WordPress has become the leader in web publishing, with over 72 million sites using their Content Management System, which is estimated to be more than 25% of all websites operating on the Internet. As a result of this success, it has become a favoured target for hackers, so it’s crucial that if your business uses WordPress, your site is well protected.
To make a WordPress site more secure, there are a number of things to watch. Before making any changes, it’s essential to back up everything:
1) Update the admin user name. Surprisingly, many people don’t change this from the default “admin”, or use other very common ones, such as “administrator,” “test” and “root”. So ensure the one your site uses is different. This should ideally be done during the initial set-up, or subsequently by going into MySQL and updating the user name in the wp_users table.
2) Use a strong password. Not only should the username ideally be unique, but the password should also be very strong and include letters (upper and lower case), numbers and special characters, with over eight characters in total. (There are free programs, such as KeePass, that can create passwords and remember which ones are associated with which of your accounts.)
3) Change the wp-config Security Keys: Tucked beneath your WordPress database settings in your wp-config file are your site’s unique keys and ‘Salts’. These are a random array of letters, numbers and special characters you’d likely never run across unless they were pointed out to you. Making a new set is easy with a tool within the CMS that WordPress provides. More details about this can be found here.
4) Limit Login Attempts: WordPress provides a free plugin to do this. It’s surprising how many attempts, mainly by hacking bots, are locked out by this useful tool. It’s very configurable and has helpful features like logging offenders’ IP addresses and emailing you when a lockout happens. These emails may be slightly disconcerting, but serve as a reminder that the site is well secured.
5) Use “Secure WordPress”: This is another essential, free WordPress plugin that patches many holes that exist in the basic WordPress install. It will do things like removing the version number of WordPress throughout the site or blocking malicious URL requests. The plugin allows you to toggle these options on and off to customise the settings for your security needs.
6) Backup, Backup and Backup: This can’t be emphasised enough! The best defence is to ensure that there is a complete, up-to-date backup of the site. It’s possible either to download the files to your local machine, or ask your web host about backup options. The latter can sometimes be flawed, so if you want total peace-of-mind, it’s best to regularly do that yourself on a scheduled basis. Ensure that you’re also backing up your database, with one of the numerous options that are available, such as the WordPress Database Backup.
It’s possible to alleviate many attacks just through these 6 steps, which will ensure you’re not an easy target, like 99% of the sites that don’t take these precautions. Prevention is much better than cure and usually a lot less time-consuming than trying to recover from an attack after it’s too late. Just imagine how you’d feel if the site and database were lost, so be proactive beforehand, as it can happen.
If you’d like to know more about how we can help to secure your WordPress website, contact us now.