



WordPress security is a hot topic on the blogosphere right now. Recent botnet attacks on a large number of WordPress sites have left some people struggling to get their valuable data back, and you should act quickly to strengthen your own site's security.

Then there are those who thought ahead and took action before it was necessary. Most likely they did not experience any problems, because they had made themselves a difficult target.

The fact is this: no site is 100% secure, but you can decrease the likelihood of being hacked by spending a small amount of time making your site more secure than 99% of the others. Opportunistic attackers simply move on to the easier targets. With that in mind, in this post I'll take you through a simple five-step process that will turn your site from a soft target into a tough nut to crack.

Step 1: Update everything

Outdated software on your site is a security risk: attackers routinely scan for publicly known vulnerabilities in old versions of WordPress core, themes and plugins, and use them to get into the backend of your site. That is why it is so important to keep everything up to date.

And when I say everything, I mean everything:

  • WordPress core
  • Themes
  • Plugins

Deactivated themes and plugins should be kept up to date too. Their mere presence on your site makes them a potential security risk (a plugin's files are still reachable on the server whether or not it is active), so update them or, better still, delete what you don't use.


Don't log in very often? Don't worry: you can use a plugin like Easy Update Manager to enable automatic updates for WordPress core, themes and plugins. (WordPress core has applied minor security releases automatically by default since version 3.7; the plugin extends that to everything else.) It also has plenty of advanced settings for customizing what gets updated, plus logs so you can see what was updated and when.

A lot of people will come this far and stop, but there is actually one more step you need to take: seriously consider deleting any themes and plugins on your site that their developers have not updated recently. You can easily monitor when plugins were last updated with the Last Updated plugin, which adds a Last Updated date to the plugin list on the back end (something that arguably should be displayed by default).

Generally speaking, any plugin that has not been updated by its developer in the last twelve months should be considered for removal; an abandoned plugin will not get a fix when a vulnerability in it is found.
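The twelve-month check above is easy to automate without a plugin. The following is an added example (mine, not code from the post or from the Last Updated plugin) that reads the last_updated field of the wordpress.org plugin information API, the same data the plugin shows in the admin list. The three API responses embedded below are constructed for offline use, and the timestamp format they use ("YYYY-MM-DD H:MMam GMT") is an assumption about that API that you should confirm against one live response before relying on it.

```python
"""Flag WordPress plugins whose last public release is older than a cutoff.

Added example, not code from the original post or from any plugin it names.
It consumes the 'last_updated' field that the wordpress.org plugin
information API returns (https://api.wordpress.org/plugins/info/1.0/<slug>.json).
The three responses below are constructed for offline use, and their
timestamp format ('YYYY-MM-DD H:MMam GMT') is an assumption about that API.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

# Constructed sample responses for three hypothetical plugins (only the
# fields this script reads are included).
SAMPLE_API_RESPONSES = {
    "fresh-forms": '{"name": "Fresh Forms", "version": "3.2.1", "last_updated": "2024-02-10 9:06pm GMT"}',
    "old-gallery": '{"name": "Old Gallery", "version": "1.0.4", "last_updated": "2021-07-30 11:15am GMT"}',
    "dead-widget": '{"name": "Dead Widget", "version": "0.9", "last_updated": "2019-01-02 4:00pm GMT"}',
}

_LAST_UPDATED = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{1,2}):(\d{2})(am|pm) GMT$")


def parse_last_updated(value: str) -> datetime:
    """Turn '2024-02-10 9:06pm GMT' into an aware UTC datetime (12-hour clock: 12am is 0h, 12pm is 12h)."""
    m = _LAST_UPDATED.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised last_updated value: {value!r}")
    day, hour, minute, meridiem = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    hour = hour % 12 + (12 if meridiem == "pm" else 0)
    return datetime.strptime(day, "%Y-%m-%d").replace(hour=hour, minute=minute, tzinfo=timezone.utc)


def stale_plugins(responses: dict, now: datetime, max_age_days: int = 365) -> list:
    """Return [(slug, days_since_release)] for plugins with no release inside max_age_days,
    most neglected first. The 365-day default mirrors the twelve-month rule of thumb."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for slug, raw in responses.items():
        released = parse_last_updated(json.loads(raw)["last_updated"])
        if released < cutoff:
            stale.append((slug, (now - released).days))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def fetch_plugin_info(slug: str) -> str:
    """Live lookup of one plugin's API record (needs network; not used by the sample run)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sample_run(now_iso: str = "2024-03-01") -> list:
    """Run the check over the constructed sample with a fixed 'now' so the result is reproducible."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return stale_plugins(SAMPLE_API_RESPONSES, now)


if __name__ == "__main__":
    # Against a real site: {slug: fetch_plugin_info(slug) for slug in installed_slugs}
    # with now=datetime.now(timezone.utc).
    for slug, age in sample_run():
        print(f"{slug}: last release {age} days ago -> review for removal")
```

Feed it the slugs from your own plugin directory and it will list the abandoned ones oldest first; treat "no API record at all" as a red flag too, since it usually means the plugin was pulled from the directory or never came from it.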

Step 2: Back up everything (and regularly)

I know that is an obvious suggestion, but it would be remiss of me not to include WordPress backups. The simple fact is that few things (if any) are more important to the security of your site.

If your site is subject to a really destructive attack (which is always possible), your last line of defense is a recent backup. It means that even if the worst happens, you still have something to fall back on. If you do not keep regular backups then, to be frank, you're screwed. Two caveats that matter in practice: keep at least one copy somewhere the web server cannot overwrite or delete (an attacker who owns the site also owns any backup stored beside it), and actually test a restore from time to time, because a backup you have never restored is a hope rather than a plan.

There is a huge number of backup solutions, but my first suggestion would be to choose a hosting provider that includes automatic backups in their service. If you fall victim to a hack that damages your site, a good provider will be quick to restore it to its former glory.


Beyond that, the cream of the crop are VaultPress and BackupBuddy. They cost money, but my advice is never to skimp on your backup solution. Personally, I am a VaultPress user (as is R Marketing Digital); it offers a comprehensive backup solution as well as additional security features.

Step 3: Change the default username

If you are still using the default "admin" account that came with your WordPress installation, now is the time to change it.

Why? Because the first step in any brute-force login attempt is to try the username "admin" and then run a massive number of password guesses against it. If your administrator account has a less predictable name, that generic attack fails before it starts. Be aware of the limits of this step, though: WordPress can reveal usernames through author archives (a request to /?author=1 redirects to the author's slug) and, on newer versions, through the REST API at /wp-json/wp/v2/users, so a targeted attacker can still discover your login name. Renaming "admin" takes you out of the lazy, automated attacks; a strong password (Step 4) and limits on failed logins (Step 5) are what stop the rest.

Switching accounts and everything associated with the old one (reassigning ownership of posts, etc.) may seem like a daunting task, but it's an important step in protecting your site, and it's a lot easier than it sounds: create a new administrator user, log in as that user, then delete the old "admin" account and choose to attribute its content to the new user when WordPress asks what to do with it. Search YouTube for tutorials if you want to see it done step by step.
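It helps to know what the attack described above actually looks like from the server side. The following is an added example (mine, not code from the post or from any plugin it mentions) that spots a login brute-force attempt in a plain Apache/nginx "combined" access log without any plugin. The log lines are constructed and use documentation IP ranges; the detection rests on one WordPress behaviour you can confirm in your own logs: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login answers with a 302 redirect to wp-admin. The five-failures-in-five-minutes threshold is an assumption, tune it to your traffic.

```python
"""Spot login brute-force attempts against wp-login.php in a web server access log.

Added example, not from the original post. Parses Apache/nginx 'combined'
format lines (the sample below is constructed) and relies on WordPress
answering a failed login with 200 and a successful one with a 302 redirect.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a guessing burst from 203.0.113.7 that ends in a 302
# (i.e. a guess worked), and one legitimate login from 198.51.100.2.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2024:13:57:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3790 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:13:57:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.org/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: {"failures": n, "succeeded": bool}} for every IP that sent at least
    `threshold` failed (HTTP 200) POSTs to wp-login.php inside any `window`.
    'succeeded' is True when a 302 from the same IP follows the end of the burst."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            events[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        failures = [t for t, s in hits if s == 200]
        # Sliding window over failure timestamps: does any window hold `threshold` failures?
        for i in range(len(failures)):
            j = i
            while j + 1 < len(failures) and failures[j + 1] - failures[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = failures[j]
                succeeded = any(s == 302 and t >= burst_end for t, s in hits)
                flagged[ip] = {"failures": len(failures), "succeeded": succeeded}
                break
    return flagged


if __name__ == "__main__":
    # Against a real site: find_bruteforce(open("/var/log/nginx/access.log").read())
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        verdict = "and then LOGGED IN" if info["succeeded"] else "no success seen"
        print(f"{ip}: {info['failures']} failed logins, {verdict}")
```

An IP flagged with "succeeded" is the case that matters: treat it as a compromise, reset the password, and look for new users and modified files. An IP with many failures and no 302 is exactly the noise that renaming "admin" and rate limiting are meant to shrug off.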

Step 4: Create a unique, strong password (and change it regularly)

Most people are smart enough these days to know that their password should not be "password". What they may not know is that brute-force attacks will try a staggering number of password guesses, and they do not guess blindly: they work from lists of leaked passwords, dictionary words, names and dates, keyboard patterns, and the usual mutations of these (a capital first letter, a year, an exclamation mark on the end). If your password makes sense or is in any way predictable, your site is at risk.

There are actually three golden rules for generating best-practice passwords:

  1. It must be truly random and unique
  2. It should be used only once (in other words, never in multiple places)
  3. It should be changed periodically (for example, at least once a month)

If you follow these three rules, your site will be much more secure. Rules 1 and 2 do the heavy lifting; current NIST guidance (SP 800-63B) no longer recommends changing passwords on a fixed schedule, but you should change one immediately whenever you suspect it has leaked. In terms of generating truly random passwords, you could use a free online generator, but I recommend signing up for a free account with LastPass and using that service to (a) generate and (b) store all your passwords.
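To put numbers on rule 1, here is an added example (mine, not code from the post or from LastPass) that generates a password from the operating system's cryptographic random source and compares its entropy with the "Word + year + symbol" pattern the step warns against. The 80-bit floor, the 20,000-word dictionary, the 30-symbol set and the 1e10 guesses-per-second cracking rate are assumptions chosen as conservative illustrations, not figures from the post.

```python
"""Generate a strong WordPress password and put numbers on the three rules above.

Added example, not from the original post. The 80-bit floor, the 20,000-word
dictionary, the 30-symbol set and the 1e10 guesses/second rate are assumptions.
"""
import math
import secrets   # OS CSPRNG; never use the `random` module for passwords
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_entropy(words: int, digits: int, symbols: int) -> float:
    """Entropy of the 'Word + digits + symbol' pattern rule 1 warns against:
    the attacker only has to enumerate words * 10**digits * symbols candidates."""
    return math.log2(words) + digits * math.log2(10) + math.log2(symbols)


def generate_password(min_bits: float = 80) -> str:
    """Uniformly random password from the OS CSPRNG with at least min_bits of entropy."""
    length = length_for_bits(min_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password after searching half the keyspace
    (1e10/s is an assumed offline rate against a leaked, fast password hash)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({len(pw)} chars, {entropy_bits(len(pw)):.1f} bits, "
          f"~{crack_seconds(entropy_bits(len(pw))) / 3.15e7:.1e} years offline)")
    pattern = pattern_entropy(20000, 4, 30)   # e.g. 'Summer2024!'
    print(f"'Word+4 digits+symbol' pattern: ~{pattern:.1f} bits, "
          f"~{crack_seconds(pattern):.2f} seconds offline")
```

The point of the comparison is that a password can contain upper case, digits and symbols and still be weak: "Summer2024!" ticks every box a form validator checks, yet an attacker who tries words with four digits and a symbol appended finds it in a fraction of a second offline. Thirteen uniformly random characters from the same alphabet sit beyond any realistic guessing budget, which is why you let a password manager generate and remember them.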

Step 5: Install a security plugin

There are a large number of plugins that claim to increase the security of your site. The choice alone can be overwhelming, but I'm going to cut through the noise and recommend what I consider the simplest and most effective plugin to use.


That plugin is Wordfence, a popular and highly rated free plugin. It includes a wide variety of security features, including (but not limited to):

  • A web application firewall
  • Blocking of known-malicious IP addresses
  • Backdoor scans
  • Malware scans
  • Enhanced login security (limits on failed login attempts, with lockouts)

Although Wordfence is a freemium product with a paid version that adds more options, the plugin itself and the basic service cost you nothing. Installing it on your site is a no-brainer.


Actually, I'm just scratching the surface here. Implementing the above measures will put your WordPress security well above the vast majority of sites, but there is always more you can do, and there is always a chance you will get hacked anyway (which is why Step 2 matters so much).

In this post I have covered simple ways to strengthen WordPress security. If you've implemented them all and still want more, I advise you to start by checking out the official WordPress security page on the WordPress.org Codex.

Now it's your turn: I'd love to know what simple recommendations you have for hardening WordPress security. They could be tips and tricks, plugin suggestions, or even a recommended premium service like the aforementioned VaultPress. Fire away in the comments section!

R Marketing Digital