Though your website can never be 100% secure, there are lots of things you can do to minimize your risk. Sucuri named a big bunch of them in a free webinar. And though we recommend watching the whole 1.5-hour video, here’s a quick rundown of some of the highlights.
- Update (and keep updating) your website’s software. The #1 avenue for hackers and malware is outdated or unused software. This includes WordPress and plugins—so when you see those update notices, update. (But back up first.) And get rid of anything you’re not using.
- Use trusted sources. This goes for everything—from websites you visit to software you download, from plugins you use to WordPress themes you install. Make sure the plugins you use are still being supported. Make sure the WordPress themes you install aren’t loaded with malware (it happens more than you think!). And make sure your host is a good one. Do they publish their security practices? How often have their sites been infected with malware or blacklisted? Vet your host by using this URL: http://www.google.com/safebrowsing/diagnostic?site=typeyourhostingcompanywebsitehere.com (Note: We like HostGator, and this is just one reason why).
- Follow best practices. Change the WordPress admin user. Cancel any users that aren’t needed—on your site and your server. Use child themes (we do). Change your server file permissions to, at a minimum, 644 on files and 755 on folders. (If your host requires you to use 777 on everything, it’s time to get a new host.) Install the Sucuri monitoring plugin if you have Sucuri security (we use and recommend it on our sites). Continue disabling pop-ups. If you’re doing a fresh installation of WordPress, add a DB Table Prefix. Add secret keys to your wp-config.php file. Require SSL for all administrative logins. And, of course, use good passwords. (Did you know 123456 is the most common password, followed by 12345?) Or better yet, use good passphrases complete with letters, numbers and other characters.
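
To check a site against the file-permission and wp-config.php items above, here is an added example (not from the webinar or from Sucuri). It assumes "add a DB Table Prefix" means a prefix other than WordPress's default `wp_`, and that SSL for admin logins is set with the `FORCE_SSL_ADMIN` constant; the function names and the sample config are constructed for illustration.

```python
import os
import re
import stat

FILE_MAX, DIR_MAX = 0o644, 0o755  # baseline modes named in the checklist
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php

def audit_permissions(root):
    """Return sorted (relative path, octal mode) for entries looser than 644/755."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            allowed = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:  # any permission bit outside the baseline
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)

def audit_wp_config(text):
    """Return the checklist items that the given wp-config.php text fails."""
    issues = []
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if prefix is None or prefix.group(1) == "wp_":
        issues.append("table prefix is missing or the default wp_")
    for key in KEYS:
        pattern = r"define\(\s*['\"]%s['\"]\s*,\s*(['\"])(.*?)\1" % key
        m = re.search(pattern, text)
        if m is None or m.group(2) in ("", PLACEHOLDER):
            issues.append("%s is missing or still the placeholder" % key)
    ssl = r"define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*true\s*\)"
    if not re.search(ssl, text, re.I):
        issues.append("FORCE_SSL_ADMIN is not enabled")
    return issues

# Constructed sample input, not taken from a real site.
SAMPLE_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k3#constructed-sample-value');
define('LOGGED_IN_KEY', 'z9!constructed-sample-value');
define('NONCE_KEY', 'q7$constructed-sample-value');
"""

if __name__ == "__main__":
    for issue in audit_wp_config(SAMPLE_CONFIG):
        print("wp-config.php:", issue)
    for path, mode in audit_permissions("."):  # run from the WordPress root
        print(path, mode)
```

Anything the permission audit reports can be brought back to the baseline with `chmod 644` on files and `chmod 755` on folders.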