- This topic has 0 replies, 1 voice, and was last updated 9 months, 2 weeks ago by Oghenemarho.
- February 21, 2020 at 4:36 pm #86406Participant@oghenemarho
Having your website hacked is not a funny matter. Out of the millions of hacking attempts that occur on a daily basis, a significant number of them are targeted at websites and with WordPress being the platform of choice for 35% of the websites currently hosted online, it is safe to say that many of the tools used for hacking websites are built specifically to break into websites that are built with WordPress. Indeed, if a hacker can find an exploit for one WordPress website, there’s a good chance that it will work on the millions of other websites built on the same platform. There is also the fact that because of how easy to use the WordPress content management system is, a lot of novice users do not take the time to apply basic security measures to their websites to make them less vulnerable. Thus, things like weak database or backend passwords and poor hosting choices or lack of backups make them easy victims form a persistent hacker with time on their hands.
If you do not want to find yourself falling victim for one of these hackers, then there are a few simple steps that you can take to secure your WordPress website from being compromised by malicious actors on the internet. The aim of these steps is to make you less of an easy target and to lift your web property to a level that discourages intrusion attempts from the vast majority of hackers out there. So let’s dive in and see what it takes to secure a WordPress site.
Update Everything Regularly
Because of the constantly evolving security landscape of the internet, new bugs and vulnerabilities are being discovered and ideally, developers are meant to find and implement fixes to their online systems that prevents these vulnerabilities from being exploited in their systems. The team at WordPress performs this function by releasing regular updates to the core WordPress system to patch newly discovered vulnerabilities and also fix bugs that may have been discovered since the last update. Developers of whatever plugins or themes you are using also do the same. It is your duty to ensure that these updates are installed on your WordPress site when they are available to avoid becoming a victim.
These updates can be done from the Updates menu when you visit the back end dashboard of your WordPress site. Usually if there is an update to install, the Updates menu item will be followed by a number indicating how many updates are available to install. Clicking on Updates will reveal a page showing which updates need to be done and what type of updates (i.e. whether it is an update to a plugin, a theme or WordPress itself. Clicking on the check box beside each update and then the associated update button will begin the update process after which you can return to your site’s dashboard when it is done.
There are usually some fears about whether applying updates can break your site and though it is a valid concern, it is the lesser risk when compared to hackers taking over your site, especially if you have a backup strategy in place. We will talk more about backups later on.
Choose the Right Hosting
Building a good and secure website is useless if you don’t choose the right hosting platform for it to live on. The security of your hosting provider is not something you have a lot of control over which is why you need to make sure you pick the right one to go with from the beginning. Otherwise, if the lack of proper security measures on their hosting servers leads to your website being compromised then regardless of where the blame lies, you are the one left with the pieces to pick up.
When searching for a hosting provider, it may be tempting to go with the one that offers the cheapest services but there are several other things you need to consider before making your decision. Look for a hosting provider that includes daily malware/virus scans, automated backups, recovery options and some form of 24 hours customer support service. These additional features usually add a little more to the cost but the benefits they provide are well worth it.
The daily scans will ensure that any malware that has skipped the security measures you put on your site, will be detected by the hosting server and removed from its file systems. Backup and recovery options mean that in the event of a system crash or denial of service attack, your site can be restored to its last known working state with minimal downtime, and round the clock customer support ensures that there are professionals available to respond to any query you might have about your website’s hosting, at any time of the day. These features may not look valuable in the short term but when your site eventually comes under attack, they will prove their worth.
Install SSL Certificates
Getting a secure socket layer (SSL) certificate for your website means that all data transfers between a user’s browser and your website are encrypted over Hyper Text Transfer Protocol Secure (HTTPS) and therefore nobody can take a look at your web traffic and pick out vital information being transmitted. This will also help with search engine optimization and improved trust/visibility for people visiting your website, because they will be looking for the padlock icon that’s usually associated with HTTPS sites in their web browser and once they see it, they know the site is usually safe to visit.
Typically, installing SSL certificates is carried out from the hosting side of things. Most hosting platforms today offer free SSL certificates as part of their service offerings and you can either find the setting required to implement them in your control panel or speak to a customer service representative about how to get started. In the event that this feature is not available with your hosting provider, you can make use of services like Let’s Encrypt (https://letsencrypt.org/) that offers free SSL certificates for websites, to get one.
Secure Your Accounts and Passwords
These are a common target for hackers and as such they should be adequately protected. There are a number of accounts and password associated with WordPress websites, from database user accounts, to web hosting accounts, control panel accounts, FTP accounts and WordPress user accounts. The very first thing you should avoid is using the same username and password for all these different accounts if you do not want to compromise your entire infrastructure in one fell swoop. Also, avoid using default usernames like admin, administrator and WPAdmin; or easy to guess passwords like your name, date of birth, and such. There are guidelines online that will inform you about the best practices for choosing passwords and using password managers to save them securely so that you don’t end up trying to cram everything in your head.
Another tip is to restrict the number of WordPress accounts you create that have access to the administrative dashboard area. If your website has other people who need to manage the site or add content to it, WordPress allows you to create accounts that restrict access to the functions of the dashboard based on the roles that these users play. You can also implement two factor authentication using plugins from the WordPress repository to prevent hackers from using leaked passwords to access your accounts.
Install Security Plugins
Plugins are a core part of the WordPress ecosystem that expand the functionality of the average WordPress website beyond just a simple series of webpages. There are a number of plugins available on the WordPress repository that can also be used to improve the security situation of your website. Two of the most popular plugins for this are Sucuri Security and Wordfence Security. Both of them have free versions that offer features like web activity monitoring, application firewalls, malware scanners, login security, live traffic monitors among others.
Wordfence for instance will carry out regular scans of your WordPress installation to reveal outdated or abandoned plugins, core files that have been manipulated, identify known security vulnerabilities, suspicious content uploads and URLS. It also protects against brute force login attacks and code injections, all while providing live updates to your email address of the results of these security interventions.
Tools and steps like these can help with the real time monitoring and protection of your site which in turn will lead to a speedy response from you in the event of a hacking attack on your website.
- You must be logged in to reply to this topic.