What’s the first thing you do after you return home? You shut the door, and lock it. You may also put your house keys in their usual spot so you can find them easily later, and then wash your hands with soap for at least 20 seconds.
These are habits – good habits that help keep you safe, efficient and healthy. Keeping your website safe and working smoothly relies on good habits too. Here are a few habits we practice at ClickWP and encourage you to adopt as well.
Use Strong Passwords
You hear this all the time, but using a strong password is the easiest habit you can adopt to increase your website’s security.
But strong passwords are so difficult to remember!
Yes, but only if you use the “traditional” long passwords. These are passwords that look like F%+SVD#Tu7XusTh4. Nobody can remember that!
But the following passwords are just as strong, and much easier to remember:
epic obtainable scratch phobia spiffy exercise available trick determined son abrupt quiver thankful gabby kick wipe
Yes, passwords can have spaces in them. And they don’t need numbers or symbols in them. All they need to be is long enough.
I made the passwords above by combining random words from the Random Word Generator. You can make these “passwords” even stronger by adding some nonsensical words among them, e.g.
thetchry houtal philitzes hooppler
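To show why a long run of random words holds up against a shorter jumble of symbols, here is an added example (not from the original post) that picks words with a cryptographic random source and compares the entropy of the two styles. The 16-word list is constructed for the demo; the numbers for a real generator assume a 7776-word list (the Diceware size) and a 94-character printable-ASCII set for the “traditional” password.

```python
import math
import secrets

# Constructed mini word list, reusing the words from the passphrase above.
# A real generator (the Random Word Generator, a Diceware list, etc.) has
# thousands of words, which is what the entropy figures below assume.
WORDS = ["epic", "obtainable", "scratch", "phobia", "spiffy", "exercise",
         "available", "trick", "determined", "son", "abrupt", "quiver",
         "thankful", "gabby", "kick", "wipe"]


def make_passphrase(n_words, wordlist=WORDS):
    """Pick n_words words with a CSPRNG. Each pick is independent, so repeats
    are allowed; that is what makes the entropy figure below valid. Words a
    person picks by hand are far less random and do not earn the same bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Entropy of n_symbols independent, uniform picks from alphabet_size choices."""
    return n_symbols * math.log2(alphabet_size)


def compare(n_words, wordlist_size=7776, n_chars=16, charset_size=94):
    """Bits of an n-word passphrase vs. a random printable-ASCII password."""
    return {
        "passphrase": entropy_bits(n_words, wordlist_size),     # 16 words -> ~206.8 bits
        "random_chars": entropy_bits(n_chars, charset_size),    # 16 chars -> ~104.9 bits
    }


if __name__ == "__main__":
    print(make_passphrase(6))
    print(compare(16))
```

Even a much shorter passphrase, around 8 words from a 7776-word list, already matches the 16-character symbol soup in entropy, provided the words are chosen by a random generator rather than by you.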
I also strongly recommend using a password manager. These will generate strong passwords for you and even fill in the password when you need to log in. Some options for you to explore: 1Password, Dashlane and LastPass.
Delete the ‘admin’ user
Most WordPress “hacks” and attacks don’t do anything more sophisticated than guessing your username and password over and over and over. Avoiding common words (like admin or webmaster) as usernames makes these brute-force attacks much less effective.
If your username is currently “admin”, change it to something else. Learn more: How to change your WordPress username
Limit user privileges
The principle of least privilege (POLP), an important concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work.
For example, if you only need your VA (virtual assistant) to format and publish your blog posts, they don’t need permission to activate or delete plugins and themes. In this case, you only need to assign the Editor role to your VA.
Allowed Actions | Administrator | Editor | Author | Contributor | Subscriber |
---|---|---|---|---|---|
Login to website | ✅ | ✅ | ✅ | ✅ | ✅ |
Create & edit own posts | ✅ | ✅ | ✅ | ✅ | |
Publish & delete own posts | ✅ | ✅ | ✅ | | |
Upload images & media | ✅ | ✅ | ✅ | | |
Edit & delete any posts | ✅ | ✅ | | | |
Edit categories & tags | ✅ | ✅ | | | |
Moderate comments | ✅ | ✅ | | | |
Modify website settings | ✅ | | | | |
Install & manage themes | ✅ | | | | |
Manage widgets | ✅ | | | | |
Install themes & plugins | ✅ | | | | |
Update WP, themes & plugins | ✅ | | | | |
Add & manage users | ✅ | | | | |
Learn more: Manage Users (Authors) in WordPress
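The table above is cumulative (each role can do everything the roles to its right can), so the least-privilege choice is mechanical: find the lowest role that covers every action the person actually needs. This added example (not from the original post) encodes the table and does that lookup, and also lists what a higher role would grant beyond the job; the VA job description is the one from the paragraph above.

```python
# Roles from least to most privileged, as in the capability table above.
ROLE_RANK = {"Subscriber": 0, "Contributor": 1, "Author": 2,
             "Editor": 3, "Administrator": 4}

# Each allowed action from the table, keyed to the lowest role that has it.
MIN_ROLE = {
    "log in": "Subscriber",
    "create & edit own posts": "Contributor",
    "publish & delete own posts": "Author",
    "upload images & media": "Author",
    "edit & delete any posts": "Editor",
    "edit categories & tags": "Editor",
    "moderate comments": "Editor",
    "modify website settings": "Administrator",
    "install & manage themes": "Administrator",
    "manage widgets": "Administrator",
    "install themes & plugins": "Administrator",
    "update WP, themes & plugins": "Administrator",
    "add & manage users": "Administrator",
}


def least_privileged_role(needed):
    """Lowest role that covers every action in `needed`.
    Raises KeyError on an action that is not in the table."""
    return max((MIN_ROLE[a] for a in needed),
               key=ROLE_RANK.__getitem__, default="Subscriber")


def excess_actions(assigned_role, needed):
    """Actions the assigned role grants that the job does not call for.
    A non-empty list for the chosen role is the over-privilege to review."""
    granted = {a for a, r in MIN_ROLE.items()
               if ROLE_RANK[r] <= ROLE_RANK[assigned_role]}
    return sorted(granted - set(needed))


# The VA from the paragraph above: formats the owner's posts and publishes them.
VA_JOB = ["log in", "create & edit own posts",
          "edit & delete any posts", "publish & delete own posts"]

if __name__ == "__main__":
    print(least_privileged_role(VA_JOB))              # Editor
    print(excess_actions("Administrator", VA_JOB))    # everything admin-only, plus more
```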
Minimize the number of plugins on your website
We know that the most common way a WordPress website gets hacked is attackers gaining entry through bugs in plugins, especially if they’re not updated. So, it also makes sense to reduce the number of plugins on our websites, which minimizes the number of potential entryways for hackers.
So log in to your WordPress dashboard and take a look at the plugins that are installed on your website. Deactivate any that you don’t need. Don’t forget to delete them too, because the code of an inactive plugin is still on your server and can still give hackers a way into your website.
Pro tip: Keep a record of why you installed each plugin on your website in a notebook or Google Doc. This will avoid the situation where you’re left scratching your head wondering what the plugin is for. Yes, it’s happened to us many times before!
If a notebook or Google Doc isn’t suitable for keeping track of your plugins, you can (ironically) install the Plugin Notes Plus plugin. It will allow you to add notes to the plugins on your site, so you can record their purpose.
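If you prefer a script to a notebook, this added example (not from the original post or the plugin mentioned) turns the review into a checklist: it reads a plugin inventory and your purpose notes and reports inactive plugins to delete, active plugins nobody has written a reason for, and plugins with pending updates. The inventory here is constructed sample data in the shape of WP-CLI’s `wp plugin list --format=json` output; the exact field names are an assumption about that tool.

```python
import json

# Constructed sample inventory, shaped like `wp plugin list --format=json`
# (field names assumed). On a real site you would feed in the tool's output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet",        "status": "active",   "update": "none",      "version": "5.3"},
    {"name": "hello",          "status": "inactive", "update": "none",      "version": "1.7.2"},
    {"name": "contact-form-7", "status": "active",   "update": "available", "version": "5.8"},
    {"name": "old-slider",     "status": "inactive", "update": "available", "version": "2.1"},
    {"name": "mystery-widget", "status": "active",   "update": "none",      "version": "0.9"},
])

# The "why did we install this?" record the post recommends keeping.
NOTES = {
    "akismet": "comment spam filtering",
    "contact-form-7": "form on the contact page",
}


def audit_plugins(inventory_json, notes):
    """Return the three lists a plugin review needs. Only status 'inactive'
    is treated as a delete candidate; must-use and network-active plugins
    carry other statuses and are left alone."""
    plugins = json.loads(inventory_json)
    return {
        "delete_candidates": sorted(p["name"] for p in plugins
                                    if p["status"] == "inactive"),
        "undocumented": sorted(p["name"] for p in plugins
                               if p["status"] == "active" and p["name"] not in notes),
        "needs_update": sorted(p["name"] for p in plugins
                               if p["update"] == "available"),
    }


if __name__ == "__main__":
    for heading, names in audit_plugins(SAMPLE_INVENTORY, NOTES).items():
        print(f"{heading}: {', '.join(names) or '(none)'}")
```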
Install plugins and themes only from reputable sources
In the seedier neighborhoods of the WordPress ecosystem, you may find sites advertising nulled or cracked plugins and themes. These are essentially pirated software – they may have had the licensing functionality bypassed.
Because of that, you won’t be notified when new versions of the plugin or theme are released – the updates won’t appear in the WordPress updates screen. You may end up running outdated versions with bugs or unpatched security holes.
While the $0 price tag is tempting, nulled plugins and themes may be modified to send spam from your website or worse, allow hackers to access your website. All of your hard work to secure and tune up your website could be undone with some pirated software. Don’t risk it.
Visit your website regularly
Here’s something we notice quite frequently. Some website owners almost never look at their own website, especially when they have VAs and support staff maintaining their website for them.
However, that is a recipe for disaster, because bugs and problems on the site are not caught and can go unnoticed for days or weeks. As the website owner, you are far more likely to notice when something is wrong.
And if you already visit your website regularly, be sure to also look at it while logged out AND on different devices. This will allow you to view your site as a visitor does, and quickly spot problems with the design, layout and much more.