Many clients have come to me over the years saying that their WordPress website has been hacked. When building or redesigning a WordPress website, security is always at the forefront. Yet that doesn’t mean your new website will be impervious to attacks, especially if it is not maintained. So you need to take precautions, as with any website you own, whether it uses the WordPress CMS or one of its competitors.
There are arguments that, because WordPress is built on open-source software, it can be easily hacked. Luckily, with a few simple steps, you can secure your website and bring the risk down to a minimal level.
I specialise in WordPress websites, from hosting to maintenance and design to development. In this article I will discuss what you can do to prevent hackers from gaining entry to your WordPress site.
Brute force attacks are the most common form of attack on a WordPress website. There are some very simple ways in which you can prevent your website from being hacked. So, let’s take a look:
A brute force attack tries to discover a username and password by trial and error. These attacks are usually carried out by automated software and target your website’s login page. Because they are automated, they can send a large number of requests at one time, which means that even when they are unsuccessful, the request volume alone can slow down or even crash your server.
Automated tools can also disguise their IP address and location, which makes it much harder for your system to recognise and block suspicious activity. If a hacker’s brute force attack succeeds, it gives them access to your admin area, and that can be detrimental to your website. Once a hacker has access to your website they can install malware, steal user data or even delete everything on your site, rendering it inaccessible.
At this point, this information should be sending shivers up your spine if your website is insecure. But it’s not all doom and gloom: there are some very effective ways to protect your WordPress website from these vicious brute force attacks. Let’s take a look.
As we’ve already discussed, brute force attacks can put a strain on your server. Everyone knows how to reach the standard login page of a WordPress website, which is why so many attackers simply try to brute force their way in. All you do is add /wp-admin or /wp-login.php to the end of the site’s URL and, voila, the login page appears.
The first step in securing your WordPress website is to ensure your login credentials are not easy to guess, because guessable credentials are how brute force attacks get into a website so easily. As a rule of thumb, never use “admin” as your username, and always make your password a mixture of upper and lower case letters, numbers and symbols so that a brute force bot cannot realistically guess it.
There are also some other steps to take when securing your WordPress login page:
A firewall solution filters out bad traffic before it even reaches your server, which helps to stop your website from slowing down or crashing. I personally use Wordfence Security. With Wordfence Security you can set a maximum number of login attempts, which shuts down brute force attacks after a handful of guesses. Wordfence also includes an endpoint firewall and a malware scanner. The scanner checks your core files, themes and plugins, and if it finds anything it notifies you of the issue so that you can resolve it.
Furthermore, Wordfence also offers two-factor authentication (2FA) and a login page captcha, and you can even block logins for known compromised users. Two-factor authentication is a great way to add an extra layer of security: any user needs access to a phone or email to generate a passcode, in addition to their login credentials, before they can reach the admin page. Adding 2FA makes it much harder for a brute force attack to gain access to your website, even if the attacker does crack your password!
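To show what the “maximum login attempts” rule above is actually looking for, here is an added example (my own illustration, not code from the article, WordPress or Wordfence): a small Python detector that reads constructed web server access log lines and flags any IP that sends more than a set number of failed POSTs to /wp-login.php inside a sliding time window. The threshold, window, sample IPs and the assumption that a successful login answers with a 302 redirect are all assumptions.

```python
"""Flag brute-force login attempts against /wp-login.php in a web server access log.
Hypothetical example written for this article (not WordPress or Wordfence code): it
mirrors a firewall plugin's 'maximum login attempts' rule over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

def parse_line(line):
    """Return ip, timestamp, method, path (query string removed) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def find_brute_force(lines, max_attempts=5, window_seconds=60):
    """Return {ip: peak_count} for every IP whose failed login POSTs exceed
    max_attempts inside any sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        # Assumption: a successful login redirects (302); a failed one re-renders
        # the form with a 200, so only non-redirect POSTs count as attempts.
        if (ev is None or ev["method"] != "POST" or ev["path"] != LOGIN_PATH
                or ev["status"] == 302):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop attempts that fell out of the window
        if len(q) > max_attempts:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

# Constructed sample: one real user, one fast bot, one slow trickle (RFC 5737 IPs).
def _line(ip, hhmmss, status):
    return f'{ip} - - [10/Mar/2024:{hhmmss} +0000] "POST /wp-login.php HTTP/1.1" {status} 0'

SAMPLE_LOG = ([_line("198.51.100.20", "09:00:05", 302)]
              + [_line("203.0.113.7", f"09:01:{s:02d}", 200) for s in range(0, 12, 2)]
              + [_line("203.0.113.9", f"09:{m:02d}:00", 200) for m in (2, 4, 6)])

if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

The slow trickle at 203.0.113.9 only shows up when the window is widened, which is why a plugin’s lockout settings trade off attempt count against window length.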
Using secure usernames and passwords should also be at the top of your list. Shockingly, a lot of people still don’t do this, and if you don’t, you’re leaving yourself open to hacks. So, create a password that is at least 10 characters long with a mix of numbers and letters, and don’t EVER use the username “admin”.
Remembering hundreds of unique 10-character passwords is a daunting prospect for anyone. But don’t worry: there are many great password manager apps for your phone or computer that will securely store your passwords for you.
Keeping your website up to date is an important part of preventing hacks. WordPress and most of the popular plugins are open source software, and some hackers target known weaknesses in old versions of WordPress, plugins or themes. This is why it’s important to keep everything up to date: if you forget to run your updates, you could be leaving your website open to attack.
Running an update in WordPress is very simple. All you have to do is go to your Dashboard and then Updates. This page shows you all the plugins and themes on your website that need updating, and it will even show you if the WordPress core needs updating.
Now, although the process of updating plugins is simple, what happens afterwards could cause clashes on your site. This is because each of your plugins and themes consists of code written by third parties (people other than your developer).
Usually these clashes are worked out within a few hours or days, but they can leave your website in a bit of a state in the meantime. Before you update ANY plugin, you should always look at what changes the author has made, so that you’re aware of what could potentially break your website.
Also, don’t make the mistake of updating your plugins as soon as a release comes out, unless it’s a security update. Leaving it around a week allows time for any errors to be reported and fixed, so you can avoid unnecessary downtime for your website. That downtime can be detrimental to your business if your website regularly receives a lot of traffic.
Backups are hugely important for the security of your WordPress website. If your website is hacked, you can restore it to a previous version. That gives you the breathing space to work out the weak spots in your website and secure them so that hackers cannot perform the same attack again.
You should run backups every day and save them in a secure location. Using a managed WordPress hosting solution such as mine provides more security for your website, because your website is backed up automatically and the secure servers I use are of the highest specification.
Some people don’t realise the importance of website backups until it all goes wrong. When it comes to website security it’s always better to be proactive rather than reactive. Don’t let those cyber-criminals have an easy job.
As a website owner, making sure that your website is as secure as it can be is your responsibility. There is a lot involved in maintaining a WordPress website, or any other website for that matter. By following the steps above you are taking leaps toward securing your website in the right way. These steps won’t 100% hacker-proof your website, but they’re a great start.
Finding the time to keep on top of your website when you’ve got a business to run is not always easy. But just because it’s your responsibility doesn’t mean you can’t get help. I have over 10 years’ experience working with and building WordPress websites.
So, if you don’t have time to manage your website security, speak to me today. You can trust that I have the expertise to keep your website maintained to the highest of standards, minimising the risk to your website and your business reputation. I offer maintenance packages to suit your budget that will ensure your website stays safe.
Contact me today for a friendly chat about how we can improve the security on your website with a monthly maintenance package.