Security. The Web never seems to have enough of it! Each week we hear another story about a successful attack that has compromised a series of businesses or institutions. It’s easy to feel as though this doesn’t affect you, especially if you’ve installed all the necessary security patches and updates for your computer and WordPress installation. However, most preliminary scans and hacking attempts are automated and fairly indiscriminate. Even if your site doesn’t include valuable data, attackers will typically hijack your server and use it to attack other websites.
No matter what industry you are in or what software you run, there is always a possibility of the worst happening. What can you do to ensure every base has been covered? Without further ado, here are our 6 vital steps for securing your WordPress blog against hackers, so that your website avoids becoming a statistic and is as difficult as possible for a would-be hacker to break into:
1) Secure Your Logins
If you’re using WordPress under the default ‘Admin’ login, change this now by either creating a new user or updating the details of ‘Admin’. This may seem like an arbitrary change, but if you don’t do this, any potential attacker already has a valid username, which is half the battle in getting a valid login.
Use a password of a decent length which ideally should include a mixture of uppercase, lowercase and special characters (e.g. !, #, $ etc.). Change it regularly and never give it out to anyone. If you need to give anyone else access to your WordPress, be sure to create a new login for them and share only this with them!
Set a limit on the number of login attempts that users are allowed before being locked out. Many attacks of this kind are automated. A lockout period won’t necessarily stop them altogether (as many will use VPNs and proxies), but it will definitely slow them down and make them use more resources.
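The effect of an attempt limit can be checked against an access log. The sketch below is an added example, not code from WordPress or from this article: it replays POSTs to /wp-login.php from a constructed sample log and counts how many attempts a lockout would have rejected per IP. The thresholds, the names make_line and simulate_lockout, and the rule that a 200 response means a failed login (a successful one redirects) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_line(ip, sec, method, path, status):
    """Build one constructed log line in Apache/nginx 'combined' format."""
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1024 "-" "-"')

# Constructed sample: 20 rapid failures from one address, plus a real user
# who mistypes once and then logs in successfully (documentation IP ranges).
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 40, 2)]
    + [make_line("198.51.100.20", 5, "POST", "/wp-login.php", 200),
       make_line("198.51.100.20", 30, "POST", "/wp-login.php", 302),
       make_line("198.51.100.20", 31, "GET", "/wp-admin/", 200)])

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def simulate_lockout(log_text, max_attempts=5, window=timedelta(minutes=10),
                     lockout=timedelta(minutes=30)):
    """Return {ip: attempts that a lockout policy would have rejected}."""
    recent = defaultdict(deque)      # ip -> times of recent failed logins
    locked_until = {}                # ip -> time the lockout ends
    blocked = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and when < locked_until[ip]:
            blocked[ip] += 1         # would have been refused outright
            continue
        if status != "200":          # assumption: non-200 means the login succeeded
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()              # drop failures older than the window
        if len(q) >= max_attempts:
            locked_until[ip] = when + lockout
            q.clear()
    return dict(blocked)
```

Replaying the same number of failures spread over many source addresses produces no lockouts at all, which is the VPN and proxy limitation noted above.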
2) Install Updates As Soon as Possible
Regular updates for WordPress are released to patch security holes, fix bugs and add new features. Unless your theme or one of your plugins prevents an upgrade, these should really be applied immediately. You will need to check whether any of your plugins, or any features the theme uses, will break on upgrade.
WordPress releases a series of patch notes for each upgrade. While it’s helpful for you to know what security holes were patched, what bugs were fixed and what new features are now available, these notes also act as a blueprint for an attacker, leading them directly to a vulnerable place on a website that has not yet been upgraded. Each day, hour or even moment you don’t upgrade puts your website at greater risk.
3) Ensure Your Server and Hosting are Secured
- Do you have an SSL certificate? All websites should have these now, not just online shops. Not only does Google reward you with better rankings for this extra security measure (find out more about why this is necessary here), it will also prevent anyone ‘snooping’ on and intercepting communications between your users and your website, which might otherwise allow people to collect login information.
- Does your server have adequate firewall and login protection? In addition to your website, there are separate logins for the server it is hosted on. These can be FTP logins or Remote Desktop Login (RDP), which are separately open to abuse by attackers. Some hosting providers will provide a ‘locked’ FTP server (i.e. one that won’t work until you enable it from your control panel for a limited time or by IP address). It’s worth checking you’re using all the security your host provides!
Simplepage offer specially dedicated managed WordPress hosting accounts with all of these security provisions in place. We also manage upgrades for you, taking care of the worries associated with most of these tasks except your day-to-day usage of WordPress (point 1). Click here to find out more about our Managed WordPress Hosting service or find out more about our website hosting services here.
Let me say this again…..
5) Make Sure Your Workstation is Secure
Separate from your website itself, the computer or device you use to connect to your website should also be secure. Bear in mind that the device you use could also become the weakest link.
Even if an attacker has been unable to gain entry to your website, if they can gain entry to your computer and you access the website from it via (1) remembered passwords or (2) programs such as FileZilla or CuteFTP which hold FTP login details, then it may be possible for them to use these to gain entry.
Another type of attack involves using malware on your computer as a ‘keylogger’, which records the key presses you make when logging into a website. Once an attacker has seen what you type, they can separately log into the website themselves.
To avoid these scenarios you should:
- Install all software updates for your operating system (such as Microsoft Windows or Apple’s OS X).
- Ensure your local network and computer are adequately protected by firewalls and other security provisions.
- Limit access to the website, either by having just the one set of login details or by ensuring that everyone has only their own login and that only one of these is an administrator!
This list will depend a lot more on how your business uses networks and information and how this relates to the website itself. But bear in mind that your website will only be as secure as the weakest link to it. This includes the person editing the website and what sort of computer they use. If you have staff who log in remotely from home or while on the move, this presents a separate set of challenges, which you may be able to address with appropriately set up Virtual Private Networks (VPNs).
As ever, remember to keep your website fully backed up at all times. You want a quick, safe and easy method to restore your website if anything should happen. Many hacks involve updating your website’s content (e.g. inserting unsavoury adverts and links), and sometimes it isn’t easy or possible to identify which pages have changed. In some cases, every page and post in your site may have been updated and there would be no easy way of being certain. Cleaning this by hand is incredibly time-consuming and not guaranteed to get everything, while restoring fresh from a backup gives you a quick and guaranteed way to undo the damage.
If you would like the Simplepage professional team to help you achieve optimum security or secure your WordPress blog, why not get in touch today? You will be glad you did!