One of the best things about WordPress is that anyone can design and build their own website, not just web developers. The downside of this is that full control of your website is in your hands. One of the major concerns of WordPress users is security and ensuring a safe online presence, and for good reason. The risk of hackers taking advantage of weak code in your website is a real one. Luckily, with the right information you can take the necessary precautions to safeguard your website.
- Understand website security
Your website hosting provider is responsible for network- and platform-level security in the environment where your website is hosted, while you are responsible for website-level security. Choose a hosting provider that is detailed and transparent about the security they provide, and if you don’t understand the details, ask them for clarification.
- Choose the right solution
You may not think it’s necessary to install an additional security solution on your website, but take a moment to think about how valuable your website is, and what it would cost you if it was down for a few days. Prevention is better than cure, and an affordable web application firewall (WAF) like Cloudbric could prevent your website being exploited by hackers. Weak and vulnerable code is often in a plugin or theme. Choose WordPress plugins and themes that are highly rated and keep them updated.
- Make sure you’re HTTPS
An SSL certificate enables you to switch your website to HyperText Transfer Protocol Secure (HTTPS), a more secure version of HTTP. The main purpose of SSL is to encrypt sensitive information sent across the internet, so that only your users can understand it. Since July 2018, Google Chrome, currently the most popular browser, marks all HTTP sites as “Not Secure”. If your website opens automatically in the HTTP version, you may need to force HTTPS.
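One way to check that HTTPS is actually being forced, as an added example that is not part of the original article: the function below reads the header dump that `curl -sIL http://your-site/` prints and reports a missing redirect, a temporary redirect, a downgrade back to HTTP, or a missing HSTS header (a check that goes slightly beyond the text). The sample dumps and `example.com` are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: header dump in the shape `curl -sIL http://example.com/` prints.
SAMPLE_FORCED = """\
HTTP/1.1 301 Moved Permanently
Location: https://example.com/

HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
"""

# Constructed sample: the site answers over plain HTTP and never redirects.
SAMPLE_PLAIN = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
"""

def parse_hops(dump):
    """Split a curl -I header dump into (status, headers) pairs, one per response."""
    hops = []
    for block in dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [line for line in block.split("\n") if line.strip()]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((int(lines[0].split()[1]), headers))
    return hops

def audit_https(start_url, dump):
    """Follow the Location headers from start_url; return (final_url, findings)."""
    hops, url, findings = parse_hops(dump), start_url, []
    for status, headers in hops:
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            target = urljoin(url, headers["location"])  # Location may be relative
            if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
                findings.append("downgrade: %s -> %s" % (url, target))
            if urlsplit(url).scheme == "http" and status not in (301, 308):
                findings.append("temporary redirect (%d) from HTTP" % status)
            url = target
    if urlsplit(url).scheme != "https":
        findings.append("final page served over HTTP: " + url)
    elif "strict-transport-security" not in hops[-1][1]:
        findings.append("no Strict-Transport-Security header on final response")
    return url, findings
```

An empty findings list means the HTTP address redirects permanently to HTTPS and stays there.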
- Strengthen your password
A weak password is an invitation to hackers. Strong passwords contain 14 characters or more, at least one numeric character and at least one special character. The trend is to use a passphrase rather than just one word, e.g. I1oveleathershoes. It is also recommended to make use of a password storage site like LastPass.
- Choose your username carefully
Don’t use an obvious username. Specifically, don’t use ‘admin’ as your username as it is so widely used, and don’t use your own name. A two-factor authentication (TFA) plugin is recommended to ensure safer usernames. In the absence of a plugin, choose a username that cannot be guessed easily. TFA requires a username and password, but also a piece of information that only the user could possibly know (e.g. the name of the first street you ever lived on).
- Limit the number of users who have access
You may need help to manage your website, but it’s important to limit the number of users who have access to your admin panel. Ensure that those who do are given strong passwords, and don’t email the passwords to them. Rather send them via WhatsApp.
- Understand the value of your site
It might be hard to believe, but hackers really are interested in your website. It’s not personal: data is like currency, a means to a criminal end. Sometimes, it’s not even about access to your data. Your website could help to advance the goals of malicious traffic. The good news is that if hackers can’t get in, they can’t do harm.
- Keep tabs on your website. Here’s how:
  - It might not be obvious that your website has been hacked. At first glance, it might look normal, but unusual pop-ups and links that you didn’t create are tell-tale signs.
  - Another quick check: type your business name (not your URL) in your Google browser. If your website has been hacked, a Google notification appears on your site warning users that your site may have been hacked. This may also appear in the Google search result.
- Accept that hacking attempts are unavoidable
A hacking attempt is not a once-off occurrence: your website is constantly under threat. To illustrate this, Hetzner, a trusted web hosting provider, observed about 300 websites that use Cloudbric, which monitors the number of hacking attempts on those websites. During a 30-day period, Cloudbric blocked over 2 million attempted attacks. 400 000 of these attempts were on websites created using WordPress. With the right security, you won’t need to worry about hacking attempts because they won’t lead anywhere.
- Keep informed
Website security is not something you can ignore, as it won’t just go away. But with the right knowledge about WordPress security, you can keep your site updated, use the right plugins, and make smart security decisions.