This “Fan Question Friday,” reader Andy Stewart from the UK asks the following…
“What are some tips for maintaining site security, preventing hackers, and how can I back up my WordPress blog?”
Great question Andy!
It only takes ONE time to ruin your blog.
You probably don’t think about hackers like Neo cracking the vault to your blog on any given day, but the truth is there are SEVERAL different ways your WordPress site can be brought down in flames.
And it only takes one crash/hack with NO backup to make you curse Pat Flynn and the other blogging gods.
You don’t want to be that blogger.
The good news? You can put your mind at ease (and for free) with a few plugins and tools that bump up your site security and back up your site regularly.
This post will guide you through my simple recommendations for each category and provide some general tips for protecting your site along the way.
Come at me, Neo.
6 site security tips to learn how to backup your WordPress site:
Important note: You do NOT have to implement all of these ideas and install ALL these plugins.
For one, having more than 15ish plugins in total can actually affect site speed, which is bad news!
Second, depending on the size of your site (both in traffic and in database storage), you really don’t need to go 1,048% ALL-OUT to protect your site. Keep it simple with backups and one or two additional security methods.
1 – Backup your site
Before we talk about tools…you should know this:
Keeping occasional backups is the SINGLE BEST TIP for site security on your blog.
Regular backups are your get out of jail free cards, and they can be useful for several reasons:
- Somebody hacks your site? Get control first, then install a backup.
- Site crashes because of a silly host? Install a backup.
- Content gets deleted because you did something stupid? Install a backup.
There is absolutely no excuse for not regularly backing up your site.
This includes money and time! There are most certainly free tools to automatically backup your site, and they literally take a few minutes of your time.
That said, let’s talk tools:
Updraftplus WordPress plugin (FREE to $70 lifetime)
Updraft is what I use, and it is probably the most widely used backup plugin…for good reason: It has an awesome free version!
You can find and install it by searching “updraft” in your WP plugins dashboard, or at the UpdraftPlus website.
Also, even the free version allows you to back up to remote storage sites like Dropbox, Google Drive, etc. This is why they’re awesome.
Here’s a fun gif I made showing how easy it is to start a backup.
The pro version starts at $70 (not a subscription; lifetime access), which is not a terrible deal, especially if you’d like to automate daily backups.
Jetpack WordPress plugin (formerly Vaultpress)($39/year)
Many of you probably already use Jetpack for other stuff on your blog…it’s a huge tool that’s made by the same team that created WordPress.
Jetpack actually bought the Vaultpress plugin, which was one of the huge backup tools alongside.
Pros: Vaultpress is easy to use and effective. Also, the $39 a year is for the full Jetpack Personal plan, meaning there are other cool Jetpack features in addition to just Vaultpress
Cons: I personally hate Jetpack, and there’s no free version.
You can find more info about Jetpack Personal backups here.
(One last note on backup plugins: There are a TON more out there to choose from, but they don’t have the track record of the two above…and they don’t seem to be as cheap with as many features. I looked into about 7 others, and they were ‘meh’)
2 – Keep awesome passwords
You’d think we’d be able to file this under the “well duh!” category…but let’s face it: we hate complicated passwords, and we hate CHANGING passwords constantly, so most of us don’t do it.
So this still makes my list:
Make your passwords effective, and change them every fortnight or so.
Quite frankly, you don’t need to know HOW to do that; what you should do is grab a password manager.
Lastpass is absolutely amazing, and their free version is MORE than enough.
Lastpass is by far the most popular choice for external password managers, for several reasons:
- Seriously, their free version is more than enough
- Even then, premium is $2 / month (lol)
- Lastpass can auto-log-in to websites (so, so sweet)
- It generates super-tough passwords for you (and remembers them so you don’t have to).
Most of you have probably already heard of password managers, so if you’re not using one already, please do so.
It’ll help keep your blog log-in safe, and generally every website you log into on the internet 🙂 🙂
Lastpass baby. (But if you just don’t trust me, 1password and Dashlane also have great track records.)
3 – Use a security plug-in!
Tagline: If you really really want to. Most of the bloggers I know don’t actually use one of these, probably because an attack is actually quite rare (especially if you protect log-ins w/ authentication and awesome passwords).
That, and keeping off-site backups reduces the long-term risk of losing anything (unless I’m missing something).
However, if you’d like extra protection, WordFence is king!
Wordfence is the go-to free recommendation (the premium is roughly $99/year I believe).
It comes with a ton of stuff, BUT for the two-factor authentication…you’ll need to upgrade to premium, which is why I suggest other plugins for that below 🙂
Also, iThemes Security Pro.
So I’ve never used iThemes…but their plugin suite looks awesome.
For a one-time $247 payment, you’d get
- BackupBuddy (also available separately)
- iThemes Security Pro (also available separately)
- A few other cool things.
This could be worth looking at if you’re seeking a backup plugin AND advanced security plugin.
4 – DO limit login attempts
This is another easy “well duh” security tip for WordPress.
Simply put, there are loads of easy plugins for filtering out bots and hackers trying to log-in to your site.
Grab the Google Authenticator plug-in in your WP plugins dashboard. It’s free and awesome.
Another awesome site security tip is to change your login URL.
There are a few plugins that do this, but let’s bring up iThemes again.
It’s part of their advanced security plugin 🙂 🙂
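What a login-attempt limiter does under the hood, as an added example (not from this post or from any of the plugins named above): it counts failed POSTs to the login page per IP address inside a sliding window and flags the address once a threshold is reached. The log lines are constructed, and the 5-failures-in-5-minutes threshold and the rule that a 200 response means a failed login while a 302 means success are assumptions based on default WordPress behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})\b')

def find_lockouts(lines, max_fails=5, window=timedelta(minutes=5),
                  login_path="/wp-login.php"):
    """Return {ip: time at which the failure threshold was first reached}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    locked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, raw_ts, method, path, status = m.groups()
        if method != "POST" or not path.startswith(login_path):
            continue              # only credential submissions count as attempts
        if status != "200":
            recent[ip].clear()    # assumption: a 302 redirect means the login succeeded
            continue
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()    # drop failures that fell out of the window
        if len(attempts) >= max_fails and ip not in locked:
            locked[ip] = ts
    return locked

def _post(ip, hhmmss, status):
    # Builds one constructed log line (documentation IP ranges, not real traffic).
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4021')

SAMPLE_LOG = (
    [_post("203.0.113.7", f"10:00:{s:02d}", 200) for s in range(0, 60, 10)]  # burst
    + [_post("198.51.100.20", "10:01:00", 200),      # typo, typo, then success
       _post("198.51.100.20", "10:01:20", 200),
       _post("198.51.100.20", "10:01:40", 302)]
    + [_post("192.0.2.55", f"10:{m:02d}:00", 200) for m in range(0, 35, 7)]  # slow
    + ['192.0.2.55 - - [12/Mar/2024:10:40:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021']
)

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} (threshold reached at {when:%H:%M:%S})")
```

If you have changed your login URL, pass the new path as login_path; the counting works the same, which is why a lockout rule still matters after the move.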
5 – ALWAYS keep WordPress up to date.
WordPress issues updates every few weeks, and it’s generally a great idea to go ahead and update whenever you see the prompts to update!
There are almost always small security fixes and updates included in each release.
The “prompt” to update is always featured prominently at the top of your WordPress dashboard when you log-in.
(On that note, be sure to keep your plugins updated as well! Take the extra 15 seconds when you see one needs updating….and update it.)
6 – Get SSL like YESTERDAY
It’s not just for protecting sensitive customer data.
It’s about protecting ALL data sent between browsers and servers, making it extremely difficult for hackers to work their way into that connection somewhere.
(The icing on the cake? Google’s SEO algorithms prefer you have SSL as well! And who doesn’t want more traffic??)
You can literally buy a Namecheap SSL starting at $9 a year. That’s affordable folks. (Even if your blog is hosted elsewhere btw).
So that’s how to backup your WordPress site. Now it’s your turn…
What other site security plugins, tips, tricks, etc can you recommend? I’d be curious to hear about them.
Let us know in the comments!
Great resource Pete. Definitely going to check out LastPass. I can’t even explain the number of times Brittany has forgotten her password and it takes us 10-15 mins to log into one of her accounts hahaha. (I am guilty too just not as often)
Oh it’s so clutch. Thanks for sharing Kelan. Appreciate that 🙂
I use the free version of updraft plus after you recommended in a tweet 🙂
Working great for me so far
Right? So great 🙂
Hi Pete, I didn’t even think of backing up my blog (noob right!) until I read your post. Now using the free updraft plugin and all is well. I’d be distraught if I lost all my hard work. In hindsight I can’t believe I didn’t think of it sooner!
More than welcome Paul. Prolly a good idea 🙂
Great Post!! Thanks for sharing Pete
Great post, Pete. I didn’t care about protecting or backing up my site until seeing my short stories are shared for free on someone’s page. I’m using a plugin called Password Protect WordPress to secure my content.
Btw, could you please introduce some methods to track the downloads of a file/e-book? Thanks a lot.
Thanks for your useful tips. Although I’ve changed my WordPress login URL, some people still guess it and try to enter a lot of passwords to access my site. Do you have any solution for this?
Nice reminder, I need to do better at changing passwords. Especially considering how many login attempts happen as seen through the WordFence lockout feature…
haha scary stuff, right?