Not a moment goes by on the web without a hacker trying to undermine and access a website. Major site hacks are reported and scare us all, but with a few careful considerations and vigilance your WordPress website can be protected. Making a few fundamental changes in how you work and secure your information can help keep your site running and make it more hacker-proof than it is now.
Simple steps to take:
Hopefully your password isn’t 123 and you don’t have the same password across all of your sites! If you do, then this is definitely the place to start: overhaul all of your passwords. Read this article at PC World to get some ideas on how to produce passwords that you can remember but are super-creative. Create passwords using upper case, lower case and numbers, up to 15 characters long, with symbols if you are allowed, and change them on a regular basis. Using the same password for multiple sites is a frightening prospect: a hacker can gain access to all your personal things together with your website, then destroy your site and reputation.
WordPress updates are released to fix bugs, introduce new features and, importantly, patch security holes. The world we live in means that they are usually one step behind the hackers, so when a major security issue becomes known and a patch is made available, don’t procrastinate: put it on! Similarly, when plugin and theme updates are sent, don’t waste time worrying whether the updates will disrupt your site. If you have these worries, reassess how you use them. Things will certainly be disrupted if, because of your dithering, a hacker is able to install a page of encrypted code on your site. The WordPress theme framework Genesis (which we use) is updated almost simultaneously when updates are released by WordPress.
Hackers can find user names quite easily by checking past blog posts or elsewhere. Changing the default ‘admin’ user that a WordPress installation starts with is probably a good move, but it is probably more important to make sure every user name on your site is fully protected by a strong password. Extra protection can be added by using a Yubikey to log in, but if you have read the article on PC World you are armed with the knowledge to produce strong passwords. For added peace of mind, a Yubikey is easily stored on a USB; users cannot log in unless they physically possess the key, which is then inserted at login.
Guard against the Bullies:
Your web host, if you have chosen well, will be protecting you against brute force attacks. They will be regularly monitoring failed login attempts and where they originate from, so that they can lock out offending IP addresses.
You can protect yourself by ensuring you have made things as strong as you can in the above points: passwords, updates and admin access. There are programmes available that will make brute force attacks more difficult, and you could consider installing one of them, e.g. Limit Login Attempts, which is a WordPress plugin.
WordPress hosting is a good choice for the security-conscious, with plugins available that monitor for malware infection, breaches and vulnerabilities.
The WP Security Scan plugin will also hide which version of WordPress you are on and check your blog for admin user password changes.
Keep things tidy by removing plugins and themes you no longer use, as these are areas that are easily accessed, especially if they are out of date.
It can all look rather daunting, but with a carefully chosen web host, strategically picked plugins, some creative passwords and vigilance, your website will remain hacker-free.