WordPress is used by millions of website owners around the world, including web designers for their own websites (this one included); it is a favorite of online marketers and is used by many high-profile companies and institutions.
And, because it is maintained by hundreds (if not thousands) of developers around the world, the core software is relatively secure.
Unfortunately, because it is used by so many website owners it is also a magnet for hackers: people who break into other people's websites to distribute malware or simply to redirect visitors to spam sites.
According to an article published on Information Week at the beginning of October 2013, 70% of WordPress websites were running older versions of the core software with known, well-publicised vulnerabilities that attackers can easily exploit.
What would happen if your small business WordPress website were attacked?
- You would have to rebuild your website, or pay someone to do it for you (probably with the same vulnerabilities!).
- You would lose potential leads!
- You would lose business!
Although the WordPress core is well maintained, attackers are constantly finding new ways into WordPress websites, and the developers are constantly having to close those security holes. But there are some things the core developers cannot do on a site-by-site basis: they have to keep installation simple for the masses, and those convenient defaults are what leave an individual WordPress website open to attack.
Here are 5 simple steps that you as the website owner can do to make your WordPress website a little more secure.
1) Never, EVER, use admin as the administrative username.
Hackers know that admin was the default username for years, and if you are still using it they already have half of your login details; all that is left is to guess the password. Bear in mind that WordPress exposes usernames through author archive links, so a renamed account is only a speed bump; the strong password in step 2 is what actually keeps attackers out.
2) Use long passwords
I know it’s a bit of a pain, but using real dictionary words in your password is also inviting trouble; they are very easy to crack. Use a mixture of upper-case and lower-case letters, numbers and special characters, and make sure the password is at least 12 characters long. If you are unsure what password to use, go to Random.org and let it generate one for you (a password manager will do the same and remember it for you as well).
3) Delete the following files from your server:
readme.html – this file tells anyone who requests it exactly which version of WordPress you are running. If you have not updated to the latest version, an attacker will most likely have a ready-made exploit for it, as exploits for known vulnerabilities are published and shared widely. Note that the version number is also visible in the generator meta tag of your pages, so deleting readme.html is only a small obstacle; updating (step 5) is what actually removes the vulnerability.
wp-admin/install.php – once WordPress is installed, this file is no longer needed. Both files are put back every time you upgrade WordPress, so you will have to delete them again after each upgrade!
4) Move wp-config.php (needs FTP access to the server)
This file contains the details of your WordPress installation’s database, including the database username and password! If the web server ever hands it out as plain text (for example when PHP stops being executed after a hosting change) or a vulnerable plugin lets an attacker read arbitrary files, they gain full access to the database and can do an awful lot of damage.
If you only have one website on your server (no add-on domains), wp-config.php can be safely moved up one level in your server’s folder hierarchy without breaking your WordPress installation: WordPress looks for the file in its own directory first and then in the directory above it. Check that the directory above really is outside the public web root (above public_html or htdocs), otherwise the move gains you nothing.
5) Keep your website to the latest version!
Most updates to the WordPress core files are security and bug-fix releases.
It takes just a few minutes to update your website’s core code to the latest version, so keep it up to date.
In addition, as of WordPress 3.7 the developers have included automatic background updates: the installation updates itself to new minor (maintenance and security) releases without you lifting a finger. Major releases still have to be applied by hand.
Again, however, the files removed in step 3 are put back by every upgrade, automatic ones included, so check for them and remove them again.
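Because steps 3, 4 and 5 have to be repeated after every upgrade, it is worth scripting the check. The following shell script is an added example, not code from the original article: it reads the installed core version, lists the leftover files that should be deleted, and reports whether wp-config.php sits in the document root or one level above it, using the same lookup rule WordPress itself applies. The directory layout (public_html as document root) and the sample tree it builds are constructed so the script can be run offline; point it at a real document root to audit a live site.

```shell
#!/bin/sh
# Added example (not from the original article): a post-install / post-update
# audit for steps 3 to 5. Usage on a real site: sh wp_audit.sh /path/to/public_html
# The sample tree built at the bottom is constructed so the script runs offline.

# Installed core version, read from wp-includes/version.php. This is the same
# value readme.html leaks, and it is also visible in the generator meta tag,
# so removing readme.html hides little; the version itself must be current.
wp_version() {
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Leftover files to delete after every install and every update.
# Prints each one that still exists; returns 1 if any were found, 0 if clean.
wp_leftover_files() {
    found=0
    for f in readme.html wp-admin/install.php; do
        if [ -f "$1/$f" ]; then
            echo "$1/$f"
            found=1
        fi
    done
    return "$found"
}

# Where wp-config.php lives. WordPress looks in its own directory first, then
# one level up, provided that directory does not hold another wp-settings.php
# (that is, another WordPress install). Prints docroot, parent or missing.
wp_config_location() {
    if [ -f "$1/wp-config.php" ]; then
        echo docroot
    elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
        echo parent
    else
        echo missing
    fi
}

# Human-readable summary of the three checks for one install.
wp_audit() {
    echo "core version : $(wp_version "$1")"
    echo "wp-config.php: $(wp_config_location "$1")"
    if wp_leftover_files "$1" >/dev/null; then
        echo "leftover files: none"
    else
        echo "leftover files still present, delete them:"
        wp_leftover_files "$1"
    fi
}

# Constructed sample (assumed layout, not a real site): a docroot with both
# leftover files present and wp-config.php already moved one level up.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/public_html/wp-admin" "$DEMO/public_html/wp-includes"
printf "<?php\n\$wp_version = '3.7';\n" > "$DEMO/public_html/wp-includes/version.php"
: > "$DEMO/public_html/wp-settings.php"
: > "$DEMO/public_html/readme.html"
: > "$DEMO/public_html/wp-admin/install.php"
: > "$DEMO/wp-config.php"

wp_audit "$DEMO/public_html"
```

Run it from cron after the automatic updater has done its work (WordPress runs background updates twice a day) and mail yourself the output when the leftover-file check reports anything.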
Security plugins are not the full solution
There are many WordPress security plugins available, both free and paid, however although they do provide a measure of protection, they are not the full solution.
Plugins like WordFence can increase security, there is no doubt about that, but they also introduce a level of complexity that is often difficult for users to understand. Also, some provide only limited additional security while adding vulnerabilities of their own: a plugin is more code running on your server, and it needs updating just like the core.
Database Backup
WordPress is database driven; all of the posts, pages and settings are saved to the database and served to the browser on request, so if your database is compromised you could lose years of work. A backup you can actually restore from also needs the files under wp-content (uploads, themes and plugins), which are not in the database.
And it is a big mistake to rely on your hosting provider for that backup, as many do not do it regularly enough; keep your own copy, stored somewhere other than the server it came from.
Therefore backing up your database at least once a week (or more often if you post new content daily) is absolutely essential for restoring your website should it get hacked.
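A weekly job that does this is short enough to write yourself. The script below is an added example, not code from the original article: it reads the database credentials from wp-config.php (so they are not typed a second time into a cron line), dumps the database with mysqldump to a dated gzip file, archives wp-content, and prunes copies older than a configurable number of days. The paths, the KEEP_DAYS value and the sample wp-config.php and wp-content tree are constructed assumptions; the database dump itself is not run in the demo because there is no database behind it, so on a real host call wp_db_backup with the path to your wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original article): weekly backup job that reads
# the database credentials from wp-config.php, dumps the database to a dated
# gzip file, archives wp-content, and prunes copies older than KEEP_DAYS.
# Usage on a real host: sh wp_backup.sh /path/to/public_html /path/to/backups

KEEP_DAYS=${KEEP_DAYS:-35}   # assumed retention: five weekly backups

# Value of a define('NAME', 'value') constant in wp-config.php (single or
# double quotes, optional spaces). Values containing quote characters are
# not handled; back up such an install with a hand-written option file.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Dump the database. Credentials go into a 0600 option file rather than on
# the command line, where other local users could read them from the process
# list. Assumes DB_HOST is a plain hostname (WordPress also allows host:port
# and socket forms) and that mysqldump is installed. Prints the dump path.
wp_db_backup() {
    cfg=$1; dest=$2
    name=$(wp_config_get "$cfg" DB_NAME)
    out="$dest/$name-$(date +%Y-%m-%d).sql.gz"
    cnf=$(mktemp) && chmod 600 "$cnf"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(wp_config_get "$cfg" DB_HOST)" \
        "$(wp_config_get "$cfg" DB_USER)" \
        "$(wp_config_get "$cfg" DB_PASSWORD)" > "$cnf"
    mysqldump --defaults-extra-file="$cnf" --single-transaction "$name" | gzip > "$out"
    rm -f "$cnf"
    echo "$out"
}

# The database alone cannot restore a site: uploads, themes and plugins live
# in wp-content. Prints the archive path.
wp_files_backup() {
    docroot=$1; dest=$2
    out="$dest/wp-content-$(date +%Y-%m-%d).tar.gz"
    tar -czf "$out" -C "$docroot" wp-content
    echo "$out"
}

# Delete backups older than $2 days from $1, printing each one removed.
wp_prune_backups() {
    find "$1" -type f \( -name '*.sql.gz' -o -name '*.tar.gz' \) \
        -mtime +"$2" -print -exec rm -f {} +
}

# Constructed sample (no database here, so wp_db_backup is not run): a
# wp-config.php in the usual format, a small wp-content tree and one stale dump.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/public_html/wp-content/uploads" "$DEMO/backups"
cat > "$DEMO/public_html/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_shop' );
define('DB_USER', 'wp_user');
define("DB_PASSWORD", "s3cret-pw");
define( 'DB_HOST', 'localhost' );
EOF
echo "sample upload" > "$DEMO/public_html/wp-content/uploads/logo.png"
: > "$DEMO/backups/wp_shop-2023-01-01.sql.gz"
touch -t 202301010000 "$DEMO/backups/wp_shop-2023-01-01.sql.gz"

echo "database: $(wp_config_get "$DEMO/public_html/wp-config.php" DB_NAME)"
ARCHIVE=$(wp_files_backup "$DEMO/public_html" "$DEMO/backups")
echo "archived: $ARCHIVE"
echo "pruned:"
wp_prune_backups "$DEMO/backups" "$KEEP_DAYS"
```

Copy the resulting files off the server (rsync to another machine or object storage) as the last step of the job; a backup that lives only on the hacked server is lost along with it. Test a restore once, before you need it.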
Security Hardening
In addition to the above, there are more technical hardening techniques that can be applied to your WordPress installation, with just 4-5 hours of work (on a new website), that make it much more secure (100% security cannot be guaranteed because of server and plugin vulnerabilities).
Get your WordPress website secured from just £47 per month. Call 07979 864718 or visit my sister website at wpwebsitesupport.co.uk, before your WordPress website gets hacked and you lose business.
Ask about our monthly WordPress Security and backup service, keeping your website in business.