November 23, 2017
In recent times, WordPress has become the most widely used Content Management System (CMS) for publishing content on the Internet. Its popularity makes sites hosted on WordPress a regular target of hacking attacks. Most of those are automated attacks that scan sites across all hosting platforms for any vulnerability. An attack can cause serious damage to your site and your business: hackers can steal user information and passwords, install malicious software, and, worse still, owners may need to pay to regain access to their websites.
As a business owner, it is your responsibility to protect your site similar to how you protect any other business asset. This guide features some simple measures that any user can do to improve WordPress security immediately.
Secure Login Page
You may have noticed that the login page URL for a standard WordPress site usually has either /wp-login.php or /wp-admin/ at the end of the domain name. Knowing these standard URL formats, an attacker may try to brute force their way into your WordPress backend.
Here are some suggestions to secure your login page:
1. Don’t use “admin” as a username
Since the username makes up half of the login credentials, using a simple username such as the default “admin” makes it easier for anyone who wants to attack your site. WordPress used to have “admin” as the default admin username. However, that has changed and now it requires you to select a custom username while installing WordPress.
If you have already created an “admin” user, you can easily create a new user, give it the “Administrator” role, transfer your old posts to the newly created user and delete the “admin” account.
In addition, if you have other users on the site, make sure each user establishes a strong username. Otherwise, your personal efforts won’t matter and your site will be just as vulnerable.
2. Use strong passwords
Again, make sure every user on the site has created a strong password for their login credentials. A simple password is easy to remember, but it is also easier for hackers to crack. A strong password should include numbers, special characters, and uppercase and lowercase letters.
At SplitMango, we use 1Password to manage all of our company and personal login credentials. All your other passwords and important information are protected behind your Master Password, which only you know. The software also enables you to create a more robust password – it generates a random selection of letters, numbers and special characters, which you can then use when setting up a new credential.
If you have a weak password, change it now before reading any further.
3. Turn on 2-step Verification
If you have a Google account, you may already know what this is. More and more companies are implementing it to improve their online security, and you should too. To log in, in addition to your password, you will also need to enter an authentication code that is sent to your mobile phone by SMS or generated by an authenticator app. It is also very quick and easy to set up.
There are several plugins that offer this feature, such as Google Authenticator, Authy Two Factor Authentication, etc. Authy is the go-to software for any 2-step verification that we implement at SplitMango. We chose Authy over Google Authenticator because it has a better UI and provides multi-device support and backups while offering the same functionality.
Keep Everything Up-To-Date
Upgrading is a simple, automated, one-click process within the WordPress interface. Most of the time, hackers exploit bugs that have already been fixed in the latest version of WordPress core, themes and plugins. Hence, you must keep everything up-to-date.
1. Update WordPress core
Always upgrade to the latest version of WordPress. If you are worried about something breaking, make a backup before installing the new version. When a new version comes out, information about the issues and security holes it fixes also becomes public. That makes an out-of-date site easier for hackers to target through its known vulnerabilities.
Whenever you see “Update Available” in your Dashboard, click it and update right away. If you want to learn more about WordPress and its plugins’ vulnerabilities, WPScan Vulnerability Database archives all issues from previous versions of WordPress and its plugins.
2. Update theme and plugins
Plugins and themes are maintained by third-party developers, who also release updates regularly. As with WordPress itself, new versions of themes and plugins are meant to fix the issues and vulnerabilities that remain in the old version. In the first quarter of 2016, the top three outdated plugins contributed to 25% of all WordPress site hacks, according to Sucuri.
Along with regular updates, you should only download plugins and themes from well-known sources, and delete any that you are not using on the site. If you are not using them, there is a big chance that you will not update them either. Hence, deactivating plugins is not enough; you must actually delete them.
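One way to audit a site for the two problems described in this section (out-of-date core and plugins, and installed-but-inactive plugins), as an added example in Python that is not from the original post or from WordPress itself. It parses `$wp_version` from `wp-includes/version.php` and the `Plugin Name:` / `Version:` header lines that every plugin's main file carries. The file contents, the "latest" version table and the active-plugin list are constructed samples; on a real site you would read the files from the web root, take the latest versions from the WordPress.org update API that the Dashboard queries (or from WP-CLI), and take the active list from the site's `active_plugins` option.

```python
import re

# Constructed sample file contents standing in for wp-includes/version.php
# and the header comment of each plugin's main file.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.8.2';\n$wp_db_version = 38590;\n"

SAMPLE_PLUGIN_FILES = {
    "example-gallery/example-gallery.php":
        "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.2.0\n */\n",
    "sample-forms/sample-forms.php":
        "<?php\n/*\nPlugin Name: Sample Forms\nVersion: 3.0.1\n*/\n",
    "old-seo-tool/old-seo-tool.php":
        "<?php\n/**\n * Plugin Name: Old SEO Tool\n * Version: 0.9\n */\n",
}

# Placeholder "latest known" versions (constructed, not real release numbers).
LATEST_CORE = "4.8.3"
LATEST_PLUGINS = {"example-gallery": "1.2.0", "sample-forms": "3.1.0", "old-seo-tool": "1.0"}

# Constructed stand-in for the site's active_plugins option.
ACTIVE_PLUGINS = ["example-gallery/example-gallery.php", "sample-forms/sample-forms.php"]


def parse_core_version(version_php: str) -> str:
    """Extract the value assigned to $wp_version."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def parse_plugin_header(main_file: str) -> dict:
    """Read 'Plugin Name:' and 'Version:' from a plugin's header comment,
    tolerating the '*' / '/*' decoration that precedes each header line."""
    header = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(rf"^[ \t/*#]*{re.escape(key)}:\s*(.+?)\s*$",
                      main_file, re.MULTILINE | re.IGNORECASE)
        if m:
            header[key] = m.group(1)
    return header


def version_key(version: str) -> tuple:
    """Numeric components of a version string, so '4.10' sorts after '4.9'."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_outdated(installed: str, latest: str) -> bool:
    """Compare versions component-wise; '1.0' and '1.0.0' count as equal."""
    a, b = version_key(installed), version_key(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit(version_php, plugin_files, active_plugins, latest_core, latest_plugins):
    """Return a list of human-readable findings: outdated core, outdated
    plugins, and plugins that are installed but not active."""
    findings = []
    core = parse_core_version(version_php)
    if is_outdated(core, latest_core):
        findings.append(f"core: {core} installed, {latest_core} available")
    for path, contents in plugin_files.items():
        slug = path.split("/")[0]
        header = parse_plugin_header(contents)
        name = header.get("Plugin Name", slug)
        installed = header.get("Version", "0")
        latest = latest_plugins.get(slug)
        if latest and is_outdated(installed, latest):
            findings.append(f"plugin {name}: {installed} installed, {latest} available")
        if path not in active_plugins:
            findings.append(f"plugin {name}: inactive, delete it rather than leave it installed")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_VERSION_PHP, SAMPLE_PLUGIN_FILES, ACTIVE_PLUGINS,
                      LATEST_CORE, LATEST_PLUGINS):
        print(line)
```

The inactive check is there because a deactivated plugin's files still sit on the web server and are still reachable, which is why the post says deactivating is not enough. Running a check like this from a scheduled job, rather than relying on someone noticing “Update Available” in the Dashboard, turns the advice above into something that is verified rather than hoped for.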
Take Regular Backups
Although regular updates are essential to WordPress security, sometimes an upgrade will lead to an unforeseen situation. Your database may become corrupted, and plugins may not be compatible with the latest version of WordPress core.
If you have a backup, you can always restore your WordPress website to a working state any time you want, even after an attack. There are many plugins that provide simple backups with built-in restore options.
We Are Here To Help
At SplitMango, an important part of our job is keeping our clients’ websites secure and up-to-date. We make sure our custom-built theme and the plugins that we use will always be compatible with the latest version of WordPress, and if that’s not possible we will find another solution that works for you.
Please contact us to learn more about our service.