How Secure is Your Website?
Planning for the security of your website tends to fall by the wayside when you begin thinking of all the other aspects of what is involved with building and maintaining a website. There is content to plan and write, designs to create and approve, title tags, headers, descriptions, URL structure, SEO best practices to implement and the list can go on and on. One thing that is rarely thought of is “How secure is my website?”
This is especially true of websites built with WordPress. In the past, many security vulnerabilities were exploited by malicious hackers, which has given WordPress a bad reputation when it comes to security. Is this reputation justified, though? Many security improvements have been made to the popular CMS, and there are numerous free and premium plugins that can help keep your WordPress site secure.
There are also a lot of common sense “to-do’s” that are often missed, leading to an unsecured website.
1. Don’t Ignore Updates
It is very important to keep all of your plugins, themes and your WordPress version up to date with the latest releases. New versions are released in order to fix security issues or bugs in the core and plugin files. When malicious threats and bugs are identified, updates that close those vulnerabilities are released.
If you see an update message in your WordPress dashboard, don’t ignore it: click the “Please Update Now” link. This is a simple and painless process that only takes a few seconds, depending on how many updates you need to make. If multiple plugins have new updates, you can select them all and click “Update Plugins”.
2. Delete the Default Admin User
The default ‘admin’ user that is created when you install WordPress is a well-known weakness that can be exploited by bot attacks. In April of 2013 a large brute-force attack was launched to try to gain access to WordPress blogs using the ‘admin’ username and a dictionary-based password attack.
If a hacker finds out that your site is run on WordPress, he also knows that there is a default username called ‘admin’. All he has to do is go to your WordPress login page, enter the ‘admin’ username and try to guess your password. By the way, this can all be done automatically with the use of bots and is exactly how the attack mentioned above was carried out.
By removing the ‘admin’ user in WordPress, you’re that much closer to a secure site.
To remove the ‘admin’ user, simply follow these steps:
- Log in to WordPress
- In the left-hand menu, hover over “Users” and click “All Users”
- Hover over the ‘admin’ user and click “Delete”
- If there are any posts that you have created on your site using the ‘admin’ username, you will need to attribute these posts to another user you have created. Simply select the other user you would like to attribute these posts to and click “Confirm Deletion”.
3. Move Your Default Login Page
Similar to the previous tip where brute-force attacks are targeted at the default WordPress username, the default login page location (i.e. the URL of the login page: domain.com/wp-login.php) is the same for every WordPress installation. In this case, consistency is not our friend.
If a hacker knows your website is on WordPress, he knows that there is a default ‘admin’ user and a default login page. This makes the job of attacking your website much easier.
By moving your WordPress login page to a different location, you make it harder for attackers to gain access to your website. To move your login page, download the iThemes Security (formerly Better WP Security) plugin, which lets you easily create a new custom login page to help keep your site more secure.
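The brute-force run described above and the predictable login URL in this section both leave a recognizable trace in the web server's access log. The following is an added example (not part of the original post) that scans Apache combined-format log lines for bursts of POST requests to /wp-login.php, using the fact that WordPress re-renders the login form with HTTP 200 on a failed login and answers a successful login with a 302 redirect. The log lines and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Failed WordPress logins re-render wp-login.php (HTTP 200); a successful login
# redirects to wp-admin (HTTP 302). The counter below relies on that behaviour.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "bot"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "bot"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "bot"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "bot"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "bot"
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "bot"
198.51.100.2 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Apr/2013:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def analyse_logins(log_text, threshold=5):
    """Return {ip: {"failed": n, "succeeded_after_failures": bool}} for every
    IP that POSTed to /wp-login.php at least `threshold` times without being
    redirected, i.e. the pattern of an automated password-guessing run."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after_failures": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        entry = stats[m["ip"]]
        if m["status"] == "200":            # form re-rendered: credentials rejected
            entry["failed"] += 1
        elif m["status"] == "302" and entry["failed"] >= threshold:
            entry["succeeded_after_failures"] = True   # the guessing run ended in a login
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in analyse_logins(SAMPLE_LOG).items():
        flag = " and then logged in: investigate" if s["succeeded_after_failures"] else ""
        print(f'{ip}: {s["failed"]} failed wp-login.php POSTs{flag}')
```

The same counter works for a relocated login URL once the path comparison is changed, which is why moving the page is best paired with rate limiting or lockout rather than relied on alone.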
4. Create Strong Passwords
When creating user passwords for your WordPress website, do not create passwords that are easily guessed.
What to Avoid When Creating Passwords:
- Do not use “password” as your password. Silly, I know, but 4% of people use this as their password. Oftentimes it is set as an initial password with the intention of creating a stronger one later, and then forgotten about.
- Do not use common strings and series such as 123, abc, 456, 123456, 121212 etc.
- Do not combine common strings and series with popular words such as password123, mustangabc etc.
- Do not use a “Master Password”. Although this is somewhat frustrating, try to create unique passwords for all of your personal accounts as well as your online activity. Something like LastPass can really help when you need to make a bunch of different passwords but don’t want to remember them all.
- Do not use your spouse’s name. According to Instant Checkmate, 5% of men use their partner’s name while 30% of women use their partner’s name.
How to Create a Strong Password:
- Use at least 8 characters
- Use multiple alphanumeric characters that have no common relation to each other (i.e., the opposite of the strings and series mentioned above)
- Use special characters such as #!%*&
- Mix in lower case and upper case letters
- Update your password at least twice a year
- Use LastPass to quickly and easily generate strong passwords
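As an added example (not from the original post), the rules in the two lists above can be turned into a checker. It generalizes the article's “123”, “abc”, “456” examples to any run of three characters that step up or down by one, and its “121212” example to any short unit repeated three or more times; the common-word list is a constructed stand-in for a real breach-derived wordlist.

```python
import re

# Constructed word list for this example; a production checker would use a
# large breach-derived list. "password" and "mustang" are the article's examples.
COMMON_WORDS = {"password", "mustang", "welcome", "letmein"}
SPECIALS = set("#!%*&")   # the special characters the article suggests mixing in

def has_sequential_run(s, length=3):
    """True if `s` contains `length` consecutive characters that ascend or
    descend by exactly one code point, e.g. 'abc', '123', '456', 'cba'."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_repeated_pattern(s):
    """True if `s` contains a unit of 1-3 characters repeated 3+ times, e.g. '121212' or 'ababab'."""
    return re.search(r"(.{1,3})\1{2,}", s) is not None

def check_password(pw):
    """Return the list of rules from the article that `pw` violates
    (an empty list means every rule passes)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("needs both lower- and upper-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character such as #!%*&")
    for w in sorted(COMMON_WORDS):
        if w in low:                      # catches password123, mustangabc, ...
            problems.append(f"contains the common word '{w}'")
    if has_sequential_run(pw):
        problems.append("contains a sequence such as 123 or abc")
    if has_repeated_pattern(pw):
        problems.append("contains a repeated pattern such as 121212")
    return problems

if __name__ == "__main__":
    for candidate in ("password", "password123", "121212Ab#", "Tr!b3k&Qz9m"):
        print(candidate, "->", check_password(candidate) or "OK")
```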
5. Backup Your Site Regularly
The last, and most important, WordPress security tip is to back up your site! The previous tips are all best practices to follow, but they do not guarantee that your site is 100% secure. There are always new threats emerging that exploit vulnerabilities nobody has thought of before. If you implement only one of these tips, make sure it is this one.
BACKUP YOUR SITE REGULARLY
If all else fails and you have been creating backups of your website regularly, everything on your site can be restored in case your website is attacked. Speaking from personal experience, there is nothing more frustrating than going to your website, seeing that everything is gone, and realizing that you don’t have a backup.
Keeping your site secure should be a very important consideration when building and maintaining a site. While these 5 tips are not an exhaustive list of how to secure your WordPress site, they should get you on the right track and will definitely make it harder for hackers to break into your site. For a more comprehensive look at security on your website, get in touch with us and request a WordPress Security Audit.
What other measures are you taking for security on your WordPress site? Let us know in the comments below.