5 Tips to Secure your WordPress Website – by Charlie Cummins
Hackers are forever trying to take over websites. Sometimes it can be done as a prank, but often sites are hacked for far more malicious purposes.
While it is almost impossible to guarantee 100% that your website can’t be hacked, there are a few steps you can take to make your site more secure, and thus much harder for an opportunistic attacker to break into.
The top 5 tips here are directly relevant to sites built on the WordPress platform, but similar steps will be applicable for other common development platforms.
1. Install a security plug-in:
There is quite a wide variety of security plug-ins available for WordPress. One that we particularly like and have found to be very effective is All in One WP Security & Firewall. This plug-in features multiple levels of security settings across a range of functions (login lockdown, file permission checks, firewall rules and so on). It will also give you an overall score for the security settings you’ve selected; the higher the score, the more of its own checks you have enabled. Bear in mind, though, that the score measures only the plug-in’s own settings, and relying on a single plug-in for your complete security could be disastrous if the plug-in fails or is itself left out of date.
2. User Names:
Don’t use “admin” as your user name. It is the default name, so every automated login-guessing tool tries it first, which leaves the attacker only your password to guess. Pick something much less obvious, ideally a name that doesn’t relate to your business: if you run a veterinary service, a user name of “admindogsandcats” or “admindogdoctor” isn’t really much better. Bear in mind that a WordPress user name is not a secret (it can show up in author archive links and as the displayed author of posts), so this step raises the bar but is no substitute for a strong password and login rate limiting. If you already have admin as a user on your WordPress site, it is simple to fix. Create a new user with the Administrator role, a more secure user name and a strong password. Then log in as the new user and delete the old one; WordPress will ask whether to delete the old user’s content or attribute it to another user, so choose the new user to keep your pages and posts.
3. Password:
Similar to the above, a password of “admin01” really won’t work, and a password related to the business should be avoided for the same reason. There are two better options. The first is to come up with a long, unique passphrase of your own making. Some WordPress security plugins will rate your chosen password on a red, yellow, green traffic-light scale, or estimate how long a password-cracking program would need to guess it; treat these as rough guides, because the estimate depends entirely on how fast the tool assumes an attacker can guess. The second, and stronger, choice is to have the system (or a password manager) generate a totally random password for you. This may look something like J%JZ&4Y@$21dgj&&mKP5% and cannot be memorised, so store it in a password manager rather than in a document or on a sticky note, and never reuse it on another site.
The two passwords above, checked with two online estimators two years apart:
April 2015, howsecureismypassword.net/: admin01 could be cracked within 19 seconds; J%JZ&4Y@$21dgj&&mKP5% would take 32 sextillion years.
July 2017, cloudwards.net/tools/password-generator/: admin01 could be cracked within 8 seconds; J%JZ&4Y@$21dgj&&mKP5% would take a computer about 13 sextillion years.
The two tools assume different guessing rates, so the drop from 19 to 8 seconds is not a direct measurement of hardware getting faster. The real lesson of the comparison is that a 7-character password made of a word plus two digits falls in seconds under any of these assumptions (and instantly to a dictionary list, which is how it would actually be attacked), while a 21-character random string is beyond brute force. Attacker capacity does keep growing year on year, so it is more important than ever to use long, random passwords across the internet, not just on your WordPress login.
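As an added example (not code from the original post or from either of the estimators it cites), the script below estimates brute-force crack times for the two passwords above under three assumed attacker guess rates, and flags a password that appears in a small constructed wordlist. The guess rates and the wordlist are illustrative assumptions; the point is that the number any checker reports is only as meaningful as the rate it assumes.

```php
<?php
// Added example, not code from the original post or from any tool it cites.
// Estimates brute-force crack times for two passwords under three assumed
// attacker guess rates; the rates and the wordlist below are illustrative.

declare(strict_types=1);

/** Size of the smallest character-class set a brute-force attacker must cover. */
function charset_size(string $password): int
{
    $size = 0;
    if (preg_match('/[a-z]/', $password)) { $size += 26; }
    if (preg_match('/[A-Z]/', $password)) { $size += 26; }
    if (preg_match('/[0-9]/', $password)) { $size += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $size += 33; } // printable ASCII symbols
    return $size;
}

/** Bits of entropy if the password were a uniform random draw from that charset. */
function entropy_bits(string $password): float
{
    return strlen($password) * log(charset_size($password), 2);
}

/** Expected seconds to hit the password at $guessesPerSecond (half the space on average). */
function expected_seconds(string $password, float $guessesPerSecond): float
{
    $space = pow(charset_size($password), strlen($password));
    return ($space / 2) / $guessesPerSecond;
}

function human_time(float $seconds): string
{
    if ($seconds < 1) { return 'under a second'; }
    $units = [['years', 31557600.0], ['days', 86400.0], ['hours', 3600.0], ['minutes', 60.0], ['seconds', 1.0]];
    foreach ($units as [$unit, $len]) {
        if ($seconds >= $len) {
            $n = $seconds / $len;
            return ($n >= 1e6 ? sprintf('%.1e', $n) : sprintf('%.1f', $n)) . " $unit";
        }
    }
    return 'under a second';
}

// Constructed wordlist fragment. Real lists hold hundreds of millions of entries,
// and anything in them falls on the first pass, whatever its "entropy" says.
const SAMPLE_WORDLIST = ['admin', 'admin01', 'admin123', 'password', 'wordpress', 'letmein'];

function in_wordlist(string $password): bool
{
    return in_array(strtolower($password), SAMPLE_WORDLIST, true);
}

// Assumed attacker capacities, for illustration only:
$rates = [
    'online, via the login form'           => 10.0,   // throttled by the web server / lockout plugin
    'offline, stolen WordPress hash (GPU)' => 1.0e6,  // phpass/bcrypt are deliberately slow
    'offline, fast unsalted hash (GPU)'    => 1.0e10, // worst case, e.g. plain MD5
];

foreach (['admin01', 'J%JZ&4Y@$21dgj&&mKP5%'] as $pw) {
    printf("%-22s charset=%2d entropy=%5.1f bits%s\n",
        $pw, charset_size($pw), entropy_bits($pw),
        in_wordlist($pw) ? '  <- in wordlist: cracked on the first pass' : '');
    foreach ($rates as $label => $rate) {
        printf("  %-38s %s\n", $label . ':', human_time(expected_seconds($pw, $rate)));
    }
}
```

Run it with `php crack-estimate.php` (file name assumed). Note which rate actually applies to a WordPress login: an attacker who cannot steal the password hash is stuck at the online rate, which is why a login-lockout plugin (tip 1) matters as much as the password itself; an attacker who has dumped the database is at one of the offline rates, where only length and randomness help.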
4. Secret keys in wp-config.php:
A fresh WordPress download ships with a “wp-config-sample.php” file. Renaming it to wp-config.php is a normal part of installation (the web installer does it for you); the security step is what goes into it. The file holds eight secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values) that WordPress uses to sign login cookies and form nonces. If they are left at the placeholder text “put your unique phrase here”, WordPress falls back to random values it stores in the database, which means anyone who obtains a copy of the database (a SQL injection, a stray backup) also gets the key material needed to forge login cookies. Defining unique random values in wp-config.php keeps them out of the database; a fresh set can be fetched from WordPress at https://api.wordpress.org/secret-key/1.1/salt/ . Changing the keys later logs every user out, which is also a useful step after a suspected compromise. This step should only be done by someone comfortable editing the site’s PHP configuration, and wp-config.php must never be world-readable, since it also holds the database password.
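As an added example (not code from the original post or from WordPress itself), the following command-line script generates a fresh set of the eight keys locally, so the secret values never travel over the network, and rewrites them in place in an existing wp-config.php. The script file name, the path argument and the .bak backup naming are assumptions.

```php
<?php
// Added example, not code from the original post or from WordPress. Generates
// fresh secret keys/salts with a CSPRNG and rewrites them in wp-config.php.
// The script name, path argument and .bak naming are assumptions.

declare(strict_types=1);

const WP_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/** 64 printable-ASCII characters from random_int(), with ' " and \ left out so
 *  the value can sit inside a single-quoted PHP literal without escaping. */
function wp_random_key(int $length = 64): string
{
    $alphabet = '';
    for ($c = 33; $c <= 126; $c++) {
        $ch = chr($c);
        if ($ch !== "'" && $ch !== '"' && $ch !== '\\') {
            $alphabet .= $ch;
        }
    }
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)]; // never rand()/mt_rand() for secrets
    }
    return $out;
}

/** The eight define() lines, ready to paste into wp-config.php by hand. */
function wp_salt_block(): string
{
    $lines = [];
    foreach (WP_KEY_NAMES as $name) {
        $lines[] = sprintf("define('%s', '%s');", $name, wp_random_key());
    }
    return implode("\n", $lines) . "\n";
}

/** Replace each existing define('KEY', '...') in $config, whether it still holds
 *  the placeholder or a real value, with a fresh key. Throws if a key is missing,
 *  so a half-rotated file is never written back. */
function rotate_salts(string $config): string
{
    foreach (WP_KEY_NAMES as $name) {
        $pattern = "/define\\(\\s*'" . $name . "'\\s*,\\s*'[^']*'\\s*\\);/";
        $fresh   = "define('" . $name . "', '" . wp_random_key() . "');";
        // A callback stops preg_replace() reading "$1" or "\\" inside the key as a backreference.
        $config = preg_replace_callback($pattern, fn () => $fresh, $config, 1, $count);
        if ($count !== 1) {
            throw new RuntimeException("$name not found in wp-config.php");
        }
    }
    return $config;
}

// Usage (assumed): php rotate-salts.php /path/to/wp-config.php
// With no argument it just prints a fresh block for pasting in by hand.
if (PHP_SAPI === 'cli') {
    if (!isset($argv[1])) {
        echo wp_salt_block();
        exit(0);
    }
    $path = $argv[1];
    $orig = file_get_contents($path);
    if ($orig === false) {
        fwrite(STDERR, "cannot read $path\n");
        exit(1);
    }
    file_put_contents($path . '.bak', $orig);
    file_put_contents($path, rotate_salts($orig));
    echo "Rotated " . count(WP_KEY_NAMES) . " keys in $path; backup at $path.bak. "
       . "Every existing login session is now invalid.\n";
}
```

The .bak copy contains the old keys and the database password, so delete it (or move it out of the web root) once the site is confirmed working; wp-config.php itself can also live one directory above the document root, where WordPress will still find it.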
5. Auto Pingbacks:
Two separate features are worth a look here. The first is posting to your site by e-mail: handy, but anyone who learns the secret mailbox address can publish to your site, so leave it off unless you use it. The second is pingbacks: when another site links to one of your posts, it can send your site an XML-RPC request, and your site then fetches the linking page to verify the link. Pingbacks have a valid purpose, but the mechanism is easily abused, because any stranger on the internet can ask your site to fetch a URL of their choosing; large numbers of WordPress sites have been used this way to flood third-party servers with requests. If you don’t use pingbacks, turn them off under Settings > Discussion (“Allow link notifications from other blogs”), and consider removing the pingback methods from xmlrpc.php altogether.
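As an added example (not code from the original post or from WordPress core), the following must-use plugin removes the pingback methods from the XML-RPC server, stops the site advertising pingback support, and closes pings on every post. The file name and location are assumptions.

```php
<?php
/**
 * Plugin Name: Disable pingbacks
 *
 * Added example, not code from the original post or from WordPress core.
 * Save as wp-content/mu-plugins/disable-pingbacks.php (file name assumed);
 * must-use plugins load automatically and cannot be switched off in the admin UI.
 */

// Refuse pingbacks sent to xmlrpc.php. With these methods gone, a remote
// "pingback.ping" call gets a "method not found" fault and this site never
// fetches the caller-chosen URL on a stranger's behalf. system.multicall is
// dropped too, since it lets one HTTP request carry hundreds of login attempts.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
});

// Stop advertising the endpoint: WordPress adds an X-Pingback header to single
// post responses when pings are open, which is how crawlers find it.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Treat every post as having pings closed regardless of its per-post setting,
// and make "closed" the default for new posts (the Settings > Discussion option).
add_filter('pings_open', '__return_false');
add_filter('pre_option_default_ping_status', fn () => 'closed');
```

Note that the widely suggested `add_filter('xmlrpc_enabled', '__return_false')` only disables XML-RPC methods that require a login; pingbacks need no login, so that filter on its own does not stop them. Removing the methods as above does, while leaving XML-RPC available for clients that genuinely need it. Themes that print a `<link rel="pingback">` tag in their header will still advertise the URL, but requests to it will fail.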
For more advice on how we can help you secure your website, please contact us ……