It's every web business owner's worst nightmare: your site has been hijacked by hackers, and you're left helpless as the business you've spent lots of time and money growing is corrupted from the inside. The process of securing a WordPress site is often referred to as hardening and for good reasons.
Your website is like a fort, and it's up to you to ensure that you have enough archers on the battlements to ward off intruders. Fortunately, there are a few things you can do to reduce the odds of you ever becoming a victim of hackers.
Let's take a look at what you can do to make your WordPress Site more secure starting today:
1. Use a strong username and password
It all begins with your username and password. So start with making sure you pick a username that's hard to guess. You'd be surprised how many people use the default "Admin" username for their WordPress site.
The problem with that is if someone is trying to hack your website, "Admin" is the first username they would try 100% of the times. Using that as your username is giving potential hackers half of the information they need to break into your site. WordPress developer and Codeable expert Liam Bailey says:
Don't have 'Admin' as your administrator username. Use something, if possible, that you've randomly picked like a random string of letters and numbers.
The goal here is to come up with something unique no one would guess.
As for the password, you should use one that is called a strong password, i.e. something that is at least 16 characters featuring numbers, symbols, and letters (uppercase and lowercase). If you think this is too hard, consider using a password generator like LastPass, which will take care of generating a strong password (and store it safely) on your behalf.
There's no need to go through all the work of hardening a website if the username and password have already been compromised. The most important step of all is keeping your login details secure at all times. That's why security experts often suggest changing your passwords a few times a year.
Next thing to look at is your website's "components": plugins and themes.
2. Keep plugins and themes updated
WordPress updates are an important part of any WordPress users' life. They're important not only to improve core files, or performances of a given plugin or theme with their latest release. Updates are meant to fix bugs and security loopholes that get discovered among users. Updates are your best friends when it comes to security.
Would you leave your best friend hanging at your door? Nah, I don't think so.
That's why, when you get notified of a newer version of a plugin, theme and WordPress core files in your WordPress dashboard, it means you should be updating them. As Liam brings to attention:
The next step to make your website more secure is to make sure your plugins and your WordPress are up to date. Why? If you went into Google right now and searched for known WordPress vulnerabilities or known WordPress plugin vulnerabilities, there are lists of known vulnerabilities for older versions of WordPress as long as your arm. What’s more, the hackers have scanning tools just like Googlebot, but these are crawling the net to find websites using outdated software with known vulnerabilities, including WordPress. The minute they [hackers and their scanners] find one, it's flagged up ready for the next stage of the attack. If you don't let them in the first step, then they can't go any further.
3. Install good security plugins
There are many security plugins that will help you beef up the security of your WordPress site even if you have limited (or even no) technical knowledge. Liam suggests:
One of the best security plugins that I used is iThemes Security because among the different aspects it takes care of, it makes sure you're not using 'Admin' as your username, secures file permissions, and a host of other things which really make the WordPress site more secure.
What Liam refers to here is those alert messages saying either your username is wrong, or your password doesn't match with that username. These strings of words can be gold to anyone who's trying to breach into your WordPress website. Removing this type of information keeps attackers in the dark, and that's a good thing.
Newer versions of your plugins and themes, as well as those of WordPress core files, are continuously released. And if your website features any custom code, keeping up with security becomes even harder because you always have to be sure all updates "get along" with your custom code. Those here are just a few of the many things that can be done to harden your WordPress site. And sure, they give you a good level of security, making it more secure than 61% of WordPress websites.
But that's just a small part, yet important, of the overall picture related to the security of your website. Security is not a set-and-forget-it task, one that can be done by adding some plugins, a strong password, some other tweaks, and then move on. Security it's an ongoing, compound process whose goal is adding as many layers as possible and sharpen them to keep undesirables out.
This blog post features Liam Bailey who is the developer behind Webby Scots with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites including also working in-house at Codeable before returning to freelance and help more clients from all over the world.