September 23rd, 2016

WordPress web security: is your website safe?


Make sure you take these basic website security measures

Getting hacked is bad news. It can mean leaked credit card information, viruses, corrupted content, and loss of credibility with your customers. With all the moving pieces involved in a website, and with many of them out of your hands, it’s probably impossible to have a 100% secure website. However, most hackers are looking for an easy win, so all you have to do is make hacking your website hard enough, and they’ll move on to easier prey. Here are some basic best practices to follow for WordPress web security.

Use strong passwords

This is the most basic step you can take.

And by “strong,” we don’t mean “over eight letters with some capitalizations and a few added numbers.”

No, we mean a combination of at least 16 randomly-generated numbers, letters, and special characters. This is the most secure password you can possibly have. Any other password you use will not be worth your while. You won’t be able to remember it, so save it some place secure. You’ll be a lot safer than with a password like Sup3rS3cr3t (which, FYI, is super easy for a computer to crack).

2-factor authentication

Enable 2-factor authentication on every one of your key accounts. The way this usually works is that when you try to log in, your phone gets a 6-digit text, which changes every time you attempt a login. Not only does this add another validation field to be cracked, but because it changes each time, the hacking computer can’t eliminate possible codes.

You can also set up your login page to make you solve simple math questions (what is 10 + 1?) when you log in, or to include a CAPTCHA. It may seem annoying, but it’s a worthwhile step.

Customize your default login URL

The most common hacking tactic is a brute force attack on the login to the backend of your website. Most WordPress users know that the default login URL is their own website’s URL with /wp-login.php or /wp-admin tacked to the end.

So all someone wanting to hack your site has to do is go to yourwebsite.com, try one of those two URLs (yourwebsite.com/wp-login.php or yourwebsite.com/wp-admin), and then start hammering your login page with passwords until one of them works.

Fortunately, there’s a simple solution to this hack: change your login URL. Make it something like yourwebsite.com/super-secret-access-code. You’ll spare yourself from the vast majority of brute force attacks for the simple reason that your attacker doesn’t know the URL to your login page.

Easy win.

Keep your plugins up to date

Of course, you should begin by only using trusted plugins. If you’re using a plugin that could risk the integrity of your website, it’s simply not worth installing. But even the best-reviewed plugins can pose a security risk if you don’t take the time to update them. So stop ignoring those “plugin update required” notifications: you could be putting your site at risk.

SSL implementation

A Secure Sockets Layer certificate protects the transfer of data between your browser and your server. This is a simple step to put in place, and is offered by any good hosting company (as we covered in our previous post!). Not only does this make your website safer, it also improves your Google rankings. How’s that for smart SEO!

Any more questions about WordPress web security?

Of course, all this is just scratching the surface. There are many more things you can and should do to protect yourself and your customers. So, if you have any particular questions, we’d be happy to talk to you! We may even blog about it.
