How to make your WordPress site more secure

Filed under:

In my previous post I talked about what to do to fix a hacked site. This post is about things you can do to make your WordPress site more secure so that something like that doesn’t happen again (or ever). The basic things were mentioned in the last post: change your passwords regularly, use strong passwords and always have the most current version of WP. Below are some other things you can do. I’ve started with the easiest options that anyone can do. The ones further down are for more experienced users who know how to use an FTP editor or file manager.

How to make your WordPress site more secure

Install A Security Plugin

I mentioned this in my last post but I’m going to say it again because it’s probably the easiest and fastest way to secure your website. Wordfence is the easiest and best option I’ve found but there are plenty of other good ones to choose from. You can read my previous post for instructions to install and configure Wordfence.

Add 2-Factor Authentication

2-Factor Authentication is a great way to make your WordPress site more secure since it makes it much harder for anyone else but you to be able to log into your WordPress dashboard. Instead of just logging in with a single username and password, you’ll have to do that plus provide additional authentication to access your site. Usually something like receiving an text or email with a passcode.

To enable this, go to Plugins>Add New and search for 2-Factor Authentication (or Two-Factor Authentication). There are a ton of options in the plugin database. For plugins I’m unfamiliar with, I usually start with the one that has the best rating and most installs. If you hate it you can always delete that plugin and try another.

Don’t Forget to Update Your Plugins and Themes

Security vulnerabilities can be just as much of an issue with plugins and themes so they need to be kept up to date, too. WordPress makes updating super simple. Go to Dashboard>Updates and you’ll see a list of plugins and themes that need to be updated.

If you have old themes that you aren’t using anymore, delete them. To do this go to Appearance>Themes. Click on the theme. In the bottom right you’ll see a link to delete the old theme.

Backup, Backup…and Backup Again

Updraft Plus

You are backing up your website regularly…right? If not, you need to be. I’ve seen hacks that completely decimate websites and in those cases, the only way to restore the site was from a previous backup. Your website is very important to you and I’m sure you wouldn’t want to lose it, so backup early and often!

Most web hosts have a backup option in your control panel but there are plenty of options to backup your site right in your WP dashboard. My preferred plugin is Updraft Plus. It’s easy to use and you can configure it to send your backups to any number of storage options like google, dropbox, FTP, etc.

Make sure to always keep a backup of your files and database (especially your database, it stores all of your posts, comments, pages, etc.) on your computer, a separate hard drive, cloud storage, etc. It does you no good to have backups saved on your server if that server becomes inaccessible.

Read the Rest »

Fix a hacked website and prevent it from happening again

Filed under:

A client emailed me because her browser had notified her that her blog had been marked as suspicious by Google and she didn’t know how or why that had happened. Further checking revealed that google had found malicious software being downloaded and installed without user consent. Her WordPress site had been hacked and the hacker had added malicious code to her templates. My client had no clue how to fix a hacked website. Luckily, she had me to ask, but not everyone has a trusted designer or tech support that they can email with these problems.

So to help others, I’m writing a list of the steps I take to fix a hacked website. Some of these steps are a bit advanced. You’ll need to know how to use FTP or the File Manager in your host’s cPanel. If that’s a bit too confusing for you Swank is always available to help!

How to fix a hacked website and prevent it from happening again


First things first, change your passwords FOR EVERYTHING. You’ll absolutely want to change your blog password and your FTP/control panel passwords (if they aren’t the same). But if you use the same or similar password for your email or anywhere else, you are going to want to change them as well. Even if you’ve never been hacked, it’s good practice to change your passwords regularly, at the very least yearly.

In my client’s case, the hacker was able to guess her password, which was a very simple name. DON’T DO THIS! Make your passwords as secure as possible and try not to use the same password for everything:

  • Use a combination of letters and numbers as well as lowercase and uppercase and possibly even some symbols
  • Try not to use recognizable names or dates/numbers
  • 8-10 characters is a good length (though the longer the better)

Here’s a password trick I learned a while back that has been invaluable to me. It’s a way to make every password for every site you visit different, but also something that you can remember. First think of a good base using the rules I mentioned above, like: Xd5ye8*K

It may be hard to remember at first, but you are going to be typing it over and over so you should have no problem memorizing it eventually. Next, you’re going to add an identifier of the site your password is for, so you need to come up with a system. Examples of this could be the first four letters of the site name or the first two and last two. It doesn’t really matter how you want to do it, just come up with a rule that can be applied to all sites. Once you’ve done that add the letters to front or back of the base password you already came up with.

So for twitter, you password would be: twitXd5ye8*K. For gmail it would be gmaiXd5ye8*K. For facebook, faceXd5ye8*K, and so on.

Read the Rest »

How to add Related Posts to your WordPress blog

Filed under:

Adding related posts to your WordPress blog is a great way to help your readers find more posts on your site that interest them. And in business terms that leads to more engagement and pageviews for your blog. Plus, adding links to other posts on your site is a great SEO practice.

There are several plugins that can add this feature for you, but the more plugins you have installed the slower your blog will be. So I always try to avoid unnecessary plugins if I can. Also, many of the plugin options are very basic and give you very little control over things like styling or where the list appears in your theme or even how they even figured out what was “related”.

Below I will show you how to add related posts by category, tag, or any other custom taxonomy. I’ll preface this by saying you should probably have some very basic knowledge about how to edit a theme in WordPress, but for the most part, you can copy the code directly and paste it into your templates. That’s it. For people that want to go further I’ll point out things that you can customize to your liking.

How to Add Related Posts to your WordPress blog

Read the Rest »

Web 101: Full vs Partial Feeds

Filed under:

Over at the Blog Herald, there’s a great article on why people shouldn’t be using partial feeds. The author makes a lot of good points, essentially boiling it down to the fact that there are no benefits to using a partial feed. It doesn’t deter sploggers from stealing your content and it doesn’t bring extra traffic to your site; you are basically just frustrating your regular readers and alienating new ones. Read the full article for more.

What I find funny is his rationalizing of why it’s okay for some blogs (*ahem* the one he’s writing on) to use partial feeds. The only instance in which I think it’s okay to offer a partial feed is if you offer a full feed as well. I have seen several blogs that offered a full feed with ads and a partial feed without ads. I have no problem with that, it even kind of makes sense. Although, I can’t imagine there are an overwhelming number of people that hate ads so much they would put up with the frustration of a partial feed. But different strokes, right?

You should respect your readers enough to let them choose how they want to view your site. Offering just a partial feed takes that choice away and more often than not, they won’t bother reading at all.