Website security tips for WordPress sites.

How can you protect your website from hackers and keep your resources secure?

Like many website owners, you may think that your site isn’t high- profile enough to be hacked. However, website hacks aren’t just to steal your valuable information. They’re also to use your website resources to set up temporary servers to host files or relay spam email.

Furthermore, hacking, like many industries, has learned how to use automation to save time. Many hackers aren’t targeting the high-profile websites, because these sites have already extensive security defenses in place to keep them secure. Instead, they’re using automated scripts to search for easily-exploitable websites. Once the script find a site without secure password protection, for instance, it can crack the site login and alert the hacker once its gained access.

Fortunately, there are several precautions you can take to secure your website that will thwart most hacking attempts. Take a look at these best practice and see how many of them you follow.

1. Keep WordPress up to date.

Many of the most publicized security breaches of the past few years have exploited known software weaknesses, and could have been avoided had the user kept the software up to date. This is because many software updates are to patch security weaknesses. By staying up to date, you can take advantage of the latest security updates as soon as they come out.

There is, however, a caveat. Many WordPress users have run into trouble when they go to run an update that it causes problems with their site. Avoiding this issue isn’t hard. If the update is only a small one to fix a few bugs, then you probably don’t have much to be concerned about. On a major update, however, you should test it first on a non-production site in case of compatibility issues.

Of course, if you’re already working with a trusted web development team, you can leave plugin updates in their hands.

2. Manage your plugins.

Tied to the above: know your plugins. Don’t install plugins from sources without a good online reputation. Even if the plugin company means well, if they aren’t following good security procedures it could impact your site.

Like WordPress, you will need to keep your plugins up to date, and like WordPress, you should test major updates before you apply them to your entire site. Because of this, make sure you uninstall any plugins you aren’t using. There’s no reason to keep updating or to leave yourself exposed because of a plugin you aren’t using.

3. Change your login URL.

It’s harder for hackers to break your login page if they can’t find it. Most WordPress sites come with a default user login of example.com/wp-login or example.com/wp-admin. Changing the login URL to /my_business-login is an easy way to make a hacker’s job harder.

4. Use smart login credentials.

Using “admin” as your username is as careless and sloppy as using “password” as your password, so make sure no user on your site has that as their username. Also make sure that every site user has a strong password.

Strong passwords are a 16-digit-or-more random combination of numbers, letters, and special characters. You won’t be able to remember it, so be sure to write it down and store it safely. This may seem counterintuitive to you, but you are at far greater risk of a brute force attack than that someone will find the password you’ve written down and use it to crack your system.

Brute force attacks are when a program tries every combination to login. The shorter your password is, and the fewer acceptable characters there are, the faster it will be to crack. On the other hand, brute force attacks are easy to thwart simply by picking a longer password.

Passwords that contain recognizable words are also not recommended, as some hacking programs can use a dictionary attack to spot known word phrases. And of course, make sure that any password you choose is unique. Don’t use it anywhere else.

5. Use multifactor authentication.

Multifactor authentication requires two or more different verification factors for access. Different factors could include a thing you know, a thing you own, or a thing you are. So, for instance, your username and password are both things you know. Because they are the same type of factor, they don’t count as multifactor authentication. But a password plus a piece of biometric data would be a think you know plus a thing you are.

Most multifactor (or two-factor) authentication programs use a thing you know (your username and password) combined with a thing you own (your phone or email account) for verification. After typing in your login credentials, these programs will send a text to your phone or an email to your inbox to confirm that you are who you say you are. This is easy to enable, and a strong step toward login security.

6. Enable CAPTCHA on your login form.

You know those picture puzzles you sometimes see when you go to login to a website that show you an image and ask you to type in the letter/number combination you see? That’s called a CAPTCHA, and it’s in place to make sure a human being is logging in and not a bot.

While CAPTCHA can often be irritating, they are effective. And the good news is that they are becoming more user-friendly. These days, many CAPTCHA are as easy as a box you have to check, or a simply math problem you have to solve. They’re easy to put in place, and do a lot to secure your website.

7. Enable SSL on your entire site.

As we wrote recently, SSL protects your website by encrypting information as it travels from your browser to a webhost. Without SSL in place, your website is vulnerable to a man-in-the-middle attack. This is when a hacker captures your data as it travels to or from your server. By encrypting the data during transfer, SSL can keep your login credentials safe.

8. Backup your website.

If you do experience a data breach, you will be grateful to have your site backed up elsewhere. In fact, this is so important that you automate your backups so that you never forget. Decide how frequently your backups need to happen, and then use a backup plugin to make sure it happens on a schedule. If your site is ever compromised, you will be relieved to have fast way to restore your site.

You can keep your website secure.

With the abundance of stories in the news every day about the latest security breach, you may wonder if keeping your website secure is even possible. The bad news is that, unless you have exceptional resources to devote to your website security, it will probably never be hacker-proof. But the good news is that you don’t need it to be: you just need it to be hard enough to deter most hackers.

Think about it like home security. If someone decides to target your house, specifically, they will find a way in. But most burglars aren’t targeting individuals, they’re looking for the easiest house to rob. If you keep your doors and windows locked, your garage door closed, and your security system enabled, most would-be robbers will go elsewhere.

Most website security is about following some common-sense best practices to cut down on known weaknesses. By adhering to these precautions, you can patch up the most common vulnerabilities and be reassured that your site won’t be easily exploited.

Published 10/12/17 by Laura Lynch