Keeping Your WordPress Membership Site Secure
Does your WordPress membership site have sufficient security measures in place?
Many membership site owners live in fear of their website being attacked, and for good reason …
If someone manages to hack into your WordPress website, install something nasty or delete or steal your data, it could cripple your membership business.
That's why it's so important to be extra vigilant and make sure you take adequate steps to keep your site secure.
Does WordPress have security problems?
WordPress powers more than 35% of all websites in the world.
That’s over 455 million sites, including ours here at The Membership Guys.
It's a fantastic platform to use to build your membership site, but due to its popularity it can also be a target for hackers and malicious attacks.
That doesn't mean it's a less secure tool or platform than others; it just means you hear about problems a lot more because it's so popular.
On the flip side, that popularity means the WordPress community has very good support systems to keep its sites secure, with a huge network of developers updating and improving it all the time.
These developers are quick to respond to issues, and there are also a wide variety of plugins and services available to increase your site’s security.
But much of keeping your WordPress site secure comes down to you and how you use it.
So, here are eight different steps to take to proactively secure your WordPress membership site:
1. Keep your WordPress core, plugins, and themes updated
Ensuring the plugins and themes on your WordPress site are up to date will give you the best chance of avoiding an attack on your membership site.
WordPress can now update your plugins and themes automatically, or you can do it manually, or you can pay for a service that does it for you.
We highly recommend ManageWP. This automatically manages updates of your WordPress core, plugins, and themes, so you don’t have to remember to update each part individually.
Security services like ManageWP can also perform backups, scan for security vulnerabilities, and are particularly helpful if you’re managing more than one WordPress membership site.
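The built-in updater can be switched on without a third-party service. The following is an added example written for this article, not code from The Membership Guys or from ManageWP: it assumes a must-use plugin file dropped into wp-content/mu-plugins/, uses the real WordPress hooks `allow_major_auto_core_updates`, `auto_update_plugin` and `auto_update_theme`, and emails a daily digest of anything the updater has detected but not yet applied. The `tmg_` function names and the cron hook name are placeholders chosen for the example.

```php
<?php
/**
 * Example mu-plugin (wp-content/mu-plugins/auto-updates.php): turn on
 * automatic updates for core, plugins and themes, and email a daily digest
 * of anything still pending. The tmg_ names are placeholders for this example.
 */

// Core: WordPress auto-installs minor/security releases by default; this also
// opts in to major releases.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes: let the built-in updater apply every available update.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Collect updates WordPress has detected but not yet applied (for example a
// plugin whose automatic update failed, or one not hosted on wordpress.org).
function tmg_pending_updates() {
    $pending = [];

    // Plugin entries in this transient are objects.
    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $pending[] = sprintf( 'Plugin %s -> %s', $file, $info->new_version );
        }
    }

    // Theme entries are arrays.
    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $pending[] = sprintf( 'Theme %s -> %s', $slug, $info['new_version'] );
        }
    }

    // Core offers carry a response of 'upgrade' when a newer version exists.
    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates ) ) {
        foreach ( $core->updates as $offer ) {
            if ( 'upgrade' === $offer->response ) {
                $pending[] = sprintf( 'Core -> %s', $offer->current );
            }
        }
    }

    return $pending;
}

// Email the site admin once a day if anything is still waiting.
function tmg_send_update_digest() {
    $pending = tmg_pending_updates();
    if ( empty( $pending ) ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d update(s) pending', get_bloginfo( 'name' ), count( $pending ) ),
        implode( "\n", $pending )
    );
}

// Schedule the digest with WP-Cron; 'daily' is a built-in interval.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'tmg_update_digest' ) ) {
        wp_schedule_event( time(), 'daily', 'tmg_update_digest' );
    }
} );
add_action( 'tmg_update_digest', 'tmg_send_update_digest' );
```

The digest reads the same update transients the dashboard uses, so it only reflects what WordPress has already checked for; on a low-traffic site where WP-Cron rarely fires, it is worth triggering wp-cron.php from a real system cron job so that both the check and the digest run on schedule.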
2. Use a security plugin
Security plugins will put several safeguards in place on your site.
They also alert you to any suspicious activity on your website, such as failed login attempts or altered files.
Our favorite security plugins are Sucuri and Wordfence. These also come with the paid option of using a firewall.
This is more complex and takes longer to set up but provides that extra layer of protection that blocks malicious bots, scripts, and more before they reach your website.
3. Ensure your hosting company uses security measures
Speak to your web hosting company about what security measures they have in place.
Some hosts will have security tools active, but they’re usually not very comprehensive.
You’re likely to get more security functions through a virtual private server, a dedicated server, or by using a managed service like WP Engine.
We use Liquid Web for our VPS. This service includes a firewall, brute force protection, and other layers of security, such as “ModSecurity.”
These functions pick up on security threats and take further preventative action, such as blocking IP addresses, to make sure your site stays secure.
4. Regularly back up your membership site
Being able to reset your website to an earlier version can be a lifesaver if you ever need it, so make sure you take regular backups of your membership site.
If you do get hacked or something malicious is installed, this will give you the option to restore your site to a version before the incursion happened.
Check with your hosting company as they should have an option for taking regular backups automatically.
Services like ManageWP and plugins like BackupBuddy also provide backup services that let you back up your site to a remote location, like Dropbox or Amazon S3.
5. Practice good password protection
It seems obvious to say, but make sure you're using strong, unique passwords, and don't use the same username and password combination that you use on every other website.
Consider using a password manager like LastPass.
A password manager generates very secure passwords and stores them for you, so you don’t have to worry about remembering them.
Ideally, you should also use two-factor authentication.
This is where you enter an initial password, then a code gets sent to your phone, which you have to enter to prove that you’re the person logging in and not an intruder.
It might sound like a hassle to do this, but anyone who’s had their membership site hacked will know that it’s a vital step to keeping your site as secure as possible.
6. Be careful who you give admin access to
Anyone who has access to your site should also practice good password protection and be using two-factor authentication.
But you should carefully consider who you allow to access your site and what changes you allow them to make.
It’s not just about trusting them…
While it's very unlikely that one of your team is going to go rogue and mess stuff up, if their account is hacked then that could spell trouble.
If there are any admin accounts that no longer need access to your site, remove them.
You could even consider using a role management plugin so that you have more advanced control over what your team can and can’t do in the admin section of your site.
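Much of this can be done with WordPress's own role and capability system rather than a plugin. The following is an added example written for this article, not code from The Membership Guys: it assumes a must-use plugin in wp-content/mu-plugins/, uses the real `add_role`, `get_role`, `get_users` and `wp_login` APIs and the documented `DISALLOW_FILE_EDIT` constant, and flags administrator accounts that have not logged in for 90 days. The role slug `content_manager`, the `tmg_` function names and the `tmg_last_login` user-meta key are placeholders chosen for the example.

```php
<?php
/**
 * Example mu-plugin (wp-content/mu-plugins/team-access.php): give the team a
 * limited role instead of Administrator, block dashboard file editing, and
 * surface admin accounts that have gone quiet. tmg_ names are placeholders.
 */

// A hijacked admin session can otherwise write PHP into a theme or plugin
// file straight from the dashboard. Conventionally set in wp-config.php;
// defining it here works because mu-plugins load before the editor screens.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Create a "Content Manager" role: everything an Editor can do, plus viewing
// the user list, but no plugin/theme installation and no settings access.
add_action( 'init', function () {
    if ( get_role( 'content_manager' ) ) {
        return; // roles persist in the database, so create it only once
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : [];
    $caps['list_users'] = true; // deliberately NOT edit_users or promote_users
    add_role( 'content_manager', 'Content Manager', $caps );
} );

// Record each successful login so stale accounts can be found later.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'tmg_last_login', time() );
}, 10, 2 );

// Administrators with no login in the last $days (or none at all since this
// tracking started) are candidates for removal or a downgrade in role.
function tmg_stale_administrators( $days = 90 ) {
    $cutoff = time() - $days * DAY_IN_SECONDS;
    $stale  = [];
    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        $last = (int) get_user_meta( $user->ID, 'tmg_last_login', true ); // 0 if never seen
        if ( $last < $cutoff ) {
            $stale[] = $user->user_login;
        }
    }
    return $stale;
}

// Show the result as a dashboard notice to whoever can manage the site.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $stale = tmg_stale_administrators();
    if ( $stale ) {
        printf(
            '<div class="notice notice-warning"><p>Administrator accounts with no login in 90 days: %s</p></div>',
            esc_html( implode( ', ', $stale ) )
        );
    }
} );
```

Because login tracking only begins once the file is installed, every administrator is flagged for the first 90 days unless they sign in; treat the first report as a prompt to confirm which accounts are still needed rather than as proof of abandonment.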
7. Be sensible with plugins
Try to limit how many plugins you use and remove the ones that you don’t need.
Having more plugins doesn’t necessarily make your site more vulnerable to security issues.
However, the more plugins you have, the more you have to update. There’s also a greater risk of one being poorly coded.
Outdated or poorly coded plugins can leave your membership site open to attacks.
Another thing to be wary of is websites selling knock-off versions of premium plugins for a much lower price.
At worst, the versions they're selling may have added malicious code, and at best, they won’t include the original developer’s security updates necessary to protect your site.
It's important to make sure you research any new plugins and only download them from their original developer.
8. Beware of letting members upload content to your site
If your membership site allows members to upload files or add content to your website, you’re opening a pathway into your membership site that they could exploit.
Members could upload a malicious file that could do anything … from exposing your database, to deleting your entire membership site.
If this is a functionality that you want to provide, then there are plugins that you can use to safeguard your site against any unwanted activity.
Plugins like Gravity Forms for example, will perform security checks on any user uploads via the forms you create.
Community plugins like bbPress and BuddyPress will make sure any user content is screened too.
This emphasises the importance of using trusted, established plugins, especially if you're allowing members to add content.
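Whatever plugin handles the form, uploads that go through WordPress's media functions can be tightened at the WordPress level too. The following is an added example written for this article, not code from The Membership Guys, Gravity Forms, bbPress or BuddyPress: it assumes a must-use plugin in wp-content/mu-plugins/ and uses the real `upload_mimes` and `wp_handle_upload_prefilter` filters and the `wp_check_filetype_and_ext` function to restrict what non-administrator users can upload. The `tmg_` function name and the 5 MB limit are choices made for the example.

```php
<?php
/**
 * Example mu-plugin (wp-content/mu-plugins/member-uploads.php): tighten what
 * non-admin users can upload through the WordPress media functions.
 * tmg_ names are placeholders for this example.
 */

// Allow members only a short list of image and document types. Administrators
// keep WordPress's default list so normal site management is unaffected.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $mimes;
    }
    return [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    ];
} );

// Extra checks before WordPress moves the file into wp-content/uploads.
// Setting $file['error'] to a message makes WordPress reject the upload.
function tmg_check_member_upload( $file ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $file;
    }

    // Cap the size; a member has no reason to upload a multi-gigabyte file.
    if ( $file['size'] > 5 * MB_IN_BYTES ) {
        $file['error'] = 'Uploads are limited to 5 MB.';
        return $file;
    }

    // Reject names carrying more than one extension (e.g. "photo.php.jpg"),
    // which some web-server configurations hand to the PHP interpreter.
    // "my.photo.jpg" is rejected too; the message tells the member why.
    if ( preg_match( '/\.[^.\/]+\.[^.\/]+$/', $file['name'] ) ) {
        $file['error'] = 'File names may contain only one extension.';
        return $file;
    }

    // Let WordPress compare the declared extension with the file contents and
    // the allowed list above; an empty result means the type is not permitted
    // or the name and the contents disagree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'This file type is not allowed.';
        return $file;
    }

    // WordPress may suggest a corrected name when an image's real format
    // differs from its extension; adopt it.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'tmg_check_member_upload' );
```

These filters only govern uploads that pass through WordPress's own upload handling; a form or community plugin that stores files by its own route needs its own settings, which is one more reason to stick with established plugins. Pair this with a web-server rule that refuses to execute .php files anywhere under wp-content/uploads, so that even a file that slips past the checks is served as a download rather than run.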
What to do if the worst happens …
There’s always a chance that you can do everything right, and still something will slip through the net.
If your membership site does get hacked or compromised in any way, there are services that can help, even if you don't have a web developer.
Sucuri created one of the most popular WordPress security plugins, and they also offer a service for fixing any hacking or website compromise issues.
There are also services from WP Fix It and FixRunner who are reliable, reputable, and affordable.
Hopefully, by following these tips and staying vigilant and mindful of your website security, you won't find yourself in a situation where you'll need to use these kinds of services.