WordPress websites are now everywhere, and everywhere you look there is a programmer or developer who can help you with your WordPress site. This is a great thing: it has allowed a lot more businesses to have an online presence at an affordable rate, with the tools to administer their site without a programming degree. Unfortunately, most website owners (and some so-called developers) overlook the most important part of their WordPress website: security.
As the most commonly used website platform on the internet, powering 37% of all websites in Australia alone (source: Built With), WordPress is a popular target for hackers and spammers. While its user-friendly platform makes it the most desired choice, it is also one of the most vulnerable to attack if not secured properly.
According to a WordFence survey, a staggering 38.9% of respondents had their WordPress site compromised within the past 12 months, and this figure is growing each year.
I know you must be asking why someone would want to hack your site. Don't worry, it's not for your credit card details, or any of your information for that matter. Most sites are hacked only because it's possible, and most of these attacks are automated. What most hackers want is to use your server to send spam emails and/or infect your visitors' computers. Very rarely will a hacker specifically attack a site for a reason. No matter how small your site or how little traffic you get, your site is always vulnerable.
What can you do?
To secure your WordPress site, there are three (3) key things that you need to look at:
First, protect your WP-admin. This is a simple one and is almost always forgotten. Anyone needs only three (3) things to access your website: your username, your password and the login address (where to enter the username and password). If there is no place to enter a username or password, then it's going to be hard to get in. For example, a lock picker is going to struggle to pick a lock if they don’t know where the lock is.
Out of the box, the WordPress login page will always be http://yourdomain.com/wp-admin. If this isn’t changed, then anyone trying to access your site is a third of the way there.
Another commonly overlooked security feature is limiting login attempts. How many times do you want to allow someone to try to guess your username and/or password? The more chances someone has, the more likely they are to get your password.
There are several WordPress plugins to help you protect your login form. All you need to do is search for "security" on the add plugin screen. What has worked for us is a combination of Pro WP Limit Login Attempts, WordFence and Protect WP-Admin.
Second, update your WordPress. Neglecting this is another common mistake made by website owners. WordPress is a platform, much like the operating system of your computer. The amazing team from the WordPress Foundation provide updates for WordPress to ensure your site is secure and all identified vulnerabilities are patched as soon as possible. According to WP WhiteSecurity, more than 70% of the top WordPress websites on the web showed some sort of vulnerability that was due to running an outdated version of WordPress.
Your plugins are just as important. Plugins play a big part in making WordPress as popular as it is today. As of this writing there are 43,719 plugins available for download in the official WordPress plugin directory. That is an incredible selection of plug and play software. But you obviously need to be careful with them, as plugin vulnerabilities represented 55.9% of the known entry points reported by respondents (source: WordFence).
Third, complicate your login. The most common reason anything is hacked is login credentials that are not complex enough. Yes, I know it's a pain to remember the uppercase, the lowercase, the special character and, don’t forget, the numbers, but it's for your own good. The reason for the complexity is simple math. The longer your password and the more kinds of characters it uses, the higher the number of possible combinations, which means the longer it's going to take someone to guess your password. Here is the one thing that everyone forgets: this also applies to your username. Earlier I said that for someone to access your site, they need three (3) things: the login location, the password and the username. Now, if you use admin as the default username, that’s a third of the game there.
For the everyday automated attack (brute force), changing the username from admin or administrator helps a lot. This simple change forces potential hackers to guess the username as well as your password.
In conclusion, prevention is better than the cure. If you keep the above three things in mind, hackers will find it difficult to get access to your site.
For assistance or to book a service call, contact us on 02 8004 0414.