One of the biggest concerns I hear from clients when it comes to having a website built on the WordPress platform is in regards to the security and whether or not their website and their users will be vulnerable. WordPress is one of the most widely used open source content management systems in web design, so this of course makes it a very big target, however by taking appropriate preventative security and hardening precautions, there’s no reason that a WordPress website could not be considerably hardened against attacks.
1. Update WordPress Core & Plugins
One of the easiest and most effective things that you can do to improve the security of your website is to stay up to date with WordPress core updates, WordPress plugin upgrades, and any updates you may be receiving for themes or dependencies. One of the great things about the WordPress community is the vast number of brilliant developers who are constantly investigating and improving the underlying code behind WordPress. The collective knowledge going in to these updates are typically aimed at patching bugs or vulnerabilities within the system, so by utilizing each update, you are ensuring you have the most up to date, hardened WordPress system.
2. Use Secure Passwords
By default, the method of encryption that WordPress uses for password hashing is not considered to be the “most secure”, in fact MD-5 hashing has been found to suffer from extensive vulnerabilities. This being said, it is all the more important that your password be one that is very unique and extremely difficult to guess. Some of the basic rules to follow are to use a variety of uppercase and lowercase letters, numbers and symbols in your password, for example PaSsworD99##. However, I typically also suggest that you go a step further and swap out certain letters for number replacements, for example P4Ssw0rD99##, where the “A” has been replaced by a “4” and the “o” has been replaced by a “0”. By breaking up whole words with numbers, you are making it considerably more difficult for a hacker to access your website using a brute force or dictionary guessing attack.
3. Do Not Use the Default “Admin” Username
Many times, hackers are not attempting to hack websites one by one, but instead are using scripts to scan multiple websites simultaneously for vulnerabilities or to launch attacks. For example, a standard brute force login attack is likely just going to be a bot that has found your login page and is now running as many password combinations as it can against a user name before it’s either successful or is locked out. Typically, the first username that will be attempted to login to will be “admin” as it’s one of the most commonly used admin usernames. By using a less common username, you are making it even more difficult for a hacker to “guess” his way on to your website.
4. Make Sure That No Sensitive Files Are Exposed
There are a number of files within your WordPress file system that provide information about WordPress version, any plugins that may be running, themes being used, database credentials and more. Often times access to these files alone will not allow someone to access your website, however the information gathered would be the starting point in finding a vulnerability and exploiting it.
5. Lock Down Your Web Server
Often times the main goal for a hacker is to get access to your web server so that they can either publish pages with malicious content or backlinks to other sites, or so that they can “hijack” your server to be used in a larger Botnet, or in a sense, as a single ‘worker’ amongst a large group of ‘workers’. Since your WordPress website is connected directly to your web server as well as your database, it presents an attractive way to gain direct access to the server. One very basic thing you do to seriously mitigate these risks is to deny access to every IP address with the exception of a few “whitelisted” IPs. These IPs would ideally belong to you, any necessary employees, and your developers, this way anyone who is not connecting from one of these IPs will not be able to access the server, regardless of whether they have the correct credentials or not. While no method is 100% foolproof, this methodology would make it so difficult for someone to exploit your server that it would likely not even be worth the attempt.
When seeking out a new web design agency to build your WordPress website, user experience and functionality should not be your only concerns. As WordPress continues to grow as a platform, security will continue to be more and more important when it comes to your users experience, your search engine rankings, and your overall success online. If you have a WordPress web design and feel it’s ready for a full website security audit, we’d be happy to run one for you at no cost to you.