It’s still a misconception that when you pay for a web domain and a hosting service, you’re set up in your own little private corner of the internet— as if you were buying physical property. But just like you are at risk of break-ins in your home or work, as the owner of a website you are also at risk of security breaches.
Did you know that 73% of all Americans have fallen victim to some type of cybercrime, and 47% have had their personal information exposed by hackers (Stopthehacker.com)? That’s a lot of Americans who have been victims of online security breaches.
Everyone is at risk— big corporations, small businesses, individuals, even governments. That became evident in the recent US election when Russians broke into both the DNC and the RNC. The FBI now considers cybercrime as one of its top priorities.
No one is immune to cybercrime. So as a website owner, you are responsible for keeping your site safe from hackers. This can seem like a very daunting task considering how skilled hackers are becoming. But there are still steps you can take to securing your site, particularly as a WordPress site owner.
Securing your WordPress Site
The following are some critical methods of securing your WordPress site from hackers:
1. Use email as login
An email address is far more secure than a username. Hackers have an easier time predicting usernames, whereas email IDs are more unique. In any case, every WordPress user account is always created with an email address that can be used to validate the login.
2. Set up website lockdown
Have you ever tried to log into an account where you couldn’t remember the correct user ID or password and then been locked out after too many failed attempts? It may be annoying when you’re on the receiving end of a lockdown, but this is an important measure for protection. Establishing a website lockdown for your site is a handy feature because it prevents brute force attempts. Not only is the intruder locked out, but you receive notification of the unauthorized activity.
There’s a plugin that can assist you with setting up lockdown measures for your site called iThemes Security. It allows you to set a limit on failed login attempts and then bans the intruder’s IP address.
3. Change your URL
Hackers have an easier time brute forcing their way into your system when they know the direct URL of your login page. The hacker will try to log in using their Guess Work Database (GWDb), which is full of millions of combinations of usernames and passwords.
Replacing the login URL prevents an unauthorized user from gaining access to the login page altogether. All you have to do is change “wp-login.php” to something more unique such as “login_now_admin.” This will remove the threat of almost all direct brute force attacks.
4. Make use of 2-factor authentication
This is becoming a popular method for protecting logins, and you may already have some familiarity with it for accounts like Google or your online banking site.
As the website owner, you decide which two login details a user must provide to log into their account— email address and phone number, password and security question, etc.
5. Keep WordPress up to date
As WordPress is an open source code, there are always improvements being made to remove bugs and fix security issues. It’s important that you stay on top of the latest version of WordPress by always updating when prompted. An un-updated site is a vulnerable site.
8. Delete the plugins and themes you don’t use
Logically speaking, if you’re not using a plugin or theme, you’re not going to update it. That means you’re leaving yourself vulnerable. So instead of taking that risk, delete the plugin altogether. Note that “deactivating” is not the same as “deleting.”
8. Backup your site regularly
If something ever happens to your live site and you lose data, you’ll be kicking yourself for not backing it up. Do yourself a favor and keep an off-site backup that you update on a regular basis. There are several plugins to help you with this.
9. Remove your WordPress version number
If hackers know the version of WordPress you’re using, it gives them a significant advantage on attacking your site. There’s an option to hide the version number, and the same plugins that can be used to backup your site can also help you do this.
10. Encrypt data using SSL
SSL stands for Secure Socket Layer. An SSL certificate will safeguard the transfer of data between the server and user browsers, which complicates a hacker’s ability to interfere.
Not only are SSL certificates easy to purchase for your WordPress site from your hosting service, but Google’s algorithm ranks SSL certified sites higher in the SERPs. It’s a win-win.
11. Change the admin username
You make it very easy for hackers when you leave your username as “admin.” It’s at the top of the list on GWDbs. Change it to something more unique.
The iThemes Security plugin mentioned above comes in handy for this particular issue because it will immediately ban any IP address that attempts to log in with the “admin” username.
12. Adjust your passwords
It may be easier on you (and your memory) to leave a password as something simple and easy, so you don’t have to look it up every time you want to log in, but if it’s easier for you it’s also easier for hackers.
Change your passwords regularly, using both uppercase and lowercase letters, numbers, and special characters. If you want some help coming up with unique passwords, this password generator is a nifty solution.
13. Download a security scanner plugin
It will put your mind at ease to know just how secure your site is by being able to monitor everything that happens on your website. WordPress offers a free security plugin called Sucuri Scanner which will track failed login attempts, malware scanning, and other file monitoring.
It’s not difficult to put proper security measures in place to protect your WordPress site from cybercrime. Make sure you put all of these tips into effect so that you can minimize your risk of attack. If you need any assistance in securing your WordPress site, Bright Vessel is here to help.