Security is often the most overlooked part of any website, with most users not giving it a second thought until it is too late!
Here at TR8 Media we take our website development seriously and so all our client sites are delivered as securely as possible.
Once we hand over a project though, unless you have signed up for one of our monthly maintenance packages, the security of the website rests firmly on the shoulders of the client.
Here we run you through some of the common pitfalls encountered when running a WordPress site and offer some guidance on how to avoid any security blunders.
Is WordPress open to hacking?
This is a question clients ask us time and time again. The simple answer is yes, WordPress is open to hacking, but only as “open” as you allow it to be.
The main reason that WordPress sites get hacked so often is simply because WordPress is the most popular CMS on the planet!
According to a recent survey, 19 percent of the web runs on WordPress.
WordPress is popular because it is easy to use, even for beginners, and that is where many of the security holes get left open.
Hacking is all about finding the easiest way to break into a computer system or website. What the hackers do once they are in depends very much on what they find on your servers!
Following our simple guide below will ensure that even for a WordPress novice, you will end up with a very secure website.
- Ensure your usernames and passwords are unique and that the password would be impossible to guess. DO NOT use admin as your username; change it to something else. The best way we have found to do this is to simply open up Notepad on the PC and then randomly type out characters using a mix of lower-case letters, capital letters, numbers and special characters. This way you have a copy of the username and password in front of you that no one else could possibly guess! Save the Notepad file somewhere safe on your PC and don’t use the password for anything else.
- Keep your admin username safe! Do not publish your administrator account name on your blog (e.g. in the meta data above a post). Instead, select to display your nickname as your public name (which can be done from the User Profile settings screen).
- Make sure you have a backup plugin installed. TR8 Media design our WordPress websites with BackupBuddy already installed and configured. There are other plugins out there that can do a similar thing, but you need to make sure that you make regular backups and that you download those backups or archive them to the cloud (Dropbox, Mega, Amazon S3, etc.).
- Update your WordPress to the latest version. The reason those updates come out is that every new release contains patches and fixes that address real or potential vulnerabilities in your site. If you don’t update, you could be leaving yourself open to those vulnerabilities. Hackers intentionally target older versions of WordPress with known security issues, so always ensure you are up to date with the latest version.
- Limit the number of times a user can enter incorrect login details from one IP address. The Limit Login Attempts plugin does exactly that and allows you to specify how many retries will be allowed and how long an IP will be locked out for after too many failed attempts. The Brute Protect plugin is excellent for this too and also protects you when the attacker is using multiple servers and IP addresses.
- Disable file editing via the WordPress Dashboard. By default in the WordPress Dashboard you can navigate to Appearance > Editor and edit any of the theme and plugin files directly from the dashboard. This can be very useful, but have you thought about how useful this would be to a hacker if they were to gain access to your dashboard? They could edit your files and execute any code they wanted. Good practice is to disable this method of file editing by simply adding the following line to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );
- Not really seen as a major security threat but more a good practice for WordPress website developers is to ensure that you delete any inactive templates and plugins from the site. This will not only reduce the amount of code bloat (making your site faster) but also reduces any minor security holes in one swoop.
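To show what the login-limiting plugins mentioned above do under the hood, here is an added example (not TR8 Media's code and not the Limit Login Attempts or Brute Protect plugin): a minimal per-IP lockout written as a WordPress must-use plugin. The thresholds, the function names and the file path are assumptions chosen for the example.

```php
<?php
/**
 * Example per-IP login throttle (added example, not a plugin shipped
 * with WordPress or by TR8 Media). Save as
 * wp-content/mu-plugins/login-throttle-example.php so it loads without
 * activation. Assumed limits: 5 failures, then a 15-minute lockout.
 * REMOTE_ADDR is only correct when WordPress sees the real client;
 * behind a proxy or CDN use the client-IP header your proxy sets,
 * otherwise every visitor shares one counter and one lockout.
 */

const EXAMPLE_MAX_ATTEMPTS   = 5;    // failed logins allowed per window
const EXAMPLE_LOCKOUT_SECONDS = 900; // 15 minutes

// One transient per client address; hashing the address keeps the
// option key short and free of any odd characters.
function example_throttle_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'login_fail_' . md5( $ip );
}

// Count every failed login. The transient expires on its own, so the
// lockout lifts automatically; a retry during lockout refreshes it.
function example_record_failure( $username ) {
    $key      = example_throttle_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, EXAMPLE_LOCKOUT_SECONDS );
    if ( $failures >= EXAMPLE_MAX_ATTEMPTS ) {
        // Log the lockout so brute-force attempts are visible in the logs.
        error_log( sprintf( 'Login lockout after %d failures for user "%s"',
            $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failure' );

// wp_authenticate_user fires after the user is looked up but before
// the password is checked, so a locked-out address never gets its
// guess verified. Returning WP_Error makes the login fail.
function example_check_lockout( $user, $password ) {
    $failures = (int) get_transient( example_throttle_key() );
    if ( $failures >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins from your address. Please try again later.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'example_check_lockout', 10, 2 );

// A successful login clears the counter for that address.
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_throttle_key() );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );
```

Because the counter lives in a transient, it is shared across all page loads and survives until it expires, which is what makes the lockout hold between requests.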