Trying to protect your WordPress website? Start with the basic security practices shown in this article.
It’s every website owner’s worst nightmare – a hacker has gained access to your WordPress site. All the time, effort, and revenue you’ve put into that site slowly goes down the drain as you desperately try to regain control. The good news is that this situation is easy to avoid. The bad news is that you might not be doing everything necessary to avoid it.
As of 2013, more than 70% of WordPress sites were vulnerable to attack from cybercriminals. Unfortunately, it’s unlikely that number has changed much, even to the present day. The reason for that is simple.
Most site owners don’t do enough to protect their assets.
It’s easy to cower in fear at the idea of the sophisticated black hat, equipped with an arsenal of unstoppable hacking tools that allow them to break into whatever system they choose. Such organized experts comprise the minority of digital criminals, however. And even the sophisticated ones will more often than not choose the path of least resistance over an approach that’s unnecessarily complicated.
To put it another way, why bother scaling the side of a building when you can just walk through an unlocked door?
On its own, WordPress is actually a relatively secure platform. The team regularly releases security patches and updates. Moreover, they provide users with a wealth of first-party plugins and tools to help them protect their sites against everything from spam and malware to brute force attacks.
More often than not, a site gets hacked because its owner overlooked something.
They installed a plugin they shouldn’t have. They failed to install a security patch and left their site running with a known vulnerability. They used a weak username or password, or they installed a theme from an untested, unauthorized third party. They worked with a host that wasn’t serious enough about security.
In other words, they overlooked the basic best practices of cybersecurity, and it cost them. If you still aren’t sold, WP Template recently published an infographic detailing the most common avenues through which sites are compromised. The results are quite telling:
- 41% of hacks are the result of a vulnerability in the hosting platform.
- 29% are due to an insecure theme.
- 22% are because of a vulnerable plugin.
- 8% are due to weak usernames/passwords.
That’s it. No complicated hacking campaigns, no government-sponsored black hat agencies. Simple, exploitable vulnerabilities – most of which are patched shortly after being discovered.
That’s good news, because protecting against such attacks is actually quite easy:
- Run regular malware scans on your WordPress site.
- Install an antispam tool such as Akismet.
- When a new security patch is released for a plugin or for your WordPress installation, update immediately – don’t wait.
- Only install plugins and themes from trusted sources and marketplaces – and never install a premium theme if someone tries to offer it for ‘free.’
- Change your username and password away from the default, and use something both strong and memorable. GREATd0nkeyMAHOGANYavenue is a good example of a strong password. “Password” is not.
- Make sure you know exactly who has access to your site, and that they aren’t doing anything to compromise your data.
- Maintain regular backups of your WordPress installation.
- Use two-factor authentication – with the built-in authenticator, not SMS.
- Make sure wp-config.php and .htaccess are hidden.
- Limit login attempts to your site.
- Ensure the host you’ve chosen is secure.
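As an added example (not from the original article) for the wp-config.php and .htaccess item above: a static check that a site's `.htaccess` denies web access to both files. It assumes an Apache host and takes "hidden" to mean "not served over HTTP"; the function names and sample inputs are constructed for illustration.

```python
import fnmatch
import re

# The two files the checklist says should be hidden.
TARGETS = ("wp-config.php", ".htaccess")

OPEN = re.compile(r'^\s*<(Files|FilesMatch)\s+(~\s+)?"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</(Files|FilesMatch)\s*>', re.I)
# Apache 2.4 syntax, and the older 2.2 syntax still found in many tutorials.
DENY = re.compile(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I)

def denied_files(htaccess_text):
    """Return the TARGETS that a <Files>/<FilesMatch> block denies."""
    denied, block = set(), None
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out rule protects nothing
        opened = OPEN.match(line)
        if opened:
            # <FilesMatch> and "<Files ~" take a regex; plain <Files> takes a glob.
            is_regex = opened.group(1).lower() == "filesmatch" or bool(opened.group(2))
            block = (is_regex, opened.group(3).strip())
        elif CLOSE.match(line):
            block = None
        elif block and DENY.match(line):
            is_regex, pattern = block
            for name in TARGETS:
                hit = re.search(pattern, name) if is_regex else fnmatch.fnmatchcase(name, pattern)
                if hit:
                    denied.add(name)
    return denied

def missing_rules(htaccess_text):
    """List the TARGETS with no deny rule, in checklist order."""
    denied = denied_files(htaccess_text)
    return [name for name in TARGETS if name not in denied]

# Constructed sample inputs (not taken from a real site).
WEAK = "RewriteEngine On\nRewriteRule . /index.php [L]\n"
HARDENED = r'''
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
'''

if __name__ == "__main__":
    print("weak:", missing_rules(WEAK))
    print("hardened:", missing_rules(HARDENED))
```

A rule in `.htaccess` only takes effect if the server's `AllowOverride` setting permits it, so confirm the result by requesting both files from the live site and checking for a 403 response.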
Sure, if your site gets targeted by a highly sophisticated criminal enterprise, there’s probably little you can do. But the chances of that actually happening are infinitesimally small. You’re far likelier to run afoul of an opportunist who doesn’t know your website from a hole in the ground – a criminal who’s just looking for something vulnerable to attack.
By following the advice here, you can ensure you’re an unattractive target for such crooks, and that they will ultimately look for victims elsewhere.
Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services.