Keeping your WordPress Site Safe: Security Tips
Keeping your WordPress site safe is important, and also challenging! WordPress holds the lion’s share (possibly as high as 59.3%) of the content management market across today’s websites. Unfortunately, being at the top of the charts in popularity also makes this open-source tool a top hacking target. It makes sense. If you can hack a platform like WordPress, you can gain access to a massive number of websites!
A hacker doesn’t just wave a magic wand to hack websites; they search and search to find and exploit an existing vulnerability. While a few sites are open about possible hacking attempts they’ve faced, the reported numbers have a few things in common.
The majority of hacks happened because of 1 of these 4 causes:
- A security vulnerability on the hosting platform
- A security flaw in a WordPress theme
- A security issue in a WordPress plugin
- A weak password
Protecting your business content doesn’t involve any magical defense system, just some common sense preparations.
The Security Vulnerabilities of Your Hosting Platform
Your web host is where your site files reside online. You want to pick a reputable web host that you can trust. Hint: those offering the cheapest hosting may not be the most secure! Once you settle on your web host, there’s not a whole lot you can do to protect against hackers coming in through the server; that’s out of your control. The best you can do is this: research your web hosts carefully before you commit your business to them.
The adage “you get what you pay for” is in full effect here. And even if your web host isn’t keen on publishing data on past web breaches, by looking at the more visible aspects of your host you can assess their security as well. If a web host is competent in other areas, there’s more of a chance they’re using best practices on the security front.
The Security Flaws of WordPress themes and plugins
One of the reasons WordPress is so popular is because it’s adaptable.
But the more you jazz up your theme with complex graphics and tools, the more code you add to your overall system and the weaker your defenses get against technological attack.
For a business website, sometimes simple is better. In a world where “flash” and “awe” get cheaper and cheaper to implement, more and more customers are saying they crave simplicity and clarity. Instead of animation, work to build a more powerful message and better content to deliver that message.
WordPress is an open source project, continually being updated and improved by a dedicated team of programmers around the world.
That said, the easiest thing you can do is keep your version of WordPress updated to the latest version. In most modern implementations of WordPress, updating is as simple as moving your mouse cursor up to the top left side of the page and clicking the Update button. There are even settings so that most updates are done automatically.
Updates to themes, plugins and WordPress can all be carried out seamlessly while the rest of your web operations keep humming along. As a side note, be careful about which plugins you use. Be sure to research the maker and read reviews of the plugin online. I’ve seen poorly developed plugins be the source gateway for attackers to take over a website.
8% of hacked WordPress incidents were from poor password choice. Picking a simple, easy-to-remember password for your website isn’t a headache.
Give yourself a unique username. In WordPress, the default username is Admin and many people never change it. Hackers regularly begin their cracking sessions with Admin as the user. Giving yourself a unique username will eliminate a huge segment of hacking attacks.
Limit logins. In a DDoS (Denial of Service) attack, hackers need to try multiple times to gain access to a site. Just by limiting the number of bad login attempts you’ll reduce your risk of a DDoS hack tremendously.
Finally, contain the damage! If you have multiple websites and multiple accounts, don’t use the same name and password across sites. Don’t be an easy target!
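For the "Limit logins" tip above, here is one way to cap bad login attempts with WordPress's own hooks. This is an added example, not code from the original article or from any of the plugins it names; the `lal_` names, the threshold of 5 failures and the 15-minute window are assumptions, and it assumes `REMOTE_ADDR` is the visitor's real address (behind a proxy or CDN it is the proxy's).

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, hypothetical)
 * Save as a single file in wp-content/mu-plugins/ so it always loads.
 */

const LAL_MAX_FAILURES = 5;   // assumed threshold: failures allowed per address
const LAL_WINDOW       = 900; // assumed lockout window in seconds (15 minutes)

// Build the per-address counter key; hashing keeps the transient name short and safe.
function lal_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_' . md5( $ip );
}

// Count every failed login. set_transient() restarts the expiry each time,
// so the window runs from the most recent failure, not the first one.
add_action( 'wp_login_failed', function () {
    $key   = lal_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LAL_WINDOW );
} );

// Runs after core's credential checks (priority 20), so once an address is
// locked out the login is refused even if the password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_key() ) >= LAL_MAX_FAILURES ) {
        return new WP_Error(
            'lal_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lal_key() );
} );
```

Because a refused attempt during lockout also fires `wp_login_failed`, continued guessing keeps extending the lockout for that address.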
Security Plugins for Extra Security
Here’s a list of my favorite WP Security plugins:
- Wordfence – Firewall, malware scans, and malicious IP address detection
- Sucuri – Malware scans and cleanup, DDoS detection
- BruteProtect in Jetpack – Guards against DDoS attacks
WordPress hacks are always in the news, partly because the platform is used by so many people. Taking a few measures like I’ve noted above can make all the difference in giving you a little peace-of-mind and cause hackers to move onto easier targets.
WordPress Security Resources
- Great resource for WordPress security information