Beginners Guide To Securing WordPress

WordPress Security for Beginners

Guide To WordPress Security and How To Protect Your WordPress Site

WordPress security is a major issue and if you’re reading this you should seriously consider securing your WordPress website. WordPress blogs worldwide are under attack right now. Denis Sinegubko, a Sucuri threat researcher says, “a massive advertising scam campaign is affecting users visiting WordPress sites, injecting backdoors and constantly re-infecting sites”.
In response to a comment on how the malware gets in, he says, “..hackers also know multiple vulnerabilities and they no longer use just one vulnerability. They scan your site for multiple security holes and exploit the ones that they find still open.”
He’s the expert! And he’s absolutely right: from a simple password to an outdated plugin, there are a number of unlocked doors hackers can use to “walk” into your website. When a WordPress blog is hacked, it can lose not only its credibility but its search engine rankings as well. In some cases, attacks can be too devastating for websites to recover from.

Have you taken the basic security measures to protect your blog from hackers, attacks and malware?

WordPress Security

Protecting your WordPress Admin Dashboard

1. Unique Username: To break into your account, a hacker must know your username and your password. By default, WordPress offers to set your admin username to the word “admin”. Most users accept the default username and only create a new password. If your current username is admin or anything related to your blog, replace it now. Create a unique username and keep it a secret. You can add a number to make your username unique. If you already use another username but still have an “admin” user, delete it.

2. Create a Nickname: Don’t display your WordPress login username on your blog posts as the author. If you’d like to display an author for your posts, use a nickname. This can easily be set in the WordPress control panel under the Users section.

3. Password: Simple passwords are convenient, but they are the number one reason for hacked WordPress accounts. Never use simple words, names, an actual dictionary word, or a combination of numbers related to you or your family; those are really easy to crack. Make a strong password by including lowercase and capital letters, numbers and special characters. Not all long, complicated and unhackable passwords are hard to remember; there are tricks to easily remember ultra-strong passwords.

4. Two-factor authentication: Set up two-factor authentication to make breaking into your account considerably harder. It requires you to enter a code generated by the Google Authenticator app in addition to your regular password to log in. It is easy to set up and adds a solid second layer of protection between your account and the hackers.

5. Limit Login attempts: Hackers don’t guess and type passwords by hand. They use automated, high-speed password-guessing scripts; the method is known as brute force. The objective is to try as many password combinations as fast as the server can handle. You can use a plugin called “Limit Login Attempts” to control how many failed login attempts are allowed before an IP address is temporarily banned, which blocks brute-force attempts.

6. Use CAPTCHA: The easiest way of blocking password-hacking or brute-force scripts is using a CAPTCHA. It’s as simple as requiring a user to read jumbled words on an image and enter them into a box, in addition to entering a password when logging in. It’s one of those simple things that work!

7. Disable Guest User Registrations: Unless you operate a member-based WordPress blog, disable guest users. Go to Settings and uncheck the “Anyone can register” option.
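As an added illustration of the lockout that item 5 describes (this is not code from the page or from the Limit Login Attempts plugin), here is a minimal WordPress must-use plugin that counts failed logins per IP address with WordPress transients and refuses further attempts once a threshold is reached. The `elal_` prefix, the thresholds and the choice of transients for storage are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (added illustration, not from the page)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Assumed thresholds: 5 failures within 15 minutes lock the address out.
define('ELAL_MAX_ATTEMPTS', 5);
define('ELAL_WINDOW', 15 * MINUTE_IN_SECONDS);

// Transient key derived from the client address. REMOTE_ADDR is only correct
// when PHP sees the real client; behind a proxy or CDN the host must set it from
// the trusted forwarding header, otherwise every visitor shares one counter.
function elal_transient_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elal_fail_' . md5($ip);
}

// Count each failed login. WordPress fires wp_login_failed with the username tried.
// Re-setting the transient also restarts its expiry, so repeated failures during
// a lockout extend it rather than wait it out.
add_action('wp_login_failed', function ($username) {
    $key   = elal_transient_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, ELAL_WINDOW);
});

// Clear the counter on a successful login so a legitimate user is not
// penalised for a typo or two.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(elal_transient_key());
}, 10, 2);

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so the lockout holds
// even when the correct password is supplied while the address is locked.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(elal_transient_key()) >= ELAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}, 30, 3);
```

Watch the counter from the lockout's point of view: a brute-force script sees the same generic error on every attempt, and the transient expires on its own, so no manual cleanup is needed.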

How To Secure your WordPress

1. Update WordPress: All web apps tend to have bugs and known issues. Thanks to how popular WordPress is, its developers constantly fix security loopholes in its code. If you do not use a custom theme or a lot of plugins, leave auto-update for the WordPress core enabled; it is on by default. Also, apply each WordPress update as early as possible. It is a simple, one-click process.

2. Update Themes and Plugins: Since hackers can also break into your WordPress blog by exploiting a loophole in an outdated plugin or a badly coded theme, it is just as important to keep your themes and plugins updated. Never install a theme or a plugin from an untrusted source, and stay away from pirated themes and plugins.

3. Custom themes and plugins: If you are using custom developed themes and plugins, make sure they were developed using WordPress development best practices. The finished product of an insecure or badly coded project may look good and work perfectly fine but it can potentially open doors for exploits. Ask your developer about it.

4. Backup: Don’t rely only on the backups made by your web hosting company. Make your own offsite or offline backups every day to be prepared for any eventuality.

5. Protect the Directory: Password-protect your WordPress directories for additional security. Each web hosting company uses a different cPanel theme or control panel, so contact them to learn more about protecting your WordPress directory.

Use Secure WordPress hosting if all these measures seem too complicated to you. It is the best option for non-technical WordPress users. A good Managed WordPress Hosting package takes care of all the technical stuff including updates and security while you concentrate only on your blog posts and marketing your blog.

Also, read our WordPress security tips for advanced users.

2 Comments

  1. Hello, friend. My question is: please tell me how to secure a WordPress blog/site from hackers. Is this the responsibility of the hosting providers or myself? Kindly tell me some plugins for WordPress.

    • Hi,

      The most popular security plugin is Wordfence. It has many features, such as a login-failure blocker, a firewall and many other security features to protect your WordPress website.

      It offers:

      Scanning for file changes
      Blocking IP addresses
      Two-factor authentication
      Country blocking and country redirects
      Custom alerts
