T : +(603) 7806 3550   |   F : +(603) 7806 5586

Thursday, 15 September 2016

10 Ways to Secure Your Wordpress Website


I've had my website hacked once, and believe me it isn't anyone else should experience. When your website gets hacked you end up spending a good amount of time trying to fix things that you don't necessarily understand. Thankfully the hack wasn't deep it and if it was, that would mean all of the effort that I have previously put into my website going up in smoke in a flash. I learned things the hard way, I had to patch multiple things and change my web host and that did the trick and fixed everything. More on the importance of choosing the right hosting plan later below. I do acknowledge that not everyone is as lucky as me. I've got a friend that had not just his site taken down but his whole domain blacklisted.

I did some research and it seems that WordPress site hacking is much more common than we would like it to be and it is steadily rising. A lot of people, like me, have their sites hacked too. Although I shouldn't sound so enthusiastic over this, but it is a sad fact.

Wait didn't we all ask this one question before:

Why would anyone want to hack my site? It is worth nothing.


I know, I know our site isn't up there in with the stars of the show. But after reading up a bit it seems that a great majority of attacks are automated where hackers (people who hack our websites) create bots (pieces of software) to crawl the online web space and look for vulnerable websites. Why would they do that? It seems that if they are successful the hacked website gets added to their portfolio, so to speak, and used for whatever objectives that they might have.

Wordpress is awesome, and popular, but it does have its problems. So to say WordPress security doesn't happen automatically. Think of it this way, why go after a CMS that nobody really uses. Going after the most popular one makes the most "hacking sense".

This is the beginner's guide. An absolute must just to make sure that bots don't find you too easy to hack.

This you must do:

1. Secure your Admin account


Don't use an obvious login/username for your administrator account like "admin" for example. This is too easy for anyone to guess, instead try "darth-vader" or "king-alexander". You might be wondering right now hey wait a sec, doesn't Wordpress not allow you to change WordPress once installation has been set? Don't worry there is a way around it all you have to do is:

Create a new user account (Users > Add New), then assign the new user an Administrator role;
Delete your original administrator account (also in users) then you are good to go!

2. Use an Editor account for content work


Using your main Administrator account for editing/publishing work can be risky especially if you are using wifi at a cafe or a public space. You should instead work on an Editor account for all content work you do making the login not so obvious. To do this go back again to creating a new user account (Users > Add New), then assign a new user to be an Editor. Now you are good to go!

3. Use secure passwords



  1. Don't use passwords that are easy to guess. 
  2. You can sign up for LastPass (don't worry it's free) and set that ultra secure password as your main password.
  3. Then use LastPass to generate safe passwords for everything going on with your site.


4. Limit login attempts


Password guessing is a big threat. A bot, or human can make multiple attempts at guessing your password combinations until they get it right. They might not succeed in 10-20 attempts but if you are using a semi-complex password the 100,000th attempt can be successful.

5. Secure your own machine 


Securing your website would be pointless if the machine you are using to access the site is compromised. This is a simple solution that most people overlook. Install good anti-virus software and take good care of your computer.

6. Update WordPress regularly


Updating WordPress is one of those things that everyone knows it is important to do, but it still ends up being forgotten. For every change of a new release of WordPress they release a change log, every bug that has been fixed is listed. Look at it as a manual for hackers who want to target older versions of WordPress. The solution is simpler than you would think it is. Just enable auto-updates for your WordPress sites or make an update manually as soon as you see a notification on your dashboard.

7. Update plugins regularly


Updates shouldn't just be on WordPress make sure you repeat the update process for your plugins.

8. Backup.


Backups won't secure your site from being hacked, but it is an absolute necessity in case things do get out of hand. Backups are invaluable. You can restore your site back to normal no matter what bad things might happen.

I use a free plugin WordPress Backup to Dropbox; or you could do it through a more feature-rich solution VaultPress (this costs money).

9. Choose the best web host you can afford.


Cheap hosting can lead to a host of problems. Think of it as renting a computer that has little management on it. This may not be the issue with your site but it can be the server itself that got hacked.

Some quality recommendations:

  1. EVERWORKS
  2. Bluehost


10. Download plugins and themes from known sources


Same old rule with email. Only download email you know rule. Same applies with themes and plugins. Go for the tried and tested reputable offers such as ThemeForest and CodeCanyon. They do a fair bit of reviewing for each new theme and plugin submitted there so you should be fine.

Is this a bit too overwhelming to implement all at once? Don't sweat it. Make sure you update your WordPress it is by far the easiest thing to do.

 
Related Posts Plugin for WordPress, Blogger...