Understanding Your WordPress Website Security

Understanding WordPress Security

Why is WordPress the victim of so many security attacks?

Firstly, with its $0 price tag WordPress is the world’s most used CMS (Content Management System), so quite simply it is the natural target for malicious hackers. The reasoning is simple: if you are an attacker you want to break into software that powers millions of websites, because one flaw in that software, or in a popular plugin, lets you attack millions of sites with the same exploit.

Secondly, it is your responsibility to ensure that WordPress, your themes and your plugins are updated, and unfortunately not everyone is enthusiastic about keeping the backend up to date. When a security flaw is discovered, WordPress rolls out a security update, usually followed quickly by updates to themes and plugins. From that point on it becomes your responsibility to apply them: once a fix is published the flaw is public knowledge, and a site that has not applied it is an easy target.

Thirdly, a number of security issues in WordPress arise from themes and plugins obtained from disreputable sources. WordPress has a large number of themes in its official repository, along with many premium themes from reputable software providers. These official and premium themes are good for security: they offer clean, tested code and regular updates.
Problems arise when you install themes or plugins downloaded from disreputable providers (pirated “nulled” copies of premium themes are a well-known vehicle for backdoors). Themes obtained from official and reputable providers have a distinct advantage: they are updated by their developers to stay compatible with the latest WordPress security fixes. Keeping themes and plugins updated is the third key element.

Six Simple Strategies to make your WordPress installation less vulnerable to attack.

1. Never use “admin” as your username

If you use “admin” as your username and your password isn’t strong enough, your site is very vulnerable to attack. With “admin” as the username, hackers already have half of the login information needed to access your website and only have to guess the password; automated brute-force tools try “admin” first for exactly this reason.

Until version 3.0, installing WordPress automatically created a user with “admin” as the username. Many people still use “admin”; it has become the standard, and it’s easy to remember.

The fix is simple: create a new administrator account for yourself with a different username, log in as this new user, and delete the original “admin” account. If posts were published by the “admin” account, WordPress asks what to do with them when you delete it; attribute them to your new user account rather than deleting them.

Also, don’t use your own name as your username! WordPress exposes usernames through author archive URLs (/author/username/) and its REST API, so a login that matches the name shown on your posts is trivial to discover.
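The procedure above, scripted with WP-CLI (https://wp-cli.org/), as an added example; this is not code from the original article or from WordPress itself, and the `wp` tool, the script name and the environment variables are assumptions. WordPress does not let you rename a login from the dashboard, which is why the fix is create-then-delete; the script refuses obviously guessable usernames, generates a random password for the new account, and always passes `--reassign` so the old account’s posts survive:

```shell
#!/bin/sh
# Added example (not code from the original article): retire the default "admin"
# account with WP-CLI, the command-line tool for WordPress (https://wp-cli.org/).
# Run from the WordPress root as:  sh replace_admin.sh <new_username> <new_email>
# Assumptions: `wp` is installed and can reach the site's database. Set DRY_RUN=1
# to print the WP-CLI commands instead of executing them.

WP="${WP:-wp}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Look up a WordPress user ID by login; in dry-run mode return a placeholder.
# `wp user get` exits non-zero when the login does not exist.
user_id() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '<ID-of-%s>\n' "$1"
  else
    "$WP" user get "$1" --field=ID
  fi
}

# 24 random alphanumeric characters from the kernel CSPRNG (about 143 bits).
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Reject the guessable usernames the article warns about.
valid_username() {
  case "$1" in
    ''|admin|administrator|root|test|user) return 1 ;;
  esac
  return 0
}

# Create the replacement administrator, then delete "admin" and hand its posts
# to the new account (never delete without --reassign, or the posts go too).
replace_admin() {
  new_user="$1"; new_email="$2"
  if ! valid_username "$new_user"; then
    echo "refusing to create guessable username '$new_user'" >&2
    return 1
  fi
  if ! user_id admin >/dev/null 2>&1; then
    echo "no 'admin' account found; nothing to do" >&2
    return 0
  fi
  new_pass=$(gen_password)
  run "$WP" user create "$new_user" "$new_email" \
      --role=administrator --user_pass="$new_pass" || return 1
  new_id=$(user_id "$new_user") || return 1
  run "$WP" user delete admin --reassign="$new_id" --yes || return 1
  echo "created '$new_user' (id $new_id); password: $new_pass" >&2
  echo "store that password in a password manager, then log in and confirm 'admin' is gone" >&2
}

if [ $# -ge 2 ]; then
  replace_admin "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to see the exact commands, then for real; the new password is printed to stderr only, so capture it into a password manager rather than a log file.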

2. Strengthen those passwords

According to research, around 8% of hacked WordPress websites are compromised because of weak passwords. Using a long, complex password that you use nowhere else is one of the best ways to keep your site secure, and you should change it immediately if you suspect it has been exposed.
This can be annoying, which is why most people choose to use the same easy-to-remember password for everything; that habit means a breach of any one site hands the attacker your WordPress login too.

If your WordPress password is anything like ‘letmein’, ‘abc123’ or even ‘password’ (all more common than you might think, and all in the word lists that brute-force tools try first), change it to something secure as soon as possible.

For a password that’s easy to remember but hard to crack, we recommend coming up with a password recipe: a recipe with the same steps every time but different ingredients for each site.

Step 1: A unique number, e.g. 7011
Step 2: A unique name, e.g. mynamesfred
Step 3: Then mix in lower & upper case and special characters
The password becomes … 7011_my/N^me5/freD

The result is long and mixes character classes, but it is still built from guessable parts, so treat the recipe as a minimum. If you can, let a password manager generate and remember a fully random password instead.

3. Update all things … WordPress, theme & plugin versions

The best way to keep everything secure is to keep everything up to date, starting with your WordPress version. Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website on the latest version of WordPress, you could be leaving yourself open to attack.

Many hackers intentionally target older versions of WordPress with known security issues, so keep an eye on the notification area of your WordPress dashboard and don’t ignore those ‘please update now’ messages. Since WordPress 3.7, minor security releases are applied automatically by default; major releases, themes and plugins still need your attention.

The same applies to themes and plugins. Security vulnerabilities exist in the plugins and themes you have installed just as they do in core, so it’s important to keep these up to date too.

If a plugin developer does not update their plugin to address security issues, consider removing it or finding an alternative. Plugins that aren’t maintained also fall behind when you upgrade WordPress, and may stop working or cause conflicts.

Make sure you update to the latest versions as they are released. If you keep everything up-to-date your site is much less likely to get hacked.

4. Backup

This is the simple strategy that many people put off until it’s too late.

Even with the best security strategies and measures, you never know when something unexpected could leave your website open to attack.

If your site is hacked you’ll be thankful that you have kept regular backups and can restore a clean, up-to-date copy. Updating WordPress can also go wrong: plugin and theme conflicts can break the operation of your website.

In either case you want all of your content safely backed up, so that you can restore your site with minimal effort and time. Keep the backups somewhere other than the web server itself (an attacker who gets into the site can delete or tamper with anything stored alongside it), and occasionally restore one to a test site to prove it actually works.
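One way to turn strategies 3 and 4 into a routine, as an added example rather than the article’s own or WordPress’s code: take a backup first, check that the core files still match the official checksums, apply all pending core, plugin and theme updates with WP-CLI (https://wp-cli.org/), then back up again. The `wp` tool, the paths and the script name are assumptions; the file backup itself needs only `tar`, so it works (files only, no database dump) even where WP-CLI is not installed:

```shell
#!/bin/sh
# Added example (not code from the original article): back up, then apply all
# pending WordPress, plugin and theme updates with WP-CLI (https://wp-cli.org/).
# Usage:  sh wp_update.sh /var/www/html /var/backups/wordpress
# Assumptions: `wp` is installed for the database dump and the update steps.
# Set DRY_RUN=1 to print the update commands instead of running them.

WP="${WP:-wp}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Archive the parts of a site that updates and hacks can damage: wp-content
# (themes, plugins, uploads) and wp-config.php (database credentials, salts),
# plus a database dump beside the archive when WP-CLI is available.
# Prints the archive path. Keep $dest_dir outside the web root.
backup_site() {
  site_root="$1"; dest_dir="$2"; label="${3:-backup}"
  stamp=$(date +%Y%m%d-%H%M%S)
  if [ ! -f "$site_root/wp-config.php" ]; then
    echo "no wp-config.php under $site_root; is that the WordPress root?" >&2
    return 1
  fi
  mkdir -p "$dest_dir" || return 1
  archive="$dest_dir/wp-$label-$stamp.tar.gz"
  if command -v "$WP" >/dev/null 2>&1 && [ "${DRY_RUN:-0}" != "1" ]; then
    "$WP" db export "$dest_dir/db-$label-$stamp.sql" --path="$site_root" || return 1
  else
    echo "warning: wp not available, backing up files only (no database dump)" >&2
  fi
  tar -czf "$archive" -C "$site_root" wp-content wp-config.php || return 1
  printf '%s\n' "$archive"
}

# Show what will change so you can read the changelogs first.
list_pending() {
  run "$WP" core check-update --path="$1"
  run "$WP" plugin list --update=available --fields=name,version,update_version --path="$1"
  run "$WP" theme list --update=available --fields=name,version,update_version --path="$1"
}

# Verify core files against the official checksums (a cheap tamper check; a
# mismatch means someone changed core files and that needs investigating before
# an update overwrites the evidence), then update core, its database schema,
# plugins and themes.
update_all() {
  if ! run "$WP" core verify-checksums --path="$1"; then
    echo "core files differ from the official release; investigate before updating" >&2
    return 1
  fi
  run "$WP" core update --path="$1" || return 1
  run "$WP" core update-db --path="$1" || return 1
  run "$WP" plugin update --all --path="$1" || return 1
  run "$WP" theme update --all --path="$1" || return 1
}

if [ $# -ge 2 ]; then
  site="$1"; dest="$2"
  before=$(backup_site "$site" "$dest" before) || exit 1
  echo "backup before update: $before"
  list_pending "$site"
  update_all "$site" || exit 1
  after=$(backup_site "$site" "$dest" after) || exit 1
  echo "backup after update: $after"
fi
```

This is a routine, not a substitute for judgement: run it against a staging copy of the site first where you can, and if `verify-checksums` fails, treat the site as possibly compromised rather than simply re-running the update.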

5. Use Security Plugins

As well as the strategies above, there are a number of security plugins you can use to tighten your website’s security and reduce the likelihood of hackers gaining access.
We recommend and use:

iThemes Security (formerly Better WP Security)
iThemes Security gives you more than 30 ways to secure and protect your WordPress site.
https://wordpress.org/plugins/better-wp-security/
https://ithemes.com/security/

Wordfence Security
Wordfence starts by checking whether your site is already infected, comparing your site’s source code for core, themes and plugins against the official WordPress repository. It then applies its hardening features; the vendor also claims it can make your site up to 50 times faster.
http://wordpress.org/plugins/wordfence/
https://www.wordfence.com/

Sucuri Security
The Sucuri WordPress Security plugin is a toolset for integrity monitoring, malware detection and security hardening.
http://wordpress.org/plugins/sucuri-scanner/
https://sucuri.net/wordpress-security/wordpress-security-monitoring/

6. Managed Hosting

If you’re busy, or you aren’t tech savvy, you may not have the time or skills to keep your website backed up, up to date and secure; consider a managed WordPress hosting option.
Our “Peace of Mind!” managed hosting option provides weekly backups, updates of WordPress, theme and plugin versions (including a full backup before and after), and installation, setup and monitoring of selected security plugins.

… Finally Don’t Panic!

This may sound intimidating, especially if you’re a beginner. It isn’t intended to scare anyone; we just want to make sure you stay one step ahead of the hackers!

If you just remove the ‘admin’ username, start using stronger passwords, keep everything updated and run regular backups, your WordPress website will be that little bit safer!

Whether you choose to use managed hosting or look after your website yourself, we hope you benefit from the above strategies.