6 common plugins killing WordPress site speed [and how to fix things]


There are some surprisingly common plugins killing WordPress site speed. They’re used on thousands of WordPress websites, without owners realising their speed is being reduced.

Is your website’s speed being needlessly slowed down? Fear not! We share which plugins are causing problems and show how to keep the same WordPress functionality whilst dramatically speeding up your site.

why WordPress speed is important

WordPress speed is more important than ever.

In today’s fast-paced digital landscape, users expect to get information quickly and will exit slow sites. So if your website isn’t loading rapidly, you’re probably losing a lot of website traffic.

Site speed is also a search engine ranking factor. The quicker your site loads, the higher up it’s displayed in the organic listings on search engines such as Google and Bing. This again means that having a slow site is likely to result in a loss of website visitors.

You can find out more about how to measure and improve your site speed for WordPress in our Google PageSpeed blog.

the top WordPress speed-killing plugins

Here are the most common speed-reducing plugins. We see these slowing down WordPress websites unnecessarily time and time again…

1. ReCaptcha

What the plugin is used for: ReCaptcha, and other similar plugins, protect WordPress forms – such as for logging in, commenting, or making contact – from spam entries. Users have to confirm they’re not a robot, thus preventing bots from submitting form responses.

How it kills site speed: It loads on every page of your WordPress site, whether there’s a form or not. This means that it slows down even simple pages that don’t need the ReCaptcha functionality for security.

What to use instead: We recommend Akismet. It performs the same spam-filtering role, but without loading on pages where it’s not needed.

2. Contact Form 7

What the plugin is used for: Contact Form 7 allows you to add multiple contact forms to your WordPress site, including customisable form fields.

How it kills site speed: It loads unnecessary speed-reducing files across your whole WordPress site – even on webpages without contact forms.

What to use instead: Try a different contact form plugin, or simply prevent irrelevant files from loading with the Asset Cleanup plugin – see below for more information.

3. WooCommerce

What the plugin is used for: WooCommerce allows you to add an online shop to WordPress. This means you can showcase and sell both physical and digital goods through your site.

How it kills site speed: Again, this plugin adds files to pages where they’re not needed (such as pages that aren’t for e-commerce), thus slowing down your whole WordPress site.

What to use instead: There’s a reason why WooCommerce is the most popular open source e-commerce solution in the world – and that’s because no other plugin works as effectively. However, with the Asset Cleanup plugin (discussed below), you can block extra files from loading on pages where they’re not needed.

4. AddThis

What the plugin is used for: AddThis, and other similar social sharing plugins, enable you to add social media buttons to your WordPress site. This makes it easier for users to share your content on social media and follow your social profiles.

How it kills site speed: As well as loading its own files, AddThis also loads various files from Facebook, Twitter and other social media platforms, thus increasing page loading times.

What to use instead: For social media integration, most WordPress sites don’t even need a plugin – a small snippet of code in your post template will do exactly the same job. You can get customised code for your site using Sharing Buttons or a similar tool.

5. MonsterInsights

What the plugin is used for: MonsterInsights, and other Google Analytics plugins, track website data and provide statistics and reports. This helps you understand user behaviour and make data-driven edits to optimise your WordPress site.

How it kills site speed: Tracking files are loaded on every page of your WordPress site, significantly reducing speed.

What to use instead: Unfortunately, there’s not much you can do about this as the files to track visitor data are needed across all WordPress pages. However, if you implement cookie consent correctly then all data tracking functionality will be blocked until a user accepts cookies. This makes your first website load much quicker – a rather unexpected benefit of GDPR and cookie notices!

6. WPBakery

What the plugin is used for: WPBakery, and other visual builder plugins, allow you to create different page designs and layouts on your WordPress site.

How it kills site speed: Most visual builders load JS and CSS code that is not needed, thus slowing down page loading times.

What to use instead: Keep the plugin but try tweaking settings to block unnecessary files or allow editing in the back-end only.

speed up by cleaning up

As mentioned above, one great solution to get your WordPress site loading as rapidly as possible is by installing the Asset Cleanup plugin. This allows you to block plugin files that are not needed whilst keeping all of your essential functionality.

It shows you a list of all files being loaded on each page and allows you to block anything that is redundant (and therefore slowing things down), either on specific pages or across your whole WordPress site.

This means more streamlined webpages, faster speeds, better user experience and happier website visitors!

 

Are you aware of any other WordPress plugins that kill site speed? Or would you like expert help to boost speed or optimise your WordPress site? Please get in touch.

For more expert WordPress tips, make sure to read our Ultimate WordPress Optimisation Guide and other WordPress blogs.

pedalo launches new WordPress web design for CBRL


We’re pleased to share our fresh new WordPress web design for the Council for British Research in the Levant (CBRL).

Part of the British Academy, CBRL is a learned society working to advance public education on the Levant through promoting and disseminating research in the humanities, social sciences and related subjects. It works on and in the Middle Eastern countries of Jordan, Palestine, Israel, Lebanon, Syria and Cyprus.

CBRL’s previous website was outdated in design, difficult to update in the back-end, and not user friendly. Following user experience research and stakeholder workshops, we created a new web design which is fresh, modern and mobile-responsive, with a clear user journey.

Using WordPress as a CMS, it’s now a much easier and more intuitive process for staff to maintain the website and add content. The new website also integrates successfully with CBRL’s database.

Visit the CBRL website at cbrl.ac.uk and let us know what you think!

If you’d like expert WordPress design and development for your website, give us a call on 020 8747 3274.

We’re award-winning WordPress developers who love helping clients create the best possible websites and achieve their digital goals. With more than two decades of experience, we’ve worked with hundreds of clients across a variety of sectors, from e-commerce and businesses to charities.

WordPress content writing: 10 tips to maximise engagement


Creating great WordPress content is beneficial for countless other areas of website performance, including search engine rankings, user experience and conversion rate optimisation.

In this blog, we provide 10 top tips for WordPress content writing so you can get your content in optimal shape and maximise engagement…

1. choose relevant topics

Whether you’re writing blogs, creating new webpages or adding other content, our number one tip is to ensure relevance for your target audience. This means targeting your priority keywords.

Keywords are the main words and/or phrases that your website is about. They should align with the things that your audience is searching for on search engines.

For example, if you run a bakery business, there’s no point writing about floor cleaners! Instead, you should focus on the keywords that are of interest to your users – in this case, probably about bread and cakes.

The keywords in your content affect how search engines understand and rank your website. This in turn affects who finds and visits your site.

Make sure both your content’s body text and URL contain your target keywords and any other relevant words/phrases. This will maximise performance on search engines and help you reach the most relevant readers.

For more info on maximising your website’s search engine performance (SEO), check out our Ultimate WordPress Optimisation Guide.

2. include links

Linking to other content keeps users reading and engaged. It’s a good idea to link to other blogs or pages on your website to help people find relevant information and stay on your site for longer.

Linking also shows search engines how your content relates to each other, which aids in SEO.

External (or outbound) links are often helpful too, and can be used to direct users to other sources of information, such as social media profiles or related articles.

They tell search engines that the external content is similar to yours and may also encourage other websites to link back to you (which is also beneficial for SEO). But bear in mind that external links should be used sparingly as they direct users away from your site.

3. think about design

To maximise engagement, content needs to be both well-written and laid-out effectively and appealingly.

A great way to help people enjoy reading your content is by using headings, short paragraphs and lots of white space. This breaks up the text and makes it easier for people to skim through and find what they need.

Imagery is important too. As the saying goes, a picture says a thousand words! Just make sure your images are compressed for fast-loading – an image optimisation plugin such as Smush is well-worth installing for this purpose.

Finally, don’t be afraid to go bright and bold with your content. Researchers have found that coloured visuals increase people’s willingness to read by a massive 80%!

4. add search engine data

Search engines display a limited amount of information on their results pages. It’s a bit like a ‘teaser’ for your content, and it needs to be optimised to encourage people to click-through.

We recommend installing Yoast, a free WordPress plugin with loads of SEO features to enhance your content. One of these is an SEO toolbox which Yoast adds for all blogs and pages – find it underneath the text for each piece of content in the back-end of your WordPress site.

Make sure to fill-in the toolbox information for optimal search engine performance. Your content’s meta description is a snippet of 150-160 characters which gives a summary of what users can expect if they click-through.

Your SEO title should explain what a particular piece of content is about and include the main keyword you’re targeting. Google is only able to display 50-60 characters for title tags, so make sure to stick to this limit.

It’s important to add SEO data for imagery too. Alt text describes what’s in each picture and helps search engines understand how to categorise and rank them. You can add alt text either when you upload an image or at any time afterwards in your Media Library.

With the Yoast plugin, you’ll also find that all pages and blogs are given a coloured SEO dot indicating search engine performance. You can see these in the ‘Posts’ and ‘Pages’ areas of your WordPress back-end, with different colours indicating the following:

  • Red = poor
  • Green = good
  • Orange = room for improvement
  • Grey = no SEO information available (eg. where no target keyword has been entered)

These can be used to indicate which content needs prioritising for further search engine optimisation.

5. proofread

There’s little more annoying than content that doesn’t make sense, with missing words, poor spelling or incorrect grammar.

So, this tip is sweet and simple – make sure to proof your content and correct any errors before publishing. Ideally, proofreading should be done by someone other than the person who wrote the content as they will then have ‘fresh eyes’ and be more likely to spot mistakes.

6. enable caching

Having faster-displaying content is better for both user experience and search engine algorithms. And one of the simplest and most effective ways to improve website speed is by enabling caching.

Caching involves storing your website data in a temporary storage space called a cache. A ‘snapshot’ of your content is made when it’s displayed initially, and then this ‘remembered’ information is used for future website visits to speed-up loading times.

We recommend enabling browser caching on your WordPress site with a plugin such as Cache Enabler. You can select the type of caching, and which webpages are cached, in the plugin’s settings.

7. publish comments

Most WordPress themes allow your site visitors to add their own written responses to your blog posts and webpages.

Whenever such comments are submitted, they’re held in moderation until they’re checked and either approved or deleted. Therefore, make sure to check the ‘Comments’ section of your WordPress dashboard regularly to remove any spam and publish and reply to useful comments or feedback.

8. enable AMP

By enabling AMP, special, fast-loading versions of your pages become available. This is particularly beneficial for mobile-users, who typically expect content to load instantly and will exit slow websites.

You can enable AMP by installing the free WordPress AMP plugin on your site. However, a brief word of warning – this plugin is incompatible with some other WordPress themes and plugins and can therefore cause website problems.

So, make sure to back up your site before installing and conduct thorough testing afterwards to ensure everything is still functioning correctly. If you encounter any issues, ask your WordPress agency for advice.

9. check analytics

Another great way to optimise your WordPress content is by tracking analytics data. With Google Analytics (or a similar tool), you can find out which blogs and pages on your site are most popular, and then create related content to encourage further engagement.

Google Analytics also collects a range of other information which can help in enhancing content. This includes:

  • When people are visiting your site
  • Which devices/browsers are used to view your site
  • How site traffic varies over time
  • User demographical information
  • How people navigate around your site
  • And, how people find your content

Ultimately, collecting and using this information to make data-driven decisions gives you the best chance to create relevant, tailored content and maximise engagement.

If you don’t already have Google Analytics on your site, make sure to follow our step-by-step ‘how to add Google Analytics to WordPress’ guide.

10. publish regularly

Our final WordPress content tip is to publish regularly! By adding new blogs and articles, you signal to both users and search engines that your website is active, fresh and worth visiting.

We recommend creating a content plan and scheduling publication in advance. This means you can plan content around particular times of year, organisational events and your availability.

 

For more expert tips, read our ultimate WordPress optimisation guide, in which we explain everything you need to know about how to improve and maintain your WordPress website.

Or, for on-demand WordPress support from an agency with more than two decades of experience, please get in touch.

 

how to add Google Analytics to WordPress


Tracking website analytics is vital to find out who visits your site, how your site is navigated, and what is (and isn’t) working. This information helps you understand users’ behaviours and needs, and means you can make data-driven edits to optimise your WordPress site and boost results.

In this blog, we cover why you should add Google Analytics to your WordPress site, and show how to do it – both with/without a plugin. All you need to do first is set-up a Google Analytics account.

why add Google Analytics on WordPress

Google Analytics is a free web analytics service which tracks your website data and provides various stats and reports.

Google Analytics collects a wide range of useful information including:

  • How people find your site (for example, via organic search, social media or paid advertising)
  • When your site is busiest and quietest
  • Which webpages are most popular
  • How long people spend browsing your site
  • Which devices and browsers visitors are using
  • … and much more!

By collecting this information, you can base any decisions about updating or improving your website on real data. This gives you the best chance to increase your traffic and engagement, and therefore to maximise your WordPress website’s success.

how to add Google Analytics to WordPress with a plugin

Whether you’re a WordPress beginner or just like to keep things as simple and straightforward as possible, adding Google Analytics with a plugin is a great option.

With a Google Analytics plugin, you can also rest assured that your WordPress website data is always being collected, even if you change your design or theme.

Used by more than a million WordPress sites, MonsterInsights is the most popular Google Analytics plugin. The basic version is free, but you may want to add paid features such as tracking e-commerce sales.

Before installing MonsterInsights, make sure to back-up your site – just in case anything goes wrong! We explain how to back-up on WordPress in our Ultimate WordPress Optimisation Guide.

Once MonsterInsights has been added to your site, you’ll find ‘Insights’ appears in your WordPress dashboard menu. Click on this to start the setup wizard and connect MonsterInsights with your Google Analytics account. You’ll also need to select your preferred settings – the default option is suitable for most websites.

It’s that simple – Google Analytics is now installed on your WordPress site! You can visit Insights > Reports in your WordPress back-end at any time to see and analyse your data.

how to add Google Analytics tracking code on WordPress

If you’d prefer to add Google Analytics to your site without a plugin, you can manually add tracking code instead.

As always before making any major site edits, make sure to back-up first; we cover how to do this in our WordPress Optimisation Guide.

To set up Google Analytics tracking, log into your Google Analytics account. You’ll need to click on ‘Admin’, then ‘Tracking Info’, and then ‘Tracking Code’. Under ‘Website Tracking’, you’ll find a box containing your Global Site Tag (gtag.js) – highlight and copy this code.

Now go back to your WordPress website dashboard and find your header.php file. Paste in the Google Analytics tracking code, after the opening <head> tag and before the closing </head> tag.

Finally, click ‘Update File’ to complete the process. Google Analytics will now be recording your website data – just visit your Google Analytics account to see the latest stats.

It’s also worth remembering that if you change your WordPress theme or site design, you may need to re-add the tracking code into your header.php file to ensure data is always being collected.

a note about GDPR compliance

To comply with the UK’s latest data protection laws – also known as GDPR – your WordPress website users MUST agree to have their data tracked BEFORE Google Analytics code is loaded.

You can ask users for permission with a cookie notice. This is simple and easy to add to your WordPress site with a plugin such as Cookie Notice for GDPR & CCPA or similar.

Your cookie notice plugin will produce a popup message linking to your privacy policy and asking users whether or not they consent to data-tracking. Google Analytics will then only be loaded when permission is granted.
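How a consent gate of this kind works in the browser, as an added example that is not the code of the plugin named above or of this site. The cookie name `analytics_consent` and the measurement ID `G-XXXXXXXXXX` are placeholders; the gtag.js URL and bootstrap calls follow Google's standard snippet.

```javascript
// Added example: load Google Analytics (gtag.js) only after explicit consent.
// CONSENT_COOKIE is a hypothetical cookie name; MEASUREMENT_ID is a placeholder.
const CONSENT_COOKIE = 'analytics_consent';
const MEASUREMENT_ID = 'G-XXXXXXXXXX';
const SCRIPT_ID = 'ga-gtag';

// Returns 'granted', 'denied' or 'unset'. Anything missing, malformed or
// unexpected is treated as 'unset', so the default is "do not track".
function readConsent(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return 'unset'; // broken percent-encoding
    }
    return value === 'granted' || value === 'denied' ? value : 'unset';
  }
  return 'unset';
}

// Injects gtag.js only when consent is 'granted'. Until then no request is
// made to Google and no dataLayer exists. Safe to call more than once.
function loadAnalyticsIfConsented(win, doc) {
  if (readConsent(doc.cookie) !== 'granted') return false;
  if (doc.getElementById(SCRIPT_ID)) return true; // already loaded

  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', MEASUREMENT_ID);

  const script = doc.createElement('script');
  script.id = SCRIPT_ID;
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(MEASUREMENT_ID);
  doc.head.appendChild(script);
  return true;
}

// Called by the cookie notice's Accept / Decline buttons.
// A withdrawal takes full effect on the next page load.
function recordChoice(win, doc, granted) {
  const value = granted ? 'granted' : 'denied';
  doc.cookie = CONSENT_COOKIE + '=' + value +
    '; Max-Age=15552000; Path=/; SameSite=Lax; Secure';
  return loadAnalyticsIfConsented(win, doc);
}

// In a browser, run the gate once on page load. (Skipped outside a browser.)
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadAnalyticsIfConsented(window, document);
}
```

With this pattern the tracking snippet is not pasted into header.php directly; only the gate is, and it decides whether the snippet ever runs.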

thanks for reading

We hope you enjoyed this blog about how to add Google Analytics to WordPress. For more great WordPress tips and advice, check out our ultimate WordPress optimisation guide, which covers all aspects of how to maintain and improve your WordPress website.

Or, for on-demand WordPress support from an agency with more than two decades of experience, please get in touch and we’ll be happy to help.

how to do a WordPress website audit (with easy-to-follow checklist)


An audit is a great way to ensure your WordPress site is performing effectively and meeting your company’s goals.

We offer detailed website audits covering everything from code quality, usability, and server configuration to speed, user experience and accessibility, but there are also plenty of simple WordPress audit checks you can do yourself…

why you need a WordPress audit

Is your WordPress website performing at its best?

Conducting a WordPress audit allows you to check how your website is functioning across key criteria, so that you can improve things and make sure you’re achieving the best possible online results for your company.

Our ultimate WordPress optimisation guide covers everything you need to know to get your WordPress site up-to-date, secure and performing brilliantly, but in this blog we focus specifically on what to check in a WordPress website audit.

WordPress website audit checklist

1. Check software & plugin versions

Both WordPress itself and any plugins/themes you use need regular updates to fix bugs, patch security issues, and maintain performance. It’s for these reasons that checking and updating your software version is task one on our WordPress audit checklist!

You can find out whether you’re using the latest version of WordPress in ‘Updates’ in the left-hand menu of your dashboard. This page also shows whether your plugins and themes are up-to-date.

If needed, updating to the latest WordPress and plugin software versions is simple. Just click the relevant ‘update’ button(s). Make sure to back-up your site first, just in case anything goes wrong!

2. Check site speed

Speed is a vital component of website performance, with faster sites having better user experience and more conversions. Speed also contributes to search engine performance, with slower sites penalised and appearing lower down on search results pages.

You can check the speed of your WordPress website using Google PageSpeed. You’ll be given scores for desktop and mobile of between 0 and 100 – aim for scores above 90 for optimal performance.

Once you’ve checked your scores, head over to our blog where we’ve got loads of tips to improve your WordPress website speed.

3. Check blogs & content

By adding new blogs and content to your site, you signal to both users and search engines that your website is active, interesting and worth browsing. In the ‘Posts’ section of your WordPress dashboard, you can see when your latest blogs were published, and if any further articles are scheduled.

How often you should post new content depends on your organisational capacity and goals; you may want to add blogs daily, weekly or monthly. Whatever your aim, we recommend creating a content plan and scheduling posts in advance. Checking your latest content and content strategy should therefore be included as part of your WordPress audit.

It’s also important to keep an eye out for comments on your site. WordPress comments are automatically held in moderation, so check the ‘Comments’ section of your dashboard to see how many comments are currently needing to be checked and published/deleted.

For more tips on optimising your WordPress content, read our Ultimate WordPress Guide.

4. Check WordPress security

It’s vital to scan your WordPress site regularly to check for malware, viruses and suspicious code. Having a hacked or infected site can cause massive problems – both financially and in terms of reputational impact.

We recommend installing the Wordfence plugin, which includes website security hardening, a firewall to block malicious traffic, and a scanner that checks for malware. To scan your site for any security issues, simply go to Wordfence > Scan and click ‘Start new scan’.

If there are any problems, Wordfence will suggest how to fix them and get your site secure again. We’ve also got lots of great advice for optimising WordPress security on our blog.

5. Check for broken links

A broken link is a link to a webpage that doesn’t work. It’s frustrating for users – who will be directed to a 404 error message and may then choose to exit your website – and it’s also a negative signal to search engines.

You should check regularly for broken links with an online tool such as Dr Link Check. If you have any, you can then go to the relevant page and update or remove the link.

We recommend conducting broken link maintenance at least every few months, or more often if you create a lot of content. You may find it helpful to install the WordPress Redirection plugin, so you can set up redirects for any old/changed URLs.

It’s also a good idea to create a friendly 404 error page to keep users happy when they encounter a broken link. If you don’t already have a 404 page, you can create one for your WordPress website with the 404page plugin.

6. Check functionality

Your WordPress audit should include checking your website’s design and functionality. This can be done simply and easily by looking through your site and testing any interactive features, such as buttons and contact forms.

Giving your site this type of ‘once-over’ will highlight if there are any code, formatting, design or operational issues that need to be investigated and/or fixed. For more details on getting your WordPress site performing optimally, read our Ultimate WordPress Maintenance Guide or contact your WordPress agency.

7. Review analytics

You can track your site’s analytics simply and easily with a Google Analytics plugin such as MonsterInsights. Once installed, just go to Insights > Reports in your WordPress back-end to see your site data.

As part of your site audit, you should review your analytics and consider what’s working well and what isn’t. For example, which are the most popular website pages, and which are the least popular?

Once you have this information, you can then make data-driven edits on your WordPress website to optimise performance.

8. Check SEO performance

It’s a good idea to give your site an SEO health check as part of your WordPress audit. You can do this using the free Ubersuggest SEO analyser or with various other, similar online tools.

On Ubersuggest, just type in your URL, select your language/country and click ‘Search’. A report will be generated showing your organic traffic levels, domain score and number of organic keywords – it’s worth recording this as part of your audit and then trying to improve your SEO stats over time.

If you go to the ‘Site Audit’ section in the left-hand menu, you’ll then see a more detailed SEO health-check for your site. This includes a list of issues needing attention, such as pages with low word-counts and poorly-formatted URLs.

To improve your site’s search engine performance, fix these issues and also read our Ultimate WordPress Maintenance Guide which includes loads more WordPress SEO tips.

9. Check mobile compatibility

There are two great tests you can use to check how your site functions across different screen sizes and devices – the Responsive Test and Google’s Mobile-Friendly Test. Together, these give a great insight into how your WordPress site appears on smaller screen sizes and whether you’re meeting mobile browsers’ needs.

If necessary, you can then improve your site’s mobile compatibility using the advice in our WordPress Optimisation Guide.

10. Check your database

The more you update your site, the more your database becomes clogged-up with old content, deleted comments, unused plugins and more. It’s therefore worth looking through your database to see what is there and check for surplus items as part of your WordPress audit.

To keep your database tidy, you can schedule automatic database clean-ups with a plugin such as WP-Sweep. It’s also a good idea to go through your plugins regularly (in ‘Plugins’ on the WordPress dashboard) and delete any that are no longer needed.

11. Check backups

It’s vital to back-up your website regularly, so that if you get hacked, infected with ransomware or encounter any other major problem(s), you can get your site online again quickly.

As part of your audit, you should check and verify your site backups. Make sure that all relevant data is being stored, that backup copies are being saved securely in different locations, and that files are not corrupted. This will ensure you have the best chance of being able to reinstate your site if disaster ever happens.

It’s also worth checking your backup schedule – as the more regularly you back up, the less data you’ll lose if you need to revert to a backup version. Check backups are being made frequently enough for your needs, and also that backups are scheduled to take place during low traffic periods when they’ll have least impact on site speed and user experience.

Site backups are often included as part of your WordPress agency’s services or hosting package. Alternatively, they can be easily managed with a backup plugin such as BackupBuddy.

12. Check user accounts & passwords

WordPress allows you to add different types of users to your site, each with different permissions to make edits and changes.

As user profiles can pose a security risk, it’s a good idea to review your site users as part of your audit and check that people have only the level of permissions required. This can be done in the ‘Users’ section of your WordPress dashboard.

It’s also a good idea to update and make a note of user passwords as part of your audit. Make sure to choose strong passwords, including a random combination of letters, numbers and symbols.
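The permissions review described above can also be run as a repeatable check. This is an added example, not part of the original post: it assumes WP-CLI is available and that its user list has been exported with `wp user list --fields=user_login,roles --format=csv`; the account names, the approved-role list and the sample CSV are constructed for illustration.

```javascript
// Added example: least-privilege review of WordPress accounts (Node.js).
// Input: CSV as produced by
//   wp user list --fields=user_login,roles --format=csv
// APPROVED is a hypothetical allow-list kept by the site owner:
// login -> highest built-in role that account should hold.

// Built-in WordPress roles, lowest to highest privilege.
const ROLE_RANK = new Map([
  ['subscriber', 0], ['contributor', 1], ['author', 2],
  ['editor', 3], ['administrator', 4],
]);

// Splits one CSV line, honouring double-quoted fields ("a,b" and "" escapes).
// Needed because a user with several roles is exported as "editor,shop_manager".
function parseCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { fields.push(cur); cur = ''; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

function parseUsers(csv) {
  const lines = csv.split(/\r?\n/).filter(l => l.trim() !== '');
  if (lines.length === 0) throw new Error('empty export');
  const header = parseCsvLine(lines[0]);
  const loginIdx = header.indexOf('user_login');
  const rolesIdx = header.indexOf('roles');
  if (loginIdx === -1 || rolesIdx === -1) {
    throw new Error('expected user_login and roles columns');
  }
  return lines.slice(1).map(line => {
    const f = parseCsvLine(line);
    const roles = (f[rolesIdx] || '').split(',').map(r => r.trim()).filter(Boolean);
    return { login: f[loginIdx], roles };
  });
}

// Returns one finding per problem:
//   unapproved-account  login is not on the allow-list at all
//   excess-privilege    account holds a role above the approved one
//   unknown-role        role is not a built-in one (plugin-defined); review by hand
function auditUsers(csv, approved) {
  const findings = [];
  for (const user of parseUsers(csv)) {
    if (!approved.has(user.login)) {
      findings.push({ login: user.login, issue: 'unapproved-account', roles: user.roles });
      continue;
    }
    const allowed = approved.get(user.login);
    for (const role of user.roles) {
      if (!ROLE_RANK.has(role)) {
        findings.push({ login: user.login, issue: 'unknown-role', role });
      } else if (ROLE_RANK.get(role) > ROLE_RANK.get(allowed)) {
        findings.push({ login: user.login, issue: 'excess-privilege', role, allowed });
      }
    }
  }
  return findings;
}

// Constructed sample export and allow-list (not real accounts).
const SAMPLE_CSV = [
  'user_login,roles',
  'alice,administrator',
  'bob,editor',
  'carol,"editor,shop_manager"', // second role is defined by a plugin
  'dave,administrator',
  'old-agency,administrator',
].join('\n');

const APPROVED = new Map([
  ['alice', 'administrator'],
  ['bob', 'editor'],
  ['carol', 'editor'],
  ['dave', 'author'],
]);

for (const finding of auditUsers(SAMPLE_CSV, APPROVED)) {
  console.log(JSON.stringify(finding));
}
```

On the sample data this reports carol's plugin-defined role for manual review, dave as an administrator where only author is approved, and old-agency as an account nobody has approved.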

13. Check accessibility

With a fifth of the population experiencing a long-term disability and UK law stating that services (including websites) must be accessible for everyone, it’s vital to check how accessible your site is.

As part of your audit, we recommend evaluating your website’s accessibility with Wave or another, similar tool. If your site needs improvements to increase accessibility, ask your WordPress agency for advice.

14. Review admin tasks

Finally, your audit should include a review of the general, less frequent admin tasks required as part of website management and maintenance. We suggest checking:

  • Domain renewal: Most websites require regular domain name renewal, so make sure this is on your audit checklist. Domain renewal can be done either directly with your domain provider or through your WordPress support agency.
  • Disaster recovery: A disaster recovery plan details exactly what you would do if your site crashed or encountered a security problem. Make sure your plan is up-to-date with the latest legal requirements, website details and organisational procedures.
  • Hosting provider: Most hosting packages renew annually, so it’s a good idea to review whether your current hosting provider is meeting your needs. Factors to consider include speed, security, reliability, hosting type and cost.
  • SSL certificate: To keep your site secure, your SSL (Secure Sockets Layer) certificate needs to be renewed every two years. This can be done via your hosting provider or Let’s Encrypt.

 

Phew – your WordPress audit is complete!

This will give you a great overview of how your WordPress site is functioning and any areas that need improvement or maintenance. To action these, read our ultimate WordPress optimisation guide, where we explain everything you need to know about improving and optimising your WordPress website.

Alternatively, if you’d like expert WordPress website management or a more detailed audit of your website’s current performance, please get in touch and we’ll be happy to help.

prevent your WordPress website getting hacked: 10 steps to beat the hackers

Based on our two decades of experience as a specialist WordPress agency, we share the best ways to keep your WordPress website safe and prevent hacking…

how WordPress websites get hacked

Because of its widespread popularity as a CMS, WordPress is also a popular target for hackers.

Hacking attacks are mostly opportunistic rather than targeted (although big brand websites may be specifically targeted). Most attacks are automated, with bots searching high and low across the internet for security weaknesses to exploit.

Attacks are often made via:

  • Insecure website hosting
  • Login details – for example, by attempting multiple random username and password combinations
  • Security weaknesses in CMS, plugin or theme software – usually when it’s not been updated

Hackers have a wide variety of different motives but often it’s about profit. Hacking sites to distribute malware, gain user data, send spam emails, or redirect website visitors can be extremely lucrative.

Such security breaches can have a hugely negative impact on your website and business – undermining user trust, causing legal violations, and potentially costing thousands of pounds. So it’s vital to protect your WordPress website against hacking.

the importance of reducing the risk of being hacked

Website hacks are becoming more and more frequent. The Covid-19 pandemic has seen an increase in online threats, which are up six times compared with normal times. It is so important to stay on top of your website’s health, ensuring everything is running as it should be and that the CMS and plugins are up to date. In 2019, it was reported that 56% of all CMS applications were out of date when the hack happened. A lot of these hacks could have been avoided if the CMS had simply been kept up to date.

is my WordPress site vulnerable to hacking?

WordPress beginners and small site owners often think that they don’t need to worry about security. They assume that their site will be too small and insignificant to interest hackers.

This assumption is wrong.

WordPress sites of all sizes are hacked. Hackers use automated bots to scan the internet for sites with security weaknesses and will hack wherever there is opportunity.

Another key thing to realise is that you may not even be aware when hackers are attempting to break into your site. Unless you get regular security notifications about hacking attempts, you’ll probably only find out when a hacking succeeds and something on your website goes awry.

The take-away message is that all sites are vulnerable to hacking – and prevention is better than cure. Make sure to install a security plugin and take other preventative security measures to keep your site safe.

how to beat the WordPress hackers

We now share the top 10 ways to keep your WordPress website secure and prevent it from being hacked. Follow our guides below to tighten up your website security and stop your site from being hacked. Some of these steps may seem obvious and simple but it’s amazing how quickly hackers will act if you are not on top of your WordPress security.

  1. Choose a secure hosting provider
  2. Get a security plugin
  3. Choose a secure theme
  4. Keep WordPress updated
  5. Use secure login details
  6. Add two-factor authentication
  7. Disable file editing
  8. Scan website and computer
  9. Use HTTPS
  10. Backup, backup, backup!

1) Choose a secure hosting provider

All good hosting providers will include security protection to ensure your website information is kept safe on their servers.

When choosing a hosting provider, make sure to check what security measures they have (such as firewalls and secure FTP), how they monitor their server network, and how they respond to any security breaches.

Your WordPress site may be particularly vulnerable to hacking if you have a shared hosting plan, as hackers can potentially use other sites on the same server to gain access to yours.

The most secure – but also the most costly – hosting option is a dedicated server. This is well worth considering if you have particularly high traffic levels or hold sensitive data on your site.

2) Get a security plugin

A high-quality security plugin is a must-have to prevent your WordPress site getting hacked.

Security plugins generally include:

  • a firewall to block suspicious traffic
  • brute-force protection against multiple random login attempts
  • a scanner that checks your files, themes and plugins for security issues
  • regular security notifications

We recommend Wordfence – an excellent, free security plugin. Once installed, ‘Wordfence’ will appear in the left-hand menu of your WordPress dashboard. You can click here at any time to scan your site, see the latest notifications and get recommendations to improve site security.

3) Choose a secure theme

Choosing the right theme for your site is crucial. Of course, it needs to have the right look and features for your organisation. But it also needs to be robust and secure.

A secure theme will:

  • Be updated and patched regularly
  • Follow good coding standards
  • Not be associated with bugs or compatibility errors

With more than 7,000 WordPress themes available, it can be tricky to know where to start!

The best way to choose a secure theme is by looking on WordPress.org. There, you can browse theme reviews, check how many installations a theme has had, and see when the theme was last updated – all good indications of security.

You may also want to ask your WordPress agency for theme recommendations and maybe even support with WordPress design development that will meet your particular website and organisation’s needs.

4) Keep WordPress updated

Keeping WordPress up-to-date is another important security measure. WordPress software updates are made regularly to optimise performance and patch any security issues as they are discovered.

It’s possible to apply automatic updates for most WordPress core releases, so that your site is updated in the background without you having to do anything. However, you still need to manually action larger releases – make sure to backup your site first!

Update messages will appear on your WordPress dashboard as soon as they are available. Just click on them to action. It’s a good idea to update plugins and themes regularly too.

5) Use secure login details

As mentioned above, one of the key ways hackers can access your WordPress site is through automated ‘guessed’ login attempts. The more obvious your username and password, the more likely these attempts will succeed.

To prevent hacking, make sure to choose an atypical username. This basically means not using ‘admin’, which is so common it’s usually the first username hackers will try.

Secondly, go for a secure password including a mix of letters, symbols and numbers. For maximum security, this should be at least 12 characters and not include any dictionary words.

As well as securing your WordPress dashboard login, make sure to choose secure usernames and passwords for your other website-related accounts, such as your custom email address. Otherwise, these could also be used to hack your site.

6) Add two-factor authentication

You can strengthen your WordPress login even further by enabling two-factor authentication. This is particularly useful if you have multiple users logging into the back-end of your site.

With two-factor authentication, users login in two stages. First, they enter their username and password. Then, they have to enter a one-time passcode to verify their identity.

With the Wordfence security plugin we recommended above, two-factor authentication is easy to enable. It uses an authenticator app to generate passcodes for users.

To set things up, go to Wordfence > Login Security in your WordPress dashboard, and copy the key given. Then download Google Authenticator (or another authenticator app), and enter this key.

At this point, the app will provide a six-digit code. Simply enter this back on your WordPress dashboard and click ‘Activate’.

Two-factor authentication will now be enabled. This means that every time you try to login on WordPress, you’ll be prompted to go to your authenticator app and collect a passcode.

7) Disable file editing

WordPress has a code editor which allows you to edit your site files through your dashboard. Whilst this is obviously a useful feature, it’s also a huge liability in terms of hacking. We therefore recommend turning it off.

To disable the code editor, simply add the following code into your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Another way to prevent file editing is by disabling PHP file execution in your /wp-content/uploads/ folders. For this, open Notepad – or a similar text editor – and paste the following:
<Files *.php>
deny from all
</Files>

If you save this as .htaccess and upload the file to the /wp-content/uploads/ folders on your website, it will also stop hackers from running backdoor PHP files placed in those folders.
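A way to confirm both settings are really in effect, as an added example rather than code from WordPress or Wordfence. The function names and sample file contents are constructed for illustration; it catches a commented-out define() and typographic quotes, which often creep in when code is copied from a web page.

```python
import re

# Remove PHP comments so a commented-out define() is not counted as active.
# (Simplification: a "//" or "#" inside a string on the same line is also cut.)
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_DEFINE = re.compile(
    r"""define\s*\(\s*(['"])DISALLOW_FILE_EDIT\1\s*,\s*([^)]+?)\s*\)\s*;""")
# Typographic quotes: PHP does not treat them as string delimiters,
# so the setting does not take effect.
_CURLY = re.compile(r"define\s*\(\s*[\u2018\u2019\u201c\u201d]DISALLOW_FILE_EDIT")
_FILES = re.compile(r"<Files(?:Match)?\s+([^>]+)>(.*?)</Files(?:Match)?>", re.I | re.S)
# "Deny from all" is the older syntax, "Require all denied" the Apache 2.4 one.
_DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def check_wp_config(text):
    """Return 'ok', 'curly-quotes', 'set-false' or 'missing'."""
    code = _COMMENTS.sub("", text)
    if _CURLY.search(code):
        return "curly-quotes"
    m = _DEFINE.search(code)
    if not m:
        return "missing"
    return "ok" if m.group(2).lower() in ("true", "1") else "set-false"


def uploads_blocks_php(htaccess_text):
    """True if a <Files>/<FilesMatch> block covering .php denies all access."""
    active = "\n".join(line for line in htaccess_text.splitlines()
                       if not line.lstrip().startswith("#"))
    return any("php" in m.group(1).lower() and _DENY.search(m.group(2))
               for m in _FILES.finditer(active))


# Constructed samples, not taken from a real site.
GOOD_CONFIG = "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
PASTED_CONFIG = "<?php\ndefine( \u2018DISALLOW_FILE_EDIT\u2019, true );\n"
COMMENTED_CONFIG = "<?php\n// define( 'DISALLOW_FILE_EDIT', true );\n"
PAGE_HTACCESS = "<Files *.php>\ndeny from all\n</Files>\n"

if __name__ == "__main__":
    for name in ("GOOD_CONFIG", "PASTED_CONFIG", "COMMENTED_CONFIG"):
        print(name, "->", check_wp_config(globals()[name]))
    print("uploads .htaccess blocks PHP:", uploads_blocks_php(PAGE_HTACCESS))
```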

8) Scan your website and computer

It’s important to scan your website regularly to check for malware, viruses and suspicious code. If using the Wordfence plugin, this can be done by going to Wordfence > Scan and clicking ‘Start new scan’.

If there are any issues, Wordfence will suggest how to fix them and get your site secure again. We recommend scanning at least once a month – if you can do it more frequently, then even better!

However, it’s no good relying on having a secure site if the computer from which you operate the site is bugged or infected. So, make sure to scan your computer or device regularly as well.

You should use good anti-virus software on your device, and ensure you update your system regularly. We also recommend checking the privacy settings on your browser to avoid being hacked while you’re browsing the internet.

9) Use HTTPS

Having an HTTPS site means that communications between your website and users’ browsers are encrypted. This is therefore another key way to prevent hacking.

If you don’t have a HTTPS site already, it’s very simple to transfer. You just need to get an SSL (Secure Sockets Layer) certificate, which is available to all websites, free of charge, from Let’s Encrypt.

If you already have an SSL certificate, then make sure to set a calendar reminder to renew it every two years. Otherwise, it’s easy to forget and let your site’s HTTPS status – and good security credentials – lapse.

10) Backup, backup, backup!

Whilst our final tip doesn’t actually prevent hacking, it’s probably the most important step to take just in case your site is ever hacked.

By making regular site backups, you can reinstate your site again quickly if ever needed. Without backing-up, you could stand to lose everything you’ve ever designed, posted or written on your site.

How to backup your WordPress site will depend on the type of hosting you have. Make sure to speak to your hosting provider; they may include backups as part of your hosting package.

Alternatively, talk to your WordPress agency or install a backup plugin. Whichever way you do it, make sure to backup your WordPress site regularly and store your backup files safely so you know they’re there if you ever need them.

 

For more expert WordPress tips and advice, don’t miss our ultimate 2020 WordPress optimisation guide. Alternatively, if you’re looking for WordPress support from a reliable, trustworthy and highly-experienced agency, please get in touch and we’ll be happy to help.