Ten Easy Steps to Protect Your WordPress Site
This year has seen a spate of website security breaches, more commonly known as ‘hacks’. It’s not just the big websites that are hit – every day millions of websites are compromised by hackers using automated bots to identify websites with poor or out-of-date security. It’s something we should all be aware of, so I have put together some tips to help keep your website secure.
WordPress is designed and maintained with security in mind, but there will always be a few risks that you as the website owner must take care of yourself.
Use a secure host
Insecure hosts are the reason for many hackings, so do your homework and choose a long-established company with strong security. It’s always worth paying that bit extra. Our own Hosting is very secure.
Look out for updates
WordPress is continually updated, and each update includes fixes for known security weaknesses. Hackers target older versions of WordPress because they know what the security problems are. Update whenever you see a notification.
Use strong passwords
Many WordPress hacks are down to weak passwords – you know, “password1” and so on. Just don’t do it, no matter how poor your memory is.
Don’t use “admin” for your username
Using “admin” as your username will lead to malicious log-in attempts and if your password is a simple or popular one, you will be hacked. Since WordPress 3.0, users can choose another username. If yours is still “admin”, set up a new admin account, log in and delete your old account. Assign older posts to this new identity.
Hide the username from your author archive URL
The author archive pages reveal your username, which gives a hacker half of what they need to log in. By default, WordPress shows your username in the URL of the archive page, for example http://catvideos.com/author/catlover. It’s a good way in, so prevent any attempts by changing your user_nicename entry in the database.
Only allow a couple of log-in attempts
Some hackers just use as many log-in attempts as possible to break into a website, so lock them out after just two or three attempts from the same IP address.
Don’t allow file editing from the dashboard
By default, WordPress lets people edit theme files from the dashboard, so if a hacker gets into the admin panel, they can get into your files and insert all sorts of malicious code. To prevent this, add define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file.
Limit free themes
Free themes often contain base64 encoding which can be used to sneak spam links or malware into a site. As many as eight out of ten theme sites are offering free themes which contain base64 code. If you really need a freebie, make sure it’s from a trusted source or from the WordPress.org theme library. The same applies to plug-ins.
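One way to check a downloaded theme before installing it is to look for base64 strings and the PHP calls that decode them. The Python script below is an added example, not part of the original article; the theme name, file contents and spam link are constructed for the demonstration, and a hit is a reason to read that line, not proof of malware.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# PHP calls that commonly unwrap a hidden payload in a tampered theme.
DECODER_CALL = re.compile(r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# A quoted literal of 40 or more base64-alphabet characters.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")

def decode_preview(blob, limit=80):
    """Decoded text of a base64 literal, or None when it is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")[:limit]

def scan_theme(theme_dir):
    """Return (file, line, reason, detail) findings for every .php file in a theme."""
    root, findings = Path(theme_dir), []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            calls = sorted({m.group(1).lower() for m in DECODER_CALL.finditer(line)})
            if "base64_decode" in calls:
                findings.append((rel, lineno, "decoder call", "+".join(calls)))
            for m in B64_LITERAL.finditer(line):
                preview = decode_preview(m.group(1))
                if preview is not None:  # show the reviewer what the string hides
                    findings.append((rel, lineno, "base64 literal", preview))
    return findings

def scan_constructed_sample():
    """Build a constructed two-file theme in a temp dir and scan it."""
    hidden = b"echo '<a href=\"http://spam.example/\">link</a>';"  # constructed payload
    blob = base64.b64encode(hidden).decode()
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "free-theme")  # hypothetical theme name
        theme.mkdir()
        (theme / "functions.php").write_text("<?php add_theme_support('title-tag');\n")
        (theme / "footer.php").write_text(f"<?php\neval(base64_decode('{blob}'));\n")
        return scan_theme(theme)

if __name__ == "__main__":
    for finding in scan_constructed_sample():
        print(*finding, sep=" | ")
```

To check a real download, unzip it and call scan_theme() on the extracted folder before uploading anything to your site.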
Make regular back-ups
It’s so important to make regular back-ups – don’t put it off, make it a regular task, as you never know when you’ll be grateful! Despite all your best security efforts, hackers live to attack and they may get you. Having a recent back-up means all (or at least most) of your content is safe.
Use plug-ins for security
There are dozens of plug-ins you can use to increase your security, so have a look and take some professional advice.
Get a $50 Security Audit + Lock Down
If you are time poor or you’d like to be completely hands-off when it comes to the management of your website, we are able to help! We’d like to make sure everyone has a website that is fully locked down, so we are offering a one-off special Security Audit + Lock Down. This includes ensuring all your website software and plugins are up to date, login toughening and the installation of Sucuri and other helpful plugins.
Simply email us your web address and we’ll get to work!