The statistics on WordPress security are in some ways a little grim. That’s the case in large part because many sites aren’t spending the time or energy to take the necessary precautions. How can you safeguard your site?
- Hardening your site & WordPress risk-taking stats
- 10 basic steps to harden WordPress
- Expert WordPress hosting
Hardening your site & WordPress risk-taking stats
When IT folks talk about security, they often use the word hardening. It's an apt term: hardening means making your defenses more rigid and raising the cost of compromising your perimeter. You want your walls and gates reinforced in more than one way, and you want sentries posted so that no one unverified gets into the private areas of your site.
You may not consider yourself well-versed on WordPress security or how to generally safeguard a website, but you have probably picked up a few ideas from the many pieces out there on the topic. If you haven’t done much to address security yet, it’s certainly compelling to look at some sobering statistics:
- An incredible 31% of targeted cyberattacks in 2012 were aimed at small businesses, notes the National Cyber Security Alliance. Put another way, about 20% of small businesses get hacked annually, and three out of every five that are compromised are bankrupt within half a year.
- WordPress security should by no means be assumed, says Brenda Barron of WPMU Dev. “Did you know 73% of the popular sites that use WordPress were considered ‘vulnerable’ in 2013?” she asks. “Or that of the top 10 most vulnerable plugins, five were commercial plugins available for purchase?”
10 basic steps to harden WordPress
As the statistics above make clear, it's a mistake to treat security as an afterthought or to assume that WordPress is secure out of the box. Here are the basic steps to harden your site:
Step #1 – Passwords
If you want your house to be secure, get strong locks. If you want your site to be secure, you need really strong passwords. One well-known random password generator, for whenever you need a new password, is Perfect Passwords. Randomness is worth it because a random password has no connection to you or even to the English language, so it can't be guessed from what an attacker knows about you or cracked from a word list.
You also want to treat passwords with care. Don't share them with anyone. Don't use common words (and ideally randomize them). And use a different password for each of your accounts.
Hardly anyone follows that last rule: three-quarters of web users have the same password for Facebook and their email, according to a study from BitDefender. That is an unnecessary vulnerability, according to Eric Griffith of PC Magazine. Either develop a system for remembering distinct passwords (such as acronyms based on stories, with numbers and symbols thrown in) or use a password manager to store a different random password for every account.
If you don’t want to use a random password generator, here are four steps from Griffith for creating one that is similarly hard to guess: “Spell a word backwards… Substitute numbers for certain letters… Randomly throw in some capital letters… Don’t forget the special character.”
Finally, use at least ten characters per password; longer is better, and a randomly generated password kept in a password manager gives you length and uniqueness without having to memorize anything.
Step #2 – Updates
Always stay abreast of updates. When an update comes out, it's easy to dismiss it as a pointless effort to introduce features you might never use, and nobody wants to spend their time updating rather than actually using the system.
Keep in mind that security patches plug holes through which attackers could enter. If you skip those updates, it's almost as if you were inviting attackers in: once a fix is public, so is the description of the flaw it closes. Updates should always be first priority, and that applies to WordPress core as well as to themes and plugins.
WordPress developer Jerod Morris notes that many people are fearful of updating their site because they don’t want to lose data or have technical problems. “[I]f you’re afraid of it, then you need to re-evaluate your theme and plugin strategy,” he says. “Your theme will certainly get disrupted when a hacker injects half a page of a nasty encrypted code into it.”
Additionally, be careful which plugins you install. Don't think of them as part of WordPress; they are independently maintained, and a plugin that has been abandoned by its author will never get a security fix. Make sure each one is updated often, and consider paying for support.
Step #3 – Admin
Changing “admin” to a different name is a simple step, but realize that attackers can find usernames elsewhere. WordPress uses the login name as the author slug by default, so it shows up in author archive URLs and blog-post bylines and is easy to discover. Rather than relying on a secret username, center yourself, again, on password strength.
You may also want to use something like a YubiKey, a small device that supplies a second authentication factor at the touch of a button, through a two-factor plugin. Whatever solution you use, adding a physical component to the login greatly improves your security, because a guessed or stolen password is no longer enough on its own.
Step #4 – Brute force
Attackers love getting into sites, and many large sites see hundreds or even thousands of failed login attempts per hour.
How do you defend yourself? First, make sure your web host prioritizes security and protects you against brute force at the network and server level. Second, you can use a plugin such as Limit Login Attempts, which locks a client out after a set number of failed logins.
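To see what "hundreds of failed login attempts per hour" looks like in your own logs, here is an added example in Python; it is not from the original article or from any plugin it mentions. It parses web-server access-log lines in the common combined format, keeps only POSTs to the two WordPress endpoints that accept credentials, and flags any client IP that produced five or more failed attempts inside a ten-minute window. It relies on a WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects (302) into wp-admin. It also watches xmlrpc.php, because attackers use that endpoint to try credentials while bypassing plugins that only monitor wp-login.php. The log lines, IP addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines ("combined" format). Not a real log; the
# addresses come from the documentation ranges. 203.0.113.7 hammers wp-login.php,
# 203.0.113.9 hammers xmlrpc.php, and 198.51.100.22 is a legitimate user who
# mistypes once (200) and then logs in successfully (302).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2015:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:04:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:14:03:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3390 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:14:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:14:03:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2015:14:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 618 "-" "-"
203.0.113.9 - - [10/Mar/2015:14:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 618 "-" "-"
203.0.113.9 - - [10/Mar/2015:14:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 618 "-" "-"
203.0.113.9 - - [10/Mar/2015:14:05:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 618 "-" "-"
203.0.113.9 - - [10/Mar/2015:14:05:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 618 "-" "-"
203.0.113.9 - - [10/Mar/2015:14:40:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 618 "-" "-"
'''

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Both endpoints accept credentials; xmlrpc.php is the one that login-limiting
# plugins tend to forget.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A failed WordPress login re-renders the form (HTTP 200); success is a 302
    redirect into wp-admin. xmlrpc.php answers a bad password with a 200 fault."""
    return (rec["method"] == "POST"
            and rec["path"] in LOGIN_ENDPOINTS
            and rec["status"] == 200)


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each client IP to its peak failed-login count when that peak reaches
    the threshold inside the window; quiet clients are omitted."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in sorted(find_brute_force(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {count} failed logins within 10 minutes")
```

Run against the sample, the script flags 203.0.113.7 (six failures in under three minutes) and 203.0.113.9 (five xmlrpc.php failures in four seconds, with a later stray request correctly left outside the window), and ignores the legitimate user. One caveat: a single xmlrpc.php request can carry many password guesses via `system.multicall`, so per-request counting undercounts that endpoint; if nothing on the site needs XML-RPC, blocking it at the web server is simpler than rate-limiting it.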
Step #5 – Malware detection
You must have some kind of malware protection in the form of server-side scanning of your files. Again, your web host should cover this, but make sure you know how your systems are protected and how often they are scanned.
Step #6 – Malware removal
Your malware solution needs to go beyond scanning to cleanup. “A couple of the oft-overlooked ‘true costs’ of WordPress ownership are those associated with downtime due to security issues and cleaning up those issues,” says Morris. In other words, you want to make sure your hosting partner is able to keep you up and running, or help you quickly recover if you do get attacked.
Step #7 – Choice of web host
Many people have always chosen to run their own dedicated machine, but don't make the mistake of thinking cloud hosting exposes you to the same dangers as a traditional shared server. The security industry is highly focused on the cloud, so secure configurations are readily available in the public cloud. Many industry thought-leaders have commented that public cloud is more secure than the typical on-premises datacenter because systems are monitored and patched immediately, behind the scenes, by expert full-time security personnel and automated cloud mechanisms.
That said, your host should really have security, along with things like customer service and performance, as one of its top priorities. They should understand that the threat landscape is always evolving and that they need to approach it dynamically.
Step #8 – Dirty dishes
Think of old plugins and themes that are attached to your installation but unused as dishes with food growing older, more rotten, and more attractive to pests and rodents. Clean up the kitchen.
Cleaning up is also important because if you do get hacked, it’s easier for a pro to come in and remove the problems if they can see everything clearly.
In addition to getting rid of unnecessary components, you also want to know what belongs in your file structure. Compare your installation against a clean copy of the same WordPress version. A few extra files (wp-config.php, .htaccess, your uploads) are expected, but an install with twice as many files as the default core is hiding something. WordPress publishes per-version checksums of its core files, so this comparison can be automated; WP-CLI's `wp core verify-checksums` does exactly that.
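As an added example that is not from the original article or from Total Server Solutions, the following Python script performs the comparison that steps 5 and 8 both call for: it checks every file in an install against a manifest of expected checksums and reports modified core files, missing core files, and files that should not be there. The file contents and the manifest here are constructed stand-ins; on a real site you would load the per-version MD5 manifest that WordPress.org publishes (the same data `wp core verify-checksums` uses). The skip lists for wp-config.php, .htaccess and wp-content/ are this example's assumption about what is site-specific; plugins and themes under wp-content/ need their own review, since that is where the unused "dirty dishes" live.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a clean WordPress core tree. A real audit would load
# the per-version manifest from WordPress.org instead of building it locally.
CLEAN_CORE = {
    "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-settings.php": b"<?php\n// constructed stand-in for the real file\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '4.1.1';\n",
}
# WordPress.org publishes MD5 checksums, so MD5 is used here to match that format.
MANIFEST = {path: hashlib.md5(data).hexdigest() for path, data in CLEAN_CORE.items()}

# Site-specific paths that are never in the core manifest (assumption of this
# example); they are skipped rather than reported as "extra".
SITE_SPECIFIC_FILES = ("wp-config.php", ".htaccess")
SITE_SPECIFIC_DIRS = ("wp-content/",)


def md5_file(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_tree(root, files):
    """Write a {relative path: bytes} mapping under root (fixture helper)."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def audit_tree(root, manifest):
    """Compare an install against a manifest. Returns (modified, missing, extra)."""
    seen = set()
    modified, extra = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in SITE_SPECIFIC_FILES or rel.startswith(SITE_SPECIFIC_DIRS):
                continue
            seen.add(rel)
            if rel not in manifest:
                extra.append(rel)        # unknown file in a core directory: investigate
            elif md5_file(full) != manifest[rel]:
                modified.append(rel)     # core file changed: injected code or stale version
    missing = sorted(set(manifest) - seen)
    return sorted(modified), missing, sorted(extra)


def demo():
    """Audit a clean install and a tampered one; returns both results."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, CLEAN_CORE)
        write_tree(root, {"wp-config.php": b"<?php // site secrets\n",
                          "wp-content/uploads/2015/03/photo.jpg": b"\xff\xd8\xff"})
        results["clean"] = audit_tree(root, MANIFEST)
    with tempfile.TemporaryDirectory() as root:
        tampered = dict(CLEAN_CORE)
        # A line prepended to a core file, the way an injection leaves its mark.
        tampered["index.php"] = b"<?php // injected\n" + CLEAN_CORE["index.php"]
        del tampered["wp-settings.php"]                      # core file gone missing
        tampered["wp-includes/.db.php"] = b"<?php // not part of core\n"  # planted file
        write_tree(root, tampered)
        results["tampered"] = audit_tree(root, MANIFEST)
    return results


if __name__ == "__main__":
    for label, (modified, missing, extra) in demo().items():
        print(f"{label}: modified={modified} missing={missing} extra={extra}")
```

The clean tree reports nothing, because wp-config.php and the upload are recognised as site-specific. The tampered tree reports index.php as modified, wp-settings.php as missing and wp-includes/.db.php as extra; a hidden dot-file inside wp-includes is exactly the kind of thing a file-count comparison hints at and a checksum comparison pins down. Anything the audit flags should be diffed against the pristine copy before it is deleted, so that the cleanup also tells you how the attacker got in.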
Expert WordPress hosting
Are you looking for a secure WordPress hosting environment? At Total Server Solutions, we are audited to meet the requirements of SSAE 16, Type II, an auditing standard for service organizations developed by the American Institute of CPAs. See our first-line defenses.