Security is a huge issue in web design and keeping your site safe from hackers is always a challenge. No site is invulnerable to hacking attacks, but there is plenty of common sense things to do to harden your site and make it much more likely to avoid the dreaded “hacked” notice. Start with these 10 tips.
1. PASSWORDS – Passwords are the gate to the kingdom. So don’t give them away. The easiest way to have strong passwords is to use a password manager, so you can use a randomised 15 digit minimum character password. Take a look at any “top 10” passwords list, and you’ll see that people still don’t get this. Don’t be one of those people. Your password should include upper & lowercase letters, numbers, and other characters. A password manager like LastPass makes this a breeze.
2. WORDPRESS UPDATES – Each time WordPress is updated, the release notes indicate which security vulnerabilities that update has fixed. The problem with this is thay hackers also see this list, and they exploit it. More than50% of WordPress websites are not updated to the current version. Is yours one of them?
3. THEME & PLUGIN UPDATES – Much the same as with WordPress updates, if you do not update your theme & plugins promptly, you could be leaving your site wide open to malicious attacks. This is especially true if you use any of the popular plugins, as these would receive more focused attacks. The recent Panama Papers scandal; a hack of the Mossack Fonseca website, was purportedly achieved by hacking into the site through an older version of Revolution Slider that had a security vulnerability and had not been updated.
4. ADMIN USERNAME – It’s really, really simple, but your username should be anything but ‘admin.’ Neither should it be related to your name or the site URL; make it unique and complex. Again, if you use a Password manager, it can be as complex as you like. Another added thing to do, in the MySQL database, is to change the ‘nicename’ of users whose usernames will be shown on the site. Read this article to see how to do that.
5. LOGIN OBFUSCATION – With the right code or plugin (iThemes Security plugin offers an easy way to do this), you can easily change the URL of your site’s login page (other than the default wp-admin or wp-login.php) to anything you like, for example, mysite.com/enterhere. This makes it that much more difficult for hackers to find it and attempt to log in to your wp-admin area.
6. BACK UP YOUR WEBSITE – Sometimes the best offense is a strong defense. You can fight hackers with the best security practices, but you can never be 100% secure. A full external backup in place is one of the first things you will need, if and when, your site does get compromised; don’t be caught without one. Your host will keep a number of backups, but make sure you know how many, and how easy they are to restore. Off-site backups are even more secure. BackupBuddy, Updraft Plus, and BackWPup are just a few of the most popular options. Site management tools like ManageWP also offer backup.
7. SECURITY PLUGINS – There are a range of good security plugins available. They take a bit of configuration for them to work to their fullest, but there are many guides on how to do this. The two most popular currently are WordFence and iThemes Security. They do slightly different things, and yes, it is possible to have both running. Don’t be caught with your pants down.
8. LIMIT & BE SELECTIVE WHEN CHOOSING PLUGINS – Plugin enumeration easily allows attackers to discover what plugins your WordPress site is using. By avoiding the installation of unnecessary plugins you automatically reduce your site’s attack surface. When choosing which plugins and themes to use, be selective. Before installation, read up and check how many downloads they have and when they were last updated. The more frequently they are updated, the more likely any security vulnerabilities are patched quickly.
9. REMOVE INACTIVE USERS – Users, especially administrators and others which have the ability to modify content, are among the weakest points of any site because, unfortunately, most users choose weak passwords. If you absolutely need to keep inactive users in your WordPress database, change their role to ‘subscriber’ in order to limit their actions.
10. PROPER WORDPRESS MANAGEMENT – Let’s be honest – you probably don’t have time, or knowledge, to dive into the deep depths of the security of your website, server, and database. You have a business to run. In many cases, the best thing you can do for the security of your website is to hire someone to manage it for you – 24/7/365. Photografica offers a range of plans for your website’s maintenance and security.