As part of our ongoing improvements to the system, we are removing the reCAPTCHA v1 service from our WordPress installations.
This was set up in 2013 and the security world has moved on from simple “Are you a human?” responses. As WordPress has become more popular, it’s more likely that hackers will write scripts specifically to attack WordPress sites.
If you’re wondering how secure your WordPress site will be, don’t worry – there are very simple things you can do to make sure everything runs smoothly.
Keep WordPress up to date
This is the most obvious one, and, yet, it’s the one everyone forgets to do. But now’s your chance. Stop reading this and go update your site.
Update your plug-ins too.
That was easy, wasn’t it?
Make sure your passwords are strong
This is another obvious one, but it’s also the one everyone falls down on. And it’s not a matter of adding in all the characters and numbers – it’s about having unique passwords for each site. That means no longer having the same email address/password combination for Netflix/Steam/WordPress/Google/DropBox/that tiny little forum you still hang out at.
And once you’ve sorted out your passwords, you can make logging in an even more secure process by adding two-factor authentication. Try miniOrange’s Google Authenticator.
Clean up your users
Have people left your company? Did you get guest authors in? How many users do you have on your WordPress installation? And what are their permissions?
This might not seem like a big deal, but the recent ICO ruling against Carphone Warehouse found that their £400,000 data breach was the result of someone using a valid WordPress login on an outdated site.
So what do you do with these unwanted users? If they haven’t posted anything, delete them. There’s no reason to keep them around and they’re just a risk.
If they have posted something, and you’d like to keep them as an author, you can set their role to “No role for this installation”. This means that they can still try to log in, but once they’re logged in they can’t do anything else, and they can’t access the Admin screen.
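The clean-up rule above can be turned into a repeatable audit. This is an added example, not code from the original article or from WordPress: the export field names (`login`, `role`, `post_count`), the sample users and the staff list are all constructed assumptions.

```python
import json

# Constructed sample export; field names are assumptions, not a WordPress format.
SAMPLE_USERS = json.loads("""
[
  {"login": "alice",   "role": "administrator", "post_count": 12},
  {"login": "bob",     "role": "editor",        "post_count": 0},
  {"login": "guest01", "role": "author",        "post_count": 3},
  {"login": "carol",   "role": "administrator", "post_count": 0},
  {"login": "dave",    "role": "",              "post_count": 7}
]
""")

# Constructed list of people who should still have access.
CURRENT_STAFF = {"alice"}

# Built-in WordPress roles, most privileged first.
ROLE_RANK = ["administrator", "editor", "author", "contributor", "subscriber"]


def plan_cleanup(users, current_staff):
    """Map each login to an action: no posts -> delete, posts -> strip the role."""
    plan = {}
    for user in users:
        login = user["login"]
        if login in current_staff:
            plan[login] = "keep"
        elif user["post_count"] == 0:
            plan[login] = "delete"
        elif user["role"]:
            plan[login] = "set role to none"
        else:
            plan[login] = "already no role"  # posts stay attributed, nothing to do
    return plan


def review_order(users, plan):
    """Logins that still need action, most privileged role first."""
    pending = [u for u in users if plan[u["login"]] in ("delete", "set role to none")]
    pending.sort(key=lambda u: ROLE_RANK.index(u["role"])
                 if u["role"] in ROLE_RANK else len(ROLE_RANK))
    return [u["login"] for u in pending]


if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE_USERS, CURRENT_STAFF)
    for login in review_order(SAMPLE_USERS, plan):
        print(f"{login}: {plan[login]}")
```

Handling the most privileged leftover accounts first means stale administrator logins are dealt with before lower-risk ones.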
Get a good plug-in
There are hundreds of security-related plug-ins available, containing everything under the sun, from firewalls and brute force testers to two-factor authentication and anti-spam measures. Luckily, most of them are free or have trial versions, so you can test them and see which works best for you. You can also judge the plug-ins by the number of downloads and the ratings.
We recommend Sucuri Security. It’s free and it’s a good addition to your overall security efforts.
And don’t forget that Jetpack comes with a lot of security features, and it’s automatically installed on your installation of WordPress.
You should also double-check all your existing plug-ins to make sure they’re still regularly maintained and kept secure. Just recently, thousands of sites, including the NHS and ICO, were turned into cryptominers by one third-party script that had been hijacked.
Back up regularly
Of course, no matter how much we lock everything down, no matter how many plug-ins or security measures we’ve taken, we can still get hacked.
This is where regular backups come in. Even if you do get hacked, you can just revert to a previous version with a minimum of data loss.
You can use the backup feature in the eXtend Control Panel to take a backup of your entire site, but you’ll need to remember to take those backups, as well as remembering to back up the database separately.
Jetpack also has a backup feature, which you can set to do a daily backup.
Use a website security package
All these tips are helpful, but they might not be enough to stop a determined hacker. That’s why you should use a tool like Website Security from Heart Internet.
It scans for and removes malware, and the Deluxe and Ultimate packages include a firewall, which makes your site even more secure.
Because Website Security is powered by Sucuri, you get the peace of mind that comes with being protected by industry-leading security experts.