If you are among the roughly 30% of website owners who run their web properties on WordPress, you should also know that security experts warn that three out of every four WordPress sites are open to attack.
The most common weaknesses are not exotic: weak passwords, an outdated WordPress core, unpatched themes and plugins, and logging in to the administrator account over insecure networks.
It takes only a small effort to adopt a few best practices that secure your WordPress site and make sure you always reach the administrator login over a secure connection.
Secure Your Connection at All Times
An increasing number of site owners access, edit and update their WordPress site on the go. Open Wi-Fi networks at airports, hotels, conference venues and other public places let anyone nearby capture your traffic, and with it any credentials sent in the clear. The same applies to public networks protected by a shared key: anyone who has that key and captures your device joining the network can decrypt your traffic, so a password on the café Wi-Fi does not make it private.
The first line of defence is therefore on the server, not on your laptop: serve the whole site, and the login page and /wp-admin/ above all, over HTTPS only. Setting FORCE_SSL_ADMIN to true in wp-config.php makes WordPress refuse plain-HTTP dashboard sessions. A virtual private network (VPN) is the second layer. A reputable VPN encrypts all traffic between your device and the provider's server, so nothing on the local network can be read, and it hides your real location if you are in a restricted country or simply prefer not to reveal it. Note what it does not do: the tunnel ends at the VPN provider, and the hop from there to your site is protected only by HTTPS. Take your time choosing a provider you actually trust, because it can see everything the café could have.
While you are at it, stop using the default administrator username "admin", which hands an attacker half of the login credentials; the other half is, of course, the password. WordPress does not let you rename an account from the dashboard, so create a new administrator with a different username, log in as that user and delete the old "admin" account, reassigning its content to the new one. Treat this as a speed bump rather than a wall: WordPress reveals usernames through author archives and the REST API, so the password is still what keeps the account safe.
You Need Strong Passwords for a Reason
Using a reliable VPN service is not a replacement for a strong password. A few habits make it much harder for an intruder to get into your site.
Length matters more than anything else. Treat 12 characters as the floor rather than the target; there is no upper limit, and a passphrase of four or five unrelated words is both long and easy to remember. Mixing lowercase letters, uppercase letters, digits and symbols helps only if the result is not a predictable substitution: "P@ssw0rd1!" satisfies every complexity rule and is still among the first guesses any cracking tool makes.
Never use the same password on more than one site or platform, and do not derive site passwords from one master password by changing a couple of characters: when one of them leaks, the first thing an attacker tries on your other accounts is exactly that kind of variation. A password manager solves both problems by generating and storing a unique random password per site, so you only ever have to remember one strong passphrase.
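Rules like these are only advice unless the site enforces them. WordPress ships a client-side strength meter but lets a user confirm a weak password, and checks nothing on the server. The must-use plugin below is an added example, not code from this article or from WordPress itself: it rejects weak passwords on the dashboard user screens and in the password-reset flow. The 12-character floor and the tiny deny-list are assumptions of the example, not a recommendation from the page.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 * It rejects weak passwords when a user is created or edited in the dashboard
 * and when a password is set through the "lost password" flow.
 * Assumptions (not from the article): a 12-character floor and a short,
 * constructed deny-list of common passwords.
 */

const MPP_MIN_LENGTH = 12;

/** Constructed sample of common passwords; a real deployment uses a large breach list. */
const MPP_DENY_LIST = ['password', 'password1', '123456789012', 'qwertyuiop12', 'wordpress123'];

/**
 * Returns human-readable problems with $password; an empty array means it is acceptable.
 */
function mpp_password_problems(string $password, string $username): array {
    $problems = [];
    // strlen counts bytes; a multibyte password can only be longer than this, never shorter.
    if (strlen($password) < MPP_MIN_LENGTH) {
        $problems[] = sprintf('Password must be at least %d characters long.', MPP_MIN_LENGTH);
    }
    if (in_array(strtolower($password), MPP_DENY_LIST, true)) {
        $problems[] = 'That password is on the list of commonly guessed passwords.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'Password must not contain the username.';
    }
    // "aaaaaaaaaaaa" or "121212121212" pass the length check but carry almost no entropy.
    if (count(array_unique(str_split($password))) <= 4) {
        $problems[] = 'Password uses too few distinct characters.';
    }
    return $problems;
}

/** Shared handler: every problem becomes an entry in the WP_Error WordPress shows the user. */
function mpp_add_errors(WP_Error $errors, string $password, string $username): void {
    foreach (mpp_password_problems($password, $username) as $problem) {
        $errors->add('weak_password', $problem);
    }
}

// Dashboard profile and "add user" screens (edit_user() in wp-admin/includes/user.php).
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user) {
    if (empty($_POST['pass1'])) {
        return; // No password change was submitted.
    }
    $username = isset($user->user_login) ? (string) $user->user_login : '';
    mpp_add_errors($errors, (string) $_POST['pass1'], $username);
}, 10, 3);

// Password reset form (wp-login.php?action=rp); $user is a WP_User when the reset key was valid.
add_action('validate_password_reset', function (WP_Error $errors, $user) {
    if (empty($_POST['pass1'])) {
        return;
    }
    $username = ($user instanceof WP_User) ? $user->user_login : '';
    mpp_add_errors($errors, (string) $_POST['pass1'], $username);
}, 10, 2);
```

Both hooks receive the WP_Error object WordPress already uses to report problems, so adding entries to it is enough to abort the save and show the messages; no output or redirect handling is needed. Application passwords and logins are not affected, only the setting of a new password.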
Never Postpone WordPress Patches and Updates
WordPress powers a large share of the web, which makes it a target for constant, automated attacks. A single outdated plugin can be the weak point an attacker uses to compromise your site, because a published fix tells attackers exactly where to look.
The WordPress core team ships new releases on a regular basis, and minor releases frequently contain one or more security fixes. Running the latest version markedly lowers the chance that someone gets in through a known, already patched vulnerability. Since WordPress 3.7, minor security releases install themselves unless you have disabled that behaviour.
The same applies to every theme, plugin and other piece of software you run on or next to WordPress. Plugins and themes are, if anything, more exposed: a good number of them are maintained by individual developers or small teams without the resources to patch on a regular schedule, and a plugin that has not seen an update in years may never be fixed at all.
Do not download and install plugins from obscure sources. Prefer the official directory, and before installing check that the developer is trustworthy, that the plugin has been updated recently and declares compatibility with your WordPress version, and that someone actually answers its support forum.
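Automatic updates are the practical way to keep the gap between a fix being published and your site having it short. WordPress installs minor core releases on its own by default, but plugins and themes only auto-update when you say so. The must-use plugin below is an added example, not code from this article or from the WordPress project: it turns on automatic plugin and theme updates for everything except a pinned list you want to test on staging first, and logs the outcome of each run so that a failed update is noticed. The pinned slug 'custom-checkout' is a hypothetical placeholder. Major core releases are a separate switch, define('WP_AUTO_UPDATE_CORE', true) in wp-config.php, which the example does not touch.

```php
<?php
/**
 * Plugin Name: Automatic update policy (added example)
 *
 * Place in wp-content/mu-plugins/. WordPress applies minor core releases
 * automatically by default but not plugin or theme updates; the filters
 * below turn those on for everything except a pinned list, and log the
 * result of every automatic update run so failures do not go unnoticed.
 */

/** Plugins whose updates must be tested on staging first (hypothetical slugs). */
const AUP_PINNED_PLUGINS = ['custom-checkout'];

/**
 * Decide whether a plugin may update on its own.
 *
 * @param bool|null $update Decision so far (null when nothing has forced one).
 * @param object    $item   Update object; ->slug is the plugin's directory name.
 * @return bool
 */
function aup_auto_update_plugin($update, $item) {
    $slug = isset($item->slug) ? (string) $item->slug : '';
    if (in_array($slug, AUP_PINNED_PLUGINS, true)) {
        return false; // Keep manual control over pinned plugins.
    }
    return true;
}
add_filter('auto_update_plugin', 'aup_auto_update_plugin', 10, 2);

// No pinned list for themes here: update all of them.
add_filter('auto_update_theme', '__return_true');

/**
 * Log every automatic update result. $results is keyed by type
 * ('core', 'plugin', 'theme', 'translation'); each entry carries ->name
 * and ->result, which is a WP_Error or false on failure and true (or, for
 * core, the new version string) on success.
 */
function aup_log_results(array $results): void {
    foreach ($results as $type => $updates) {
        foreach ($updates as $update) {
            $name   = isset($update->name) ? $update->name : '(unknown)';
            $result = isset($update->result) ? $update->result : null;
            $failed = is_wp_error($result) || empty($result);
            if ($failed) {
                $why = is_wp_error($result) ? $result->get_error_message() : 'no result returned';
                error_log(sprintf('[auto-update] %s "%s" FAILED: %s', $type, $name, $why));
            } else {
                error_log(sprintf('[auto-update] %s "%s" updated', $type, $name));
            }
        }
    }
}
add_action('automatic_updates_complete', 'aup_log_results');
```

Must-use plugins load automatically and cannot be deactivated from the dashboard, which is what you want for a policy file. After deploying it, the Plugins screen shows auto-updates as enabled for everything except the pinned entries; for an inventory of what is still pending, WP-CLI's `wp plugin list --update=available` and `wp theme list --update=available` give a quick answer from the shell.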
Hosting Provider and Backups Matter
You can host WordPress on your own servers, but most users prefer a third-party hosting provider. Whichever you choose, the host should be equipped to protect a WordPress site: a web application firewall in front of it, malware scanning of the web root, and properly configured, up-to-date PHP and MySQL or MariaDB. Check that the host runs a PHP version that still receives security updates; an end-of-life PHP undermines everything layered on top of it.
Furthermore, a decent WordPress host should take regular backups in case something goes wrong with your site or their servers. You can also use WordPress backup plugins that let administrators take backups themselves and restore the site when needed. In either case a backup needs two things to be worth anything: it must be kept somewhere other than the web server it protects, so that an attacker who wipes the site cannot wipe the backups with it, and you must have actually restored from it at least once, because an untested backup is a hope, not a plan.
It is always better to spend some time on scheduled backups than to lose your data to a targeted attack or to some random piece of malware released in the wild.
Monitor Your WordPress Site and Files
There are ways to monitor both account activity and file changes on your WordPress site, and they catch the two things attackers most often do: guess passwords and modify files. Brute force attacks are the obvious example. Two defences work against them: two-factor authentication and a limit on login attempts. Two-factor authentication requires a second proof of identity, usually a one-time code from an authenticator app on your phone (SMS codes work too but are easier to intercept), entered together with your WordPress username and password, so a guessed or stolen password on its own is not enough. WordPress core does not include 2FA; it comes from a plugin.
Because brute force tactics rely on repeated login attempts that work through possible passwords one after another, limiting the number of attempts allowed from one address or against one account within a given period stops the naive version cold. It is a complement to strong passwords and 2FA rather than a substitute: attackers spread attempts across many addresses and slow them down to stay under the limit, and a limiter keyed on the account alone lets them lock legitimate users out on purpose.
Finally, you can use a tool that monitors and tracks changes to the WordPress files. The simplest check is built into WP-CLI: wp core verify-checksums compares every core file against the official checksums for your version and reports anything added or altered, and wp plugin verify-checksums --all does the same for plugins from the official directory. Any plugin you add for this job needs the same scrutiny as the rest: it runs with full privileges and can introduce vulnerabilities of its own.
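The login-attempt limit described above, as an added example that is not code from this article or from WordPress: a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once the limit is reached. The five-failure limit and the 15-minute window are assumptions, as is the absence of a reverse proxy or CDN in front of the site.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Place in wp-content/mu-plugins/. Counts failed logins per client address
 * in a transient and refuses further attempts once the limit is hit.
 * Assumptions (not from the article): 5 failures within 15 minutes lock
 * that address out for 15 minutes; no reverse proxy in front of the site.
 */

const LAL_MAX_FAILURES = 5;
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;

/** Transient key for the calling client. */
function lal_key(): string {
    // REMOTE_ADDR is the TCP peer. Behind a CDN or load balancer it is the
    // proxy's address for everyone, and this limiter would lock out all
    // users at once; in that setup derive the key from the proxy-supplied
    // header, and only when the request really came from your proxy.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_' . md5($ip);
}

/** Failures recorded for this client inside the current window. */
function lal_failures(): int {
    return (int) get_transient(lal_key());
}

// Fires for every failed login, including attempts the limiter itself refused,
// so continued hammering keeps extending the lockout.
add_action('wp_login_failed', function ($username) {
    set_transient(lal_key(), lal_failures() + 1, LAL_WINDOW);
});

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out client gets the same answer whether or not the password was
// right; returning a WP_Error makes wp_signon fail and fire wp_login_failed.
add_filter('authenticate', function ($user, $username, $password) {
    if (lal_failures() >= LAL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts from your address. Try again in 15 minutes.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_key());
}, 10, 2);
```

The authenticate filter also runs for logins over xmlrpc.php, which go through the same wp_authenticate path, so the limit cannot be dodged by switching endpoints. Transients live in the options table unless a persistent object cache is configured; on a multi-server setup a shared cache is needed for the counters to agree. Keying on the client address rather than the username is deliberate: a per-account counter would let an attacker lock the real administrator out by failing on purpose.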
To conclude, start with the most basic protections: serve the site over HTTPS, change the default administrator username and settings, and update WordPress together with every theme and plugin you use.
Then perform a more thorough security audit: delete unused themes and plugins rather than merely deactivating them, since deactivated code is still on disk, and introduce the advanced login and file tracking controls described above.