The 10 commandments of WordPress security
WordPress is the most popular content management system in the world. But what can you do to maximise your WordPress security?
Over time WordPress’ popularity has grown, creating a large community of users and developers. This has enabled the sharing of open-source features that have helped to expand its capabilities. It’s thanks to this large community and the free resources available that more and more people from every background are starting to learn how to code.
Of course, with great open-source code and add-on features comes great responsibility. If you’re familiar with WordPress then you may have come across the occasional security issue along the way, as is expected with all websites. However, we needn’t think of website security as the terrifying unknown; we just need to recognise the common security breaches that occur with regard to our specific framework and what we can do to safeguard ourselves from them.
As a web design agency, we love WordPress and our expert development team are fanatical about keeping our beautiful websites both safe and functional. With this in mind, we thought it was time to share our 10 commandments of WordPress security.
1. Thou shalt use secure hosting
Hosting vulnerabilities account for a significant percentage of hacking incidents. When looking for a hosting provider, it’s important to do your research in order to find a host who will take your security as seriously as their own. At Uprise, we offer our clients full secure hosting and support contracts. This allows us to offer constructive assistance and provide safeguarding from basic security breaches.
2. Thou shalt update regularly
The web is constantly evolving and improving, so it’s understandable that there are always going to be new software updates available. It is therefore crucial that you keep your WordPress core version, plugins and themes up-to-date. This can easily be done through your WordPress dashboard. We would recommend checking for updates on a weekly basis.
3. Thou shalt use a security plugin
If your technical knowledge is somewhat limited, then you can safeguard yourself from attacks with easy-to-use and open-source plugins. These are free and address all of the common WordPress security issues; we personally recommend this one.
4. Thou shalt always use strong login credentials
Although this may seem like a basic point, it’s imperative that strong passwords and login credentials are used at all times. This article gives fantastic advice on how to pick the perfect password.
5. Thou shalt limit login attempts
A simple yet effective measure to reduce the risk of hacking is to limit the number of failed login attempts from a single IP address. You can specify how many retries are allowed, although it’s a good idea to allow a couple of attempts in case you mistype your own password – it happens to the best of us!
6. Thou shalt disguise WordPress
We’re not suggesting that you hide your beautiful website away from the world, but you should try to hide the fact that WordPress is your CMS of choice. Many WordPress attacks are carried out automatically by malicious software bots. The bots will search for WordPress websites and attempt to hit the most commonly unprotected folders in a bid to use these vulnerabilities to their advantage. The best way to protect yourself from this happening is to remove all references to WordPress from your website.
7. Thou shalt change thine login area URL and secure your wp-admin folder
By simply changing your login area URL, you can minimise the risk of attacks. By default, WordPress sets your login area URL to ‘YourWebsite.com/wp-admin’ or ‘www.YourWebsite.com/wp-login’, thus making it easier for bots to know exactly what they are searching for in order to get to the login screen. If they can’t find your login page, they won’t be able to make it through the pearly gates and into your website.
8. Thou shalt perform regular database backups
Another effective way to abolish the fear of a security breach is to back up your database on a daily basis. This means that if the worst should happen and someone does manage to access your site, at least you’re somewhat safeguarded. This is another reason to make sure you use a decent hosting company, as it’s fairly standard for them to back up your website regularly.
9. Thou shalt protect thine self from DDoS attacks
A ‘DDoS’ attack (or ‘distributed denial of service’) is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. It’s probably one of the most common ways to bring a website down as it doesn’t require much technical knowledge. However, you can get into a whole lot of trouble if you’re caught doing it. A plague of locusts, or more likely, a legal team will descend upon you for attacking in this way.
You can minimise the threat of a DDoS attack by:
- Disabling directory browsing
- Enabling 404 detection
- Blocking foreign characters in URLs
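The per-IP limit on failed logins from commandment 5 and the 404 detection listed above can both be checked from a web server access log. The following is an added example, not code from this article or from any plugin: it assumes Combined Log Format and the default WordPress behaviour where a failed login re-displays the form with HTTP 200 while a successful one redirects with 302; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than crash
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def offenders(lines, max_logins=3, max_404=5, window=timedelta(minutes=5)):
    """Return {ip: set of reasons} for IPs over either limit inside `window`."""
    recent = defaultdict(lambda: {"login": deque(), "404": deque()})
    limits = {"login": max_logins, "404": max_404}
    flagged = defaultdict(set)
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        # Assumption: POST to wp-login.php answered with 200 = failed login.
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            kind = "login"
        elif status == 404:
            kind = "404"
        else:
            continue
        q = recent[ip][kind]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > limits[kind]:
            flagged[ip].add(kind)
    return dict(flagged)

# Constructed sample log lines (documentation IP ranges, not real traffic).
def _line(ip, hms, method, path, status):
    return f'{ip} - - [10/Mar/2024:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE = (
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(0, 50, 10)]
    + [_line("198.51.100.9", f"10:01:{s:02d}", "GET", f"/old-{s}.php", 404) for s in range(6)]
    + [_line("192.0.2.4", "10:02:00", "POST", "/wp-login.php", 200),  # one mistyped password
       _line("192.0.2.4", "10:02:09", "POST", "/wp-login.php", 302),  # then a successful login
       "garbage line"]
)
```

With the default thresholds, the visitor who mistypes a password once and then logs in is not flagged, which matches the advice above to allow a couple of attempts.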
10. Thou shalt protect thyself from code injection
“This is used by an attacker to introduce or ‘inject’ code into a vulnerable computer program and change the course of execution.” (Wikipedia)
Code injection can occur when specific sensitive files within your website aren’t protected and become accessible. To minimise this threat, you must regularly update your website and make sure you have strong passwords for FTP, cPanel and even your website login credentials. You can also use some further security plugins.
All this talk of hacking sounds intimidating, but WordPress is safely used by millions of businesses every day. The main thing is to be vigilant in updating plugins, and ensuring your password and login details are secure. At Uprise, we can host your website on a secure server and provide support if you’re experiencing technical difficulties. We will also regularly update your website plugins and framework in order to maximise security and minimise the risk of hacking.
If you’re considering a new website then get in touch. We can help you with everything from your security hosting and support to your web design.