It is more important than ever to secure your website. With the Russian internet security attack that was uncovered in July, it is obvious that most websites need to beef up their security measures. (If you didn’t hear, a group of Russian cyber criminals was found to have stolen over 1 billion unique username and password combinations.) Anyway, here is a list of five things you can do to safeguard your WordPress website.
1. Use a strong username and password. This is the simplest way to stop what is called a brute force attack, the most common type of WordPress security attack. In a brute force attack, a computer program accesses the login page of your site and tries different combinations of usernames and passwords. The programs will try nearly every combination of forms of your business’s name, patterns like 1234, anything related to the content of your website and common passwords like ‘password’. It should go without saying, but please don’t make your password ‘password’.
The best way to create a password is to use Norton’s strong password generator. It can be found here. Make your password 15 characters long and use uppercase, lowercase, numbers and punctuation. It may sound like overkill, but you won’t think so when other sites are getting hacked and yours isn’t.
2. Limit Login Attempts. There is a WordPress security plugin called Limit Login Attempts. I know, real original, right? Well, using the plugin will limit the number of times a user can try to log in, and it can even ban the IP address of a user who has tried to log in too many times with the wrong credentials. This preventative measure is a second step taken against brute force attacks.
3. Stay Updated. Make sure your WordPress install and all WordPress plugins and themes are constantly updated. If you see a circle with a number in it next to ‘plugins’ or ‘themes’, that means that there are plugins or themes that need to be updated. Click on them and then click update on the ones that need updating. WordPress will run the update itself and you will be good to go.
Here is an additional tip. You should deactivate and delete any plugin that you are not actively using.
4. Install an SSL certificate, and force admin access over SSL. Installing an SSL certificate is pretty straightforward. Simply call your hosting provider or use a trusted SSL company. They will handle installing it. When a website uses SSL, it encrypts the connection between the user and the website. This makes it impossible for hackers to intercept the data being transferred. Forcing admin access to your WordPress install over SSL will make all connections between the admin users of your site and your files secure. There is a great article on the WordPress codex about how to do this. It can be found right here.
5. Limit access to wp-admin to only your computer’s IP address via the .htaccess file. If you aren’t a coder, this one may be a bit harder to do on your own, but it is totally doable. You could also have your webmaster do it for you. WordPress also has an article on this, which can be found right here.
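
One way to write the restriction from step 5, as an added example that is not from the original post or the WordPress article it links to: a .htaccess file placed inside the wp-admin directory. The address 203.0.113.10 is a placeholder for your own public IP, and the admin-ajax.php exception assumes your theme or plugins make AJAX calls from the public side of the site.

```apache
# File location: wp-admin/.htaccess
# Added example. 203.0.113.10 is a placeholder; replace it with your own
# public IP address (repeat the line for each additional address).

# --- Apache 2.4 and later (mod_authz_core) ---
<IfModule mod_authz_core.c>
    # Only the listed address may request anything under wp-admin/
    Require ip 203.0.113.10

    # Assumption: front-end features call admin-ajax.php for visitors,
    # so that one file stays reachable from any address.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

# --- Apache 2.2 fallback (used only when mod_authz_core is absent) ---
<IfModule !mod_authz_core.c>
    # Deny everyone, then allow the one listed address
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10

    # Same admin-ajax.php exception in the older syntax
    <Files "admin-ajax.php">
        Order Allow,Deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>
```

The login form, wp-login.php, sits in the site root rather than in wp-admin, so this file does not cover it. If your internet provider changes your IP address, update the file or you will be locked out of the dashboard.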