many of the items below into one package. WordPress managed hosting from companies like WP Engine and LiquidWeb will automatically update the WordPress core, themes, and plugins safely, without crashing your site. You’ll need a combination of the two to really ensure your site isn’t overly vulnerable.
But even if you have the best managed hosting and are paying for a premium security plugin, it’s best to partner with a team you can turn to when something goes wrong. If your site goes down in the middle of the night while you’re sleeping, you need someone available 24/7/365 to start work immediately to get your site secured and back online. And if you have backups but no idea how to access them or perform a restore, you might as well not have them.
That’s why we offer Care Plans where we ensure your site is secured, properly maintained, and brought back online as soon as possible if the worst happens. We also offer unlimited edits on the Premium and Elite plans so that you don’t have to worry about logging into the WP Admin to add or delete content. To learn more about our care plans, click here.
On to the list:
Ten Essential WordPress Security Tasks
- Perform Daily Cloud Backups
Store daily backups of your core files and database on a remote server (AWS, DropBox, Google Drive). It’s not enough to rely on your hosting provider’s backups unless you have full access to them, they are taken regularly, and you can easily perform a restore.
- Force Secure Passwords
Use a trusted plugin that forces all new users to create a secure password. It should also audit existing users and send each of them a password reset email.
- Perform Daily Malware Scans
Your site should be scanned daily for malware, malicious code, and backdoors. Companies like iThemes, Sucuri, and CleanTalk are all reputable and have different plan levels depending on your needs.
- Install an SSL Certificate
A good hosting provider will include one free of charge, and there are other options such as Let’s Encrypt that provide them free as well. SSL encrypts the traffic between your visitors and your site and signals to visitors that they are on a safe and secure site.
- Protect Your Database from SQL Injection
Install malware-scanning software to alert you to any vulnerabilities on your site. It’s also important to use reputable, actively maintained plugins and keep your site updated. A good WAF (web application firewall) will add another layer of protection.
- Set Up Real-Time Monitoring
Services like FreshPing, PagerDuty, and Super Monitoring ping your site and alert you if it goes offline.
- Set Up IP Blocking
A good security plugin will track repeated failed attempts to access your dashboard or files and block the offending IP address.
- Implement a WAF (Web Application Firewall)
Firewalls protect against a number of types of malicious traffic (DDoS, cross-site scripting, SQL injection, and web session hijacking) by analyzing HTTP and HTTPS requests. While there are no guarantees that your site will be 100% secure, third-party WAF companies specialize in knowing the latest threats and how to prevent them.
- Block Comment Spam
CleanTalk, Akismet, and Spam Destroyer are all solid choices for combating comment spam.
- Optimize Your SQL Database
Purge deleted data and perform a general cleanup of the database. If you know your way around phpMyAdmin, you can perform the optimization with a handful of SQL queries. Plugins like JetPack and WP Optimize also offer database optimization options.
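The kind of cleanup queries that paragraph refers to, as an added example that is not from the original post or from any of the plugins it names. It assumes MySQL/MariaDB, the default wp_ table prefix (substitute your own), and that a fresh backup (task 1) has been taken first, because these deletions are irreversible.

```sql
-- Assumes the default "wp_" prefix; change it to match your site's prefix.
-- Take a full backup before running any of these statements.

-- 1. Post revisions, trashed posts and auto-drafts. WordPress keeps every
--    saved revision by default, so this is usually the largest win.
DELETE FROM wp_posts WHERE post_type = 'revision';
DELETE FROM wp_posts WHERE post_status IN ('trash', 'auto-draft');

-- 2. Post meta rows whose parent post no longer exists (orphaned postmeta),
--    including the rows left behind by step 1.
DELETE m
FROM wp_postmeta m
LEFT JOIN wp_posts p ON p.ID = m.post_id
WHERE p.ID IS NULL;

-- 3. Spam and trashed comments, then their orphaned comment meta.
DELETE FROM wp_comments WHERE comment_approved IN ('spam', 'trash');
DELETE cm
FROM wp_commentmeta cm
LEFT JOIN wp_comments c ON c.comment_ID = cm.comment_id
WHERE c.comment_ID IS NULL;

-- 4. Expired transients (cached values) in wp_options. Each transient has a
--    "_transient_timeout_<key>" row holding a Unix timestamp and a
--    "_transient_<key>" row holding the value; delete both when expired.
--    SUBSTRING(..., 20) skips the 19-character "_transient_timeout_" prefix,
--    and the backslashes stop "_" acting as a LIKE wildcard.
DELETE a, b
FROM wp_options a
JOIN wp_options b
  ON b.option_name = CONCAT('_transient_', SUBSTRING(a.option_name, 20))
WHERE a.option_name LIKE '\_transient\_timeout\_%'
  AND a.option_value < UNIX_TIMESTAMP();

-- 5. Reclaim the freed space and rebuild indexes on the tables touched above.
OPTIMIZE TABLE wp_posts, wp_postmeta, wp_comments, wp_commentmeta, wp_options;
```

OPTIMIZE TABLE briefly locks each table while it rebuilds it, so run this during a quiet period. Site-wide transients use the "_site_transient_" prefix and need the same treatment with that prefix if you want them purged too.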