As we all know, internet security is a hot topic across the world at the moment. With the TalkTalk web site being compromised only recently, and various large companies having their customer details stolen and sold online, it is extremely important that we become more aware of our online safety.
Not only is this terrifying, but it also shows just how vulnerable we are online and why we must take online security very seriously.
This article concentrates on the protection of your WordPress blog. WordPress is a wonderful open-source tool that anyone can use for free. The ubiquity of WordPress comes with great advantages, including a wide developer support base, but its high market penetration unfortunately also makes it a target for hackers. Do not ignore this fact! The world wide web is full of opportunity and convenience; however, because so much of the internet is still poorly understood, there are fundamental flaws in its infrastructure that make what we do online quite simple to trace, replicate and steal.
How to protect your WordPress blog in 10 steps
1. Use a strong password
This is the simplest tip of all, but the one that people are most reluctant to follow. As we all know, remembering multiple passwords is a real pain; however, it is an easy change in behaviour that could save you from being the target of an online attack. If you use the same password for various websites, then you are already making yourself vulnerable: if one website has a lapse in its security and your password is stolen and sold on, all of your other online accounts are practically kicked wide open.
You should update your passwords at least once every 72 days. It seems obvious, but the password should not be something like your child’s name or favourite football team; ideally it should be a randomly generated series of numbers, letters and special characters with a mixture of upper and lower case. Generating complex passwords and updating them regularly narrows the window of opportunity for hackers.
2. Do regular back-ups
More often than not, hackers find a way in by latching onto your website without you knowing, inserting small pieces of code into the data that is already there. By backing up your content regularly you are more likely to notice obvious changes to the amount of data stored on your server. Not only that, but if you regularly take backups of your site you can always re-upload all of the data if you are ever unfortunate enough to be hacked.
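Backups are most useful for spotting tampering when you can compare one against the next. The script below is an added example, not something from the original article: it records a checksum manifest of the site directory at backup time and reports files that were modified, added or removed between two manifests. The paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: record a checksum manifest of a
# WordPress install at backup time and compare two manifests to find files that
# were modified, added or removed in between (the "small pieces of code inserted
# into existing data" the article warns about). Paths in the usage comment are
# assumptions; file names are assumed not to contain whitespace.

# snapshot_dir DIR MANIFEST: write "sha256  ./relative/path" for every file under DIR.
snapshot_dir() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && find . -type f | sort | xargs -r sha256sum ) > "$manifest"
}

# manifest_has MANIFEST PATH: succeed if PATH is listed in MANIFEST.
manifest_has() {
    awk -v p="$2" '$2 == p { found = 1 } END { exit !found }' "$1"
}

# manifest_sum MANIFEST PATH: print the checksum recorded for PATH (empty if absent).
manifest_sum() {
    awk -v p="$2" '$2 == p { print $1 }' "$1"
}

# diff_snapshots OLD NEW: print "MODIFIED|ADDED|REMOVED path" lines.
# Returns 0 when the two manifests match, 1 when any difference was found.
diff_snapshots() {
    old="$1"; new="$2"; changes=0
    while read -r sum path; do
        oldsum=$(manifest_sum "$old" "$path")
        if [ -z "$oldsum" ]; then
            echo "ADDED $path"; changes=1
        elif [ "$oldsum" != "$sum" ]; then
            echo "MODIFIED $path"; changes=1
        fi
    done < "$new"
    while read -r sum path; do
        manifest_has "$new" "$path" || { echo "REMOVED $path"; changes=1; }
    done < "$old"
    return $changes
}

# Typical use after each backup (paths are assumptions):
#   snapshot_dir /var/www/html "$HOME/backups/$(date +%F).sha256"
#   diff_snapshots "$HOME/backups/last-week.sha256" "$HOME/backups/$(date +%F).sha256"
```

Expect the core WordPress files to stay unchanged between upgrades; a MODIFIED line for a file you did not touch, or an ADDED .php file under wp-content/uploads, is worth investigating before you overwrite the backup.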
3. Always upgrade your WordPress
After you have backed up your site, always upgrade to the latest version of WordPress, and upgrade your theme and plugins as well. One of the reasons developers update their software and extensions is to fix vulnerabilities found in older versions.
4. Do not use WordPress default usernames
OK, so I know it makes sense for your username to be ‘admin’, but as it is the default username you are practically handing a hacker one more piece of vital information for their jigsaw puzzle.
Even if the username has been changed by your hosting company or server manager, you can never be sure how secure their systems are, so it is still advisable to change these defaults yourself.
Let’s talk plug-ins
5. Research plug-ins before you activate them
As WordPress is open source, and can therefore be contributed to by every man and his dog, it is important to do your research before buying plugins for your WordPress site. Many plugins are completely useless and full of faults because they were developed by an amateur. Other times they do exactly what it says on the tin and fix whatever issue you are having, quickly and easily. Take the time to read the user reviews and comments; it is a better way to work out whether the plug-in will meet your requirements than buying it only to find out it isn’t compatible with your theme.
5.a Activate a security plugin
There are many security plug-ins on the market that are specifically designed to protect your blog and block the routes hackers might attempt. However good these plug-ins claim to be, there are always loopholes. It is important that you do not rely solely on a security plug-in and that you take the other necessary precautions to protect yourself online.
5.b Delete unused plug-ins/images
Many people download popular plug-ins and use them briefly on their WordPress site. Once they have tried them out, it is often the case that they find something that fits their requirements better and leave the old plugin lying dormant on their website without really paying attention to it. Over time WordPress releases updates that fix bugs and issues found in certain elements of the software, and the same is true of plug-ins; if they are left outdated, hackers are able to find the flaws and access the contents of your website. By deleting unused plugins and images you are cutting off one of the avenues in for a hacker. Not only that, but you will save space on your server too!
6. Do not allow guest user registrations and ensure you have sole admin access
These may seem like rather obvious points, but to be honest a lot of WordPress users do not tend to look into the default settings, and sometimes this is something that has passed them by during set-up. You can give various people different access rights, but it is always good to ensure that you keep sole control. If you have developers working on the site, you can request that they use a version control service such as Bitbucket or GitHub so that you always know who is working on what.
Tips that are a little more technical
7. Disable logins from certain IP addresses
There are many plug-ins available which allow you to do this. It is a slightly more complex task; however, it is very effective, specifically if you run your WordPress blog from one particular place. It means that only your own IP address will be able to reach the login screen and all other attempts will be rejected.
It is also possible to add a two-stage login process, whereby you have to confirm your email address before being allowed access. This is also a good precaution to put in place.
8. Blacklist IP addresses from logging into your admin
The only downside of doing something like this is that if your IP address changes you would need to go into your FTP details and update the .htaccess file with your new IP. This can become time-consuming, especially if your IP address changes often or you travel a lot. If you are happy to do this (and you know how to update .htaccess files) then this is one of the best tips for securing your WordPress blog.
9. Block internet bots from accessing WP-Admin login page
This may sound like quite a complex task, but it is actually quite simple to do if you have knowledge of server directories. You need to locate your .htaccess file again, as mentioned above. Blocking the bots basically involves copying and pasting this script into the top of your file. If this sounds a little too technical, there are also plug-ins that produce the same effect, but read the reviews and ensure you update them as recommended.
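Tips 7 to 9 all come down to rules in the site's .htaccess file. The fragment below is an added example written for this article, not the author's script: it limits wp-login.php to one address and rejects login POSTs that do not arrive from the site's own pages. The IP address 203.0.113.10 and the domain example.com are placeholders, and the syntax assumes Apache 2.4 with mod_rewrite enabled.

```apache
# Added example (not the article's own script). Placeholders: replace
# 203.0.113.10 with your static IP address and example.com with your domain.

# Tips 7 and 8: only the listed address may reach the login page at all.
# Apache 2.4 syntax; everyone else receives a 403.
<Files wp-login.php>
    Require ip 203.0.113.10
</Files>

# Tip 9: drop automated login attempts. A real browser submitting the login
# form sends the site's own page as referer; most scripted bots send none.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

The referer check only filters out careless bots, since a referer header can be set to anything by the sender, so keep the IP rule as the real barrier. If you also restrict the wp-admin directory with its own .htaccess, exempt admin-ajax.php, which themes and plugins call from public pages.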
10. Use webmaster tools and analytics
There is a security section in webmaster tools which will notify you of any security issues with your website and, in many cases, show you how to fix them. You can also spot unusual activity on your account by keeping on top of any variations in your analytics data.
So there you have it: 10 tips to help keep your WordPress website safe from the prying eyes of hackers. You can also use variations of these tips to secure yourself more generally on the web, and I think that just by becoming more vigilant about our online habits we will be less likely to fall victim to an online attack.
If you would like any help securing your WordPress blog, or alternatively if you would like more information about the work we produce, then please get in touch.
If you have any more helpful tips for our readers then please comment below.