It’s scary to think that your website could be targeted for attacks. Unfortunately, that’s the reality and it’s probably happening daily without you even knowing about it. WordPress is a huge platform and accounts for roughly 30% of all websites. This makes it an appealing target for hackers and automated scripts. However, there are several steps you can take to help secure your WordPress website and prevent it from being compromised.
1. Strong Passwords: This should go without saying, but always use strong passwords for your logins. I recommend using at least 12 character passwords that contain letters, numbers, and special characters. It’s tempting to use something simple just to make it easier to remember. The downside to this is it also makes it easier for brute force entry into your site. Using long, complicated passwords can make it tedious for logging into your site, but fortunately there are several password managers available today to take care of the remembering for you: 1Password, Dashlane, iCloud Keychain if you’re on a Mac/iOS device.
2. Don’t use “admin” for a username: Don’t use “admin” for a username with Administrator privileges. It’s easy to guess and as a result makes your site more susceptible to attacks. Instead, make your usernames unique. If you currently have an “admin” username, you can set up another account with the Administrator role and change the “admin” user account to Subscriber or delete the account altogether.
Additionally, if the name of your authors is exposed in blog posts you may want to post to your blog only from Author accounts rather than from Administrator accounts. This will help keep your Administrator accounts from being exposed to the general public.
3. Keep your plugins updated*: It’s extremely important to keep your plugins up-to-date and remove unused plugins. Outdated plugins are one of the easiest and most common paths for a hacker to gain access to your backend. They have scripts that search for WordPress sites that are using plugins with known vulnerabilities. Updating your plugins is as easy as clicking a button and goes a long way towards keeping your site secure.
4. Keep WordPress core updated*: The WordPress team does a great job of keeping WordPress up-to-date and free of vulnerabilities. However, as is the nature of software, vulnerabilities are bound to exist. Therefore, it is important to keep your WordPress installation up-to-date as security holes are patched. Like plugin updates, core updates only take a click of a button.
5. Make sure SSL is configured for your site: SSL (secure sockets layer) is how a connection between a server and browser is encrypted. This makes sure that sensitive information (ie. login credentials, credit card info, etc) is transferred securely between the web browser and server. Many hosts are now offering Let’s Encrypt, a free SSL certificate, and make it really easy to get it installed on your site. Check with your hosting provider to see if it’s available.
Having a site that’s been hacked isn’t fun. It can be time consuming, and costly (in more ways than one), to get it cleaned, patched, and back online. Adhering to the recommendations outlined in this article will go a long way toward helping to avoid this scenario. If you need assistance implementing
*Note: it’s important that you have a backup of your website prior to making any updates in just in case an update causes issues with your site (not typical).