Installing iThemes Security is a part of every WordPress website installation I set up. Below are some of the things I do. (I set up the plugin for free and put into practice many security practices, but it costs extra for me to do your updates, keep backups, and recover your website if hacked.) See my packages page.
There’s Always a Risk
Your website can never be 100% secure. Hackers are always trying new things and discovering new vulnerabilities to exploit. The online world changes quickly and the same is true of security. Good security is about minimizing risk. You’ll never be completely safe, but there’s a lot you can do to minimize your risk.
Three Important Things
- Protect Your Website
- Detection. This enables you to see if a hacker found a weak spot and broke into your website.
- Backup and Recovery
The security plugin I use does all of these things.
Four Important Steps to Security
Keep It Current
One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often and whenever there’s a new security issue they roll out an update immediately. But that doesn’t do you any good if you’re not keeping your installation up to date. You also need to keep your themes and plugins up to date—they can have security issues as well. Sometimes people put off updates for fear of breaking their site, but you’d rather break your site with an update than risk a break-in. So keep things updated.
Use Strong Passwords
Your security is only as good as your password. If you’ve got a simple password, you’ve got a simple site to hack. You need to use strong passwords. Your password should have numbers, capitals, special characters (@, #, *, etc.) and be long and unique. Don’t use the same password in multiple places. Yes, remembering different passwords for different sites is tough, but a hacked site is worse.
Your own strong password is useless if another admin has a weak one. You need to manage your users. The more people with admin access, the more chances there are for your site to be hacked. Make sure you’re only giving admin access to the people who truly need it. And make sure those few admins are following good security practices.