If you're reading this, chances are your website is running on WordPress. Because WordPress powers approximately 35% of all websites, security experts consider it a large attack surface and a very high-value target for bots and hackers.
Ever since I started using WordPress, I've heard how insecure it can be, as well as the PHP language WordPress runs on. According to Cal Evans, an information technology consultant based in Florida, a language itself is not insecure. Vulnerabilities crop up, but they get patched quickly. A language is not inherently insecure; it's how people use it.
A badly developed website or plugin can contain code that hackers can exploit to take control of your site.
Keeping the WordPress core up to date is the single most important thing you can do to keep your site safe. There are a couple of ways to do it.
1. Update manually - Once you log into your WordPress dashboard, you will see a notification that an updated version of WordPress is available.
Be sure you have backed up your site before updating the WordPress core. Depending on the plugins you have installed, a core update may break some of them and take your site down, so always have a backup ready.
More on backing up your site further down the list.
2. Auto-update through your hosting provider - Some hosting companies offer to automate your WordPress core and plugin updates.
Attackers study this code for vulnerabilities. Keeping your WordPress core and plugins up to date can prevent attackers from exploiting a known hole in a plugin to take control of your website.
According to Charlotte Empey, Marketing Director at Avast, "the best passwords will thwart brute force and dictionary attacks".
A brute force attack tries every possible combination until it hits on yours, while a dictionary attack tries a prearranged list of words, such as those you'd find in a dictionary.
Another way hackers can get your password is phishing: tricking you into handing over your login credentials. You may get an email saying your website requires you to change your password, with a link to do so. A website owner who clicks that link and enters their credentials, thinking it is the legitimate site, has just given them away.
What NOT to use as passwords: admin, administrator, your birthday, your mother's maiden name, your spouse's name. Assume these are already common knowledge.
To learn more about how to strengthen your password, check out Charlotte Empey's blog at Avast by clicking the link below.
Backing up your WordPress site is extremely important. It means you hold a complete copy of your content and data.
If your website gets hacked, that data is still available to you and you can restore the entire site and database.
Depending on your web hosting company, this may be a service you already have with them, and I suggest you take advantage of it. If not, there are WordPress plugins you can install to back up your website and database and save the copy to Dropbox or Google Drive, or email it to you.
SiteGround has Automated Daily Backup on all their hosting plans. They keep a copy of your information on their servers for up to 30 days back, and restores are free.
A few WordPress plugins that handle backing up your website are the following:
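For sites where you have shell access, a backup can also be taken without a plugin. The script below is an added example, not from the article or from any plugin it mentions; it assumes a standard install whose wp-config.php holds the database credentials, and that mysqldump and tar are available.

```shell
#!/bin/sh
# Added example: plugin-free WordPress backup (not from the article).
# Assumes a standard install: wp-config.php holds DB credentials,
# wp-content holds themes/plugins/uploads, and mysqldump + tar exist.
set -eu

# Read the value of define('KEY', 'value') from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive name: <db name>-<UTC timestamp>.tar.gz
backup_name() {
    printf '%s-%s.tar.gz' "$1" "$2"
}

# $1 = WordPress root, $2 = directory to write the archive into
wp_backup() {
    wp_root=$1; dest=$2
    cfg="$wp_root/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    work=$(mktemp -d)
    # Pass credentials through a mode-600 option file so the password never
    # appears on the command line (visible in ps output and shell history).
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$db_user" "$db_pass" "$db_host" > "$work/my.cnf"
    chmod 600 "$work/my.cnf"
    mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction \
        "$db_name" > "$work/db.sql"
    # wp-config.php is included because it holds the salts and DB settings
    # needed to restore on a new server; keep the archive outside the web root.
    tar -czf "$dest/$(backup_name "$db_name" "$(date -u +%Y%m%dT%H%M%SZ)")" \
        -C "$wp_root" wp-content wp-config.php -C "$work" db.sql
    rm -rf "$work"
}

# Usage: sh wp-backup.sh /var/www/html /backups  (does nothing without args)
if [ "$#" -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

Run it from cron and copy the archives off the server, since a backup that lives next to the hacked site is lost with it.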
It is easy to identify a WordPress website: adding "/wp-admin/" to the end of the URL takes you to the login page of any WordPress site. Moving your login page, so that typing your URL with wp-admin appended no longer reaches it, adds another layer of security by hiding the usual way hackers log into your site. This is called security by obscurity: it hides the door rather than locking it.
I would recommend the WPS Hide Login plugin. With over 600K active installations, it is one of the most popular plugins for changing your login page to anything you want.
WordPress comes with a built-in theme and plugin editor. This code editor lets you edit your theme and plugin files directly from the WordPress dashboard. As convenient as that sounds, it poses a security risk once a hacker gains access to the back end of your website, since the editor lets them change your site's code from the dashboard. There are a couple of ways to disable it.
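Two common ways to disable the editor, shown as an added example rather than code from the post: the `DISALLOW_FILE_EDIT` constant in wp-config.php, and a must-use plugin that strips the editor capabilities through WordPress's `map_meta_cap` filter (the file name `disable-file-editor.php` is my own choice).

```php
<?php
/**
 * Plugin Name: Disable built-in file editor
 * Description: Example mu-plugin (added illustration, not from the article).
 * Install as wp-content/mu-plugins/disable-file-editor.php; mu-plugins load
 * automatically and cannot be deactivated from the dashboard.
 */

// Way 1 (no plugin needed): add this line to wp-config.php, above the
// "That's all, stop editing!" comment. WordPress core then maps the
// edit_themes / edit_plugins / edit_files capabilities to do_not_allow.
//
//     define( 'DISALLOW_FILE_EDIT', true );

// Way 2: do the same mapping at runtime. Useful when wp-config.php is
// managed by the host and you cannot edit it.
add_filter( 'map_meta_cap', function ( array $caps, string $cap ) {
    $editor_caps = array( 'edit_themes', 'edit_plugins', 'edit_files' );
    if ( in_array( $cap, $editor_caps, true ) ) {
        return array( 'do_not_allow' ); // nobody, not even administrators
    }
    return $caps;
}, 10, 2 );

// Caveat: neither way stops a compromised administrator account from
// uploading a new plugin. DISALLOW_FILE_MODS blocks that too, but it also
// disables dashboard updates, so only use it where updates are automated.
```

Once either is in place, the Theme File Editor and Plugin File Editor entries disappear from the dashboard menus, which is the quick check that it took effect.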
Two-Factor Authentication (2FA) adds another layer of security to your WordPress website. Even if hackers manage to guess your username and password, 2FA still requires them to enter a code that is sent by text to your mobile device or by email, or generated by an app like Google Authenticator.
You can add a plugin called Wordfence, which protects your website from brute force attacks and other threats.
Once you have installed the plugin, navigate to:
Wordfence tab > Login Security > Two-Factor Authentication
You will also need Google Authenticator on your phone and to sync the two together. Once activated, every time you log in to your website you will be required to enter a 6-digit code to prove you are the person authorized to log in.
Website security is not a one-and-done deal where you install a plugin, set it and forget it. It takes layers upon layers of steps to stop an attacker from gaining access to your website.
Hopefully this article has provided you with some ideas on how to secure your WordPress website from attackers. There are other ways that you can secure your site, but the ones I've listed are easy, actionable, and something you can do right now.
"The only secure server out there is the one that you've unplugged from the internet... if you want to make it 100% absolutely secure, turn it off." - Cal Evans