WordPress is the most popular and widely used CMS in the world. It powers almost 27% of all websites and holds 76.4% of the CMS market, so it is important to talk about the security of WordPress websites.
Recent WordPress security statistics show that more than 200,000 WordPress sites were hacked in 2012, a whopping 18% increase compared to the 150,000 in 2011. This rise in attacks clearly shows that WordPress blogs and websites are an easy target for hackers and that we need to pay attention to WordPress security.
Some key stats about WordPress hacking:
41% of WordPress sites were hacked through a security vulnerability on the hosting platform.
29% were hacked through the WordPress theme in use.
22% were hacked through a security issue in a WordPress plugin.
8% were hacked because of a weak password.
So 51% of hacked WordPress sites are due to themes and plugins alone. You must evaluate a plugin carefully before installing it.
Check the number of downloads, the number of updates (versions) released over its years of development, and the reviews.
The same procedure goes for the theme you want to use.
I have divided the security check into 4 parts you must follow to improve your WordPress security:
1. How to secure the login page.
2. How to secure your admin dashboard.
3. How to secure the database and hosting.
4. How to secure your WordPress themes and plugins.
1. How to secure your login page:
Strong usernames and passwords:
Make sure your users are using strong usernames and passwords. Do not use “admin” as your username or password; that is a common WordPress mistake.
Change your password regularly:
You should change your password regularly. Always use uppercase and lowercase letters, numbers, and special characters for good strength. You can also use a password generator plugin.
Integrate 2-factor authentication:
You can add 2-factor authentication (2FA) to the login page. Every time a user logs in, they need both a password and an authorization code sent to their phone or email; often the second code is sent via SMS. Several plugins add this feature, such as Google Authenticator and Duo Two-Factor Authentication.
Limit login attempts:
Adding a lockdown feature for failed login attempts can stop hackers from using brute force. A brute-force attack is a hacking attempt that tries wrong passwords repeatedly. If you limit login attempts, the login is locked for that user after too many failures and you are notified by mail of the unauthorized activity.
Login LockDown is great for limiting login attempts and keeping the website safe from brute force. Plugins such as iThemes Security and Sucuri Security also offer this feature.
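As an added example (not code from Login LockDown or the other plugins named above), here is a minimal must-use plugin that implements the same lockdown and notification with WordPress's own hooks; the attempt limit, the window length, the per-IP keying and the file name are assumptions:

```php
<?php
/**
 * Plugin Name: Minimal login lockdown (illustrative, not one of the plugins above)
 * Install: save as wp-content/mu-plugins/login-lockdown.php.
 */

define( 'MLL_MAX_ATTEMPTS', 5 );                // assumed failures allowed before lockout
define( 'MLL_WINDOW', 15 * MINUTE_IN_SECONDS ); // assumed counting window and lockout length

// One counter per client address (assumption: REMOTE_ADDR is the real client;
// behind a reverse proxy, derive the address from the header your proxy sets).
function mll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'mll_fail_' . md5( $ip );
}

// Count every failed login in a transient that expires with the window.
// set_transient() restarts the expiry, so attempts made during a lockout extend it.
function mll_record_failure( $username ) {
    $key      = mll_client_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, MLL_WINDOW );
    if ( MLL_MAX_ATTEMPTS === $attempts ) {
        // Notify the site owner once, at the moment the lockout starts.
        $body = sprintf(
            "%d failed logins for username '%s' from %s; further attempts are blocked for %d minutes.",
            $attempts,
            sanitize_user( $username ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            MLL_WINDOW / MINUTE_IN_SECONDS
        );
        wp_mail( get_option( 'admin_email' ), 'Login lockout triggered', $body );
    }
}
add_action( 'wp_login_failed', 'mll_record_failure' );

// Priority 30 runs after core's password check (priority 20); while the client
// is locked out, replace whatever core decided with an error.
function mll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( mll_client_key() ) >= MLL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'mll_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () { delete_transient( mll_client_key() ); } );
```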
2. Keep Track of Dashboard Activity.
Use SSL to encrypt data
You can secure the admin panel by implementing an SSL (Secure Sockets Layer) certificate. SSL encrypts the data in transit between the visitor's browser and the server, making it difficult for hackers to intercept the connection and break into your website. It also affects your website’s rankings at Google: Google ranks sites with SSL higher than those without it, which means more traffic.
You can get an SSL certificate for your WordPress website from a dedicated certificate company, or ask your hosting firm to provide one.
SiteGround offers free Let’s Encrypt certificates with their hosting packages.
Add user accounts with care
Check carefully to whom you give access to your admin panel. If that person uses a weak password, your website becomes vulnerable to security threats.
You can use plugins to make sure the passwords your users log in with are strong and secure; the Force Strong Passwords plugin enforces this for all of your users.
Change or Hide Author Usernames
Avoid using “admin” as your username during WordPress installation; choose a different, unique username instead. An easy-to-guess username helps hackers, because then they only have to guess the password.
You can use the iThemes Security plugin to stop such attempts by immediately banning any IP address that tries to log in with that username.
Most of the time the main author of a site is also the administrator, so it is easy for hackers to find the admin’s username.
It is therefore a good idea to hide the author’s username.
3. How to secure the database and hosting:
Back up your website data regularly
Make scheduled backups regularly to keep your website data safe. Scheduled backups are an essential part of a security strategy because there is always room for error; if you ever need to restore the website, you need a backup. You can choose a plugin like VaultPress, BlogVault, BackupBuddy, or WordPress Backup to Dropbox for simple backups with built-in restore options.
Strong passwords for your database
Choose a strong password for the main database. As always, use uppercase and lowercase letters, numbers, and special characters. Any password generator is a useful resource here.
Protect Your Files Using .htaccess
Have you heard of the .htaccess file before? Through this file, WordPress controls how Apache serves files from its root directory.
You should always put an index.html file in a newly created directory; if you don't, visitors can get a full directory listing of everything in it.
If you have created a directory called “test”, anyone can view it simply by typing http://www.testing.com/test/ in a browser, without needing a password.
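The directory-listing problem, and the wp-config.php file that holds the database password from the previous section, can both be closed in .htaccess itself. As an added example that is not from the original post, the following must-use plugin appends two Apache 2.4 directives to the block WordPress maintains in .htaccess (it is rewritten whenever pretty permalinks are saved); the plugin name and file name are assumptions:

```php
<?php
/**
 * Plugin Name: .htaccess hardening (illustrative mu-plugin)
 * Install: save as wp-content/mu-plugins/htaccess-hardening.php, then re-save
 * Settings > Permalinks once so WordPress rewrites its .htaccess block.
 */

// WordPress passes the rewrite rules it is about to write between the
// "# BEGIN WordPress" and "# END WordPress" markers through this filter
// (only when pretty permalinks are enabled and mod_rewrite is detected).
function hh_htaccess_rules( $rules ) {
    $hardening = <<<'APACHE'
# Answer with an error instead of a file list when a directory has no index file.
Options -Indexes

# wp-config.php holds the database credentials; never serve it over HTTP.
# (Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" and "Deny from all".)
<Files wp-config.php>
    Require all denied
</Files>

APACHE;
    return $hardening . $rules;
}
add_filter( 'mod_rewrite_rules', 'hh_htaccess_rules' );
```

Options -Indexes only takes effect if the host's AllowOverride setting includes Options; if Apache starts answering 500 after the change, remove that line and rely on the index file approach described above.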
4. How to secure your WordPress themes and plugins:
Always keep your software up to date. Updates are released to fix bugs and to ship important security patches.
Many WordPress users do not update, or simply forget to update, their themes and plugins, and this can lead to serious problems. Hackers benefit from this lazy habit and exploit bugs that have already been fixed.
So if you use WordPress, update plugins, themes, everything, regularly.
Remove your WordPress version number
Your current WordPress version number can be found very easily: it is in your site’s page source. If a hacker knows which version of WordPress you use, they can easily exploit it.
Almost every security plugin can hide your version number.
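Beyond the plugins, the version string can be removed with a few lines of WordPress's own hook API. This is an added example, not from the original post; it also strips the core version from the ?ver= query on enqueued scripts and styles, where the same number appears, while leaving plugins' own cache-busting versions alone. Hiding the string only removes a hint; the fix for the underlying vulnerability is the update discussed above.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (illustrative mu-plugin)
 * Install: save as wp-content/mu-plugins/hide-version.php.
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag in the page head.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same string in RSS/Atom feeds and wherever the_generator() is used.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core stylesheets and scripts are enqueued with ?ver=<WordPress version>.
//    Strip ?ver= only when it carries the core version, so a plugin's own
//    version number (used for cache busting) stays intact.
function hv_strip_core_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $core_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src', 'hv_strip_core_version' );
add_filter( 'script_loader_src', 'hv_strip_core_version' );
```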
Securing your WordPress site is much more than just installing a security plugin. Keep the little things in mind and always stay ahead of the hacker. Keep your software and updates current.
What do you do to keep your WordPress sites secure? If I missed or overlooked any detail that you think is vital, please let us know in the comments below.