8 Ways to Protect and Secure Your WordPress Website
You know it’s time to pay attention to your website security when the FBI issues a warning to all WordPress site owners!
Earlier this week the FBI stated that a large number of WordPress sites were being targeted by ISIL-supporting hackers exploiting security vulnerabilities:
“Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future web site exploitation.”
You can view the official FBI warning “ISIL Defacements Exploiting WordPress Vulnerabilities” here.
WordPress is the world’s leading content management system, used by nearly 25% of all websites according to current research. It’s the platform we here at Websites for Hippies develop and design with exclusively.
Recently there has been a flurry of WordPress security issues involving high profile WordPress programs (plugins) such as WP Super Cache, SEO by Yoast, and Slider Revolution to name a few.
A lot of people mistakenly believe that when your website is hacked, your whole website will be broken. However, that is rarely the case. The goal of a hacker is usually to employ your server to send spam mail.
According to a study of hacked websites by WP White Security:
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password
At Websites for Hippies, we like to empower our clients and keep their websites safe and sound. In this spirit we present:
8 Ways to Protect and Secure Your WordPress Website
1) Do not use the default “Admin” account. The Admin account should be deleted. This is the account most targeted by automated “robots” crawling the internet looking for vulnerable websites to hijack. These robots carry out what are called “automated brute force attacks,” and the Admin ID often falls prey to them. To delete the Admin account, simply create a new user and set it as administrator. Then log in with that new user and delete the “Admin” user.
2) Do not use “root,” “webmaster,” your website name, your first name, or full name as an account ID. These are also commonly used in automated brute force attacks.
3) Install the free Wordfence plugin. It’s the Swiss Army knife of WordPress security and our security plugin of choice. You can grab it here.
4) Take a couple of minutes to properly configure your Wordfence plugin, especially the Login Security Options. Lower the lockout numbers to 5 and enter the usernames mentioned in points 1 & 2 in the “Immediately block the IP of users who try to sign in as these usernames” field.
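The policy in points 1, 2 and 4 can be modelled in a few lines: any IP that tries one of the banned usernames is blocked at once, and any other IP is locked out after 5 failed logins. This is an added illustration run over constructed log lines, not Wordfence’s own code; the site name and first name in the banned list are assumed values.

```python
"""Toy model of the login-lockout policy in points 1, 2 and 4:
block an IP immediately when it tries a banned username, otherwise
lock it out after LOCKOUT_THRESHOLD failures. Added example, not
Wordfence code; the log format below is constructed for this demo."""
from collections import defaultdict

# Usernames that should never exist on the site (points 1 and 2).
# "websitesforhippies" and "alice" stand in for the site name and the
# owner's first name; both are assumed values for this example.
BANNED_USERNAMES = {"admin", "root", "webmaster", "websitesforhippies", "alice"}
LOCKOUT_THRESHOLD = 5  # point 4: lower the lockout number to 5

# Constructed sample log, one attempt per line: "<ip> <username> <result>"
SAMPLE_LOG = """\
203.0.113.7 admin FAIL
198.51.100.2 jane FAIL
198.51.100.2 jane FAIL
198.51.100.2 jane FAIL
198.51.100.2 jane FAIL
198.51.100.2 jane FAIL
192.0.2.9 jane FAIL
192.0.2.9 jane OK
"""


def evaluate_log(log_text, banned=BANNED_USERNAMES, threshold=LOCKOUT_THRESHOLD):
    """Return {ip: reason} for every IP the policy would block."""
    failures = defaultdict(int)
    blocked = {}
    for line in log_text.splitlines():
        ip, username, result = line.split()
        if ip in blocked:
            continue  # already blocked; further attempts are dropped
        if username.lower() in banned:
            # Point 4: "immediately block the IP of users who try to
            # sign in as these usernames"
            blocked[ip] = f"immediate block: tried banned username '{username}'"
            continue
        if result == "FAIL":
            failures[ip] += 1
            if failures[ip] >= threshold:
                blocked[ip] = f"lockout: {failures[ip]} failed logins"
        else:
            failures[ip] = 0  # a successful login resets the counter
    return blocked


if __name__ == "__main__":
    for ip, reason in evaluate_log(SAMPLE_LOG).items():
        print(ip, "->", reason)
```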
5) Keep up-to-date. Make sure you are running the latest version of WordPress, currently 4.2 (as of April 23, 2015). Also keep your plugins up-to-date. Get in the habit of checking your website for pending updates at least once a week.
6) Want to really lock down your site? Consider setting up two-factor authentication, a method that is gaining traction with big names like Apple, Dropbox, and Google. Two-factor authentication adds an extra layer of security by requesting a one-time password in addition to standard username / password credentials. The password is randomly generated by an accompanying mobile app and changes every minute. We have tested a few two-factor authentication systems and have been pleased with Google Authenticator for WordPress. The premium version of Wordfence also offers two-factor authentication.
7) Ensure your site is being regularly backed up. Many premium hosting packages include automated backups in their offerings. If your website is defaced, files are deleted, or malware is injected, recreating your website without a backup can be time-consuming and an extra expense.
8) Surely, you can’t expect top-notch security from a web host that charges a dollar per month. Here at Websites For Hippies we use, love and recommend SiteGround, (*affiliate link) one of the industry’s most reliable and highly rated services. They offer Fort Knox level security, a measurable speed advantage, premium support and advanced super geeky features. They also offer HackAlert, a service that scans your website daily for suspicious code. As we mentioned above, 41% of hacked websites had a security vulnerability on their hosting platform. Keep this in mind when you see those super cheap, too good to be true hosting deals.
Of course after all this, don’t forget to have a strong and robust password.
Remember, securing your website is something you need to take seriously. Hey, even the FBI says so. Schedule some time this week to make your WordPress website secure and put the odds in your website’s favour instead of the hackers’.
We also recommend that you scan your website for malware, spam, and defacements. You can do that for free with the Sucuri SiteCheck tool here. You’ll also discover if your website is on any known blacklists.
If you need assistance setting up your WordPress security or have any questions, feel free to contact us.
This post contains an affiliate link, which means I receive a commission if you visit SiteGround and make a purchase using the above link. If you don’t want to use the affiliate link, use this link: SiteGround, or Google SiteGround.