With WordPress running over a quarter of the websites worldwide, it’s no wonder it is one of the most attacked content management systems.
WordPress is a very versatile tool that makes it unbelievably easy to create a website of your own (and on your own). It does, however, come with its own flaws, and security is one of them. Despite the best efforts, there are a number of ways to take your WordPress site down if you don’t take the necessary steps to prevent it.
So what are the quickest ways to ensure your website has a long and ‘unhacked’ life?
Automated scripts usually install WordPress with ‘admin’ as the primary full access user account. The bad guys out there know it, and if they know the user name, a brute force/dictionary password attack is imminent. Now, there are tools to enumerate user names by analysing the code, taxonomies, and other aspects of your WordPress install, but it’s an extra step, so why not make it a little harder for them? And if you use a complex password, and not the run-of-the-mill ‘password’ or ‘Name123’ and other similar ones, you’re halfway there…
If you want to keep one step ahead of anyone who means your website harm, you need to keep it updated. Update WordPress core files, themes and plugins as soon as updates are released. Do back up your website before you do so, though. It’s been known to happen that poorly written updates break your website in the blink of an eye! Restoring it from a backup is much easier and quicker than repairing it.
There are plenty of security plugins in the WordPress repository, both free and paid for. I like WordFence Security quite a lot. It helps block known attackers, provides an extra layer of authentication (two-factor authentication), and much more. Most security plugins work out of the box; no complicated settings are required.
Good web hosts will provide you with something called WordPress Toolkit. Use it to fix directory browsing permissions and file and directory permissions, secure the wp-content and wp-includes directories, change your database table prefixes, secure the wp-config.php file, etc. It’s a (more or less) one-click action that only takes a few seconds of your time but goes a long way in making your WordPress website safe and sound!
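If your host does not offer the toolkit, some of the items above can be checked by hand. The following is an added example, not part of the original article and not WordPress Toolkit's own code: a read-only shell audit of wp-config.php permissions, the default `wp_` table prefix and world-writable paths. The function name `wp_audit`, the output format and the thresholds (common hardening guidance) are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress directory. Thresholds follow
# common hardening guidance and are assumptions, not WordPress Toolkit's rules.

wp_audit() {
    root=$1
    cfg="$root/wp-config.php"
    findings=0

    if [ ! -f "$cfg" ]; then
        echo "ERROR: no wp-config.php in $root" >&2
        return 2
    fi

    # wp-config.php stores the database credentials: flag access for "other".
    if [ -n "$(find "$cfg" \( -perm -0004 -o -perm -0002 \))" ]; then
        echo "FINDING wp-config.php is readable or writable by all local users"
        findings=$((findings + 1))
    fi

    # The stock table prefix is wp_ (the prefix the article suggests changing).
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.;' "$cfg"; then
        echo "FINDING default database table prefix wp_ is in use"
        findings=$((findings + 1))
    fi

    # Nothing under the install should be world-writable.
    world_writable=$(find "$root" \( -type f -o -type d \) -perm -0002)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        echo "FINDING world-writable: $path"
        findings=$((findings + 1))
    done <<EOF
$world_writable
EOF

    echo "SUMMARY $findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Usage: sh wp_audit.sh /path/to/wordpress   (path is supplied by the reader)
if [ "$#" -gt 0 ]; then
    wp_audit "$1"
fi
```

The function only reads file metadata and wp-config.php; it returns 0 when nothing is flagged, 1 when there are findings and 2 when the directory has no wp-config.php.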
With basic domain validation SSL certificates starting at just a tenner a year, there is no excuse not to use encryption to secure the connection between your (or your visitors’) web browser and the server on which your website runs. When using a secure transport protocol (HTTPS), all data you send is encrypted, so anyone who intercepts it cannot read or use it. That includes the user name and password you use to log in to your website’s admin area.
Encrypting the connection is also important to protect your clients’ personal information if you run an online shop on your website.
(There are hosting services out there offering a free SSL certificate as part of the package.)