10 steps to better security


When we are about to launch a new website, we are usually shoulder-deep in creating the ideal design and informative content. Many people put all their time into these items and forget about security altogether. The problem is that the number of attacks grows every year and attack tooling keeps getting more advanced. If your website's security is weak, this post is for you: it shows how not to become hacker bait.

1. Use reliable passwords

Actually, the most common reason sites get hacked is very simple: a weak password (for example, "password", "12345678", "admin" and the like). Such passwords are in every attacker's wordlist and are guessed in seconds, so the password has to be long, random and unique.

Strong password formula: at least 16 characters, mixing lower- and upper-case letters, digits, symbols and spaces, and containing no dictionary words or names. The simplest way to get one is to let a password manager generate and store it for you.

This rule applies not only to your WordPress site but also to your e-mail, Facebook/Twitter/other social network accounts, and to your computer. To keep your data secure, do not reuse the same password across sites or services (one leaked database would then open all of them), and do not keep passwords on a piece of paper under the keyboard or in a notebook.
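As an added example (not code from the original post), here is the step 1 password formula turned into a checker, together with a generator that produces compliant passwords from PHP's CSPRNG, random_int(). The blocklist is a constructed, deliberately short stand-in for a real list of common and leaked passwords:

```php
<?php
// Added example (not from the original post): a checker for the step 1 password
// formula plus a generator that produces compliant passwords from a CSPRNG.
declare(strict_types=1);

// Constructed, deliberately short blocklist; in practice use a large list of
// leaked/common passwords.
const COMMON_WORDS = ['password', '12345678', 'admin', 'qwerty', 'letmein', 'welcome'];

const MIN_LENGTH = 16;

/**
 * Returns the list of policy violations; an empty array means the password passes.
 */
function password_violations(string $password): array
{
    $problems = [];
    if (mb_strlen($password) < MIN_LENGTH) {
        $problems[] = 'shorter than ' . MIN_LENGTH . ' characters';
    }
    // One check per required character class.
    $classes = [
        '/[a-z]/'        => 'no lowercase letter',
        '/[A-Z]/'        => 'no uppercase letter',
        '/[0-9]/'        => 'no digit',
        '/[^a-zA-Z0-9]/' => 'no symbol or space',
    ];
    foreach ($classes as $pattern => $message) {
        if (!preg_match($pattern, $password)) {
            $problems[] = $message;
        }
    }
    // "Not using simple words": reject anything that embeds a blocklisted word.
    $lower = mb_strtolower($password);
    foreach (COMMON_WORDS as $word) {
        if (strpos($lower, $word) !== false) {
            $problems[] = "contains the common word '$word'";
        }
    }
    return $problems;
}

/**
 * Generates a password of $length characters that satisfies password_violations().
 * random_int() is PHP's CSPRNG; rand(), mt_rand() and shuffle() are not suitable here.
 */
function generate_password(int $length = 20): string
{
    $sets = [
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*()-_=+[]{}:;,.?/ ',
    ];
    $length = max($length, MIN_LENGTH);
    $all = implode('', $sets);
    do {
        $chars = [];
        // One character from every class guarantees the class requirements...
        foreach ($sets as $set) {
            $chars[] = $set[random_int(0, strlen($set) - 1)];
        }
        // ...the rest is drawn uniformly from the union of all classes.
        while (count($chars) < $length) {
            $chars[] = $all[random_int(0, strlen($all) - 1)];
        }
        // Fisher-Yates with random_int so the class-guaranteed characters do not
        // always sit at the front.
        for ($i = count($chars) - 1; $i > 0; $i--) {
            $j = random_int(0, $i);
            [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
        }
        $password = implode('', $chars);
    } while (password_violations($password) !== []); // retry if a blocklisted word appeared by chance
    return $password;
}

// Constructed demo input: a classic weak password, one that satisfies every
// character-class rule but embeds a common word, and one that passes.
foreach (['password123', 'Admin2024!Admin2024!', 'Tr0ub4dor&3 is long enough'] as $candidate) {
    $violations = password_violations($candidate);
    printf("%-28s %s\n", $candidate, $violations ? implode('; ', $violations) : 'OK');
}
echo 'generated: ', generate_password(), "\n";
```

Run it with php from the command line. The second demo value is the instructive one: it is 20 characters long and mixes all four classes, yet still fails, because character-class rules alone say nothing about whether the password is built from a word every cracking wordlist contains.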

2. Limit the number of login attempts

If you do this, then when a hacker or bot one day decides to attack your site and guess the password, it gets only a limited number of tries before being locked out. The official WordPress plugin directory has many plugins that do this, Limit Login Attempts among them. With such a plugin you specify how many failed attempts are allowed and for how long the IP address is blocked afterwards. Keep in mind that an IP lockout slows attackers down but does not stop a botnet that rotates through many addresses, so it complements a strong password rather than replacing it.
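To show what such a plugin does under the hood, here is an added example (not the code of Limit Login Attempts or any other plugin, and not from the original post): a standalone login rate limiter with a failure window and a lockout period. The counters live in an in-memory array so the file runs on its own; a real plugin would persist them in WordPress transients, the options table or a cache. PHP 8.0 or newer is assumed for the constructor syntax.

```php
<?php
// Added example (not from the original post, not a named plugin's code): the
// lockout logic behind "limit login attempts" as a standalone class.
declare(strict_types=1);

final class LoginRateLimiter
{
    /** @var array<string, array{failures:int, first:int, blocked_until:int}> per-IP state */
    private array $state = [];

    public function __construct(
        private int $maxAttempts = 5,       // failures allowed inside one window
        private int $windowSeconds = 600,   // length of the window in which failures count
        private int $lockoutSeconds = 1200  // how long the IP stays blocked afterwards
    ) {
    }

    /** True while the IP is locked out at time $now. */
    public function isBlocked(string $ip, int $now): bool
    {
        return isset($this->state[$ip]) && $this->state[$ip]['blocked_until'] > $now;
    }

    /** Seconds of lockout left for $ip, 0 if it is not blocked. */
    public function secondsRemaining(string $ip, int $now): int
    {
        return $this->isBlocked($ip, $now) ? $this->state[$ip]['blocked_until'] - $now : 0;
    }

    /** Records a failed login; returns true if this failure triggered a lockout. */
    public function recordFailure(string $ip, int $now): bool
    {
        $entry = $this->state[$ip] ?? ['failures' => 0, 'first' => $now, 'blocked_until' => 0];
        // Start a fresh window once the old one has expired.
        if ($now - $entry['first'] >= $this->windowSeconds) {
            $entry = ['failures' => 0, 'first' => $now, 'blocked_until' => 0];
        }
        $entry['failures']++;
        $locked = false;
        if ($entry['failures'] >= $this->maxAttempts) {
            $entry['blocked_until'] = $now + $this->lockoutSeconds;
            $locked = true;
        }
        $this->state[$ip] = $entry;
        return $locked;
    }

    /** A successful login clears the counter for that IP. */
    public function recordSuccess(string $ip): void
    {
        unset($this->state[$ip]);
    }
}

// Constructed demo: six wrong passwords from one address, one second apart,
// then a check after the lockout has expired. 203.0.113.7 is a documentation address.
$limiter = new LoginRateLimiter(maxAttempts: 5, windowSeconds: 600, lockoutSeconds: 1200);
$ip = '203.0.113.7';
$t0 = 1_700_000_000;
for ($i = 1; $i <= 6; $i++) {
    $now = $t0 + $i;
    if ($limiter->isBlocked($ip, $now)) {
        printf("attempt %d: rejected before checking the password, %d s of lockout left\n",
            $i, $limiter->secondsRemaining($ip, $now));
        continue;
    }
    $locked = $limiter->recordFailure($ip, $now);
    printf("attempt %d: wrong password%s\n", $i, $locked ? ', IP locked out' : '');
}
$later = $t0 + 6 + 1200;
printf("after the lockout expires: blocked=%s\n", $limiter->isBlocked($ip, $later) ? 'yes' : 'no');
```

Wired into WordPress, recordFailure() would run from the wp_login_failed action, recordSuccess() from wp_login, and the isBlocked() check from the authenticate filter, which rejects the attempt by returning a WP_Error before the password is even compared. One practical caveat: behind a reverse proxy or CDN, $_SERVER['REMOTE_ADDR'] is the proxy's address, so the limiter must take the client IP from a header that proxy sets and that you trust, or every visitor shares one counter.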

3. Make sure that the computer you use is clean

If viruses or worms live on your computer, they can reach your website too, typically by stealing the FTP, hosting and WordPress credentials saved on that machine. Make sure your computer is clean, avoid working on your site or its files from another person's laptop, and never do so from public computers (Internet cafés and the like).

Also keep in mind that viruses spread through e-mail attachments, disks, USB sticks and even smartphones (for instance, when one is synchronised with the computer), so keep your antivirus up to date, scan regularly and never open suspicious files.

4. Always update all the components of your website

Outdated versions of the WordPress core are a common cause of hacked WordPress sites. Attackers know that older versions are the most vulnerable and that their flaws are well documented, often with public exploits, which makes them the main target for attacks (the installed version is easy to find: by default WordPress prints it in the "generator" meta tag in the page source and ships a readme.html that states it). Each new release fixes vulnerabilities found in the previous ones, so if you do not update, those known weaknesses stay open for anyone to exploit.

However, not only the WordPress core needs updating. Update themes and plugins as well, and delete any themes and plugins you do not use (inactive code is still on disk and still reachable). Since WordPress 3.7, minor releases, which carry the security and maintenance fixes, are installed automatically; major releases and plugin or theme updates still need you, unless you opt in to automatic updates for them too.

5. Make backups

Even with the best security measures in place, you never know how attractive your site is to intruders or when something unexpected will happen. For that case you must be sure that the content of your site is safely copied. The best decision is to create a backup schedule, stick to it, and check from time to time that a backup actually restores. Do not store backups only on your server: once an intruder reaches it, the site and all its backup copies can be deleted in one go. Keep at least one copy elsewhere, with another provider or offline.

6. Choose themes and plugins carefully

Themes and plugins make it easy to extend WordPress and improve its appearance, but choose them with care: a large share of WordPress compromises comes through vulnerable themes and plugins. Before installing one, read the reviews, check when it was last updated and whether it is tested with your WordPress version, and learn what you can about the author. If there are doubts about its quality, look for another, better-maintained alternative.

If you want free plugins and themes, download them from the official WordPress.org directories: every submission there is reviewed before it is listed, and updates then reach you through the dashboard. Avoid "nulled" copies of premium themes from third-party sites; they frequently carry backdoors.

7. Take the choice of username seriously

During installation WordPress asks for the username of the account that will carry the administrative burden. Most people pick the first thing that comes to mind, for example admin. Such a username is undoubtedly the easiest to remember, but it is also the one every brute-force bot tries first. Using something else, ideally a random string, makes the attacker's task harder: both the username and the password now have to be guessed. Bear in mind that WordPress can reveal usernames through author archive pages and the REST API, so treat an unusual username as a speed bump, not a secret.

Unfortunately, if you have already chosen admin as the username, you cannot change it in the WordPress dashboard: the username field in the profile is read-only. The easiest way out is to create a new user with the Administrator role, log in as that user and delete the old admin account; when WordPress asks what to do with the old account's content, attribute it to the new user so no posts are lost.

8. Disable file editing in the admin panel

A fresh WordPress installation lets you edit theme and plugin files directly in the admin panel (the file editors under Appearance and Plugins). The trouble is that if an attacker gets into the admin panel, that editor turns a stolen dashboard login into code execution on your server: they paste PHP into a theme file and it runs on the next page request. Turn the editor off with the DISALLOW_FILE_EDIT constant in wp-config.php.
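The following wp-config.php fragment is an added example, not from the original post, that covers step 8 (disabling the file editor) and the update side of step 4 in one place. Only the constant names and values are WordPress's; the comments and the grouping are ours. Add the lines inside your existing wp-config.php, above the "That's all, stop editing!" comment, so they are defined before WordPress loads.

```php
// Added example, not from the original post: hardening constants for wp-config.php.

// Step 8: remove the theme and plugin file editors from the dashboard, so an
// attacker with an admin session cannot drop PHP into a theme from the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger variant: also block installing, updating and deleting plugins and
// themes from the dashboard. Only use this if you deploy code another way
// (WP-CLI, git, a CI pipeline); it also switches off WordPress's automatic
// updates, so you then have to apply core and plugin updates yourself.
// define( 'DISALLOW_FILE_MODS', true );

// Step 4: keep the core current. Since 3.7 minor releases install themselves;
// true opts in to major releases as well ('minor' restores the default, false
// disables core auto-updates entirely).
define( 'WP_AUTO_UPDATE_CORE', true );

// Serve the login page and the whole dashboard over HTTPS, so the admin
// password and session cookie are never sent in clear.
define( 'FORCE_SSL_ADMIN', true );
```

Plugin and theme updates are not covered by WP_AUTO_UPDATE_CORE; since WordPress 5.5 they can be switched on per plugin and per theme from the Plugins and Themes screens, or site-wide with the auto_update_plugin and auto_update_theme filters in a small plugin of your own. After changing wp-config.php, confirm that the Theme File Editor entry has disappeared from the Appearance menu; if it is still there, the constant was placed below the point where WordPress is already loaded.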

9. Choose your hosting provider carefully

While searching, pay attention to more than an attractive price. Do your research and choose a provider with a good track record on security: up-to-date server software, isolation between customer accounts, regular backups, and a support team that responds quickly when something goes wrong.

10. Extra security measures won’t do harm

There are many services, paid and free, that help find and fix vulnerabilities on sites. For example, Google Webmaster Tools (now Google Search Console) warns you when it detects hacked content or malware and lets you spot stray links or scripts on your pages. You can also see how your site looks to the search engine, which matters because some malware cloaks itself: it shows spam links only to search bots while regular visitors see the normal page.

There is also the Exploit Scanner plugin, which scans your WordPress files, plugins and themes for malicious code. Services such as Sucuri and VaultPress run such scans on a schedule and also help with cleanup and backups.

Pingdom notifies you when your site suddenly stops responding. A CAPTCHA plugin protects your WordPress site from automated spam submissions by requiring a challenge (the Captcha plugin mentioned here uses simple arithmetic); it can be attached to the login, registration, password recovery and comment forms as well as the popular contact form plugins.

We sincerely believe that if you follow these rules, your data will stay safe and sound, or at the very least intruders will have a much harder time.

As always, we are interested in your opinion on security measures: which of the items above do you consider the most effective and sustainable?