1. Secure your website by moving from HTTP to HTTPS before July 2018.
Failing to make the necessary changes will result in Google Chrome (from version 68, released in July 2018) marking every plain-HTTP page as “Not Secure” in the address bar. To secure your website you need to obtain a TLS/SSL certificate for your domain and serve the site over HTTPS. There are a number of companies out there providing these certificates, some for a small fee, while others, such as website hosting companies, include SSL certificates for free as part of their hosting package.
My hosting company Fastcomet.com is one such example. They are offering free SSL certificates, which is great as my website is now secure. Happy days!
If you are with Fastcomet.com and don’t have an SSL certificate installed against your website, go to the control panel and do a search for “Let’s Encrypt SSL“. Everything you need to do is on the page and it is very easy and FREE to set up. Let’s Encrypt certificates are only valid for 90 days, so check that the panel renews them automatically, otherwise the site will start showing certificate errors when the first one expires.
2. Don’t forget to change your General Settings.
If you don’t update the WordPress Address (URL) and Site Address (URL) to the https:// versions, your dashboard and login page will still be served as http:// and thus be insecure, so remember to change them here (see above highlight). Two further things belong to this step: redirect every http:// request to https:// (a 301 redirect in the web server configuration, or the “Force HTTPS” option many hosting panels offer) so that visitors and search engines never use the insecure address, and check the site for “mixed content”, i.e. images, scripts or stylesheets still embedded with http:// links, because the browser will flag the page as not fully secure until those are changed as well. If you edit wp-config.php, `define('FORCE_SSL_ADMIN', true);` additionally forces the dashboard and login page onto HTTPS regardless of the settings above.
3. Let Google Webmaster Tools know of your HTTPS website URL.
There are other steps to follow to ensure proper security, one of them being to visit Google Webmaster Tools (since renamed Google Search Console) to verify your secured domain. Search engines treat https://example.com and http://example.com as two different sites, so you need to add the new https:// website URL as a property and submit a new sitemap for it; keep the old http:// property too, as it continues to show data about the redirected address. There is plenty of information on the website on how to do all of this.
4. Don’t forget to secure your headers.
Another area one needs to focus on is HTTP Strict Transport Security (HSTS), a bit of a mouthful and yes it starts to get a little technical here. Basically HSTS is a response header (Strict-Transport-Security) that your site sends over HTTPS; it tells the browser to use only HTTPS for your domain for the number of seconds given in its max-age value, even if someone later types or links to the http:// address, so a downgrade to plain HTTP is refused by the browser itself. Browsers ignore the header when it arrives over plain HTTP, which is why the redirect from step 2 must be in place first. One can read all about it here at the SSL Store as they cover the topic pretty well, suffice to say all I did was search WordPress for a plugin, which sorted it out for me. The plugin is called Security Headers.
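To see whether the plugin (or your web server) is actually sending what it should, here is a small checker, added to this post as an example and not taken from the Security Headers plugin or the SSL Store article. It takes the response headers as a dictionary (what `curl -I https://example.com` or any HTTP client gives you) and reports what is missing or weak; the two header sets at the bottom are constructed for illustration, not captured from a real site.

```python
"""Evaluate the security-related response headers of a site.

Added example for this post (not the author's code and not the Security
Headers plugin). The sample header sets at the bottom are constructed.
"""
from __future__ import annotations

# hstspreload.org requires max-age of at least one year before a domain
# is accepted onto the browser preload list.
ONE_YEAR = 31_536_000


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    'max-age=31536000; includeSubDomains; preload' ->
    {'max-age': 31536000, 'includeSubDomains': True, 'preload': True}
    """
    out: dict = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                out["max-age"] = None  # malformed: browsers ignore the header
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def check_headers(headers: dict, scheme: str = "https") -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise them once.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if scheme != "https":
        # Browsers only honour HSTS on HTTPS responses; over HTTP it is dead weight.
        if hsts is not None:
            findings.append("HSTS sent over HTTP is ignored by browsers")
    elif hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age")
        if age is None:
            findings.append("HSTS max-age missing or malformed")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} < one year")
        if not d.get("includeSubDomains"):
            findings.append("HSTS lacks includeSubDomains")
        if d.get("preload") and (not d.get("includeSubDomains") or (age or 0) < ONE_YEAR):
            findings.append("preload directive set but preload requirements not met")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Either a CSP frame-ancestors directive or X-Frame-Options stops clickjacking.
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


# Constructed samples: a freshly converted site and a correctly hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
GOOD_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(label, check_headers(hdrs) or ["OK"])
```

A practical caveat on HSTS: once a browser has cached the header it will refuse to load the site over HTTP until max-age runs out, so if the certificate ever lapses your visitors are locked out rather than just warned. Start with a short max-age (an hour or a day), confirm everything works, then raise it to a year; only add `preload` and submit the domain to hstspreload.org once you are sure every subdomain is on HTTPS for good, because removal from the preload list takes months to reach users.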
5. Hide the default login screen (/wp-login.php, and /wp-admin/ which redirects to it) of your WordPress website.
There is a great WordPress plugin called WPS Hide Login, which as the name suggests, hides the default login page. One is able to set a new path to the login page in the Settings > General page. It can be anything you like. Bear in mind what this does and does not do: the default address stops answering, so the automated bots that hammer /wp-login.php on every WordPress site get nothing, but anyone who learns the new path (from a link, a leaked bookmark or a guess) can reach it exactly as before, and the plugin does not by itself limit login attempts or close other places where credentials are accepted, such as xmlrpc.php. Treat it as a way to cut down noise, and rely on the strong password and two-factor authentication in the next two steps for the actual protection.
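Because a renamed login page still accepts guesses, it helps to watch the access log for them. The script below is added to this post as an example; it is not part of WPS Hide Login or any other plugin. It parses lines in the Apache/Nginx “combined” log format, counts POST requests to every URL that accepts WordPress credentials, and flags clients that exceed a threshold. The log lines are constructed, and `/my-secret-login` is an assumed renamed login path chosen for illustration.

```python
"""Spot password guessing against WordPress in an access log.

Added example for this post (not the author's code and not part of WPS Hide
Login). SAMPLE_LOG is constructed; /my-secret-login stands in for whatever
path you chose in Settings > General.
"""
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Every URL that accepts WordPress credentials, including the renamed login page.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/my-secret-login"}

SAMPLE_LOG = """\
192.0.2.9 - - [10/Jun/2018:09:59:58 +0000] "GET /wp-login.php HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2018:09:59:59 +0000] "GET /wp-admin/ HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2018:10:05:10 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2018:10:05:30 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2018:10:05:45 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2018:10:06:02 +0000] "POST /my-secret-login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2018:11:00:00 +0000] "POST /my-secret-login?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4100 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:11:00:00 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:11:00:01 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:11:00:01 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:11:00:02 +0000] "POST /my-secret-login HTTP/1.1" 200 4100 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:11:00:02 +0000] "POST /my-secret-login HTTP/1.1" 302 0 "-" "python-requests/2.18"
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(lines, threshold: int = 5) -> dict:
    """Group POSTs to credential-accepting URLs by client IP.

    Returns {ip: {"attempts": n, "paths": Counter, "success_after_burst": bool}}
    for every IP with at least `threshold` POSTs. wp-login.php answers a failed
    login with 200 (the form again) and a successful one with a 302 redirect;
    xmlrpc.php answers 200 either way, with the fault inside the XML body. So
    the count of POSTs, not the status code, is the signal, and a 302 arriving
    after a burst of 200s is the sign that a guess eventually worked.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "paths": Counter(), "success_after_burst": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        entry = per_ip[rec["ip"]]
        if rec["status"] == 302 and rec["path"] != "/xmlrpc.php" and entry["attempts"] >= threshold:
            entry["success_after_burst"] = True
        entry["attempts"] += 1
        entry["paths"][rec["path"]] += 1
    return {ip: e for ip, e in per_ip.items() if e["attempts"] >= threshold}


if __name__ == "__main__":
    for ip, e in login_attempts(SAMPLE_LOG.splitlines()).items():
        flag = "  <- login succeeded after the burst" if e["success_after_burst"] else ""
        print(f"{ip}: {e['attempts']} attempts {dict(e['paths'])}{flag}")
```

In the constructed sample the renamed login page has done its job against 192.0.2.9, which only finds 404s, but 203.0.113.7 never needed it because it talks to xmlrpc.php, and 192.0.2.44 found the new path and got a 302 on its sixth try. If you do not use the XML-RPC interface (the Jetpack and mobile apps do), blocking xmlrpc.php at the web server removes that route entirely.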
6. Set a strong password for your WordPress website.
Hackers these days are a sophisticated bunch, and password guessing against WordPress is fully automated, so setting a good, strong, long password is crucial. Avoid names, birthdays and words that are super obvious, and never reuse a password from another site, since leaked password lists are the first thing a guessing tool tries. Instead go with a randomly generated password that contains a mixture of letters (A-Z, a-z), numbers (0-9) and punctuation characters (!%@#*); length matters more than variety, so make it at least 16 characters. Obviously remembering a long, random password is tricky and that is where password managers such as LastPass come into their own. I covered LastPass in a previous post so do have a look and read. Go Premium or Families if you can spare the $2 or $4 per month, it’s worth every dollar.
7. Two factor Authentication (2FA) is an absolute must have.
This Two Factor Authentication WordPress Plugin by David Nutbourne and David Anderson is absolutely brilliant. As their website says:
By default, WordPress is protected only by a password. Once somebody guesses your password, they have all access. “Two Factor” security is about adding a second factor. This plugin uses the most popular implementation of TFA: one-time codes that are shown on your phone/tablet/other device, but which do not require you to be connected to a network (i.e. you don’t need to be online/receiving SMSes, etc.).
It is a paid plugin with a lifetime of updates, but worth every penny. Visit the plugins website to see the benefits. Once it is on, print or save the backup/recovery codes the plugin gives you somewhere safe, because a lost or reset phone otherwise locks you out of your own dashboard.
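The quote above says the codes work without a network connection, and it is worth seeing why. Both sides, the plugin on your site and the authenticator app on your phone, hold the same secret (exchanged once as a base32 string, usually via a QR code) and compute an HMAC over the current 30-second time slot, so they agree on the code as long as their clocks agree. The following is an added implementation of those RFC 4226 (HOTP) and RFC 6238 (TOTP) calculations for this post; it is not the plugin's code. The secret used is the test secret from the RFCs, `12345678901234567890`, not a real one.

```python
"""One-time codes as used by authenticator apps: HOTP (RFC 4226) and TOTP
(RFC 6238). Added example for this post, not the 2FA plugin's code.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

# The shared-secret test vector from RFC 4226 / RFC 6238, used for the demo only.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int | None = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). No network needed;
    phone and server only have to agree on the time."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at: int | None = None,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check, accepting +/- `window` steps of clock drift.

    hmac.compare_digest keeps the comparison constant-time. A real verifier
    must also remember the last accepted counter and refuse to accept the
    same code twice, otherwise a code sniffed in flight can be replayed
    within the window.
    """
    now = int(time.time()) if at is None else at
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps receive the secret as base32 (inside an otpauth:// URI);
    this restores the raw bytes, tolerating missing padding and spaces."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # the RFC test secret
    print("current code:", totp(secret))
    print("code at T=59 from RFC 6238:", totp(secret, at=59, digits=8))
```

Two things follow from the maths that the plugin page does not spell out. A code is only as secret as the base32 seed, so the seed stored by the plugin (and the QR code you scanned) deserves the same care as the password. And TOTP stops someone who has only your password, but not a phishing page that relays your password and code to the real login within the same 30-second window; the hidden login URL from step 5 and checking the address bar are what help there.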