Most people don’t think about their website security until it is too late. A hacked website can lead to a significant breach of consumer confidence towards your company. Restoring the damage, if possible, usually involves many hours of work. Time to talk about cybersecurity and making your website secure.
Cybercrime is a hot topic and makes headlines often. On average, every 39 seconds a form of cybercrime is taking place. With more than 30% of the websites running on WordPress, they are the most targeted platform.
Is WordPress secure?
That raises the question many people have, is WordPress secure? And the answer is, yes. WordPress by itself is a reliable platform when it comes to security. The next obvious question is, why does this platform get hacked so often?
For a large part, the security of your website is determined by you. Failing to take precautionary measures, gives hackers the opportunity to get access to your website and do a lot of damage.
Just like any offline business, your online business is vulnerable to crime. Where shops deal with shoplifters trying to steal products, your website deals with hackers and cybercriminals that try to steal your data.
The most common attacks
The most common ways sites get hacked is through backdoors, brute force attacks, and bad web hosting.
Backdoors
These are plugins, themes or any type of 3rd party code that is added to the initial WordPress installation. The more you add to the initial WordPress installation, the more at risk you become.
This is because WordPress frequently releases updates, which often includes security patches. If you have a plugin, that hasn’t been updated for a while, it creates a backdoor. Because the core WordPress software has been updated, but the plugin is still using the old version, creates a gap, also known as a “backdoor”. As a result, hackers can just walk inside.
The longer outdated plugins you have, the bigger the backdoor becomes. If you have more plugins that are outdated, you could even have many backdoors in your installation.
Outdated plugins and themes are the most common reason why websites get hacked. So, the best thing and easiest thing you can do, is to make sure everything is up to date. Always make sure you have made a back up of your website first before you make the update.
Check the plugin or themes changelog to see if they are up to date
The issue of backdoors is easy to resolve, by using common sense. Just check when the last update took place. If they update their software frequently, that’s is a good sign. You can check this by looking at their changelog. With every update, the changelog also gets updated that shows what is included in the update.
Plugins that are widely used, you can be certain this is the case, but it never hurts to check it.
For plugins that are unfamiliar to you, or that not many people use, you have to check the changelog. Sometimes you will find a changelog with the latest update being quite outdated already, or worse, there isn’t any changelog at all!
The changelog for a plugin
Clearly this is a bad sign and something you probably want to stay away from.
When looking for a new plugin or theme for your WordPress website, checking the updates through the changelog should be part of your due diligence.
Brute force attacks
The most common hacks are so-called, brute force attacks. These are hacks that take place on the login page. For this hackers use robots, or Bots. These Bots are programs that go to your login page (the page with the wp-admin extension) and guess over and over until they find the correct user- and password combination. When they succeed, they will have full access to your website.
Username and password
Obviously you need to create a strong username and password. Change the default WordPress username from Admin to a custom one. Not changing this creates a risk, because hackers know there are a lot of users that don’t change it. Not updating the username leaves only the password for them to figure out.
Also, avoid using the name of your domain as the username. Hackers know this is also a common username. Often, the domain name seems like a good alternative for Admin, and therefore are one of the first things hackers will try.
In addition, these bots will try to find out as many things about you as possible. So chances are they will find out your name and last name and will use those and in combination with each other. So this is also something you don’t want to use.
When it comes to creating usernames and passwords, as a general rule, you need to pick something that is unrelated to you. This means picking something more at random.
And then there is your password. This has to be very strong, so no birthdays, your dog’s name or 123456, etc. For passwords, I recommend you use both small and capital letters, numbers and characters.
Hide the login
The login page is the front door to your website backend. So, the first I recommend to do is to hide the login page.
This means you will have to rename the default wp-admin extension to a customized one. Hiding this page will make it much harder for someone trying to access your website because now they not only have to find the right user- and password combination, they also have to look for the page where this information is entered.
Hackers know many people use the default extension, so finding the front door is a walk in the park. Now, they can let their Bots do all the work to figure out the matching combination.
Set up a maximum number of login attempts
The next step is to limit the number of attempts someone can do to login to your website. Too many failed attempts will place the website into lockdown mode. Now, it is impossible for anyone to get into your website. You will get a notification of unauthorized activities on your website, and that the site is on lockdown.
Now, it is impossible for anyone to get into your website. You will get a notification of unauthorized activities on your website, and that the site is on lockdown.
If you haven’t done any of these steps yet, just think of how big at-risk you are. You didn’t hide your login page, you didn’t change the default username. And chances are you have also taken an easy to guess password, like your name, or 123456, or the name of your company.
Ithemes all in one security plugin
For both hiding the login and setting a limit to attempts, you can install a security plugin called Ithemes. The screenshots above were taken from the user interface of the Ithemes plugin.
A good thing about this plugin is that you don’t need to install separate plugins to hide the login page, limit the number of login attempts or install some other security functionality. This reduces the opportunity for outdated plugins which leads to backdoors.
Webhosting
For running a website on WordPress, I recommend getting a web host that specializes in WordPress. They will know where the most common vulnerabilities are with WordPress, so they most likely have cybersecurity experts that have in-depth knowledge that make their hosting more save than hosting providers that aren’t specialized in WordPress. Their team is going to be highly specialized in WordPress and know everything about security.
For me, Siteground is the winner when it comes to WordPress hosting. I have been with them for more than 4 years now and never looked back. I also never ran into any security issues with them. If you are looking for a reliable hostingcomapny, Siteground is a great option!
Insert the SSL certificate
This certificate encrypts the connection between the user and the server, or from computer to computer. This encryption preserves the privacy of the user. Installing the SSL certificate for your website will give your URL the HTTPS protocol highlighted by the little lock in front of it. Making visible your website is secure, ensures users their data is safe.
Trusted hosting providers offer this certificate in their package, and is another reason why getting good web hosting is so important for website security.
Prevent your website from getting hacked
Prevention is better, and indeed more effective and cheaper, than to cure. Don’t give hackers a chance to access your website and follow these easy steps that will prevent the majority of the potentials hacks on your website!
