WordPress Security Tips for your Website
With WordPress hacking a popular pastime for an ever-increasing group of individuals, it makes sense to keep on top of your website’s security.
This article will discuss 5 WordPress Security Tips to make your website much less attractive to potential hackers.
The WordPress Security Tips:
- Use Strong Passwords
- Keep Up-To-Date
- Use Secure File Permissions
- Two-Factor Authentication
- Use SSL/HTTPS
Understanding the Threat: What is a Hacker?
Unfortunately, there are people and systems actively working to hack websites. The word “hacker” may bring a few ideas to mind, including:
- The hooded teenager
- Government agents infiltrating crime
- Freedom fighting Underground networks
These hacker stereotypes do exist but they’re unlikely to target your WordPress website. In fact, it’s much more likely to be an automated piece of software, or bot, performing the attack. These programs run 24/7, scanning the internet and probing sites, looking for a way in.
When a vulnerability has been found in a piece of software, hackers create new software that can move in to a vulnerable server and take partial or full control of it, much like a parasite or a virus (hence the use of the word). Once inside, it uses the infected server’s resources to replicate itself onto other vulnerable servers. Another favourite approach is to use the attacked site to send out illegal spam and phishing emails.
Why do they bother?
Each compromised site gives the hacker access to other people’s resources to create a revenue stream in one way or another.
The sheer popularity of WordPress (26% of the internet) makes it a target.
Sucuri recently released a Hacked Website Report: roughly 78% of the sites they worked on in the third quarter of 2016 were WordPress sites. Some people conclude that WordPress isn’t secure, but it is secure. Sucuri found that in most instances, compromises had to do with improper deployment, configuration and overall maintenance by the webmaster and hosts.
How Can I Keep My WordPress Site Secure?
WordPress is Secure if you keep the core, themes and plugins up-to-date.
Bear in mind that it’s almost impossible not to get attacked. As long as the attacks are unsuccessful, you will be ok.
So how secure is my Website?
Without further ado, here is the list.
1) Use Strong Passwords.
If your passwords are either:
a) Coherent in a language (eg a word or name) or
b) Repeated from one account to another,
…then your password strategy needs addressing!
A good password is at least 16 characters in length, includes special characters (@#£ etc.) and is different for each account. A good way to randomly generate a secure password is to go to a password generator such as this one: http://passwordsgenerator.net/
Don’t worry about remembering them. Most modern web browsers have secure password managers. I use Chrome and that can even safely store credit card details.
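The rules above can also be applied locally, without sending anything to a website. The following is an added example, not part of the original article: it generates a password from the operating system's secure random source and checks an existing password against the article's criteria. The special-character set, the function names and the sample word list are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 16                    # the article's minimum length
SPECIALS = "@#!$%^&*-_=+"          # assumed set; trim to what a given site accepts
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def generate_password(length=MIN_LENGTH):
    """Return a random password drawn from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every character class is present.
        if (any(c in SPECIALS for c in pw) and any(c.isdigit() for c in pw)
                and any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
            return pw


def password_problems(candidate, passwords_in_use, wordlist):
    """List the ways a password breaks the article's rules (empty list = OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    # Rule (a): strip digits and symbols, then look the letters up as a word.
    letters = "".join(c for c in candidate if c.isalpha()).lower()
    if letters in wordlist:
        problems.append("based on a word or name")
    # Rule (b): the same password must not protect another account.
    if candidate in passwords_in_use:
        problems.append("reused from another account")
    return problems


# Constructed sample data for illustration only.
SAMPLE_WORDLIST = {"liverpool", "password", "charlotte"}
SAMPLE_IN_USE = {"Liverpool1"}

if __name__ == "__main__":
    print(password_problems("Liverpool1", SAMPLE_IN_USE, SAMPLE_WORDLIST))
    print(generate_password())
```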
2) Keep Your WordPress Site and Everything On It Up To Date.
Keeping your WordPress software up-to-date is an essential part of the battle against unwanted intruders. As with all engineered things, WordPress software needs regular maintenance to keep it running tip-top.
Theme and plugin updates often contain important security patches and bug fixes, so it’s important to always run the latest version of WordPress and any themes or plugins you’re using.
- Keep the WordPress core up-to-date.
- Keep plugins and themes up-to-date.
- Regularly update your passwords.
- Keep regular back-ups of your site (in a place other than your server)
If you manage multiple WordPress sites, there are tools to help make WordPress maintenance easier like iThemes Sync. Instead of logging into each individual website to run updates, you have one central dashboard to run multiple websites at once. iThemes Sync also can send notification emails when new updates for your WordPress site are available so you never miss an important security update.
3) System File Permission
A Secure WordPress Site MUST have secure file permissions.
The device you’re using to read this webpage deals with files and file permissions. So does the server that hosts your website files. If the files are read/write by the public, you’re gonna have a bad time.
You can check your file permissions in the control panel file manager or an FTP client (such as the excellent FileZilla).
Directories – NEVER have these set to 777. Somewhere between 700 and 744 is ideal.
Files – NEVER have these set to 666. Somewhere between 400 and 444 is ideal.
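On a server with shell access, the same check can be scripted across the whole site. The following is an added example, not part of the original article: it walks a directory tree and reports every file or directory that is writable by everyone (the 777 / 666 case) or by the group. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_permissions(root):
    """Return sorted (relative path, octal mode, reason) for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue                       # a link's own mode is not enforced
            mode = stat.S_IMODE(st.st_mode)    # permission bits only
            if mode & stat.S_IWOTH:
                reason = "world-writable"      # e.g. 777 directories, 666 files
            elif mode & stat.S_IWGRP:
                reason = "group-writable"
            else:
                continue
            rel = os.path.relpath(path, root)
            findings.append((rel, format(mode, "03o"), reason))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and return the audit findings."""
    dirs = {"wp-admin": 0o700, "wp-content": 0o777}
    files = {"index.php": 0o444, "wp-config.php": 0o666,
             "wp-content/plugin.php": 0o664}
    with tempfile.TemporaryDirectory() as root:
        for rel in dirs:
            os.mkdir(os.path.join(root, rel))
        for rel in files:
            open(os.path.join(root, rel), "w").close()
        # chmod explicitly so the result does not depend on the umask.
        for rel, mode in list(dirs.items()) + list(files.items()):
            os.chmod(os.path.join(root, rel), mode)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(mode, reason, rel)
```

To audit a real site, call `audit_permissions()` with the path to the WordPress installation instead of running `demo()`.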
4) WordPress Two-Factor Authentication
You may have used this already with a social network or a webmail account. It’s when they ask you for a mobile phone number and then text you an activation code that you must enter into the website somewhere.
If an individual somehow gets hold of your login credentials, the two-factor authentication system will shut them down! The would-be-hacker needs your username, password AND your mobile device to successfully login.
You can easily add WordPress two-factor authentication to your WordPress login with
5) Use HTTPS/SSL on your WordPress site.
The green padlock in your browser next to the URL you are accessing shows you that the website uses Secure Sockets Layer (SSL) technology. It creates an encrypted connection between the web server and the web browser.
In the early days of the web, administrators needed a way to share information they put online. They developed the HTTP protocol for this, but quickly learned that it was easy to intercept and view information. They then agreed on a procedure to secure the information they were sharing, and this is the HTTPS protocol.
This is where SSL certificates and SSL come into play. The SSL certificates on each computer involved with the transfer have unique keys or locks. When the data is transferring through the Secure Sockets Layer, it’s as if there are virtual padlocks on each end.
SSL certificates range in price but are absolutely necessary to keep information on your website secure. You could install the certificate and convert your WordPress site to HTTPS. However, the easiest route is to get
These are our top 5 WordPress Security Tips to keep your WordPress website healthy and safe. If you take the time to make sure that they are enforced, you can greatly reduce the risk of being hacked and/or brought offline.