Since its first appearance more than two decades ago, WordPress has grown (and grown) and can now safely be called the world’s most popular content management system. Today, more than a quarter of existing websites run on WordPress.
Why is your WordPress website a valuable target?
If you are wondering why a hacker would want to control your WordPress blog, there are several reasons, among others:
- Using it to send spam messages covertly
- Stealing data such as mailing lists or credit card details
- Adding the site to a botnet that they can use later
Fortunately, WordPress is a platform that offers plenty of ways to defend yourself. I have helped to set up and manage several sites and blogs myself, and would like to share some basic steps you can take to secure your WordPress site.
Secure your WordPress login page
No single technique secures the login page, but there are certainly steps you can take and free security plugins you can use that make any attack much less likely.
The login page is certainly one of the most vulnerable pages on your site, so let’s start by making the WordPress login page a little more secure.
Choose a good administrator username
Use an unusual username. Older versions of WordPress forced you to start with the default username admin, but this is no longer the case. Nevertheless, most new webmasters still use the default username and need to change it.
Make sure you use a strong password
By now you would probably think that people use strong, complex passwords to protect their accounts, but there are still many who think that “password” is a fine choice.
- I love you
If you use one of these passwords and your website receives any traffic at all, it will almost certainly be compromised sooner or later.
A strong password will:
- Mix upper- and lower-case letters
- Be alphanumeric (A-Z, a-z and 0-9)
- Include a special character (!, @, #, $, etc.)
- Be at least 8 characters long
The more random your password is, the safer it is.
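The username and password rules from the two sections above can be turned into a check you run before creating an administrator account. The following is an added example, not code from the original post; the threshold of 8 characters and the four character classes come from the text, while the list of guessable usernames, the 4-character minimum for usernames and the entropy estimate are assumptions made for the example.

```python
import math
import string

# Policy thresholds taken from the rules in the text; the username list and the
# username length minimum are constructed for this example.
MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)          # !, @, #, $, ... (32 characters)
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user"}


def check_username(username: str) -> list:
    """Return the problems found with an administrator username (empty list if it passes)."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("username is a default or easily guessed name")
    if len(username) < 4:
        problems.append("username is shorter than 4 characters")
    return problems


def check_password(password: str, username: str = "") -> list:
    """Apply the four rules from the text, plus two checks that catch obviously
    weak choices the rules alone would let through."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: log2 of the character-pool size per character, where
    the pool is the union of the character classes actually present. It reflects both
    length and variety; an 8-character password drawn from all four classes scores
    about 52 bits."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SPECIAL_CHARS for c in password):
        pool += len(SPECIAL_CHARS)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for user, pw in [("admin", "password"), ("siteowner42", "Tr0ub4dor&3")]:
        print(user, check_username(user), pw, check_password(pw, user),
              f"{estimate_entropy_bits(pw):.1f} bits")
```

The entropy figure is only a sanity check on the "more random is safer" point: a password that satisfies all four rules but is built from a dictionary word still scores well here, so the character-class rules are a floor, not a guarantee.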
Rename your login URL
Most hackers try to log in through the default WordPress login page, whose URL usually looks like mydomain.com/wp-admin.
To add another layer of protection, change the URL of your login page; tools such as WPS Hide Login make this quick and effortless.
Reduce the number of login attempts
This is an incredibly simple technique to stop brute-force attacks on your login page dead in their tracks. A brute-force attack works by guessing the username and password, trying many combinations.
If you track a particular IP address that is attacking you, you can block its repeated attempts and keep your site safe. For this reason, global DDoS attacks come from multiple IP addresses with different attack origins, to throw off hosting services and website protection.
Login Lockdown and Login Security Solution both offer great ways to protect your website’s login pages: they track IP addresses and limit the number of login attempts.
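The plugins named above do their counting inside WordPress; the same logic can be run over the web server's access log, which also catches attempts against xmlrpc.php that never reach the login form. The following is an added example, not code from the original post or from either plugin. It assumes the common "combined" log format, and the five-attempts-in-five-minutes threshold, the IP addresses and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in the "combined" format used by Apache and nginx.
# The IP addresses (documentation ranges) and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3402 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:40:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "python-requests/2.31"
this line is not in log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_attempt(rec):
    """Decide whether a record is a failed login attempt.

    WordPress answers a failed wp-login.php POST with 200 (the form is re-rendered
    with an error) and a successful one with a 302 redirect to the dashboard.
    XML-RPC replies 200 even to bad credentials, so every POST to xmlrpc.php counts."""
    if rec["method"] != "POST":
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    if rec["path"] == "/xmlrpc.php":
        return True
    return False


def find_brute_force(lines, max_failures=5, window=timedelta(minutes=5)):
    """Sliding-window counter per IP: returns {ip: timestamp at which the IP reached
    max_failures failed attempts within `window`}. Both thresholds are assumptions."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_attempt(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()           # drop attempts that fell outside the window
        if len(q) >= max_failures and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {when.isoformat()}")
```

In the sample, 203.0.113.7 is flagged on its fifth failure while 198.51.100.23, a user who mistyped twice and then logged in, is not. The output is the list of addresses to hand to a firewall or to the web server's deny list; which one is a deployment choice the page leaves to you.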
Use SSL for data encryption
Apart from the website itself, you will also want to secure the connection between you and the server, and this is where SSL comes in: it provides encrypted communication. Thanks to the encrypted connection, hackers will not be able to intercept data (such as your password) while you communicate with the server.
Besides, it is good practice to implement SSL because search engines increasingly penalize sites that they consider “not secure”.
For individual bloggers and small businesses, a free, shared SSL certificate, which can usually be obtained from your hosting provider, is enough. For companies processing customer payments, it is best to buy a dedicated SSL certificate from your web host or a CA.
Use a content distribution network (CDN)
Although this may not save your site from being hacked, it helps to mitigate malicious attacks on it. Some hackers try to take websites down, making them unavailable to the general public. A CDN will help absorb the blow of a Distributed Denial of Service attack on your site.
It also helps to speed up your website a little by caching some content. To explore this option, look at Cloudflare as an example: it offers CDN services at several price tiers, and you can use the basic features for free.
Make sure that all software is up-to-date
No matter how good or expensive software is, new weaknesses will always be found in it, and those can be exploited. WordPress is no exception, and the team constantly releases new versions with fixes and updates.
Hackers almost always try to take advantage of such weaknesses, and a well-known exploit that remains unpatched is simply asking for trouble. This applies twice as much to plugins, which are often created by much smaller companies with fewer resources.
Having said that, I do NOT recommend using automatic updates for WordPress and plugins, especially if you run a live site. Some updates can cause problems, either on their own or through conflicts with other plugins and settings.
It is best to create a test environment that mirrors your site and test the updates there. When you are sure that everything works correctly, apply the update to your live site.
Backing up, backing up, backing up!
Regardless of security measures and caution, accidents happen. Save yourself heartbreak and hundreds of hours of work by making sure you have a proper backup service.
Usually your hosting provider has at least basic backup features, but if you are paranoid like me, always make sure you have your own independent backups. Backing up is not as easy as just copying some files; it also has to include the information in the database.
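The point that a backup must cover both the files and the database is easy to get wrong in a home-grown script. The following added example (not code from the original post) reads the database settings from wp-config.php, builds the matching mysqldump command without putting the password on the command line, bundles wp-content, wp-config.php and the SQL dump into one archive, and verifies the archive before it is trusted. The wp-config.php excerpt, its credential values and the site tree are constructed for the example; the SQL dump is a stand-in, since mysqldump is not actually run here.

```python
import hashlib
import re
import shlex
import tarfile
import tempfile
from pathlib import Path

# Constructed wp-config.php excerpt; the credential values are placeholders.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'PLACEHOLDER_PASSWORD' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def read_db_settings(wp_config_text):
    """Pull the DB_* constants out of wp-config.php so the dump targets the right database."""
    return dict(DEFINE_RE.findall(wp_config_text))


def mysqldump_command(settings, out_file):
    """Build (but do not run) the mysqldump invocation. The password is deliberately
    left out of the argument list: supply it through the MYSQL_PWD environment
    variable or a ~/.my.cnf file so it never shows up in the process list."""
    return shlex.join([
        "mysqldump", "--single-transaction",
        "-h", settings["DB_HOST"], "-u", settings["DB_USER"],
        "--result-file=" + out_file, settings["DB_NAME"],
    ])


def sha256_file(path):
    """Stream the file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_site(site_root, db_dump, out_tar):
    """Bundle wp-content (themes, plugins, uploads), wp-config.php and the SQL dump
    into one gzip-compressed tar; return its SHA-256 for later verification."""
    with tarfile.open(out_tar, "w:gz") as tar:
        tar.add(site_root / "wp-content", arcname="wp-content")
        tar.add(site_root / "wp-config.php", arcname="wp-config.php")
        tar.add(db_dump, arcname=db_dump.name)
    return sha256_file(out_tar)


def verify_archive(out_tar, expected_sha, required=("wp-content", "wp-config.php", "db.sql")):
    """An unverified backup is a hope, not a backup: check the checksum and that
    every required member (files and database dump) is present."""
    if sha256_file(out_tar) != expected_sha:
        return False
    with tarfile.open(out_tar, "r:gz") as tar:
        names = set(tar.getnames())
    return all(any(n == r or n.startswith(r + "/") for n in names) for r in required)


def demo():
    """Build a throw-away site tree, back it up and verify it; returns (settings, ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed")
        (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
        settings = read_db_settings(SAMPLE_WP_CONFIG)
        dump = Path(tmp) / "db.sql"              # stand-in for real mysqldump output
        dump.write_text("-- constructed stand-in for mysqldump output\n")
        out = Path(tmp) / "backup.tar.gz"
        digest = archive_site(root, dump, out)
        return settings, verify_archive(out, digest)


if __name__ == "__main__":
    settings, ok = demo()
    print(mysqldump_command(settings, "db.sql"))
    print("backup verified:", ok)
```

Two things the script does on purpose: the archive includes wp-config.php, because a restore without the salts and database settings is a reinstall, not a restore; and the verification step checks the dump is present, because a "backup" consisting of wp-content alone is exactly the copy-some-files mistake the text warns about. Store the checksum separately from the archive, and keep the archive off the web server itself.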
Your hosting matters!
Although hosting companies have traditionally offered us just a place to host our websites, times have changed. Hosting providers, aware of the security gaps, have stepped up their efforts to improve security, and many of them offer value-added services that complement their hosting.
Although all this may seem a bit exaggerated for an average WordPress user, I assure you that everything (and more) is necessary. Setting hacking statistics from around the world aside for a moment, let me share with you a personal story about one of the darkest sites I help manage.