We talk a lot about website security on our blog, because it’s so important for website owners to be knowledgable about it. More websites are getting hacked every day and are losing potential business from their websites because of downtime or are showing malicious content so users leave. The best way to fight a potential attack on your website is to be diligent about maintenance and to be proactive with preventative measures. We’ve compiled a WordPress security checklist that includes items we think will help keep your website up to date, secure, and hopefully free from attacks.

Right Now

• Make sure all WordPress user passwords are strong. Store passwords in a secure place, and if you have to share them, share them securely, not through email.
• Delete any users that aren’t needed any more.
• Install and set up a security plugin like Wordfence that will be tighten WordPress security. It’s important to have features like locking users out when they enter in the wrong password too many times. Wordfence will also regularly scan for malicious content on your site and notify you about it as well.
• Delete plugins or themes that aren’t needed.

As Needed

• Update the WordPress core within a day or two of it coming out. These updates usually fix security holes so it’s important that these are done fairly quickly. You can set this to be done automatically for you, or if you’d like to do it manually so you can check the site afterwards, make sure to stay up to date on when the new installs come out. The WordPress blog is a great place to stay informed.
• Some plugins or themes will come out with updates that they recommend doing quickly as well, usually for the same reasons. Hackers will sometimes notify WordPress developers about security flaws that they’ve found and give them a short timeframe to fix it before they start exploiting it and attacking vulnerable sites. The Wordfence blog is a great place to find out about these types of updates.

Monthly

• Make a backup of all your website files and the database, and then update all plugins, themes, and the WordPress core.
• Click through your site after it’s updated to make sure everything looks correct and all is functioning well.

Yearly

• Change all WordPress user passwords to keep them fresh. Delete users that aren’t needed.
• Do an inventory of your plugins. Delete ones that aren’t needed and replace ones that aren’t being supported anymore (like if the developers haven’t updated them in over 2 years).

If your site has been compromised

• Change all WordPress user passwords. Delete users that have been added by the hackers or aren’t needed anymore.
• Change passwords on your hosting login, ftp, database and email.
• Make all WordPress updates (plugins, themes, and WordPress core).
• Install Wordfence if it isn’t already and have it scan for malicious content. Delete and clean up all malicious content, which can be anywhere on your site: posts, pages, plugin or theme files, or new files that have been added to your ftp.
• Set up Google Webmaster Tools and clean up any additional malicious content that it might find. Webmaster Tools will also notify you about any malicious content in the future as well.
• Run a virus scan on all computers that you’ve logged into the site on and clean that up as needed.

WordPress is an excellent tool for maintaining websites, but it must be kept up to date and maintained in order to keep it safe and secure, and being proactive about it is your best bet. Don’t wait until your site is compromised, get started on making your site safe today, and make a plan to keep up with maintenance. We would love to help with cleaning up a hacked site or keeping your site maintained for you. Get in touch with us today!