6 Tips for Securing Your WordPress Website TodayJames Evans
WordPress is a powerful, easy to use, content management system used by millions of business to create almost any website you can dream up. The developer-friendly nature of the system makes it ideal for a website for anything from a one-man start-up to a large multi-national, and the simple layout and menus in the CMS make it easy for non-technical staff to update and use.
Unfortunately, the popularity and usability of the platform is also one of its biggest weaknesses.
Hackers across the world have millions of business websites to try and hack into, many of them with the exact same weaknesses. For a hacker, a WordPress website without proper security is a sitting duck, just waiting to be shot at.
Once inside, a hacker can easily destroy your website, or replace it with pages of their own creation. These pages will stay online until someone on your staff notices and takes action. Even more insidious, a hacker could subtly change small details on your website, adding in a few of their own links that take your customers somewhere else entirely, or changing the payment settings if you’re using an online store. Smaller changes like these are no less damaging to your business, and in some cases can take much longer to detect.
Because of this, it is essential you do more than the average business when it comes to protecting your WordPress site. We’re going to get you started with six top tips for increasing your WordPress security:
1. Protect Access to Your WordPress Admin Panel
One of the biggest weaknesses with WordPress is that the login page for the admin panel is in the same location for every website – unless you change it. The standard location is www.mysite.com/wp-login.php.
If you have no further protection then once someone has found this page, breaking in simply requires brute force: trying password after password until they find success. Your security is not helped by the fact that usernames on WordPress are not particularly well hidden – they can guess these from posts on your website.
Changing the whereabouts of the admin panel login page means that even if a malicious individual has access to a username and password, they still can’t login without finding the page first.
2. Take Regular Backups
No matter what happens to your website, if you’ve got a backup, it isn’t an absolute disaster. You can roll back to the correct version, change your passwords, and carry on.
While ideally you will never need it, a regular backup is essential. You can set your WordPress site to back up automatically, so this needn’t be a manual task that takes time out of your working week. Once you’ve set it, you can hopefully forget it.
Best practice backup involves using the 3-2-1 rule: saving three backup copies of the important files, across two different media, with one copy stored offsite. For example, you may want to store a backup on your server, one on a local machine, and one in secure cloud storage.
With several copies in diverse locations, it is almost unthinkable that all your backups could be lost at the same time.
3. Stay Updated
WordPress regularly releases new updates to its core features, including bug fixes and security improvements. The security fixes typically repair known security holes that have become public since the last update. If you fail to update WordPress, you are leaving yourself open to these obvious exploits that will quickly become common knowledge for savvy hackers.
The same updating strategy goes for your theme and your plugins too. One of the benefits of using a premium WordPress theme is that the author will regularly release updates to ensure it works securely with the latest version of WordPress.
Of course, each time before you update you’ll want to take a backup just in case something goes wrong.
4. Limit Login Attempts
The brute force password attack is a hacker’s simplest and easiest tool for getting into your site. Once they’ve found the login page, it is only a matter of time before a brute force method cracks a password. That is, unless you’ve put a system in place that detects and limits brute force attacks.
One of the simplest ways to do this is to limit the number of unsuccessful login attempts someone is allowed before their IP is blocked. This isn’t impenetrable, but will put off the majority of hackers. Guessing a password by running through millions of obvious combinations is quite possible (if you have poor passwords), but with only 3 login attempts a hacker will have to get extremely lucky.
5. Use Strong Passwords
If you put just one bit of advice in this article into practice, let it be this one.
We’ve spoken before on this blog about creating an effective password, so hopefully you’ve already got one in place. However, if you don’t, it’s time to get one – right now.
Changed your password yet? Great.
A long, random password will take billions or even trillions of years to crack using a brute-force method. Most hackers will try for shorter passwords and then give up – after all there are plenty of business websites with less protection that are quicker and easier to hack into. Your job is to ensure that you’re one of the harder sites – not the easy prey.
6. Utilize Effective IAM Services
If you’ve got a website that a large amount of employees has admin access to then it can be a nightmare ensuring that they all use strong, effective passwords.
One way to manage your users and their passwords more effectively is to use specialized Identity & Access Management software. Onion ID provides this functionality through the Onion ID WordPress Plugin.
There is no good reason why your WordPress website should be any less secure than your business apps, servers, and cloud storage. You have just as much to lose if your website is compromised so you must take security just as seriously. Thankfully, the Onion ID WordPress Plugin makes this easy.