Statistics show that there are more than 90,000 security attacks on WordPress sites every minute of every day, with hackers ready to attack businesses and websites of all shapes and sizes.
By its very open nature, WordPress is vulnerable to such attacks, and, therefore, measures need to be taken to strengthen the defences against such unwanted intrusions and threats. Identify what the weakest spots of your site are, and consider how somebody might exploit them.
It is important to understand that, most times, hackers are not specifically searching online for your website (especially if it happens to be brand new or on the smaller side). Many hackers automate the process of sniffing out vulnerabilities by using bots.
These bots detect the entryway and the hackers follow on their heels. Literally any WordPress site can become a victim, so to keep hackers and their bots at arm’s length, it is important to familiarise yourself with the most common weak spots in WordPress and how to address them.
1. Backup your site
While backups are not always all that helpful in recovering from a WordPress hack, they are essential for disaster recovery, especially when it comes to damage to your database, which is where all your site content is stored.
For further information on this, here is a useful guide.
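As an added example (not code from the original article), the script below shows what a minimal scripted backup of the two things the section names looks like: a consistent dump of the database that holds your content, plus an archive of wp-content. It reads the credentials WordPress itself uses from wp-config.php, passes the password to mysqldump through the MYSQL_PWD environment variable rather than on the command line (so it does not show up in the process list), and restricts the resulting files to the owner, since a dump contains every post, user hash and option. The sample wp-config.php fragment is constructed with placeholder credentials, and the paths /var/www/html and /var/backups/wordpress are assumed defaults.

```python
import os
import re
import subprocess
import tarfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample wp-config.php fragment with placeholder credentials (not a real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# Matches define( 'DB_NAME', 'value' ); values that themselves contain quotes are not handled.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_db_settings(config_text):
    """Extract the database settings WordPress reads from wp-config.php."""
    found = dict(_DEFINE_RE.findall(config_text))
    missing = [k for k in DB_KEYS if k not in found]
    if missing:
        raise ValueError(f"wp-config.php is missing {missing}")
    return found


def build_backup_plan(site_root, backup_dir, db, when=None):
    """Describe the backup: a consistent DB dump plus a wp-content archive, both timestamped."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y%m%dT%H%M%SZ")
    host, _, port = db["DB_HOST"].partition(":")
    # --single-transaction gives a consistent InnoDB snapshot without locking the live site.
    dump_cmd = ["mysqldump", "--single-transaction", f"--host={host or 'localhost'}"]
    if port:
        dump_cmd.append(f"--port={port}")
    dump_cmd += [f"--user={db['DB_USER']}", db["DB_NAME"]]
    return {
        "dump_cmd": dump_cmd,
        "dump_path": Path(backup_dir) / f"db-{stamp}.sql",
        "content_dir": Path(site_root) / "wp-content",
        "files_path": Path(backup_dir) / f"wp-content-{stamp}.tar.gz",
    }


def run_backup(plan, db_password):
    """Execute the plan. The password travels via MYSQL_PWD, not argv, so it never shows in `ps`."""
    plan["dump_path"].parent.mkdir(parents=True, exist_ok=True)
    env = {**os.environ, "MYSQL_PWD": db_password}
    with open(plan["dump_path"], "wb") as out:
        subprocess.run(plan["dump_cmd"], stdout=out, env=env, check=True)
    os.chmod(plan["dump_path"], 0o600)  # the dump holds every post, user hash and option
    with tarfile.open(plan["files_path"], "w:gz") as tar:
        tar.add(plan["content_dir"], arcname="wp-content")
    os.chmod(plan["files_path"], 0o600)
    return plan["dump_path"], plan["files_path"]


if __name__ == "__main__":
    site = Path(os.environ.get("WP_ROOT", "/var/www/html"))  # assumed default install path
    db = parse_db_settings((site / "wp-config.php").read_text())
    plan = build_backup_plan(site, "/var/backups/wordpress", db)  # assumed backup location
    print(run_backup(plan, db["DB_PASSWORD"]))
```

Run it from cron on the server (or point WP_ROOT at the install) and copy the two output files off the host; a backup that lives only on the machine that gets compromised is not a disaster-recovery backup.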
2. Check your plugins and themes for continued support
Do not use plugins and themes that are no longer maintained. If your plugin or theme has not been updated in a year, replace it. This is a particularly common problem with themes: many developers are fly-by-night and do not stick around for more than a couple of years to support their theme.
When you shop for a theme or plugin, look for one with current support requests that have been answered in a timely manner, good star ratings, and recent and frequent updates.
WordPress premium themes often come bundled with third-party plugins. The theme developer may or may not provide timely updates for these bundled plugins, which may mean that even if the theme itself is secure, the “bundled” plugins could be vulnerable to attack.
If you purchase a premium theme that comes bundled with premium plugins, purchase these separately so you can be notified of updates to those plugins specifically and not rely on a theme developer to keep you safe.
3. Consider upgrading your web hosting company
If you are at all concerned that your current web hosting company is not taking the security of your data seriously enough, consider upgrading to one that routinely undertakes security scans and will clean up your site if it is hacked.
4. Do not login on public Wi-Fi networks
If you log in to your WordPress site on a public network, you are essentially giving your login credentials away to anyone else on the network who might be running packet-sniffing software. If you do not have an SSL certificate installed on your site (which encrypts your username and password in transit), use a Virtual Private Network (VPN) service to encrypt your traffic on the network. Use a VPN even if you do have an SSL certificate on your site, as it is good practice to stay inside a virtual private network on any public network.
5. Install an SSL certificate
SSL certificates are small data files that digitally bind a cryptographic key to an organisation’s details. When installed on a web server, they activate the padlock and the https protocol, and allow secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfers and logins, and, more recently, is becoming the norm for securing browsing of social media sites.
On a WordPress site, an SSL certificate encrypts the data that you and visitors to your site transfer, such as when submitting contact forms or using login pages. Having SSL installed on your site allows you to log in securely (via https) while travelling. Many hosts offer this for free, and you can use the Really Simple SSL plugin to force your content to use https.
There are online marketing benefits to having an SSL certificate as well, as it gives customers peace of mind that yours is a safe site with which to do business.
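A certificate only protects logins while it is valid and while WordPress actually uses it, so two checks are worth automating. The added example below (my own code, not from the article or the Really Simple SSL plugin) opens a fully verified TLS connection to a host and reports how many days remain on its certificate, and separately checks whether wp-config.php sets FORCE_SSL_ADMIN, the real WordPress constant that forces the dashboard and login page over https. The hostname example.com is a placeholder; the certificate date strings in the test are constructed.

```python
import re
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert_not_after(hostname, port=443, timeout=5.0):
    """Open a verified TLS connection and return the leaf certificate's notAfter string.

    create_default_context() validates the chain and the hostname, so a self-signed or
    mismatched certificate raises ssl.SSLCertVerificationError instead of being reported as fine.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def _to_utc(value):
    """Accept a datetime or a certificate time string such as 'Jun  1 12:00:00 2025 GMT'."""
    if isinstance(value, datetime):
        return value
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on the certificate; `now` may be a datetime or a cert-time string."""
    current = _to_utc(now) if now is not None else datetime.now(timezone.utc)
    return (_to_utc(not_after) - current).days


def cert_status(days_left, warn_days=14):
    """Map days remaining to an operational verdict."""
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "renew now"
    return "ok"


# FORCE_SSL_ADMIN is a real WordPress constant: define('FORCE_SSL_ADMIN', true); in wp-config.php
_FORCE_SSL_RE = re.compile(r"""define\(\s*['"]FORCE_SSL_ADMIN['"]\s*,\s*true\s*\)""", re.I)


def forces_ssl_admin(wp_config_text):
    """True when wp-config.php forces the dashboard and login over https."""
    return bool(_FORCE_SSL_RE.search(wp_config_text))


if __name__ == "__main__":
    host = "example.com"  # placeholder hostname
    days = days_until_expiry(fetch_cert_not_after(host))
    print(host, days, cert_status(days))
```

Running the expiry check from a daily cron job turns a silent certificate lapse (and the browser warnings that would push visitors to click through or leave) into an alert two weeks ahead of time.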
6. Keep your server clean
Delete any unused versions of WordPress on your server, along with unused WordPress files, plugins, themes, etc., even if they are not active or not even associated with your current install, as they can be exploited.
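Old copies of WordPress tend to accumulate as "site-old" folders and zipped backups inside the web root, where they are reachable by URL and are never updated. The added example below (my own code, not from the article) scans a document root for every WordPress core install, identified by the wp-includes/version.php file that core ships with, reads each one's version, and lists every install that is not the one you actually serve, together with any archive or SQL dump left inside the web root. The demo() function builds a constructed directory layout in a temporary folder so the scan can be tried offline.

```python
import re
import sys
import tempfile
from pathlib import Path

# Core's wp-includes/version.php contains a line like: $wp_version = '6.5';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz")


def find_wordpress_installs(docroot):
    """Map every WordPress install root under docroot to its core version."""
    installs = {}
    for vfile in Path(docroot).rglob("version.php"):
        if vfile.parent.name != "wp-includes":
            continue
        match = _VERSION_RE.search(vfile.read_text(errors="replace"))
        installs[vfile.parent.parent] = match.group(1) if match else "unknown"
    return installs


def stray_installs(docroot, primary):
    """Every install that is not the one you serve: each is an unpatched copy of core."""
    primary = Path(primary).resolve()
    return {root: ver for root, ver in find_wordpress_installs(docroot).items()
            if root.resolve() != primary}


def stray_archives(docroot):
    """Backups and dumps inside the web root can be downloaded by anyone who guesses the name."""
    return [p for p in Path(docroot).rglob("*")
            if p.is_file() and p.name.lower().endswith(ARCHIVE_SUFFIXES)]


def _write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Build a constructed docroot in a temp dir and return what the scan flags (relative paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "wp-includes" / "version.php", "<?php\n$wp_version = '6.5';\n")
        _write(root / "old" / "site-2022" / "wp-includes" / "version.php",
               "<?php\n$wp_version = '5.9.3';\n")
        _write(root / "backup.zip", "constructed placeholder, not a real archive")
        strays = {str(r.relative_to(root)): v for r, v in stray_installs(root, root).items()}
        archives = sorted(str(p.relative_to(root)) for p in stray_archives(root))
        return strays, archives


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <docroot> <primary-install-root>
        for root, ver in stray_installs(sys.argv[1], sys.argv[2]).items():
            print(f"stray WordPress {ver} at {root}")
        for path in stray_archives(sys.argv[1]):
            print(f"archive in web root: {path}")
    else:
        print(demo())
```

Treat every hit as something to remove or move outside the web root; an old copy of core is a fully working, unpatched application that your security plugin and update routine never look at.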
7. Use strong, unique passwords
Any spot on the back end or front end of your WordPress site that requires a login and password is a prime area for targeting. This includes the main WordPress login area, comment boards, and e-commerce accounts or payment gateways. Hackers know that users are not always inclined to create a unique and strong password for every account they have online, which is why login forms will be among their first targets on your WordPress site.
You can no longer use the same password on every internet account and get away with it. Instead, create passwords that are long, complex and obscure, and change them frequently. Use a password manager like 1Password to keep track of all your passwords.
8. Protect your computer and home network
Run virus scans regularly, especially if you run Windows. Be careful of the sites you visit: you can inadvertently give your WordPress login away through a keystroke-logging trojan that steals your passwords as you type them. Protecting your computer is often about not visiting websites that are distributing malware. But even known sites, such as a friend’s blog, could be hacked, so you need some protection wherever you go on the web.
9. Run a WordPress security plugin
Run a specially designed WordPress security plugin. Such plugins offer a wide range of features to make your WordPress blog secure from known threats, and they keep their services updated with protection against the latest exploits and threats.
10. WordPress Plugins
WordPress plugins account for over 50% of all security attacks on WordPress websites.
There are generally two ways in which WordPress plugins can create difficult situations:
- When they are updated by the developer, but you do not make the upgrade on your site (or do it in a timely fashion); or
- When you unknowingly add a fake WordPress plugin to your site.
It is, therefore, essential that you update your plugins as soon as a new version is released, and also that you only install recognised plugins from an approved WordPress vendor.
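The three plugin checks this section and section 2 ask for (is it out of date, has it been abandoned for a year, and does it come from the official directory at all) can be run against an install in one pass. The added example below (my own code, not from the article or from WordPress) reads the Plugin Name and Version headers from each plugin's main file under wp-content/plugins, looks the directory name up with the public wordpress.org plugin-info API, and reports each plugin as outdated, unmaintained, or absent from the directory. Assumptions: the endpoint https://api.wordpress.org/plugins/info/1.0/SLUG.json returns JSON with "version" and "last_updated" (a string such as "2024-02-08 3:34pm GMT") and answers 404 for unknown slugs; the sample plugin file and directory record are constructed and the plugin is hypothetical.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone
from pathlib import Path

# WordPress reads plugin metadata from "Plugin Name:" / "Version:" header lines in the main .php file.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample main plugin file (hypothetical plugin, not a real one).
SAMPLE_PLUGIN_FILE = """<?php
/*
 * Plugin Name: Sample Contact Widget
 * Version: 1.2.0
 */
"""
# Constructed directory record in the shape the wordpress.org API is assumed to return.
SAMPLE_DIRECTORY_INFO = {"version": "1.3.1", "last_updated": "2022-01-15 10:00am GMT"}


def parse_plugin_header(text):
    return dict(_HEADER_RE.findall(text))


def fetch_directory_info(slug, timeout=5.0):
    """Ask the public wordpress.org plugin-info API about a slug; None if it is not listed."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # assumed: unknown slugs answer 404
            return None
        raise
    return data if isinstance(data, dict) and "version" in data else None


def version_tuple(v):
    """'1.10.2' -> (1, 10, 2); non-numeric parts count as 0 so comparison stays numeric."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def _as_utc(value):
    """Accept a datetime or a 'YYYY-MM-DD' string (the API's last_updated starts that way)."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def assess_plugin(installed, directory, now=None, stale_days=365):
    """One verdict per plugin: absent from the directory, outdated, unmaintained, or ok."""
    if directory is None:
        return "not in the wordpress.org directory: verify where it came from"
    current = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    findings = []
    if version_tuple(directory["version"]) > version_tuple(installed["Version"]):
        findings.append(f"outdated ({installed['Version']} -> {directory['version']})")
    last = _as_utc(directory["last_updated"])
    if (current - last).days > stale_days:
        findings.append(f"unmaintained (last updated {last.date()})")
    return "; ".join(findings) or "ok"


def audit_plugins_dir(plugins_dir, lookup=fetch_directory_info, now=None):
    """Walk wp-content/plugins; each folder name is the slug WordPress installed it under."""
    report = {}
    for plugin_dir in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        header = {}
        for php in plugin_dir.glob("*.php"):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in header:
                break
        if "Version" not in header:
            report[plugin_dir.name] = "no plugin header found: inspect manually"
            continue
        report[plugin_dir.name] = assess_plugin(header, lookup(plugin_dir.name), now)
    return report


if __name__ == "__main__":
    for slug, verdict in audit_plugins_dir("/var/www/html/wp-content/plugins").items():
        print(f"{slug}: {verdict}")
```

Premium plugins are not in the directory, so they will show up as "not in the wordpress.org directory"; that is the cue to confirm you bought them from the vendor directly and are on the vendor's update notifications, as section 2 recommends. The lookup parameter exists so the audit can be run against a saved snapshot of directory data rather than the live API.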