how to lock down and secure your wordpress
TRANSCRIPT
How to Lock Down and Secure Your Wordpress
Site From Hackers
There are millions of websites operating on the WordPress software platform. In fact, 17% of the
world’s websites are using WordPress. It’s easy to use, with a user-friendly interface that allows
someone to create and update their site even if they don’t have a programming background. It has
hundreds of thousands of plugins available to give it a multitude of functionalities to accommodate
mostly all of your basic website needs. It’s also free.
Unfortunately, there’s some downsides as well.
For example, if you don’t change your default configuration, hackers and some pesky users with too much curiosity immediately know where to log in to get into your
admin area. In WordPress, you can type in “domain.com/wp-admin” and it will take you right to the login screen. At that point, the only thing left to get into your site is to crack your password. The most common
method hackers use is brute force, which allows them to test millions of login combinations in a short amount of
time.
Your website can never be 100% secure. Hackers are always trying new things and discovering new
vulnerabilities to exploit. The online world changes quickly and the same is
true of security.
Good security is about minimizing risk. If anybody tries to sell you a 100% secure solution, they’re scamming you. You’ll never be completely safe, but there’s a lot you can do to minimize your risk. There’s also a balance between security and usability. Sometimes locking down your site makes it secure, but it’s harder to use. You’ll have to find
the balance that works for you…and take measures to keep it as secure as possible.
That being said, there’s a few preventive measures you can take in order to lower your risk of getting your site
hacked.
Here’s 6 quick steps to make your WordPress website more secure:
1. Keep It Up To Date
One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often and whenever there’s a new security issue they roll out an update immediately. But you need to stay on top of keeping your WordPress software updated on a regular basis by logging in and checking to see if there’s a
notification to “update” and a link in your WordPress Admin area.
You also need to keep your themes and plugins up to date—they can have security issues as well. Sometimes people put off
updates for fear of breaking their site, but you’d rather break your site with an update than risk a break-in.
Also, if a plugin is deactivated, you need to delete the plugin entirely so that it is not an open, unused folder left on your
server that a hacker can take over.
Here’s 6 quick steps to make your WordPress website more secure:
2. Strengthen Your Passwords
Your security is only as good as your password. If you’ve got a simple password, you’re making it
very easy for a hacker to walk right in. Your password should have numbers, capitals, special characters (@, #, *, etc.) and be long and unique.
Your WordPress password can even include spaces and be a passphrase. Remembering
different passwords for different sites is tough, but a hacked site is worse.
Here’s 6 quick steps to make your WordPress website more secure:
3. Manage Your Users
Your own strong password is useless if another admin has a weak one. You need to manage your users. Not everybody
needs admin access. The more people with admin access, the more chances to hack your site. If someone is writing blogs for
you, give them “Editor” access rather than “Admin”, for instance.
Remember to update or remove users when you have staff transitions. If you have someone working on development or editing for a temporary period, create a new user account for
them and then delete once they are finished.
Here’s 6 quick steps to make your WordPress website more secure:
4. Back It Up
If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need to have backups available to restore
the site. In order for backup to work, it needs to be complete and automatic. Backing up your database isn’t enough. That will save your content, but you’ll still have to rebuild your entire site, including theme tweaks and plugin settings. And if your backup isn’t automatic, you’ll forget to do it
regularly.
Get a powerful backup tool, such as BackupBuddy, to keep your site safely backed up and ready to be restored. It’s a premium plugin that makes
backing up and restoring a seamless process.
Here’s 6 quick steps to make your WordPress website more secure:
5. Don’t use “Admin” as
Your Username
If you use “admin” as your username, and your password isn’t strong enough (see #2), then your site is very vulnerable to a malicious attack. Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username.
Many people still use “admin” as it’s become the standard, and it’s
easy to remember. Some web hosts also
use auto-install scripts that still set up an
‘admin’ username by default. Simply create
a new “admin” user account for yourself
using a different username. Then log
out and then log in as that new user and delete the original
“admin” account. If you have posts published
by the “admin” account, when you delete it, you can
assign all the existing posts to your new user
account.
Here’s 6 quick steps to make your WordPress website more secure:
6. Use Security Plugins or Security
Services to Protect Your
Site
As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
Here are a handful of popular options:http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.http://wordpress.org/plugins/wordfence/ – full-featured security plugin.http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.
Personally, after trying to find a free plugin that protected my site and getting frustrated, I switched to using Sucuri Security. It’s a monitoring service that protects your site as well as fixes it if it gets hacked. It’s saved me and multiple clients websites after getting hacked. I haven’t had an issue since I signed up for their service. You can find them at Sucuri.net.
If you’re interested in learning more about hardening your website’s security, please check out these two resources:
http://codex.wordpress.org/Hardening_WordPress
http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site
While all of this may sound overwhelming or intimidating…I am not intending to scare you. It’s just important to understand the best measures to take so that the hours of time and effort put into building your website are protected.