Keeping your WordPress website secure – a beginner's guide
There’s no doubt that WordPress is the Content Management System (CMS) of choice for many developers. In fact, according to the official WordPress website, around 30% of the top 10 million websites are powered by it – including Aspurian Digital!
To dive into the numbers even further, there are roughly 74,652,825 active websites across the entire web that use WordPress. This is appetising to a hacker: a weakness discovered on one website can be exploited at scale across every other site that shares it.
And if you think that someone is going to type your domain into their address bar and spend the time manually trying to spot these exploits, you’d be wrong. The majority of hacks are carried out by automated bots crawling the web seeking out vulnerabilities, allowing hackers to attack large quantities of websites in one hit.
But it’s not all doom and gloom…
WordPress is an incredibly powerful open source CMS with a familiar interface that allows users to easily maintain the content of their website.
There are more than 55,000 WordPress plugins (often free) and thousands of themes that can be installed to further enhance its functionality, making it quick and cost effective to set up a website with all the bells and whistles.
It’s certainly possible to maintain a high level of security and continue using WordPress. We’ve put together a list of our top tips to get you started. Let’s take a look…
Keep WordPress up-to-date
WordPress is open source and developed by a community of developers, which means that it’s continuously being worked on and improved. These improvements include new features such as the recently announced WordPress Privacy tool, aimed at helping your website stay GDPR compliant.
You may have been living under a rock for the last few months if this is your first time hearing about GDPR.
But for the purpose of keeping your website secure, we’re interested in the security patches that also come with these updates.
As of writing this, only 54.9% of WordPress sites are running the latest version – that’s quite scary considering the sheer number (millions) of personal bloggers and businesses that are using it.
WordPress will automatically update itself, if it’s able to do so, whenever a minor version is released. Minor releases often include maintenance and security updates, and also changes to translation files.
You can update WordPress to the latest major version within your dashboard by navigating to the Updates menu item in the left hand sidebar.
Before updating to the latest version of WordPress, ensure that you have taken a backup of your site files and database in case something goes wrong during the process.
Keep plugins and themes up-to-date
As mentioned above, WordPress boasts an impressive library of plugins and themes that can be installed to enhance your website.
It’s not uncommon for plugin and theme authors to regularly release updated versions that include exciting new features and enhancements. But more importantly, these updates will often contain security patches.
You can update plugins and themes within your dashboard by navigating to the Updates page via the menu in the left hand sidebar.
Similar to updating WordPress, it’s wise to take a backup of everything first in case something goes wrong during the update process.
In addition to backups, we would recommend installing the WP Rollback plugin. This allows you to quickly roll back to a previous version of a plugin or theme, directly from within the WordPress admin interface – with the click of a button!
Set strong passwords
Setting a strong password should be second nature to us in this day and age of technology.
Hackers have automated the process of brute-forcing passwords by using a technique called a “dictionary attack”. A dictionary attack systematically tries every word in a dictionary, plus common phrases, as the password, which is why it’s incredibly important not to use ordinary words.
Here are some tips to creating a secure password:
- Make it unique. Don’t use the same password on other systems or other accounts. If one of those systems were to get hacked and your password leaked, then the hacker would potentially have access to all your accounts that use that password.
- Numbers, capital letters and symbols. The aim here is to ensure that your password can’t be easily guessed by a dictionary attack. Switch an S for a $ or a 1 instead of an L, or mix it up by including a & or % symbol – but note that something like “pa$$word” is NOT a good password.
- Don’t personalise. Although you’ll need to remember your password without having to leave sticky notes all over the place (don’t do that!), it’s important not to make the hacker’s job any easier. Try not to use personal information such as your date of birth or your favourite football team as your password.
- Use phrases. The latest advice from security experts is to use a “pass phrase” rather than a simple password. An example of a phrase would be “AppleBowl#21GarlicFi$h” which contains a mix of different cases and alphanumeric values. Try to aim for around 20 characters whilst still making it easy enough for you to remember.
With all the above in mind, it’s important that you never give out your password to anyone. Also, be careful of phishing scams targeted at tricking you into handing over your passwords.
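To show why “pa$$word” fails the advice above while “AppleBowl#21GarlicFi$h” passes, here is a small checker written for this article (it is not Aspurian Digital’s code and not a WordPress feature). It undoes the common letter-for-symbol swaps before comparing against a word list, which is exactly what a dictionary attack does. The word list and the 12-character minimum are assumptions of the example; real cracking lists run to millions of entries.

```python
import re

# Constructed stand-in for a cracking dictionary; real lists run to millions
# of words and phrases. The entries here are an assumption of this example.
COMMON_WORDS = {
    "password", "welcome", "qwerty", "letmein", "football", "monkey",
    "dragon", "sunshine", "admin", "wordpress", "iloveyou", "princess",
}

# Reverse "leet" substitutions, so that "pa$$word" normalises back to "password".
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed floor; the article suggests aiming for around 20


def core_word(password: str) -> str:
    """Strip the decoration people add (leading/trailing digits and symbols)
    and undo leet substitutions, leaving the word a dictionary attack would try."""
    trimmed = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", trimmed.lower().translate(LEET_MAP))


def is_dictionary_word(password: str) -> bool:
    return core_word(password) in COMMON_WORDS


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol classes are present."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(password: str) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    if is_dictionary_word(password):
        problems.append("is a dictionary word with simple substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("pa$$word", "F00tball!", "AppleBowl#21GarlicFi$h"):
        verdict = check_password(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Run it and “pa$$word” is flagged on all three counts, “F00tball!” is caught as a dictionary word despite its mix of characters, and the pass phrase passes cleanly. The lesson is that symbols only help when they are not standing in for the letters of a word the attacker already has.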
Use two-factor authentication
Two-factor authentication, also called multi-factor or multi-step verification, is a security method that requires two different ways of proving a user's identity.
For example, if two-factor authentication was enabled on wp-admin then the following steps would be taken by the user:
- User enters their username and password as normal.
- If authenticated, a verification code is sent to the user's mobile device.
- User enters the verification code onto the wp-admin login screen.
- If authenticated, the user gains access to the WordPress admin dashboard as normal.
This makes it nearly impossible to gain access to the account without access to the user's device.
If you’re already following the basic password security measures outlined in the previous point, then two-factor authentication will make it much more difficult for hackers to gain access to your account.
Unfortunately, by default, WordPress doesn’t have two-factor authentication functionality built into it. There’s a highly recommended WordPress security plugin, Wordfence, that enables two-factor for the wp-admin area – in addition to many other useful features!
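The four steps listed above, as a small simulation written for this article rather than code from WordPress or from the Wordfence plugin. The user store, the `send_code` delivery callback and the five-minute code lifetime are assumptions of the example; the point is what a correct second step has to do: the password is checked against a salted hash, the code is random, expires, is single use, and tolerates only a few wrong guesses.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256 hash; the clear-text password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class TwoStepLogin:
    CODE_TTL = 300      # seconds a verification code stays valid (assumed)
    MAX_ATTEMPTS = 3    # wrong codes tolerated before the code is discarded
    # Dummy record hashed for unknown usernames so step 1 takes the same time either way.
    _DUMMY = (bytes(16), hashlib.pbkdf2_hmac("sha256", b"", bytes(16), PBKDF2_ROUNDS))

    def __init__(self, users: dict, send_code, clock=time.time):
        self.users = users          # username -> (salt, digest); constructed store
        self.send_code = send_code  # callable(username, code): delivery to the user's device
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # username -> {"code", "expires", "attempts"}

    def step1_password(self, username: str, password: str) -> bool:
        """Step 1: username and password. On success a one-time code is issued."""
        record = self.users.get(username)
        salt, digest = record if record is not None else self._DUMMY
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, digest):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"  # six random digits
        self.pending[username] = {"code": code,
                                  "expires": self.clock() + self.CODE_TTL,
                                  "attempts": 0}
        self.send_code(username, code)
        return True

    def step2_code(self, username: str, code: str) -> bool:
        """Step 2: the code typed into the login screen. True grants the dashboard."""
        entry = self.pending.get(username)
        if entry is None:
            return False  # step 1 never succeeded, or the code was already used
        entry["attempts"] += 1
        if self.clock() > entry["expires"] or entry["attempts"] > self.MAX_ATTEMPTS:
            del self.pending[username]
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False
        del self.pending[username]  # single use: a captured code cannot be replayed
        return True


if __name__ == "__main__":
    inbox = []
    users = {"editor": hash_password("AppleBowl#21GarlicFi$h")}
    login = TwoStepLogin(users, lambda user, code: inbox.append(code))
    print("step 1:", login.step1_password("editor", "AppleBowl#21GarlicFi$h"))
    print("step 2:", login.step2_code("editor", inbox[-1]))
```

Note that a stolen password alone stops at step 1, and a code that leaks (a phished SMS, say) is useless once it has been used or has expired, which is the property the article is describing.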
Back up regularly
If we haven’t already mentioned it enough – back up your website!
Seriously though, it’s going to save you a lot of time and frustration later on down the line if something were to go wrong with your website. You’ll want to easily and quickly revert back to a clean version of your website if hacked, or simply gain access to your content if required to rebuild.
When backing up your WordPress website, you’ll need to consider both the database and the files.
Taking a backup of your website is something your hosting provider should be able to assist you with. However, if you’re self-hosting and want to read more about taking backups, there’s an official WordPress backup support article that outlines the options you have.
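For the self-hosting case, here is a minimal backup script written for this article (not Aspurian Digital’s tooling and not one of the options from the official support article) that covers both halves: it reads the database credentials WordPress itself uses from wp-config.php, builds the mysqldump command for the database, and archives the site files. The wp-config.php excerpt, the directory layout and the backup location are constructed assumptions; it also assumes the mysqldump client is installed if you actually run the database command.

```python
import os
import re
import tarfile
import time
from pathlib import Path

# Matches lines such as  define( 'DB_NAME', 'wp_example' );  in wp-config.php
_DEFINE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(text: str) -> dict:
    """Read the database constants WordPress itself uses to connect."""
    return dict(_DEFINE.findall(text))


def mysqldump_command(cfg: dict, dump_path) -> tuple:
    """Build the mysqldump invocation for the database half of the backup.
    The password goes in the MYSQL_PWD environment variable rather than on
    the command line, where any user on the server could read it from `ps`."""
    host, _, port = cfg.get("DB_HOST", "localhost").partition(":")  # WordPress allows host:port
    argv = ["mysqldump", "--single-transaction", "--host", host]
    if port:
        argv += ["--port", port]
    argv += ["--user", cfg["DB_USER"], f"--result-file={dump_path}", cfg["DB_NAME"]]
    env = {**os.environ, "MYSQL_PWD": cfg["DB_PASSWORD"]}
    return argv, env


def archive_site(site_dir, dest_dir, stamp: str = None) -> Path:
    """Tar the site files (wp-content, wp-config.php, everything) into dest_dir.
    dest_dir should live outside the web root so the archive is never served
    to visitors; anything already under dest_dir is skipped so a backup never
    swallows older backups."""
    site_dir, dest_dir = Path(site_dir).resolve(), Path(dest_dir).resolve()
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    out = dest_dir / f"{site_dir.name}-files-{stamp}.tar.gz"

    def skip_backups(info):
        full = (site_dir.parent / info.name).resolve()
        return None if full == dest_dir or dest_dir in full.parents else info

    with tarfile.open(out, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name, filter=skip_backups)
    return out


def list_archive(path) -> list:
    """List the files in an archive: the cheapest check that it is readable.
    A backup you have never tried to restore from is not a backup."""
    with tarfile.open(path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


if __name__ == "__main__":
    import subprocess
    site = Path("/var/www/example")            # assumed site root
    backups = Path("/var/backups/example")     # assumed location outside the web root
    cfg = parse_wp_config((site / "wp-config.php").read_text())
    argv, env = mysqldump_command(cfg, backups / "db.sql")
    subprocess.run(argv, env=env, check=True)  # database half
    print(list_archive(archive_site(site, backups)))  # files half, then verify
```

Schedule something like this from cron, keep the archives off the web server itself, and restore from one occasionally to prove it works.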
Need help keeping your website secure?
Although just the tip of the iceberg, hopefully these pointers will help you on your path to WordPress website security. Over the coming months we’re aiming to release more in-depth articles covering the more complex aspects of security.
If you need further help or advice with website security, please give us a shout. At Aspurian Digital we’ve been helping various brands (both large and small) implement changes in relation to their website security.