One of the great things about having a website for your business is that it’s easy to change and update the information. Unlike a print brochure you can easily make changes anytime you like. That’s assuming of course your site is built using a CMS, or content management system. A CMS gives the website owner the ability to easily change content on their website without having to contact their webmaster. (If you’re a bit anal — I mean “detail-oriented” — then this may not be a good thing. It’s 2 AM, put down the mouse and go to bed.) There are many content management systems out there, but the most common one is WordPress.
It also makes you a target.
Of all active websites, today over 30% are using WordPress. Of all active websites that are using a content management system, over 60% are using WordPress. Because WordPress is so popular and pervasive, there are thousands of add-ons and tools (plugins) available that can help you get the most out of your website. While this makes WordPress a great option for building and managing your website, it also makes it – and you – a target. A really, really big target. If you’re a hacker and trying to compromise a website platform, then you want to compromise WordPress. This means if you’re going to use WordPress to build your site, you’d better have security at the top of your to-do list. And WordPress security is not just something to think about when you build your site, but something that must be part of your everyday routine as you go about maintaining your website. Here are some things to consider.
You’ve heard this one before. Probably many, many times. You need to use strong, secure passwords. If you’re using your website for business, then getting hacked is not just inconvenient, but also embarrassing, and possibly expensive if it causes you to lose business. It’s easy to pick a good password because WordPress helps by picking one for you. And if you want to change it to something that’s not secure, it will actually make you check a box saying: “Confirm use of weak password – because I want to be hacked and have some malware installing lowlife make my website their bitch.” Okay, maybe it doesn’t say it exactly like that, but you do have to confirm you want to use a weak password. Use the password WordPress picks for you, or use your own strong password.
Don’t make “Admin” your username
For malcontents to log into your website they need more than just the password, they also need an administrator’s username. The one used most often is “Admin.” So it’s quite easy to guess. So don’t use it! But you need to do more than that. The first user created when WordPress is installed is commonly admin. Which finding out that username can be as simple as going to your website with ?author=1 tacked onto the end of the URL. (https://www.YouDomainName.com/?author=1) If you can type this in and get to a page that has your admin username at the end of the URL, then you may want to add security measures to stop this.
So how do you help secure your WordPress website by removing admin as your username?
- While logged into your WordPress control panel got to Users and select Add New. This is where you will add a new administrator role. By using a password generator you can be sure you’re choosing a strong password.
- After the new administrator role has been added, log out of your current one and log back in with your new user. Finalize the process by going back into users and removing the user “admin”.
Note: If the “admin” user had existing posts go ahead and assign the links and attributes to the newly created user.
Limit login attempts
If you have used an easy-to-find username, and a weak password, how do hackers get into your site? One method is brute force. They use automated bots that try different logins over and over. Fortunately, this is easy to thwart. There are plugins that will limit how many attempts can be made to get into your site. After a set number of attempts, the IP address of the attacker will be blocked.
It’s 10pm – do you know what your plugins are doing?
Use quality themes and plugins
Speaking of plugins, do you know where yours came from? Are they kept up-to-date and actively maintained? There are thousands of plugins out there. And not all are created equal. By using just any old plugin you may be adding security holes into your website. Before installing any theme or plugin make sure it’s one that is being actively maintained and is well supported by its author. If you find a premium plugin you’d like to use, don’t be tempted by one of the many websites that offer free downloads of premium plugins and themes. If it’s not from the vendor or a reputable source, you do not know what else may have been added. A backdoor to your website perhaps? Some nice malware? A few spam scripts? Just like you don’t want to buy your important medications from some website wearing a trench coat and hanging out in a dark alley, you don’t want to get your WordPress plugins or themes from these sites either.
Keep everything updated
One of the reasons you want to make sure you only use themes and plugins that are supported is because hackers are always finding new ways to get in. New exploits are always being found, and even the best software can have security holes. When new security threats are found, vendors will patch their code and you will need to upgrade. Patches and upgrades are always coming out for plugins, themes, and WordPress itself. It’s important that you keep all of these up-to-date. If you are doing this manually you should be checking at least once a week. The longer you wait to update your site, the longer you may be leaving the back door open for attackers.
Backup, Backup, Backup
Like using a secure password, this is one you hear all the time. And for good reason. If your site does get hacked, you may need to delete it and install a backup. That is if you have a backup. Often website owners assume their web host is backing everything up. But are you sure? Many times we have heard of users losing part or all of their website and finding out their host can’t restore it. You may have to pay extra to have website-specific backups done, or if they are done, to get your files back. Check with your webmaster or web host and find out. But don’t stop there. You can run your own backups.
File and directory permissions
The files and directories of your website have a set of permissions. They are set independently for each file and directory and for the type of user. They say what can be done with each file, and who can do it. For example, you want everyone who visits your website to be able to read your content, so anyone should have read access to the files needed to view the content. But other files, files that contain configuration and database information, for example, should not be readable by everyone. And they certainly shouldn’t be editable by everyone. Making sure all of these permissions are set correctly is very important. If you’re not familiar with setting these, there are WordPress security plugins that can help. Or contact your web host.
WordPress websites use a database to store the information and content that make up the site. If a hacker can compromise the database, they have complete control. You can make this harder by making sure the table names in the database are not easy to guess. By default, all the tables have specific names with a prefix of wp-. You can change this prefix when installing WordPress so your database tables can’t be easily guessed. There are also a set of security keys that need to be added when you first set up WordPress. These keys are used for encryption to make it more difficult for attackers to crack your login. If you’re installing WordPress yourself, be sure these keys are added correctly.
Would you like some nice malware?
Secure your own computer
If you’ve got the most secure WordPress installation in the world, but the computer you use to log into your site is compromised, then all that work may be for nothing. An attacker can just get the login information from your computer. (Along with the login’s to your bank accounts, medical history, email, work logins, Wanda’s online emporium of adult toys…) So make sure you keep your computer up-to-date and secure.
These are only a few of the things you should be doing to secure your website. There are more. If you have a webmaster or web host who you think is doing these things for you, don’t assume. Ask them. One thing to look for in your host is if they offer “Managed WordPress” hosting. With managed hosting, you generally get many additional perks. Things like keeping your WordPress installation and themes and plugins up-to-date, and making sure your site is secure. They may also add additional WordPress-specific security at the server level. Don’t just pick the cheapest hosting for your WordPress website. If you’re not an expert in site security, then find a managed environment that can handle that for you. If you’d like help managing your WordPress website, contact us today!