3 Steps to Ensure Your WordPress Site is Secure
The Importance of Website Security
When you hear the term “WordPress security”, you might think of encrypting databases, taking action to password protect a WordPress site, or another way to “harden”, or secure, a networked system or site. Thankfully, a lot of the heavy lifting is already done for you by the creators of WordPress. If you have doubts about their dedication to security, take time to review the changelog showing the effort the team has put in to help keep your site secure.
However, the WordPress team can only do so much. Each site is different, so I need to know how to make my own WordPress site secure if I want visitors and customers to come back. We will go over the top three security concerns that webmasters leave unaddressed, as well as exactly how to fix them.
How to Make a Website Secure
Here are the top three action items you can complete today to make sure you have a safe website, for both you and your visitors!
Ensuring WordPress SSL is Enabled
Secure Sockets Layer (SSL) is a protocol that most websites use. It essentially ensures that information sent to and from your WordPress site is encrypted. This prevents “man in the middle” attacks, in which someone on your WiFi network monitors your traffic and can tell what data is going out and coming in. While the importance of this can vary dramatically depending on the nature of your site, one thing is for sure: not using SSL can give your blog an unprofessional appearance and make visitors question whether it’s safe to use.
The test to see whether your blog has SSL enabled is quite simple. Just open a new browser window; we’ll use Chrome for demonstration purposes. Then, navigate to your blog’s main page. Look for the “lock” icon in the URL bar, to the left of the site’s URL as in the picture.
As you can see, I knew how to make my WordPress site secure, at least in terms of ensuring it was SSL-compliant. Let’s also take a look at an example in Chrome where the site is not secure. We have blurred out the URL, but it is one of the servers we use to concoct sequences of clever ideas:
So, why does my website say “Not Secure” in that red box? It’s because SSL is not enabled. This is fairly rare these days. However, if you have this situation, contact your host immediately. Almost every host provides an SSL certificate for free with a paid plan. If your host isn’t responding or is trying to gouge you for something that is necessary for any modern website, you can look at different options to host your content.
There are several ways I could do this manually to demonstrate how to make my WordPress site secure in this scenario. However, the process is generally time-consuming and requires the administrator to own a certificate issued by an “authority” before they can begin. Since different methods will work or not work depending on the hosting provider, our recommendation to resolve this issue remains the same: get your host to do it. Remember, you are paying them to host a website in the modern era, where this is essentially required!
Tip: This simple tool will help you find out which items on your website are affecting its security. It will literally point them out.
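The browser lock-icon check can also be scripted so it runs on a schedule. The following is an added example, not code from the original article: it verifies that the certificate is trusted, reports how many days remain before it expires, and checks that plain http:// redirects to https://. The 14-day warning threshold and the function names are assumptions; pass your own domain as the first argument.

```python
import socket
import ssl
import sys
import time
import urllib.request

def days_left(not_after, now=None):
    """Days until a certificate's notAfter date (string format of getpeercert)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def check_site(host, timeout=10):
    """Probe `host` over the network; returns a dict consumed by verdict()."""
    result = {"valid_cert": False, "days_left": None, "http_redirects": False}
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["days_left"] = days_left(tls.getpeercert()["notAfter"])
        result["valid_cert"] = True
    except OSError:  # includes ssl.SSLError and certificate failures
        return result
    try:  # a visitor typing the bare domain should land on https://
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            result["http_redirects"] = resp.geturl().startswith("https://")
    except OSError:
        pass
    return result

def verdict(result, warn_days=14):
    """Turn a check_site() result into one line for a report or alert."""
    if not result["valid_cert"]:
        return "FAIL: no trusted certificate, ask your host to enable SSL"
    if result["days_left"] < warn_days:
        return f"WARN: certificate expires in {result['days_left']} days"
    if not result["http_redirects"]:
        return "WARN: http:// does not redirect to https://"
    return "OK: trusted certificate and HTTP redirects to HTTPS"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(verdict(check_site(sys.argv[1])))
    else:  # constructed results, so the script also runs offline
        print(verdict({"valid_cert": True, "days_left": 60, "http_redirects": True}))
        print(verdict({"valid_cert": False, "days_left": None, "http_redirects": False}))
```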
Do a Review of Pages
While giving your WordPress site HTTPS status (SSL) should be the first thing you do, the second thing I would do in my quest to learn how to make my WordPress site secure is take a look at all of my pages. First, I would access the Dashboard as the administrator. Next, I would click on “Pages” in the left-hand column, as shown below:
You should make sure that any Page meant for internal use is either “Private” or “Password Protected”, depending on who specifically requires access to it. So, what’s the secret of how to make my WordPress site secure in this instance?
Let’s take a look at one of the entries on my Pages list:
This is on the CleverSequence Test Server. As you can see, WordPress will clearly mark when a Page or a Post is Private or Password Protected. Look for this when you’re scanning through your entries. If you find something and are questioning whether it should be public or private, chances are that your website is not secure, and the fact that you are wondering about it means it’s very likely it should be Private.
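On a site with many Pages, the same review can be done from an export instead of scrolling the Dashboard list. The following is an added example, not code from the original article: it labels each Page with the visibility WordPress would show and flags public Pages whose titles look internal. The sample data is constructed, and the keyword list INTERNAL_HINTS is a hypothetical starting point to adapt to your own site.

```python
import json

# Constructed sample, in the shape printed by WP-CLI:
#   wp post list --post_type=page --format=json \
#       --fields=ID,post_title,post_status,post_password
SAMPLE = json.loads("""[
  {"ID": 2,  "post_title": "About Us",            "post_status": "publish", "post_password": ""},
  {"ID": 14, "post_title": "Staff Onboarding",    "post_status": "publish", "post_password": ""},
  {"ID": 21, "post_title": "Internal Price List", "post_status": "private", "post_password": ""},
  {"ID": 30, "post_title": "Draft for Review",    "post_status": "publish", "post_password": "cookie123"}
]""")

# Hypothetical keywords that suggest a Page is meant for internal use.
INTERNAL_HINTS = ("internal", "staff", "draft", "test")

def visibility(page):
    """Map the stored fields to the label shown in the Pages list."""
    if page["post_status"] == "private":
        return "Private"
    if page["post_status"] == "publish":
        return "Password Protected" if page["post_password"] else "Public"
    return "Not published"

def audit(pages):
    """Return (id, title, visibility, note) rows; a note marks a Page to re-check."""
    rows = []
    for page in pages:
        vis = visibility(page)
        title = page["post_title"]
        note = ""
        if vis == "Public" and any(h in title.lower() for h in INTERNAL_HINTS):
            note = "looks internal but is public"
        rows.append((page["ID"], title, vis, note))
    return rows

if __name__ == "__main__":
    for page_id, title, vis, note in audit(SAMPLE):
        print(f"{page_id:>4}  {title:<22} {vis:<19} {note}")
```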
Now, I wouldn’t be fully done with showing how to make my WordPress site secure without this final step that is often overlooked, even by people who are pretty experienced with WordPress and cybersecurity!
Carefully Utilize Password Protection
There are plenty of legitimate scenarios that warrant the use of password protection rather than making a Page or Post private. For example, say that you want a colleague to look over something before you publish it. You could make the password something simple, like the most commonly used one, “cookie123”. You could even make it blank, or just make it “password”.
Depending on how sensitive the contents of the Page or Post in question are, it may not matter in terms of keeping a secure website. However, if you don’t want the general public to be able to see it, you should use a pseudo-random password generator. That is tech jargon for “a tool that makes really long passwords that even supercomputers couldn’t guess in the next 100+ years”. It may sound like overkill, but I wouldn’t be showing how to make my WordPress site secure if I didn’t go over this!
Note that the password is technically generated on your machine, so it will not even be shared with the site administrator! Here’s an example of a password I generated for the purposes of showing how to make my WordPress site secure (and its Pages, of course):
Remember, you’ll need to click that “Generate Password” button, and then copy and paste your new password. The “Remember your password” field is automatically generated. It allegedly helps you remember the password, although I don’t know of a single person who would be able to remember this one!
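If you would rather generate the password yourself than rely on a web tool, the operating system's cryptographic random source does the same job locally. The following is an added example, not code from the original article: it generates a Page password, estimates how long exhaustive guessing would take, and rejects the weak choices mentioned above. The 20-character length, the 80-bit threshold and the guessing rate of 10^12 per second are assumptions.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
WEAK = {"", "password", "cookie123"}  # the weak choices named in the article

def generate_password(length=20):
    """Draw from the OS CSPRNG until upper, lower, digit and symbol all appear."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy, exact only for uniformly random passwords."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def is_weak(password, min_bits=80):
    """Weak if it is a known-common choice or too short to reach min_bits.
    The length bound is generous to human-chosen passwords, so treat a
    passing result as meaningful only for generated ones."""
    return password.lower() in WEAK or entropy_bits(len(password)) < min_bits

if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw))
    print(f"{pw}  (~{bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years to exhaust)")
    for candidate in ("cookie123", "password", ""):
        print(f"{candidate!r:>12} weak: {is_weak(candidate)}")
```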
If you want to go deeper into the technical details, check out our article on how to protect your WordPress site from getting hacked.
Finally, let’s review the steps I took to demonstrate how to make my WordPress site secure:
- Know the factors involved in WordPress site security.
- Verify that my WordPress site uses SSL.
- If it doesn’t use SSL, contact my host and request it ASAP.
- Do a full review of my Pages and Posts to ensure that the correct ones are set to “Private” or “Password Protected”.
- For Pages or Posts that must be Password Protected, use a secure password generator rather than something I thought of.
In short, there isn’t much to ensuring I know how to make my WordPress site secure! I simply need to remain vigilant of threats, keep my SSL enabled, protect the correct content, and use secure passwords!