Attacks on websites keep rising, as shown by the number of distributed denial of service (DDoS) attacks that occurred in 2015: Akamai reported a 57% increase over 2014. This assault on the servers that host websites is just one technique cyberthieves use to break in; there are plenty of other ways hackers can illegally access WordPress sites.
Once they get in, cyberthieves can change the content of a website, inject malicious software, or steal information from the database. Cleaning up after cyber culprits isn’t cheap when you add up website recovery fees, lost revenue for website downtime, and effort required to manage the cleanup.
WordPress developers respond to hacks by eliminating vulnerabilities through software updates. You can also make it more difficult for cyberthieves to wreak havoc on your site by following these five tactics.
WordPress Security Tip 1 – Use Secure Usernames and Passwords
Upon installation, WordPress sets up your username as Admin, which many people fail to change. That neglect did not go unnoticed by hackers. The username was the target of a large-scale attack on 90,000 WordPress sites in April 2013. Attackers tried to break into websites by using Admin and 1,000 common passwords. Changing the default username and using a strong password are effective WordPress security tactics that you can implement immediately.
Create a strong password with at least eight characters, using a mix of upper- and lower-case letters, along with numbers or symbols. You can also read the password guidelines recommended by WordPress. Don’t share your password with anyone. Instead, set up all users with their own login credentials.
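The username and password rules above can be enforced in code rather than left to habit. The following must-use plugin is an added example written for this post (it is not part of WordPress or of the original article). It assumes a standard WordPress install: `illegal_user_logins`, `user_profile_update_errors` and `validate_password_reset` are WordPress core hooks, the eight-character rule is the post's own, and the list of blocked usernames is an assumption you can extend.

```php
<?php
/**
 * Plugin Name: Login Credential Policy
 * Description: Added example for this post, not part of WordPress or of the original
 *              article. Save as wp-content/mu-plugins/login-credential-policy.php.
 */

// Refuse the default "admin" login (and a few other guessable names) for new accounts.
// 'illegal_user_logins' is a WordPress core filter; the name list is an assumption.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'test' ) );
} );

/**
 * The post's rule: at least eight characters, mixed upper- and lower-case letters,
 * and at least one number or symbol. Returns a message, or '' when the password passes.
 */
function lcp_password_problem( $password ) {
    if ( strlen( $password ) < 8 ) {
        return 'Passwords must be at least eight characters long.';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        return 'Passwords must mix upper- and lower-case letters.';
    }
    if ( ! preg_match( '/[0-9]|[^A-Za-z0-9]/', $password ) ) {
        return 'Passwords must include a number or a symbol.';
    }
    return '';
}

/** Validate the password submitted on the profile, "add user" and reset-password screens. */
function lcp_check_posted_password( WP_Error $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change in this request.
    }
    $problem = lcp_password_problem( wp_unslash( $_POST['pass1'] ) );
    if ( '' !== $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}
add_action( 'user_profile_update_errors', 'lcp_check_posted_password' );
add_action( 'validate_password_reset', 'lcp_check_posted_password' );
```

The `illegal_user_logins` filter only affects accounts created from now on. WordPress does not let you rename an existing account from the profile screen, so for a site that already has an Admin user, create a new administrator with a different username, log in as that user, and delete the old account while reassigning its posts.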
Security Tip 2 – Update Your WordPress Core, Theme and Plugins
The majority of WordPress websites have three modules.
- WordPress core files are the engine that makes a website or blog run.
- Plugins add functionality to a site, such as social buttons, which enable people to share your blog posts.
- Themes stylize a site by dictating color, layout, and fonts.
Developers update these modules to patch vulnerabilities as cyberthieves discover them, so apply security patches as soon as they are released. In most cases, update notifications appear on your WordPress Dashboard, which is also where the updates are applied.
Security Tip 3 – Use Safeguard Plugins
Login LockDown is a lightweight plugin that limits the number of login attempts a person can make; the login function is disabled once the limit is hit. Unfortunately, login attempts are stored in the database, so the tables can grow large over time and slow down your site. Periodically deleting old table entries will keep website performance up.
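To show what a login limiter does under the hood, and how to avoid the growing-table problem just mentioned, here is an added example written for this post (it is not part of WordPress or of the Login LockDown plugin). It stores the per-client failure count in a WordPress transient, which carries its own expiry, so stale counters disappear without a cleanup job. The hook names are WordPress core APIs; the five-attempt limit and fifteen-minute window are assumed values.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle
 * Description: Added example for this post; not part of WordPress or of the Login LockDown
 *              plugin. Save as wp-content/mu-plugins/simple-login-throttle.php.
 */

define( 'SLT_MAX_ATTEMPTS', 5 );                        // failures allowed per window (assumed)
define( 'SLT_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout length (assumed)

/** One counter per client address. Behind a proxy or CDN, make sure REMOTE_ADDR is the real client. */
function slt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_' . md5( $ip );
}

/** Number of failures recorded for this client in the current window. */
function slt_failures() {
    return (int) get_transient( slt_key() ); // false (no record) casts to 0
}

// Record each failure. Transients expire on their own, so old counters vanish
// instead of piling up in a custom table that needs periodic pruning.
add_action( 'wp_login_failed', function ( $username ) {
    set_transient( slt_key(), slt_failures() + 1, SLT_WINDOW_SECONDS );
} );

// A successful login clears the counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( slt_key() );
}, 10, 2 );

// Priority 30 runs after core's own username/password checks (priority 20), so a
// locked-out client gets this error even when it finally supplies the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( slt_failures() >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SLT_WINDOW_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );
```

Because `wp_login_failed` is fired by `wp_authenticate()`, the counter covers any login path that goes through it, not only the wp-login.php form. Each failure also refreshes the transient's expiry, so a client that keeps hammering the form stays locked out until it stops for a full window. Counting by IP address is the usual trade-off: office or mobile networks behind one address share a counter, and a site behind a proxy must be configured to see the real client address or every visitor will share one.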
There are plenty of two-step authentication plugins that beef up WordPress security by adding an extra login step on a phone. After the initial dashboard login, a code is sent to your phone by text message and has to be entered before you get in. Many of these plugins will not work for multiple users.
I just began using Clef Two-Factor Authentication, which makes logging in from my phone a breeze. I just hold up my phone to sync the wave with my dashboard, and I’m in! Multiple users can log in with Clef, which is a big bonus. Leery about using the wave? You can keep the option to log in via password as a backup.
Security Tip 4 – Back Up Your Website Files
Keep several backups of your website files in a safe location away from the web server. This way, you’ll have clean website and database files that can be used to restore your site after an attack. You may be able to recover from an attack without backup files, but it will be more expensive and time-consuming.
Security Tip 5 – Only Access Your Website Through Secure Connections
Only log into your website over a wired Internet connection or a wireless network that uses data encryption, and always over HTTPS. Professional hackers can retrieve login credentials from unprotected public Wi-Fi, such as the networks frequently used in coffee shops.
Security Tip 6 – Disable Pingbacks and XML-RPC
WordPress pingbacks and XML-RPC are vulnerable areas hackers have used to launch site attacks. A pingback notifies site owners and authors when someone links to their posts or pages. XML-RPC is generally used by plugins to let people post remotely to WordPress.
Turn off pingbacks by going to Settings > Discussion and unchecking these two settings:
- notifications sent to blogs your posts link to
- allowing link notifications from other blogs
Blog Aid has an excellent article that covers XML-RPC and multiple ways to disable it. I followed the recommended option of turning XML-RPC all the way off.
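For readers who prefer to pin the change in code, here is an added example written for this post (it is not from WordPress, the original article or the Blog Aid article it cites). One detail worth knowing: the `xmlrpc_enabled` filter only disables XML-RPC methods that require a login, and `pingback.ping` needs none, so the pingback methods have to be removed separately. All hook names are WordPress core APIs; the file name is an assumption. Denying requests to xmlrpc.php in the web server configuration goes one step further than anything PHP can do and is not shown here.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC and Pingbacks
 * Description: Added example for this post; not from WordPress, the original article or
 *              the Blog Aid article it cites. Save as wp-content/mu-plugins/disable-xmlrpc.php.
 */

// 1. Turn off every XML-RPC method that requires a login (remote posting, app access).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. pingback.ping needs no login, so the filter above does not cover it: remove the
//    pingback methods outright. This is the part that matters for reflected DDoS abuse.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and blank the pingback URL that themes print as <link rel="pingback"> in <head>.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Pin the two Settings > Discussion checkboxes in code, so a settings import or a
//    careless click cannot quietly switch them back on.
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );               // notify blogs you link to: off
add_filter( 'pre_option_default_ping_status', function () { return 'closed'; } ); // accept notifications: off
```

The two pinned options only govern posts created from now on; posts that already allow pingbacks keep their per-post setting, which is why step 2 removes the method itself rather than relying on the checkboxes. To confirm the change, load a single post and check that the response no longer carries an X-Pingback header.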
Keep Your Website Profitable with these WordPress Security Measures
WordPress security should be top of mind for all site owners. Protect your site by:
- using proper usernames and passwords
- keeping your core, theme, and plugin files up to date
- adding a safeguard plugin
- maintaining website backup files
- only logging in through a secure Internet connection
- disabling pingbacks and XML-RPC
These precautions will save you time and money, and give you peace of mind, by reducing the likelihood of an attack and decreasing recovery costs if someone does hack into your site.
Mask in first photo came from Wikipedia. Photo designed by Digital Marketing Deva.