- Jun 23, 2016
- by Brad Litwin
Security has always been a major concern – not only for the internet at large, but for WordPress users too. In fact, given that WordPress is attacked 24% more than all other content management systems combined, WordPress security should arguably be one of your higher priorities.
Security breaches are the bane of a developer’s life, and even so-called minor breaches can wreak havoc on your site – eating up your precious time and money to rectify the problem. However, there are a multitude of steps you can take to fortify your digital borders – and many of them can be done in just a couple of minutes, for little or no cost.
With that in mind, in this post we’ll firstly explore the dangers behind your website being compromised, before taking you through a seven step guide towards hardening your WordPress website against hacks and attacks.
The Importance of WordPress Security
WordPress powers over 26.4% of the internet’s monitored websites. To put that into context, Joomla trails in second place, with just a 2.7% slice of the pie.
Other than demonstrating the popularity of WordPress, this statistic reveals that hackers are more likely to focus their efforts on WordPress above its competitors. After all, figuring out WordPress will give a hacker far broader access to the world’s websites, and a larger potential gain for their efforts.
It’s tempting to think that your website will never be breached, but with such an attitude, it will be only a matter of time until your website is breached. Hacks can cause all sorts of damage, such as erasing data, redirecting your visitors to malicious websites, or displaying offensive material. This, of course, risks all of the trust that your readers and customer had in your brand – potentially hitting your traffic levels, reputation, and bottom line.
Now we’ve looked at why security should be your number one priority, let’s take a look at the seven key steps to turn your website from an open house to Fort Knox.
7 Key Steps to Protecting Your WordPress Website From Security Threats
1. Backup Your Website
This is the one thing you should do before taking any other security measures, and having a fresh backup of your data is vital to ensuring you can restore your website to its former glory as quickly as possible.
Finally, be sure to keep your backups in a local or remote location – i.e. not on your live server – to ensure they don’t get erased along with everything else if your website is ever breached.
2. Stay Up to Date
The team behind WordPress release regular updates in the form of major feature releases and security patches – the latter being more regular, and far more important security-wise.
The importance of these updates can be understood when you realize WordPress is fighting a continuously evolving battle against hackers. Each update they roll out helps to guard against the latest threats. Thus, if you delay your updates, you risk exposing yourself to new hacking tactics.
This principle also applies to WordPress themes and plugins, so it’s wise to never ignore the notifications that prompt you to update them. Get updating now!
3. Use Strong Passwords
This precaution may seem obvious, but it’s far too often skipped over by WordPress webmasters.
Hackers regularly try to crack passwords using algorithms and repeated login attempts (this is referred to as ‘brute force hacking’). Put simply, the more complex you make your password, the harder it is for a hacker to crack. So, consider using jumbled letters, numbers and symbols to beef up your passwords.
Alternatively, use a website such as Strong Password Generator:
Furthermore, avoid using admin as your username. Since admin is the default username for WordPress, and therefore the most commonly used, hackers always begin their process by attacking it before moving on to other possible usernames. (If your username is already admin, switching it is fairly straightforward.)
4. Block Brute Force Hackers
Speaking of brute force hacking, it would be wise to spend some time focusing on it a little more closely, due to its widespread usage by hackers.
As we’ve just discussed, strong passwords help, but we also recommend installing the WP Limit Login Attempts plugin:
This will block the IP address of anyone making an unusually large number of login attempts to your website within a set time period, and we believe it’s one of the best defences against brute force attacks.
5. Install a Security Plugin
As you may have twigged, WordPress can’t exactly keep itself secure. Of course, with such a strong development community, there are a number of security plugins available to help.
The A2 Optimized for WordPress plugin is one example of a stellar WordPress security plugin that optimizes spam protection, installation and upgrades, importing, user registration, password protected posts, and much more:
Wordfence is another often recommended WordPress plugin for security, however, it is not recommended due to database writing on every page view. In particular, the Live Traffic feature can cause performance issues in a shared hosting environment. If you opt to go with Wordfence, be sure to optimize the plugin.
For an alternative that enables you to handle a multitude of security options from your WordPress dashboard, consider the iThemes Security plugin.
6. Keep Administration Access Tight
Keep your friends close, and your admins closer – if you let an unvetted, nefarious type through the front door, all your security efforts will be for naught. Put simply, nobody except trusted members of your team should have administrator access.
Alternatively, we suggest giving your team members author or contributor status. This gives them the access they need to publish and modify their own content, without being able to get to the more important areas of your WordPress dashboard.
7. Monitor Google Search Console
By linking your WordPress website to Google Search Console, you’ll get Google’s verdict on your website’s well being.
This is what you’re looking for!
If a problem ever arises, Google Search Console’s Security Issues section will show a notification and guide you towards a solution. So, keep an eye on your Search Console dashboard, and act quickly if necessary.
With the continued growth of WordPress, hackers are lining up to attack vulnerable websites, but that doesn’t mean your website has to be a sitting duck. While hackers normally prey on those without even basic security knowledge, with our article, that should no longer be the case.
Let’s recap the steps you need to take to guard against malicious attacks:
- Backup your website regularly.
- Keep your WordPress installation, plugins, and themes updated.
- Use strong passwords.
- Block brute force attacks.
- Consider a general security plugin.
- Keep administrator access restricted.
- Monitor your Google Webmaster Tools dashboard for insight into your site’s security.
Image Credit: pixelcreatures.