The following is a guest post by Devin Morrissey. Devin writes in his garage and examines car parts in his office. He aspires to be an eternal student, writing wherever the web takes him.
WordPress is the platform that more sites on the web are built on than any other, and for good reason. The platform is versatile, powerful, and user-friendly. Contrary to popular WordPress myths, it is about more than just blogging; it involves customer relationship management and even e-commerce.
Visual page builders and simple post editors mean that the most seasoned designer or the earliest beginner can set up, design, and maintain a site with little effort. Initially, the setup is free, but custom themes and important plugins will cost the user something.
In our interconnected world, cybersecurity is a vital part of keeping information out of the wrong hands. Simply because it is so popular, WordPress also can be a frequent target for hackers. One reason is that many users do not understand how to use the powerful security tools that come with WordPress. Often a site is poorly maintained but has valuable information inside — information hackers can use to steal identities or simply take control of the site. Some use WordPress sites as practice to hone their hacking skills.
It is important that you, the site owner, take action to make sure your website is secure. How do you protect your sites from hackers and keep your data and that of your customers safe? Here are seven important tips.
1. Update and Limit Themes
When you login to your WordPress dashboard, you will see a tab for plugins. If there is a red number by it, it means your themes need to be updated. While often neglected, this is an important part of site maintenance. Most of these updates have something to do with security or bug fixes, things you want to take care of anyway.
However, it is also important that you delete themes you are not using. These can be a path for hackers to get into your site security. If you are only using a single theme, like the popular Divi Builder or even a custom theme built by your web designer, delete the others from your list.
2. Update and Limit Plugins
Updating and limiting plugins is also important to the speed of your site. Be careful here though. Some plugins are designed for security, and you will want to leave those active. However, too many security plugins used at the same time can conflict with each other, causing issues rather than preventing them.
Delete plugins you are not using. Research and use the best security plugins for you — ones that will not conflict with each other, but don’t use more than one to accomplish the same task. When you have a little red number next to your plugins menu item, update them. The updates are like those for themes and are important.
3. Understand and Set File and Directory Permissions
This is another common problem for site owners. File and directory permissions are set in your cPanel, and if you don’t understand them, get help from your web developer. There are codes for each file and directory that determine who can access them. 777 permissions are the most common for directories but the least secure. Use 750 or 755 for directories, 640 or 644 for files, and 600 for your wp-config.php file.
This method will help keep hackers out of the backdoor of your site.
This should be a given about any password but is especially true about your WordPress site, especially your primary administrator account. First, don’t use the username “admin” anywhere on your site. If you write content for your site, use an author profile with lower levels of permission so a hacker cannot easily find your primary username.
Use a password generator when possible if you are changing passwords. LastPass, iCloud Keychain, and other password management systems are all available browser extensions depending on the browser you use or your operating system. Set an alert to change these at least once a quarter, if not more often.
5. Add Two-Step Authentication
Two-step authentication is a good thing to add for many of your passwords where possible. This includes things like your social media, your banking website, and more. WordPress has this option too. How does two-step authentication help?
Essentially it makes a user who is logging in have not only access to your password but to a device you own, like your phone, tablet, or computer. For instance, when you log in, a text code is sent to you that you must enter. Without it, you cannot get into your site. It is a great way to defeat all but the most determined hackers.
Many people find firewalls to be annoying when surfing the web, as often you will have to whitelist sites and go through other inconveniences, but security is not always about convenience. Having your firewall enabled on your computer, especially the machine where you primarily run your site, is an essential part of security and another layer a hacker will have to get through before they have access to your information.
Always, always, always keep your firewall enabled, and never turn it off at the request of anyone or any site. It’s dangerous and a good way to put yourself in digital harm’s way.
7. Limit Login Attempts and Get Alerts
Ah, one of the primary ways to keep many hackers out of your site: limit login attempts. This means if they are trying to guess your password — even using a program that tries several passwords in a row — after only a few attempts, the account they are trying to access will be locked temporarily, and none of their continued attempts will work even if they accidentally get the password right.
You can also set up your site to alert you when an attack is happening. The alert, usually via email, will tell you what user name they are attempting to use, how many attempts they have made in a certain amount of time, and even the IP address the attacks are coming from. That IP address will be blocked from making future attempts.
Bonus: You’re Hacked: Now What?
Despite all of the best practices, almost any site can be hacked, but if you act quickly when it happens, you can help limit the damage. Here are some quick steps:
- Change your password.
- Contact your host, or IT if you are self-hosting, to make sure they know about the attack and prevent it from spreading to other sites or elsewhere on the host.
- Contact your web developer. Have them go through the code on your site to make sure nothing malicious is left behind.
Another pro tip: Be sure your site is backed up so that you can recover all your data at least before the last backup. Catastrophe is rare, but it does happen, and a backup can really save the day.
Your website is the backbone of your business, and it is probably designed on a WordPress platform. To make sure it is secure, follow these steps, and do a security checkup often. Keep things up to date, and be sure to understand and follow good security protocols. Your site will be secure, and so will the data you store there.