27% of the websites on the Internet are powered by WordPress. Can you imagine? At least one-fourth of the Internet is made up of WordPress. No wonder it has also become a juicy target for hackers.
WordPress is largely used by first-time users and amateurs who want to put up their own websites without much coding or technical work. That amateur user base also makes it a soft target for hackers who want to make away with sensitive information.
Imagine the aftermath if an amateur eCommerce retailer had his customers' credit card information stolen.
Statistics from Alexa estimate that at least 40,000 websites have been hacked so far, and the number is still growing daily.
Your WordPress website could be one of them, unless you take measures that make things difficult or impossible for the hacker, like the ones we describe below:
Change the defaults
As an out-of-the-box CMS, WordPress comes preloaded with default usernames and settings. Most hackers know the default username, file structure, directories and every other nook and corner of a freshly launched website like the back of their hand.
Now imagine what could happen if you don't change these defaults. It is like leaving the door open and making it easy for hackers to walk away with whatever they want. To make things difficult for them, we suggest changing all the defaults, including the admin username and the location of the admin folder, to discreet values. Launch your website only after double-checking that the defaults have been changed.
Remove all outdated plugins & themes
Continuing to use outdated plugins and themes is a self-imposed risk. Did you know that more than one-fourth of WordPress hacks are caused by vulnerabilities in outdated plugins? Sucuri earlier found that the three most commonly used outdated plugins, namely RevSlider, GravityForms and the TimThumb script, were behind the hacks and exploits. Check whether you are using any of these outdated plugins. If any other plugin is outdated, update it right away, or better, remove it once and for all.
You can also take advantage of WordPress security plugins, which provide a reasonable amount of protection for your website. If you run an eCommerce store or any website that needs to protect user data, get an SSL certificate so that traffic is encrypted. It enables HTTPS in the address bar and brings SEO benefits as well as improved customer trust.
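To find out which plugins a site actually has installed and flag the ones named above, here is an added example (not from the original post) that reads the standard WordPress plugin header block from each plugin's main file; the directory slugs, the TimThumb file name and the sample site it builds are assumptions made for the demo.

```python
import os
import re
import tempfile

# Plugins the page names as commonly exploited when outdated. The directory slugs are
# assumptions; TimThumb usually ships as a bundled script, so it is matched by file name.
WATCH_SLUGS = {"revslider", "gravityforms"}
WATCH_FILES = {"timthumb.php"}
# WordPress reads plugin metadata from a comment block in the main file's first 8 KiB
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)

def read_plugin_header(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return dict(HEADER_RE.findall(f.read(8192)))

def audit_plugins(plugins_dir, watch_slugs=WATCH_SLUGS, watch_files=WATCH_FILES):
    """Return {slug: {"name", "version", "flagged"}} for every installed plugin."""
    report = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        info = {"name": slug, "version": "unknown", "flagged": slug.lower() in watch_slugs}
        for root, _dirs, files in os.walk(plugin_dir):
            for fname in files:
                if fname.lower() in watch_files:
                    info["flagged"] = True
                if root == plugin_dir and fname.endswith(".php"):  # main file sits at top level
                    header = read_plugin_header(os.path.join(root, fname))
                    if "Plugin Name" in header:
                        info["name"] = header["Plugin Name"]
                        info["version"] = header.get("Version", "unknown")
        report[slug] = info
    return report

def build_sample_site():
    """Constructed wp-content/plugins tree so the audit can run offline (not a real site)."""
    plugins = os.path.join(tempfile.mkdtemp(), "wp-content", "plugins")
    samples = {  # versions are placeholders, not real release numbers
        "revslider/revslider.php": "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 1.0.0\n*/\n",
        "hello-dolly/hello.php": "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.0.0\n */\n",
        "my-theme-tools/inc/timthumb.php": "<?php // stand-in for a bundled TimThumb copy\n",
    }
    for rel, body in samples.items():
        path = os.path.join(plugins, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return plugins
```

Run `audit_plugins` against a real `wp-content/plugins` directory and compare the reported versions with the current releases on wordpress.org; anything flagged or behind deserves an update or removal.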
Change passwords occasionally
There is a popular joke among cybersecurity experts: a password is like a toothbrush. You must choose a good one, never share it with anyone else and change it occasionally. If sharing your toothbrush can damage your dental health, sharing your password can cost you financial loss, damage to your online reputation, identity theft and many other tragedies.
If you own a WordPress website, be prudent and change your login password and admin panel password on a regular basis. Also, never write it down or save it anywhere it can be seen by someone else.
Take backups and put them offline
There are two mistakes that most WordPress website owners make. First, they do not take regular incremental backups. Second, even if they do, they make the mistake of storing them on another online medium.
The right way to keep your data backed up and safe is to schedule the backups; several WordPress extensions can take care of that. You then need an offline storage system where all the data is kept. Taking it offline prevents the backup from being breached with online hacking techniques.
Don’t go easy with passwords
We know how difficult it is to remember stuff, especially passwords made up of a combination of letters and numbers. And when you have to remember passwords for too many accounts, you are going to have trouble remembering everything. The 'Forgot password' button is going to be your best friend.
Nevertheless, don't go easy with passwords. Always create passwords that are tough to crack. To make them easy to remember, use a phrase or a quote and add a few numbers and symbols to it. That should take care of your password-forgetting issue.
Put a cap on failed login attempts
Failed login attempts happen all the time. But most of us get it right on the third or fourth try; otherwise, we recover the password using our email. A hacker has neither of these options, so they keep trying multiple usernames and passwords, attempting to break into your account by brute force.
Brute-force attacks can be prevented by limiting the number of failed login attempts. If a user fails to log into the website within the first few attempts (usually 3 or 5), lock them out from trying again on the same day. You can also set up two-factor authentication to ensure that only someone with both the password and the OTP can access the account. This will prove to be of immense help in protecting admin accounts from being compromised.
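The lockout rule described above, as an added example that is not part of the original post or of any WordPress plugin: failures are counted per username and source address, the pair is locked out for the rest of the calendar day once the cap is hit, and the limiter is replayed over a constructed login log to show each decision.

```python
from datetime import datetime

class LoginLimiter:
    """Lock a (username, source IP) pair out for the rest of the day after max_failures."""
    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self._failures = {}  # (user, ip) -> (day, failures that day)
        self._locked = {}    # (user, ip) -> day the lockout was imposed

    def is_locked(self, username, ip, now):
        key = (username.lower(), ip)
        if key in self._locked and now.date() > self._locked[key]:  # lock ends with the day
            del self._locked[key]
            self._failures.pop(key, None)
        return key in self._locked

    def attempt(self, username, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed'; a locked pair is refused even with the right password."""
        if self.is_locked(username, ip, now):
            return "locked"
        key = (username.lower(), ip)
        if password_ok:
            self._failures.pop(key, None)  # a success resets the counter
            return "ok"
        day, count = self._failures.get(key, (now.date(), 0))
        count = count + 1 if day == now.date() else 1
        self._failures[key] = (now.date(), count)
        if count >= self.max_failures:
            self._locked[key] = now.date()
            return "locked"
        return "failed"

# Constructed login log, one attempt per line: "<timestamp> <user> <source ip> <FAIL|OK>"
SAMPLE_LOG = """
2024-03-01T10:00:01 admin 203.0.113.7 FAIL
2024-03-01T10:00:02 admin 203.0.113.7 FAIL
2024-03-01T10:00:03 admin 203.0.113.7 FAIL
2024-03-01T10:00:04 admin 203.0.113.7 OK
2024-03-01T11:00:00 editor 198.51.100.5 FAIL
2024-03-01T11:00:10 editor 198.51.100.5 OK
2024-03-02T09:00:00 admin 203.0.113.7 OK
"""

def replay(log_text, max_failures=3):
    limiter = LoginLimiter(max_failures)
    decisions = []
    for line in log_text.strip().splitlines():
        ts, user, ip, outcome = line.split()
        decisions.append(limiter.attempt(user, ip, outcome == "OK", datetime.fromisoformat(ts)))
    return decisions
```

Because the counter is keyed on the source address, attempts spread across many addresses are not caught by it alone, which is why the two-factor authentication mentioned above belongs alongside the lockout rather than instead of it.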
Running a website of your own is difficult enough. Add security woes and your peace of mind can go for a toss. Despite its shortcomings, WordPress does come with a host of security provisions that you can use to secure your WordPress blog.
We have outlined some such security measures above. They are the basic essentials you must cover. In the longer run, as the number of websites you manage increases, you can turn them into a checklist to ensure that all security gaps are properly filled.
What other security measures do you take to secure your WordPress website? Feel free to let us know.