Security is a big thing these days, not least in the online world.
WordPress is one of the most used CMS platforms in the world; currently, around 29% of ALL websites run on WordPress. It’s no surprise then that it is also a big shiny target for hackers and those wanting to breach its security.
Sadly, the more popular a platform is, the more of a target it becomes for those with bad intentions.
Your WordPress website’s security is something that should be taken very seriously in 2018, and our security guide should help you.
It’s no secret that online security is a cat-and-mouse game: hackers find a hole, then security firms and software developers patch it. This means the security of your website should be monitored all the time.
Below we outline some of the most important things to look at when securing your WordPress website.
WordPress Software Updates
The simplest thing you can probably do to take care of your website and its security is to ensure that you keep it updated.
With each WordPress software update comes bug fixes and important security fixes.
Many WordPress owners overlook this or, worse, don’t even know it should be done.
Most often this is because a web design company created their site, dumped it on some hosting and that was it. This is more common than you realise: many hosts do not take any responsibility for keeping WordPress updated, managing backups or security. That is all up to you as the site owner.
These are the sites that will most often be hacked, as they are sometimes left for years without a single update being performed. Easy pickings for the hackers out there!
Those using managed WordPress hosting or WordPress maintenance services will fare much better here, as it is a core feature of those services to take care of this and many other security features for you.
Another simple but important thing to do is ensure that you DO NOT use the default username admin or administrator on your WordPress site.
The most basic hacks and bots that want to breach your site’s security will try guessing your admin username and password.
This is also known as a brute force attack. They will simply keep trying to guess your login details and will often start with those usernames. They will also try using your site name as the username, so try to use something unique.
Similarly, it is very important to use a strong password. Yes, we have all been told this over and over, yet we still use the same password for our Facebook account, our email login and our website admin. This is really not a good idea!
It’s hugely important that you set a strong password that is not easily guessed.
Bear in mind that bots can run through thousands of password guesses a minute, so the harder to guess the better. Don’t use variations of your name, business name, website name, memorable dates etc.
This often leads to another question though: how am I supposed to remember my 60-character password?
Well, there are now many password management services, and one we would recommend is LastPass. This way you can set long and complex passwords without actually having to remember them.
Something often overlooked is the database prefix of your site.
For most of you who already have a website, it might be that yours is using the default wp_ prefix. As with the username, bots and hackers will look for this and use potential vulnerabilities to hack your site.
Changing it, or making sure before you set up your site that you don’t use this default, is just another way to stop simple hacks.
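To show what moving off the default prefix actually involves on an existing site, here is an added Python example (not code from the original post) that generates the SQL for the migration. It assumes the core table list of a default single-site install and the new prefix `x7k_`, both constructed for the example; take a full backup first, and change the `$table_prefix` line in wp-config.php to match once the statements have run.

```python
import re

# Constructed sample: the core tables of a default single-site install.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
    "wp_terms", "wp_usermeta", "wp_users",
]

def validate_prefix(prefix):
    """wp-config.php only accepts letters, digits and underscores in $table_prefix."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None

def rename_prefix_sql(tables, old="wp_", new="x7k_"):
    """Return the SQL statements that move `tables` from prefix `old` to `new`.

    Renaming the tables is only half the job: WordPress also stores the prefix
    inside row values it later looks up by name (the user_roles option and the
    capabilities / user_level keys in usermeta), so those rows are rewritten too.
    """
    if not validate_prefix(new):
        raise ValueError(f"invalid table prefix: {new!r}")
    stmts = []
    for t in tables:
        if not t.startswith(old):
            continue  # leave unrelated tables sharing the database alone
        stmts.append(f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;")
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    for key in ("capabilities", "user_level", "user-settings", "user-settings-time"):
        stmts.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )
    return stmts

if __name__ == "__main__":
    # After running these, set $table_prefix = 'x7k_'; in wp-config.php.
    print("\n".join(rename_prefix_sql(SAMPLE_TABLES)))
```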
A bit of housekeeping goes a long way! Many WordPress website owners will only have one admin account, or one account overall, but some businesses might need a few accounts.
You might want one for an editor, admin, contributors and so on. Over time, however, this could be a potential security risk.
After all, the more accounts you have, the more potential entry points.
Now we are not saying go and clear out all your colleagues’ accounts; that’s not going to be a good start in the office on Monday morning! What we are saying is: monitor this.
Over time people come and go. If you have old accounts that are no longer used, delete them. For those that are needed, ensure they follow the suggestions above on usernames and passwords, and maybe even get all users to update their passwords every 6 months or so.
WordPress plugins can add many brilliant features and functions to your website, but in many cases they can also be the weak point in security terms.
For many reasons, we would first suggest having as few plugins as possible. This is because the more you have, the more it will affect your site’s performance.
Also, the more code and plugins there are, the more opportunity there is to find a weak point.
We have already mentioned the WordPress core software updates and how important they are. The same goes for plugins. More than this though, plugins are often made by 3rd party developers and not all are trustworthy!
When looking for a plugin you should do your research.
Read the reviews, look at when it was last updated and how many installs it has. Maybe even do a quick Google search and see what conversations are happening on the internet about this plugin.
Plugins can be vulnerable in many ways.
Sometimes it’s just one of those things and updates will fix it; other times it’s hackers buying up abandoned plugins and updating them with malicious code. This means those that already have the plugin and update it will be open to a security breach, as well as those installing it fresh.
This is where our last few WordPress security tips come into play.
If all else fails, at the very least ensure you have a recent full backup.
Even after doing all of the above, things can sometimes still go wrong for a variety of reasons, not always down to a security issue. Backing up your WordPress site on a regular basis is important in these situations.
This is your business after all, and if your site is offline or has security issues for any amount of time it could spell disaster, not only for your reputation with customers but also with Google. Websites have at times been dropped out of rankings due to website errors and security issues.
A good backup system in this situation is literally a lifesaver.
There are many WordPress security plugins around, but the most noteworthy are WordFence, Sucuri, BulletProof Security and iThemes Security. The idea of these plugins is to add another layer of security and monitoring. Let’s look at brute force login attacks as an example.
With these plugins you can not only be notified if someone is trying to guess login details, you can also block them after a number of attempts, or even block them for just trying the default admin username.
Most people don’t think of others trying to guess the login to the admin of their site, but you would be surprised how often it actually happens.
You can choose how long, and how, you lock out these attempts, but be careful not to lock out colleagues who genuinely forget their password or simply make a typo.
Most people will use up three attempts on a fairly regular basis due to typos and forgetting a password.
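As an added example (not from the original post or from any of the plugins named), the following Python implements the kind of lockout rule those plugins apply, run over constructed web server access log lines. It relies on standard WordPress behaviour, where a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login redirects with 302, and uses a threshold of five failures in a ten-minute window so that a colleague's couple of typos does not trigger it; the IPs, timestamps and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES = 5          # the sixth failure inside the window triggers a lockout
WINDOW_SECONDS = 10 * 60  # sliding window; older failures age out
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse a combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_lockouts(lines):
    """Return {ip: time of first lockout} for IPs that exceed MAX_FAILURES."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if status == 302:          # successful login: redirect to wp-admin
            failures[ip].clear()   # a user who got in is not a guesser
            continue
        if status != 200:          # a failed login re-renders the form with 200
            continue
        q = failures[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_FAILURES and ip not in locked:
            locked[ip] = ts
    return locked

def _line(ip, hhmmss, status):  # builds one constructed log line
    return (f'{ip} - - [14/Mar/2018:{hhmmss} +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample: a colleague with two typos who then gets in, followed by a bot.
SAMPLE_LOG = [_line("203.0.113.7", "09:00:01", 200), _line("203.0.113.7", "09:00:20", 200),
              _line("203.0.113.7", "09:00:45", 302)] + [
              _line("198.51.100.9", f"09:01:{s:02d}", 200) for s in range(0, 60, 8)]
```

Running `find_lockouts(SAMPLE_LOG)` locks only the bot, on its sixth failure; the colleague's two typos followed by a successful login never reach the threshold.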
We hope this post has given you an insight into WordPress security and shared some valuable tips on the best practices and plugins for your website.