Over 60 million websites run on WordPress, roughly 23% of all websites on the Internet.
For many users, WordPress is a popular CMS owing to the huge community around the platform, plugins, managed hosting solutions, and thousands of good themes to choose from.
But you'll often see users getting frustrated with WordPress. When I started building websites, I had numerous issues with WordPress too, to the point that I wanted to abandon it and go for simple HTML/CSS options.
As a result, there's a rallying cry on the Internet about how WordPress sucks (while there's an equally passionate group of developers, WordPress enthusiasts, and WordPress users on the other side).
In the 8 years that I've had websites running on WordPress, three of our websites got hacked at least 4 times each. This particular website itself has seen many iterations to this day.
I have to admit: I think it was our fault that it all happened. WordPress is what it is.
We were negligent. We didn't bother to make sure our WordPress websites load quickly, stay secure, and are built like fortresses.
We recently redesigned our website, and just when we thought we were done (and that we could focus on content marketing), a few visitors gave me a heads-up that this website was serving malware and had been infected.
That was when we went into overdrive to secure the website. Here’s what we did (and we believe you should do it too, like right now):
Delete Old Themes & Plugins, Right Now
A basic scan (after I got the malware alerts) revealed that almost all of the malware, vulnerable scripts, and potentially threatening files came from old themes and plugins that were just lying there on the server.
We weren't using any of those themes and plugins, so we never bothered updating them. That doesn't make them harmless: a deactivated plugin or theme is still a set of PHP files sitting under wp-content, and the web server will execute any of them that is requested directly by URL, whether or not WordPress has loaded it. An unpatched vulnerability in an inactive plugin is just as exploitable as one in an active plugin.
As a result, those themes and plugins were like carcasses attracting all sorts of vermin, worms, and viruses.
Do yourself a favor: log into your dashboard and delete every theme and plugin you don't use (deactivating is not enough; the files stay on disk). Keep one current default theme installed as a fallback and keep it updated. Then connect over SFTP and remove everything else that shouldn't be on the server, such as leftover backup archives, old copies of the site, and plugin directories the dashboard no longer lists.
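The dashboard only shows you plugins it recognizes, so it helps to compare what is actually on disk against what WordPress considers active. WordPress stores the active list in the active_plugins row of the options table as a PHP-serialized array of "directory/main-file.php" (or "single-file.php") identifiers. The script below, an added example that is not from the original post, Flywheel, or WordPress itself, parses that value, walks a plugins directory looking for the same "Plugin Name:" header WordPress uses, and lists every plugin that is installed but not active. The plugin names, files and option value in the demo are constructed.

```python
"""Audit a wp-content/plugins directory for plugins that are installed but not active.

WordPress keeps the list of active plugins in the active_plugins row of the
options table as a PHP-serialized array, for example
    a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";}
Anything on disk that is not in that list is dead weight that still executes
if requested by URL. Added example code, not part of WordPress or WP-CLI.
"""
import os
import re
import tempfile

# Same header WordPress itself scans for when it lists installed plugins.
PLUGIN_HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.M | re.I)


def parse_php_array(blob: str) -> list:
    """Parse a PHP-serialized array of ints/strings and return its values in order.

    Covers just enough of the PHP serialization format to read active_plugins.
    String lengths are byte counts, which equals character counts for the
    ASCII plugin paths found there.
    """
    pos = 0

    def read_until(ch: str) -> str:
        nonlocal pos
        end = blob.index(ch, pos)
        token = blob[pos:end]
        pos = end + 1
        return token

    def parse_value():
        nonlocal pos
        kind = blob[pos]
        pos += 2  # skip the type letter and ':'
        if kind == "i":
            return int(read_until(";"))
        if kind == "s":
            length = int(read_until(":"))
            pos += 1  # opening quote
            value = blob[pos:pos + length]
            pos += length + 2  # closing quote and ';'
            return value
        if kind == "a":
            count = int(read_until(":"))
            pos += 1  # '{'
            values = []
            for _ in range(count):
                parse_value()  # key; only the values matter here
                values.append(parse_value())
            pos += 1  # '}'
            return values
        raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")

    return parse_value()


def installed_plugins(plugins_dir: str) -> list:
    """Return the identifiers WordPress uses ("dir/main.php" or "single.php")
    for every plugin found under plugins_dir."""
    found = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isfile(path) and entry.endswith(".php"):
            candidates = [entry]  # single-file plugin such as hello.php
        elif os.path.isdir(path):
            # WordPress only looks one directory level deep for the header.
            candidates = [f"{entry}/{f}" for f in sorted(os.listdir(path)) if f.endswith(".php")]
        else:
            continue
        for rel in candidates:
            with open(os.path.join(plugins_dir, rel), encoding="utf-8", errors="replace") as fh:
                if PLUGIN_HEADER_RE.search(fh.read(8192)):
                    found.append(rel)
    return found


def inactive_plugins(plugins_dir: str, active_plugins_option: str) -> list:
    """Installed plugins whose identifier is missing from the active_plugins option."""
    active = set(parse_php_array(active_plugins_option))
    return [p for p in installed_plugins(plugins_dir) if p not in active]


def _write(root: str, rel: str, body: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo() -> list:
    """Constructed plugins directory: two active plugins and one forgotten one."""
    root = tempfile.mkdtemp()
    _write(root, "akismet/akismet.php", "<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n")
    _write(root, "hello.php", "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n")
    _write(root, "old-slider/old-slider.php", "<?php\n/*\nPlugin Name: Old Slider\nVersion: 1.0\n*/\n")
    _write(root, "old-slider/upload.php", "<?php // helper file, no plugin header\n")
    # Constructed value of: SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'
    active = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";}'
    return inactive_plugins(root, active)


if __name__ == "__main__":
    for plugin in demo():
        print("installed but inactive, delete it:", plugin)
```

On a real site, point `inactive_plugins()` at wp-content/plugins and feed it the option_value pulled from the options table (remember to use your own table prefix in the query). Anything it lists is a candidate for deletion, not just deactivation.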
Thank you, Flywheel
Our malware infection was clearly due to the old themes and plugins.
If it weren't for Flywheel's premium managed hosting that this site lives on, I believe I'd have seen a lot more damage than what we experienced recently.
Thanks to Flywheel's hardened setup and technology stack (NGINX, PHP 7), along with their built-in caching and malware protection, it saved our day.
On top of that, we sent them one email and they did everything they could to clean up whatever remnants of unnecessary files still lived on the server.
Read more about FlyWheel Now.
Put Cloudflare in Front of Your Site
Cloudflare helps make your WordPress website load faster. Period.
In addition, Cloudflare acts as a reverse proxy between your visitors and your hosting account: requests hit Cloudflare's edge first, and your origin server's address is no longer what visitors (or attackers) talk to directly.
Its CDN caches your static assets close to your visitors, so pages load faster. Its firewall rules can challenge or rate-limit repeated attempts against your WordPress login, it shows you stats on bad traffic, and it minifies and compresses the files that end up in your visitors' browsers.
Cloudflare is also very good at absorbing DDoS attacks (which you may not need just yet). It provides security options, traffic analysis, and the ability to block traffic from bots and specific geographies. One caveat: it only protects traffic that goes through it. If your origin IP address leaks (through old DNS records, mail headers, or a subdomain that bypasses Cloudflare), attackers can hit the server directly, so ask your host to allow web traffic only from Cloudflare's published IP ranges.
Move the Login Screen
Most WordPress backend logins look something like this: http://yoursite.com/wp-admin/ (which redirects to wp-login.php), and hackers know that.
As long as you leave this default in place, you are a sitting duck for automated password-guessing bots. Using a simple plugin like WPS Hide Login, you can rename the URL used for admin login (make sure you bookmark the new URL or remember it). Treat this as a speed bump rather than a defence: it hides the form from dumb bots, but it does nothing against password guessing through xmlrpc.php, so it only helps alongside strong, unique passwords and some form of rate limiting.
After you activate the plugin, change the URL to something like
Change the database prefix
Note: Changing the database prefix on a live site is not recommended. Every table has to be renamed, and the rows that embed the prefix in their values (the user_roles row in the options table and the capabilities and user_level keys in usermeta) have to be updated to match, or the site breaks and every user loses their roles. If you still have to, take a full backup first and get professional help to work on your database.
Normally, when you install WordPress, every table name begins with the prefix wp_ (wp_posts, wp_users, wp_options, and so on).
Again, everyone knows that, and automated SQL injection attacks hard-code those table names. A custom prefix does not fix an injection flaw; it only makes canned payloads miss, so treat it as a minor hardening step, not a fix. Ideally, choose a different prefix before (or while) installing WordPress, when it is a single setting ($table_prefix in wp-config.php). Here's a great explanation by Jef Starr on how to do just that.
Get SSL
SSL looks good on your site whether or not you do eCommerce, and it does real work: without it, every login to wp-admin sends the password in plaintext across the network. Google counts HTTPS as a ranking signal, and users read the padlock as a sign of trust, so you get a little SEO boost as well. Once the certificate is in place, switch the site URL to https and redirect all HTTP requests to HTTPS, or the login form can still be submitted over plain HTTP.
Morgan Ryan of FlyWheel has a simple explanation for why you need SSL for your WordPress site.
Our hosting already provides SSL for free. We had to upgrade, and it was a no-brainer for us. While it might not single-handedly keep harm away, it's at least one more layer of security.
Draw up a Schedule for WordPress Maintenance
WordPress isn't "set it and forget it". The responsibility is on us. We learned the hard way, but we now realize the importance of drawing up a schedule for WordPress maintenance.
Managed WordPress hosts like Flywheel and WPEngine already do some of this work (core updates, backups, malware scanning). If you are on shared hosting, you are on your own.
Create a schedule for the following:
- WordPress core updates
- Theme and plugin updates
- Daily backups (or at least regularly scheduled backups), stored somewhere other than the web server itself, so a compromise or a wiped account doesn't take the backups with it
- Security scans and checks, including a check for files that were added or changed since the site was last known to be clean
- Deleting any files you don't use
- Content upkeep and maintenance (deleting unused images, etc)
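The "security scans and checks" item is the one most people skip because they don't know what to look for. A cheap, effective version is a file-integrity check: hash every file while the site is known to be clean, keep that baseline somewhere the web server cannot write to, and re-run it on your schedule so new, changed or deleted files show up as a short list instead of being reported by a visitor. The script below is an added example, not code from the original post, Flywheel, or WordPress; it also flags PHP files under wp-content/uploads, a directory that should only ever hold media. The directory tree and the "compromise" in the demo are constructed.

```python
"""Baseline-and-diff file integrity check for a WordPress install.

Hash every file once when the site is known-clean, store the result off the
server, and re-run on a schedule. Also flags server-side code under
wp-content/uploads, which should only contain media. Added example code,
not part of WordPress or of any host's tooling.
"""
import hashlib
import json
import os
import tempfile

VOLATILE_DIRS = {"cache"}  # e.g. wp-content/cache changes constantly; skip it
EXECUTABLE_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


def hash_tree(root: str) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune volatile directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(d for d in dirnames if d not in VOLATILE_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two hash_tree() results and list what appeared, vanished or changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def php_in_uploads(digests: dict) -> list:
    """Server-side code in the media directory is a classic dropper location."""
    return sorted(p for p in digests
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(EXECUTABLE_EXT))


def _write(root: str, rel: str, body: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo() -> dict:
    """Constructed site tree: take a baseline, simulate a compromise, re-scan."""
    root = tempfile.mkdtemp()
    _write(root, "wp-config.php", "<?php define('DB_NAME', 'wordpress');\n")
    _write(root, "wp-content/themes/twentyseventeen/functions.php", "<?php // theme functions\n")
    _write(root, "wp-content/uploads/2017/05/photo.jpg", "constructed image bytes\n")
    _write(root, "wp-content/cache/page.html", "<html>cached</html>\n")

    # Baseline taken while clean. In real use, store this JSON off the web server.
    baseline_json = json.dumps(hash_tree(root), indent=1)

    # Constructed "compromise": one theme file edited, one PHP file dropped into uploads.
    _write(root, "wp-content/themes/twentyseventeen/functions.php",
           "<?php // theme functions\n// line added after the baseline\n")
    _write(root, "wp-content/uploads/2017/05/photo.jpg.php", "<?php // should never exist here\n")
    _write(root, "wp-content/cache/page.html", "<html>cache changed, ignored</html>\n")

    current = hash_tree(root)
    report = diff_baseline(json.loads(baseline_json), current)
    report["php_in_uploads"] = php_in_uploads(current)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run `hash_tree()` against the WordPress root right after a clean install or a verified cleanup and save the JSON somewhere outside the document root. On every maintenance pass, re-hash and diff: expected changes (core and plugin updates you just applied) are easy to recognize, and anything else, especially a "modified" theme file you didn't touch or any PHP under uploads, is where your investigation starts.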
If you don't, you'll eventually pay the price. Thankfully, we've covered ourselves against most of the points above, and we still aren't perfect.
We are still prone to mistakes. Our website isn’t really secure yet. We don’t know what’s coming next.
That’s why it pays to care for your WordPress website.
How well do you maintain your WordPress site?