WordPress currently occupies 27% of all websites online, that’s around 15,000,000 websites and because of this it’s open to malicious scripts that try to cause problems for you. But don’t let this scare you, if you follow our 7 security tips you’ll minimize the risk of being at mercy of a hack.
1. Keep WordPress up to date
You’ve probably seen us talk about keeping your WordPress version up to date in previous posts, that’s because it’s extremely important. Not only does keeping it up to date allow you to have access to the latest features, it also increase your website’s security.
Recently you may have noticed WordPress updates itself for hot fixes such as 4.6.1, but for major releases like 4.7 require you to update them. A hot fix will fix any issues in the major release or add small features not worthy of a major release. Of course these automatic updates are nothing to worry about, but if you do want to turn them off you can.
If you do want to update the site yourself, to be safe we suggest taking a back up of the database and if you want to be extra secure you can use a plugin like Backup Buddy which will backup your entire website.
2. Keep plugins up to date & remove unnecessary ones
With this statistic in mind you can understand why it’s best to keep all your plugins up to date. If managing this seems like too large of a task for you, we offer various care packages where we’ll handle the updates for you.
3. Never use ‘admin’ as a user & have strong passwords
When a script is trying to get into your site by guessing your username / password it’s called a ‘brute force attack’. It gets the name from the method it tries to get in. You can find plugins which allow you to restrict how many failed attempts someone can make before they can try again which can help the issue. Another solution is to add a captcha to your login forcing users to confirm they’re human before it allows them to submit the form.
One of the first things malicious scripts will do is try the username ‘admin’ purely because its the first username people use for the admin user of a website. Try to use something a script won’t think of. Your name for example is much more secure than ‘admin’.
The second thing a script will do is attempt to guess your password. So having generic passwords like password123 won’t keep them out for long. We use a piece of software called 1Password to generate complex passwords that are going to keep scripts from guessing it. If you’re wondering what a complex password looks like, one I just generated is .p8VQ$pULTHAmTxkd3A. The mixture of symbols, numbers with upper and lowercase letters makes it extremely secure and almost impossible to guess. The longer they are, the better. If you want a free tool that can help you try the Strong Password Generator. We prefer 1Password as it allows us to store all our complex passwords.
4. Change the admin URL
Most WordPress websites have the admin URL set to /wp-admin/ which is extremely easy to remember. The issue with this being so common is it becomes the first URL that scripts will try when they want to brute force your site. To help get around this you can change the URL. Doing this means it becomes harder for scripts to find the login URL and apply brute force attacks.
5. Change the database prefix
The database of your WordPress website is probably the most important part of the site. It stores all of the information from posts to passwords, so its best to keep it secure as possible. When setting up sites we often make sure we use different names for the database user and the database name as well as having a long secure password as we discussed earlier.
6. Disable the Plugin & Theme editor
To do this you do need to edit the wp-config.php file so if you don’t feel comfortable why not get in touch with us and we can handle it for you.
If you do feel comfortable doing it all you need to do is add the following line of code to the wp-config.php file in the root of your FTP or SFTP.
7. Keep track of website activity
No matter how many users you have using your website its a good idea to keep a track of what they’re doing.
You may ask why? Sometimes something little can cause a vulnerability on the website, so when it comes to solving it knowing whats happened on the website recently comes in handy. WP Security Audit Log is a simple and free plugin which keeps a log of everything that happens on your websites dashboard so you can view what your users are doing but more importantly, what hackers have done if they have got into the site.