GlobalSign Blog

10 Simple Tips to Secure Your WordPress Website


We're pleased to host a guest blog today from Tony Messer, who is the Co-Founder of UK Web Hosting Company pickaweb.co.uk. Tony set the business up with Co-Founder Pilar Torres Wahlberg and since then they have gone on to provide high quality hosting services for tens of thousands of small to medium sized businesses.

Are you using WordPress? If you are then that’s a good choice. Easy to use, loads of great features and powerful SEO means it’s no surprise that WordPress is the world’s number one Content Management System (CMS).

But with that popularity comes an element of risk. As with any popular software, WordPress attracts hackers who will try a number of ways to exploit your site. The last thing you want is to wake up to find your site hacked, suspended for hosting malware or sending phishing emails.

The cost to your reputation, let alone the cost of fixing the hack and restoring your site to a safe and secure level, could be extremely high. It’ll also take a long time to recover the lost trust from your clients. And that’s without factoring in any damage to your search ranking if Google deems your site to be high risk.

But don’t despair. You can easily secure your WordPress site and prevent the vast majority of hacking attempts with some simple security housekeeping.

So here are ten simple ways you can secure your WordPress site.

Simple Tip 1 - Two-Factor Authentication Login

Implementing two-factor authentication (2FA) for logging in is one of the simplest but most effective ways of preventing brute force attacks. It adds an extra layer of login security by requesting additional proof of ID, such as a code generated on your mobile or secret questions.

WP Google Authentication plugin is an excellent example of a 2FA plugin that can easily be installed to secure your site’s login.

Simple Tip 2 - Implementing Login Limits

Limiting the number of login attempts is a simple but effective way of stopping determined hackers and unauthorized manual login attempts. All that’s involved is a lockout mechanism that kicks in after repeated failed attempts on your WordPress login page.

The WP limit login plugin lets you stop brute force attacks on your login page by blocking any IP address that crosses the threshold of failed login attempts in a given time period.
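The threshold-per-time-period logic described above, as an added Python example (not the plugin's code and not part of the original post). It assumes a combined-format access log and that a POST to wp-login.php answered with status 200 is a failed login; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_lockouts(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: time the lockout triggers} using a sliding failure window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        # Assumption: a POST to wp-login.php answered with 200 is a failed
        # login (the form is shown again); a successful login redirects (302).
        path = m["path"].split("?", 1)[0]
        if (m["method"], path, m["status"]) != ("POST", "/wp-login.php", "200"):
            continue
        ip = m["ip"]
        if ip in locked:
            continue              # already blocked, nothing more to count
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()    # forget failures older than the window
        if len(attempts) >= max_failures:
            locked[ip] = ts
    return locked

def _line(ip, clock, status, method="POST"):
    return (f'{ip} - - [12/Mar/2024:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4512')

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = "\n".join([
    *(_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in (1, 9, 17, 25, 33)),
    _line("198.51.100.20", "10:01:00", 200),   # one typo...
    _line("198.51.100.20", "10:01:20", 302),   # ...then a successful login
    _line("198.51.100.20", "10:01:30", 200, method="GET"),  # page view only
    *(_line("192.0.2.55", f"10:{m:02d}:00", 200) for m in (2, 10, 18, 26, 34)),
])

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

The slow attempts from 192.0.2.55 stay under a five-minute window, which is why the window length matters as much as the failure count.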

Simple Tip 3 - Change Admin Login URL

Most people will leave their WordPress admin login set to the default one, which will usually end in either wp-admin or wp-login.php.

You can make your site more secure simply by changing this to something less predictable such as /wp-login.php? or my_login.php etc.

This simple step alone will stop most automated brute force attacks which are set up to attack the default admin URL page. The iThemes security plugin is a comprehensive security plugin that allows you to do this.

Simple Tip 4 - Make Your Passwords Secure

Sometimes the simplest options are amongst the most effective and changing passwords is just good, basic security.

Let’s face it, if your password is as simple as abcd123 then it's just a matter of time before someone breaks into your site. Best practice is to make sure you use a combination of lowercase, uppercase, special characters and numbers for your password. Try to make your password at least 10 characters long using the above combination and you’ll definitely make your life a lot easier.

If you need help with generating a secure password then use this password generator tool.

Simple Tip 5 - Password Protect the WP-Admin Directory

The most important directory of your WordPress website is the wp-admin directory. Therefore, it makes sense to password protect it to add an extra level of login security - one for logging in and one for the WordPress admin area. This can be achieved using the AskApache Password Protect plugin.

Of course, an administrator will often need to visit certain directories within wp-admin, so you can unblock those directories to make administration easier while keeping the rest of wp-admin locked.

Simple Tip 6 - Forcing Strong User Account Passwords

If your blog has multiple users, say from other members of your blog or external contributors, then it would be best to ensure that they are forced to use strong passwords.

Using a plugin like Force Strong Passwords will make sure your admin area is secure. This plugin will make sure that your users are forced to choose secure, difficult to break passwords which incorporate good password protocols, such as using a mix of characters (upper and lower case), numbers and symbols.
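The password rules from Tips 4 and 6 (at least 10 characters, with lowercase, uppercase, numbers and special characters), as an added Python example that is not part of the original post and not the plugin's code. The function names and the symbol set are assumptions chosen for illustration.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}"   # assumed symbol set used for generation
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Each rule is a label plus a test applied to single characters.
RULES = (
    ("lowercase", str.islower),
    ("uppercase", str.isupper),
    ("digit", str.isdigit),
    ("symbol", lambda c: not c.isalnum()),
)

def policy_failures(password, min_length=10):
    """Return the rules the password breaks (empty list means it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for label, test in RULES:
        if not any(test(c) for c in password):
            failures.append(f"no {label} character")
    return failures

def generate_password(length=16):
    """Draw from the OS CSPRNG and retry until every character class appears."""
    if length < 10:
        raise ValueError("length must be at least 10")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_failures(candidate, min_length=length):
            return candidate

if __name__ == "__main__":
    print("abcd123:", policy_failures("abcd123"))
    print("generated:", generate_password())
```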

Simple Tip 7 - Switching to HTTPS (SSL/TLS)

A Man-In-The-Middle Attack (MITM) is where data sent between two parties is intercepted by an eavesdropper in the middle who monitors the data being sent between the two.

The most basic way to prevent this happening is to switch from insecure HTTP to secure HTTPS by using an SSL Certificate. This creates an encrypted, impenetrable link between the browser and the web server.

Aside from the benefit of extra security, HTTPS is actually a stated Google Ranking Factor. So as well as better security, you get a better ranking!

Simple Tip 8 - Actively Monitoring WordPress Files

If your WordPress files are tampered with by a hacker, you’ll want to know about it as quickly as possible to minimize any damage. Plugins like Acunetix WP Security and Wordfence can monitor your WordPress files to track any changes made to them and notify you.

In fact, the Wordfence plugin is one of the most installed security plugins in WordPress. It has live security scanning, monitoring, intrusion detection and prevention features all built in so if you’re looking for an excellent security all-rounder then this plugin is definitely worth considering.

Simple Tip 9 - Perform Regular Back-Ups

If you follow the tips in this post, then hopefully your site won’t get hacked. However, if you do get hacked, the last thing you want is to have to start from scratch or try to work out how to remove any infected files and make your site safe again.

The best way to address this is to ensure that you take regular back-ups of your site. Backing up your sites will allow you to restore your websites from previous working copies if required. There are a number of WordPress plugins that can help you do this such as Vaultpress, Backup Buddy or blogVault.

There is a cost involved with some of these but when compared to the alternative of having a hacked website with no back-up, it is a price worth paying.

Simple Tip 10 - Keep WordPress and Its Plugins Updated

As a hosting company, one of the most common security issues we see with WordPress and other CMS systems like Joomla is having an out of date version or an out of date plugin.

In fact, one of the most common ways hackers can hack into your WordPress website is through plugins that haven’t been patched or updated to the latest versions. However, many plugins have automatic update options so you should consider configuring them to make use of this feature.

WordPress has an automatic update feature from version 3.7 onwards. If you are unsure that you have the latest version, you can check at the official WordPress site.

TIP: Only download plugins that are from the official WordPress website. This will make sure you aren’t being tricked into downloading malware to your site.

Wrap-Up

As you can see there are loads of simple things that you can do to prevent your site getting hacked. Some of them are just basic procedures like using complex passwords, but there are also plenty of plugins that have been created specifically to ensure that your site is safe and secure.

Remember, it's often the simple things that can stop your site getting hacked!

Tony is passionate about helping his clients get the most out of their online presence. He is the Author of the 5 Star Amazon rated book ‘The Lazy Website Syndrome’ which gives the reader a simple 3 step approach to grow their business using online marketing. Tony currently resides in the South of Spain.

Pickaweb offers a full range of services for SMEs including Domain Names, Web Hosting, Reseller Hosting, Virtual Private Servers, Cloud Servers, Dedicated Servers, SSL Certificates and an easy to use Website Builder.
