WordPress Security

There’s one fact of life if you own a website or websites, more so if they run on the WordPress platform: it’s not a question of if your site or sites will eventually be hacked, it’s merely a question of when.

Personally, my sites have been hacked twice over the past few years, so I know only too well the problems someone can experience due to a hacked website.

A frequent method of attacking WordPress-based sites is a dictionary-based brute force attack, where the hacker (or, more usually, a bot) makes repeated attempts at guessing your login password. This is made a lot easier for the potential intruder if you’re still using the default word ‘admin’ as your User Name, or dictionary-based terms as your password. Even foreign spellings of common words aren’t safe, and as for merely using ‘password’, 1234 or a date of birth, forget it; you’re asking for trouble.

There are other methods too; see the video below, which details a plugin that helps to prevent some of the other methods of attack, namely exploits.

It’s extremely difficult, if not almost impossible, to protect your WordPress site 100%, but that doesn’t mean you should casually dismiss its security by thinking that hacking happens to ‘other’ people and not you. An unprotected WordPress site is like leaving the door to your home unlocked: sooner or later, you’ll probably regret your lack of action.

You can begin the protection by ensuring you use a very strong User Name AND Password that uses a variety of assorted characters. I normally favour around 20 to 25 characters in total, however the precise length is down to the individual.

Remember that a short Password, even if it’s not a dictionary term, doesn’t present the strongest defence against a concerted brute force attack.

I use something like Password Generator (which is free) to create Passwords and User Names, and then I make certain that I use a saving facility such as LastPass to remember them for me at the login stage.

Secondly, try installing the free version of Wordfence (there is a premium version too; full details are on their website) and configure it to their recommended settings.

Now, in the video above, Wordfence (and other security plugins) are installed on the test site, yet the site in question is still successfully hacked using ‘exploits’. This doesn’t mean that Wordfence and the rest of the plugins mentioned are useless. Wordfence in particular is a highly regarded plugin made by a reputable company and it affords excellent protection in a host of vulnerable areas; unfortunately the free version has limitations as far as exploits go, by virtue of the fact it’s given away for nothing, and it’s not really practical to expect a developer to provide extensive, premium protection for free.

The Wordfence subscription version (as of May 2017) affords better levels of security than its free counterpart; however, understandably, some people will find that with other financial commitments the company’s subscription facility is prohibitive, even though Wordfence have kept it as low as possible.

The video below is placed here purely to show you how easy it can be to hack a site, and was created by the WP Site Guardian plugin. It provides better protection against ‘exploit’ attacks than Wordfence’s free plugin and is therefore my third suggestion; it’s also a one-off cost, as opposed to the Wordfence subscription-based service.

The two together make a good combination.

It’s also a good idea to keep regular backups of your site, so that if anything ever went wrong (in a worst-case scenario) you can restore it with relative ease; not forgetting, of course, that if you were ever hacked, you can restore the site successfully with the minimum of stress.

Backups should ideally be kept somewhere other than on the site that has been copied, i.e. in Dropbox, on an external hard drive, or on your computer’s hard drive. If using the latter for storage, make certain it has anti-virus/security measures installed; Kaspersky is generally regarded as excellent and has Mac and Windows versions too.

Incidentally, your host may very well provide automatic backups with certain hosting plans (ask if you’re uncertain), but if not, you can copy your sites via cPanel, WPTwin, BackupBuddy, or a free plugin such as Duplicator.

Try not to install tons of plugins on your site. More plugins can not only affect your site’s page loading speed, but the more plugins you have, the more chance you’ll have of suffering incompatibility issues and, more importantly, the stronger the possibility of a successful hack due to a vulnerability in a plugin.

Remember, hacking doesn’t solely involve attacks on the WordPress Content Management System (CMS) itself; unscrupulous individuals can also find their way into your site through poorly maintained and/or outdated plugins you have installed, nulled versions from torrent sites, and of course exploits too, as detailed above.

When installing any plugin, check when it was last updated and whether it’s compatible with your current version of WordPress; that information is readily available at the point you wish to install. A plugin that hasn’t been updated for months, if not years, should make you ask yourself whether it’s worth taking the risk, and prompt you to seek out a more up-to-date alternative, perhaps from another developer.

Click any of the highlighted links to go to their respective websites; they will open in a new tab in your browser so you can return to this page if you wish.

One other thing: always make certain that you’re running the latest version of WordPress, and update your plugins too. If you keep running old copies, these can have vulnerabilities which may give you cause for regret. Updates address security, bugs and other issues when released.

In summary, this is what you need to do:

1: Back up your site as described earlier

2: Use a strong User Name and Password as described above

3: Install Wordfence and configure to their recommendations

4: Install the WP Site Guardian plugin

5: Update WordPress versions AND plugins as they become available

If you’re using the ‘admin’ User Name and you want to know how to change it after having set it, I’ll show you the method that I use in a ‘How To’ video very shortly.

Now, I’m not claiming that the above will make your site impossible to hack; no one can do that. However, with the plugins and procedures I’ve outlined above, your site will be far better protected than most and therefore less likely to succumb to a brute force attack. Plus, you will not have clogged up your site with a mass of unnecessary plugins, and if, Heaven forbid, you ever were hacked, then with a backup to hand as recommended you can restore your site without the pain and cost which others less savvy than yourself would endure.

If any of my links shown above are affiliate links I always make that clear; however, no link on this page is such a link.

Trust that helps; any queries, send me an email.