Over 20% of the web is now built on WordPress, and this popularity makes it a common target for hackers. Read on for some simple, useful tips to secure and harden your WordPress-based website.
What’s the worst that can happen?
Whichever way you look at it, your website is an extension of your business. It’s usually how your potential customers get their first impression of your brand. Hacks can include defacing your website (and ransoming the fix!), causing visitors to download malicious code, and sending out dodgy emails that look like they have come from you. All of these things can harm your reputation.
Thankfully there are a few things you can do to protect your website:
Don’t use ‘admin’ as a username
This username is as common as it gets, and hackers know it. A technique called a brute force attack is used frequently, and if the attacker already knows the username this makes it easier for them. We run security audits for many sites and the logs are filled with automated bots trying to log in as admin. As we don’t use ‘admin’ as a username, we simply ban them, as it’s obvious they are up to no good.
If you have ‘admin’ as a username in WordPress, the fix is simple: first create a new user with administrator rights, then remove the user called ‘admin’.
Use strong passwords
The best passwords are complex ones. I realize these can be difficult to remember, but the point is that they are also more difficult to guess. Most WordPress users choose a weak password based on a dictionary word, and some even use the word ‘password’. Couple this with the weak ‘admin’ username mentioned previously and hackers could easily gain access to your site.
Thankfully, with services like LastPass, you can make your passwords as complex as you like without needing to remember them. LastPass has browser extensions and even mobile apps that auto-fill the login fields, making logging into sites simple – and secure.
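To make “strong password” concrete, here is an added example (not code from the original post or from any WordPress plugin) of the kind of policy check a site could apply when a user sets a password, together with a generator for the sort of long random password a password manager would store for you. The minimum length, the list of common passwords and the three-of-four character-class rule are assumptions chosen for illustration; a real deployment would check against a much larger list of known-leaked passwords.

```python
import secrets
import string

# Constructed, deliberately tiny sample of common passwords; a real policy
# should consult a large leaked-password list instead of this handful.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "wordpress",
}


def check_password(password: str, username: str, min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    Rules (assumed for this example):
      - at least `min_length` characters
      - must not contain the account's username
      - must not be on the common-password list
      - must use at least three of: lowercase, uppercase, digits, symbols
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(c) for c in password)
    )
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes < 3:
        problems.append("too_few_character_classes")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password with the `secrets` module until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, username=""):
            return candidate


if __name__ == "__main__":
    for pw, user in (("password", "admin"), ("Admin2024!Secure", "admin")):
        print(f"{pw!r} for {user!r}: {check_password(pw, user) or 'OK'}")
    print("generated:", generate_password())
```

The checker reports every violation rather than stopping at the first, so a signup form can show the user everything that needs fixing in one go.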
Keep WordPress up to date
WordPress sites often rely on plugins for functionality, and these plugins are updated regularly, not only for improvements but also to close security holes. WordPress core is much the same. I have noticed a trend of websites being built and then left at the versions they went live with. You should check for updates regularly, set them to update automatically, or get your favourite web developers to maintain the site once it goes live.
Security should be a regular routine for all WordPress site owners, and hopefully this post has given you some tips to start securing yours. There are of course many other (not so simple) steps you can take, such as:
- Blocking all but your own IP from accessing the admin screens
- Using ban rules on your server to block people who try to guess usernames and passwords
- Enforcing strong passwords for all users of your blog
- Changing the database table prefix from wp_
- Changing the login URL from /wp-admin to something a little more secret
- Adding two-step authentication
- Limiting login attempts
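The ‘admin’ section above describes banning bots that try that username, and the list mentions ban rules and limiting login attempts. The following is an added example (not code from the original post or from any plugin) that shows both rules applied to login logs: any attempt against a username the site does not have is flagged at once, and any IP with too many failures inside a short window is flagged as password guessing. The log line format, the sample lines, the five-failures-in-ten-minutes threshold and the forbidden username list are all assumptions constructed for the example; adjust the regular expression to whatever your login-logging plugin or web server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-style format: one line per login
# attempt with timestamp, outcome, username tried and client IP. The addresses
# are documentation ranges, not real visitors.
SAMPLE_LOG = """\
2024-05-01T10:00:01 wp-login: FAILURE user=admin ip=203.0.113.7
2024-05-01T10:00:03 wp-login: FAILURE user=admin ip=203.0.113.7
2024-05-01T10:00:05 wp-login: FAILURE user=admin ip=203.0.113.7
2024-05-01T10:01:00 wp-login: FAILURE user=jane ip=198.51.100.23
2024-05-01T10:02:00 wp-login: FAILURE user=jane ip=198.51.100.23
2024-05-01T10:03:00 wp-login: FAILURE user=jane ip=198.51.100.23
2024-05-01T10:04:00 wp-login: FAILURE user=jane ip=198.51.100.23
2024-05-01T10:05:00 wp-login: FAILURE user=jane ip=198.51.100.23
2024-05-01T10:06:00 wp-login: FAILURE user=jane ip=198.51.100.23
this line is deliberately malformed and must be skipped
2024-05-01T10:07:00 wp-login: FAILURE user=jane ip=192.0.2.10
2024-05-01T10:07:30 wp-login: SUCCESS user=jane ip=192.0.2.10
"""

# Assumed line format; change this to match your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) wp-login: (?P<result>FAILURE|SUCCESS) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        yield {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_ban_candidates(text, forbidden_users=("admin",),
                        max_failures=5, window=timedelta(minutes=10)):
    """Return {"forbidden_user": set of IPs, "brute_force": set of IPs}.

    Rule 1: any attempt against a username the site deliberately does not have
            (here 'admin') is an immediate ban candidate, success or failure.
    Rule 2: `max_failures` or more failed logins from one IP inside any
            interval of length `window` is treated as password guessing.
    """
    forbidden = set()
    failures = defaultdict(list)
    for ev in parse_log(text):
        if ev["user"] in forbidden_users:
            forbidden.add(ev["ip"])
        if ev["result"] == "FAILURE":
            failures[ev["ip"]].append(ev["ts"])

    brute_force = set()
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window: failures i and i+max_failures-1 bound a run of
        # max_failures attempts; if that run fits inside `window`, flag the IP.
        for i in range(len(stamps) - max_failures + 1):
            if stamps[i + max_failures - 1] - stamps[i] <= window:
                brute_force.add(ip)
                break
    return {"forbidden_user": forbidden, "brute_force": brute_force}


if __name__ == "__main__":
    for rule, ips in find_ban_candidates(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(ips)}")
```

The two rules are independent on purpose: 203.0.113.7 makes only three attempts, well under the brute-force threshold, but is flagged anyway because nobody legitimate logs in as ‘admin’ on a site that has no such user, while 192.0.2.10 (one mistyped password followed by a successful login) trips neither rule. The sets returned are what you would feed into a firewall or server ban rule.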
Why make it easy for hackers when it is easy to protect your WordPress website?
All sites we build come with security hardening as standard. We also offer WordPress maintenance services for managed updates to the CMS and plugins.