WordPress is a wonderful platform: it’s easy to work with, relatively stable, and, with more than 18% of published websites utilizing its technology, offers some great, free features that may not necessarily be easy to implement with other blogger/publisher platforms.
However, just ask any Windows user and they’ll tell you, “more popular” also translates to “more attackable” on the Internet. Unfortunately, WordPress’ popularity, along with the open-source nature of the technology, leaves any site using it open to more hacking attempts than other publishing platforms. Even small sites and personal blogs are vulnerable. Fortunately, there are measures you can take right now to help curb some of this malicious activity, and better protect your WordPress site from becoming a victim of hackers.
Many of these will seem like common sense (because they are); yet, it appears too few people are actually taking advantage of the opportunity for additional security being offered out there.
Enable Two-Factor Authentication
Following the could-be disaster known as “Heartbleed”, if you haven’t figured it out by now, passwords alone are often not enough to keep you safe online. Using the most complicated series of characters imaginable won’t stop someone from getting your password if a database itself is hacked. This is why two-factor authentication is so important.
Think about it: what do you always have on you? Your cellphone. Which, as it turns out, can provide a great line of secondary defense for both your WordPress site and (assuming they offer it, which they should) your web host.
For WordPress users, companies like Duo offer a free plug-in and a complementary app for your smartphone that will ping your device anytime a log-in attempt is made to your Admin dashboard. The options range from receiving a push notification to a text or phone call, all to a device you set up upon installation. They offer multiple user profiles as well, for those who share their site with other people.
The same should be done with your hosting provider itself. If they don’t offer two-factor authentication for log-in protection, I would seriously consider switching hosts. This security standard shouldn’t be forgotten if you want to stay safe from potential password thieves.
Take Advantage of Crowdsourcing
Although being very popular can be a drawback when it comes to security, it also definitely has its advantages. Plugins such as BruteForce rely upon the shared data of websites they protect to learn how to provide better security in the future. The more people that use this tool, the more attacks BruteForce sees; therefore, they have more examples of types of attacks to look out for and stop. The company also provides a real-time dashboard of how many sites it is protecting, and how many attacks have been attempted on your site since installation.
Message boards are another great way of getting new tips on protecting WordPress sites from the larger crowd. In addition, I highly recommend allowing WordPress to install updates as needed, as many of these are released for security purposes.
Change the Default Settings
Far too many WordPress users I’ve worked with or come in contact with over the years forget to do little things, such as changing the default admin log-in and password (both in WordPress and in their host’s FTP access), installing the WordPress admin in a folder other than the main one, etc. I know, this is basic stuff for most of you. Unfortunately, with so many new WordPress users coming online every single day, these are also fundamental security issues that often go unnoticed until it is too late.
As good as our tips & tricks for security might be, no site is 100% safe from attack. To that end, I strongly recommend creating a backup file of your posts, settings, and plug-ins on a regular basis (mine is done weekly), so in case something should happen, you aren’t left starting from scratch. UpdraftPlus is one company that offers free backups of WordPress sites to 3rd-party cloud storage, such as Google Drive or Amazon.
In addition, use care when choosing plug-ins to install, or when granting other users access to your WordPress admin. User Roles exist for a reason, and if they don’t absolutely require admin access, don’t give it to them.
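The default log-in and User Roles advice above can be checked mechanically. The following is an added example, not code from the original post: it reads a user list in the CSV shape produced by the WP-CLI command wp user list --fields=user_login,roles --format=csv and reports accounts still using the default admin log-in, plus administrators who are not on an approved list. The sample data, the function name audit_users and the approved_admins parameter are assumptions made for illustration.

```python
import csv
import io

# Constructed sample input, in the CSV shape produced by:
#   wp user list --fields=user_login,roles --format=csv
SAMPLE_CSV = """\
user_login,roles
admin,administrator
jane,administrator
guest_writer,"administrator,author"
sam,editor
newsletter,subscriber
"""

# Log-in names treated as "default". "admin" is the one the post refers to;
# "administrator" is an added assumption.
DEFAULT_LOGINS = {"admin", "administrator"}


def audit_users(csv_text, approved_admins):
    """Return accounts that break the default-login or least-privilege advice.

    approved_admins (hypothetical parameter): log-ins the site owner has
    decided really need the administrator role.
    """
    approved = {name.lower() for name in approved_admins}
    findings = {"default_login": [], "unapproved_admins": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = (row.get("user_login") or "").strip()
        if not login:
            continue  # skip blank or malformed rows
        # A user may hold several roles; WP-CLI joins them with commas.
        roles = {r.strip() for r in (row.get("roles") or "").split(",")}
        if login.lower() in DEFAULT_LOGINS:
            findings["default_login"].append(login)
        if "administrator" in roles and login.lower() not in approved:
            findings["unapproved_admins"].append(login)
    return findings


if __name__ == "__main__":
    report = audit_users(SAMPLE_CSV, approved_admins={"jane"})
    for check, logins in report.items():
        print(f"{check}: {', '.join(logins) or 'none'}")
```

Anyone listed under unapproved_admins either needs to be added to the approved list deliberately or moved down to a role such as editor or author.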