Just because you are paranoid does not mean someone is not following you. Or trying to hack your website. My advice… be paranoid. If you want to keep your site secure you have to make site security an ongoing priority.
Your site by itself is not special, but combine yours with thousands of other sites just like yours and now you are a prime target for hackers. Such a network of hacked sites can be used for things like black hat SEO, mass email sending, and database scraping (to get your users’ personal info), to name a few. I believe that most of the common attacks against websites can be deflected by using practices that don’t require expensive tools. A “best practices” approach works best. Not all of it is free. But it is affordable.
WordPress security doesn’t happen automatically. Even though WordPress is a great platform it does have its vulnerabilities. Its popularity is what makes it a prime target for the hacker community. Here are some top tips for keeping your WordPress site as secure as possible –
Choose the best web host.
It is not always about money. Do your research. Always go for the best web hosting service that you can afford. Click here for a recent review of the best small business web hosting services for 2016 from PC Magazine.
Take charge of all your user accounts.
To begin with, don’t use obvious login/usernames for your accounts like “admin”, or your given name. Instead, go with something fun like “kissmyass58”.
Never use the popular “password” for your password. Here are some simple tips you can follow to make your passwords more secure –
1 – The longer the password, the harder it is to crack. Consider a 12-character password or longer.
2 – Avoid names, places, and dictionary words.
3 – Mix it up. Use variations on capitalization, spelling, numbers, and punctuation.
It is important to keep strict control of all your user accounts. Limit the number of users and assign appropriate permissions. Make sure your users are also following strict guidelines with regards to usernames and passwords. Click here for a handy password strength checker. Also, using your main Administrator account for editing/publishing work (or when working with content in general) can sometimes be risky, especially if you’re using Wi-Fi in a public place. Instead, create an Editor account for all content work you do.
There are also ways of limiting login attempts. Password cracking is a real threat. A “bot” can make repeated attempts at guessing your login/password combination until it gets it right. It may not succeed in 10-20 attempts, but it can succeed after thousands of attempts. Consider plugin software such as “Login Security Solution” to block brute force and dictionary attacks. Jetpack Protect is also included in the current version of the popular WordPress Jetpack Plugin.
Use up to date software and trust your sources.
Ensuring you are using the most recent version of WordPress is crucial. Luckily for you the solution is very simple most of the time … you can just enable auto-updates for your WordPress site or perform a manual update as soon as you see a notification. However, it is also important that you ensure that a) your theme and installed plugins are also updated to work with the latest version of WordPress and b) your website is backed up on a regular basis. Our recommendation is that you maintain a close eye on your site and perform manual WordPress updates soon after receiving notification. Many site crashes happen after an automatic update when theme & plugin updates are not keeping pace and conflicts occur.
When it comes to updates it’s not only WordPress itself that needs to be kept up to date. The same thing goes for the themes & plugins you’re using. Before you commit to a theme or a plugin, research the author and use as many forums/articles as possible to ensure the pedigree of the software. Make sure the software is not out of date and is compatible with the WordPress platform.
It is also important to get rid of any plugins or themes you don’t need, as this will reduce the likelihood of being hacked. And remember that deactivating plugins isn’t enough. You must actually click “Delete.”
Consider Site Security Plugins
Hackers use brute force attacks to try and gain access to your WordPress site by continually trying new random usernames and passwords. One of the best ways to protect your website against this kind of attack is to install Login LockDown or a similar login security plugin. These plugins allow you to limit the number of login attempts from a given IP range. Once a user has failed a defined number of times, they will be locked out of your website for a defined period of time. The great thing about these plugins is that they record the IP address of anyone who fails a login attempt, and this can be used to block individual IPs from your website indefinitely.
More comprehensive security plugins will enable you to view crawlers in real time; scan your core, theme, and plugin files; customize blocking rules; and so much more. However, these plugins can come at a cost. Research these security options and beware of conflicts. These plugins come with a lot of options that allow you to customize them by changing the default settings. Research those options before locking down your configuration.
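To make the lockout behaviour described above (and in the login-attempt paragraph earlier) concrete, here is an added example of a minimal WordPress must-use plugin that implements it with core APIs only. It is not code from the original post or from any of the plugins named; it assumes the site is not behind a reverse proxy (so REMOTE_ADDR is the client address) and the thresholds are illustrative values.

```php
<?php
/*
 * Added example: minimal login lockout as a must-use plugin, e.g. saved as
 * wp-content/mu-plugins/login-lockout.php. Uses only WordPress core APIs:
 * the wp_login_failed action, the authenticate filter and transients.
 * Assumes no reverse proxy (REMOTE_ADDR is the real client) and that the
 * three thresholds below are tuned per site; they are illustrative here.
 */
defined( 'ABSPATH' ) || exit;

const LL_MAX_FAILURES   = 5;        // failures before the IP is locked out
const LL_FAILURE_WINDOW = 15 * 60;  // seconds in which failures are counted
const LL_LOCKOUT_TIME   = 30 * 60;  // seconds the lockout lasts

function ll_client_ip() {
    // REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_is_locked( $ip ) {
    return get_transient( 'll_lock_' . md5( $ip ) ) !== false;
}

// Count failed logins per IP; once the threshold is reached, lock the IP and log it.
add_action( 'wp_login_failed', function () {
    $ip = ll_client_ip();
    if ( ll_is_locked( $ip ) ) {
        return;  // refusals during an active lockout are not counted again
    }
    $key      = 'll_fail_' . md5( $ip );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, LL_FAILURE_WINDOW );
    if ( $failures >= LL_MAX_FAILURES ) {
        set_transient( 'll_lock_' . md5( $ip ), time(), LL_LOCKOUT_TIME );
        delete_transient( $key );
        // This log line is the record an operator reviews before blocking an IP permanently.
        error_log( sprintf( 'login lockout: %s after %d failures', $ip, $failures ) );
    }
} );

// Refuse authentication for a locked IP. Priority 99999 runs after core's own
// username/password checks, so even a correct password is rejected while locked.
add_filter( 'authenticate', function ( $user ) {
    if ( ll_is_locked( ll_client_ip() ) ) {
        return new WP_Error( 'll_locked', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 99999, 1 );
```

Because transients expire on their own, the failure counter resets after the window and the lockout lifts after LL_LOCKOUT_TIME with no cron job or extra table.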