It seems obvious, but many WordPress users overlook this vital security measure. Your password is to WordPress what locking your front door is to home security – and it doesn’t matter how good your security system is if you leave the door open for anyone to walk through.
It’s not possible to overstate this crucial point:
If your WordPress password is short, if it’s something readable, if you use it on multiple sites, or if somebody who knows you well could potentially guess it, then chances are it should be stronger.
If you have a site with several WordPress users or allow visitors to create their own accounts, you can add the Force Strong Passwords plugin to make all users keep their passwords beefy.
This is another obvious one, but themes and plugins can occasionally have security vulnerabilities, which are patched by the developer as soon as they’re discovered. It’s important to update regularly, because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities.
We take care of WordPress core updates for you, but if you’re not also updating your themes and plugins regularly, you risk leaving your site exposed. Plus, updates often patch other bugs and enhance usability, so it’s a win all around.
Even deactivated plugins and themes can have vulnerabilities, and for that matter, can still take up your server’s resources, so they can sandbag site performance. It’s best to simply uninstall any plugins or themes that aren’t consistently active. You can always reinstall them later if you need to.
This is less important than having a strong password, but it’s still helpful. A generic WordPress username like “admin” will be one of the first things any hacker or bot will try. If somebody could guess your username just by looking at the site, it’s not a bad idea to update.
Unfortunately, WordPress doesn’t allow you to change your username by default, but if you’d like, you can create a new WordPress user and then delete your old one from the ‘Users’ area in the WordPress admin sidebar. (You’ll have to use a new email address to do this, since two WordPress users can’t share the same email address, but you can always change that later.)
There are several variants of Captcha out there, but the idea is the same between plugins and methods: force any site visitor who tries to fill out a form to first prove they’re human.
While it was once a troublesome and inconvenient option, Captcha has improved greatly in recent years. Plus, it protects all kinds of forms on your site, so it does double duty by helping to stop hackers and prevent spam. Google reCaptcha is the least intrusive option, and there are several plugins available to implement it, including Google Captcha (reCAPTCHA).
Many WordPress hacks come from malicious bots that are programmed to crawl the web looking for WordPress sites. Once they find one, they’ll add “/wp-admin” to the end of the site’s URL to get to the login screen and try to force their way in.
Flywheel already protects against this kind of behavior, but you can add an extra layer of security by making your login screen harder to find in the first place.
The WPS Hide Login plugin allows you to change the location of your login screen from “/wp-admin” to whatever you want. You could use something like “/mysitelogin” or “/open-sesame” or anything else. Whatever you choose, any user who tries to use the old “/wp-admin” link will just see an error message, stopping bots and would-be hackers in their tracks.
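Hiding the login URL makes the bots described above fail at the first step, but a site owner can also see this kind of activity in the web server access log. The following is an added example, not part of the original article or the WPS Hide Login plugin: a small Python detector that reads combined-format access log lines (the lines, IPs and timestamps below are constructed for the example) and flags any client that fails a login POST to /wp-login.php repeatedly inside a short window. It relies on the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect, so only 200 responses are counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx "combined" format).
# The addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; bot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; bot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; bot/1.0)"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; bot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; bot/1.0)"
198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; bot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; bot/1.0)"
192.0.2.55 - - [10/Oct/2023:13:55:46 +0000] "GET /?p=1 HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Client IP, bracketed timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: failed_attempts} for clients that reach `threshold` failed
    /wp-login.php POSTs inside any `window_seconds` span.

    A failed WordPress login returns the form again with HTTP 200; a successful
    login redirects with 302, so 302 responses are not counted as failures.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed attempts in the window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] != "POST"
                or not m["path"].startswith("/wp-login.php")
                or m["status"] != "200"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        # Drop attempts that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed login attempts within 60s")
```

On the constructed log above, only the bot address is reported; the legitimate user who mistyped a password once and then logged in successfully is not. The threshold and window are deliberately parameters, since a shared office IP can legitimately produce a few failures in quick succession.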
A more targeted and secure option for login screens than Captcha, two-factor authentication lets you verify your identity through any number of methods: scanning something on your smartphone, receiving a code via text message and entering it on the site, and others.
Whatever the method, two-factor authentication is generally much harder to fake than traditional login credentials – and doing so while also logging in with a password is virtually impossible for a hacker, so this is an extremely powerful security solution.
Popular two-factor authentication plugins include Google Authenticator – Two Factor Authentication (2FA), Unloq, Duo, and Authy.
While this isn’t necessary for all sites, it’s essential for any WordPress site collecting sensitive user information. But even if that’s not the case, an SSL certificate still helps to secure your site’s transmissions. Plus, Google ranks secure sites higher in search engine results, so you get a little SEO boost with a secure site as well!
To enable this, head to the ‘Add-Ons’ tab of the site’s Flywheel dashboard and click the “Add SSL Support” button. More on SSL here.
This is more of an advanced option, and certainly not one that everyone needs, but Cloudflare is an external service that acts as a sort of “filter” between our servers and your users. Cloudflare offers many security and performance options, several of which are available on their free plan.
While most sites don’t need to worry about DDoS attacks, Cloudflare is excellent at preventing those, since your server’s IP address will be effectively masked. Cloudflare also offers a variety of other security options, including blocking IP addresses or specific regions. Plus, getting it set up is a breeze thanks to their simple walkthrough.