As you well know, WordPress is the most popular content management system in the world. It powers 23% of the web, with over 60 million users worldwide. That popularity has served it well in some regards – it hosts a thriving development community with scores of passionate users coding plugins and helping one another out with technical problems.
Unfortunately, WordPress’s popularity also means it’s the top target for online ne’er-do-wells. Why else would we hear about a new vulnerability on a near-weekly basis, and why else would there constantly be new security threats to protect against? Hackers target WordPress because it’s the most visible target, and because its high volume of users means that shotgun-style attacks have the greatest chance of success.
What that means for you is that if you don’t take the necessary steps to secure your installation, you’re going to end up paying dearly for it. That’s where we come in. Today, we’re going to go over some of the steps involved in safeguarding your CMS.
Let’s get started.
Back Up Your Stuff
First things first – you need to make sure you’re running regular, automated backups. Even if you aren’t targeted by a criminal or infected by malware, there’s a chance a glitch in either your installation or your host’s hardware could cause data loss. If something like that happens, you need a backup to restore your site.
Without one, you’re going to be left picking up the pieces after something goes wrong.
Always Limit Access
The fewer people who have access to your site, the better. Tech Insider recommends that you serve administrative pages and functions over SSL (HTTPS), lock down access to the wp-config.php file, and encrypt cookies to protect against cookie hijacking. You should also consider limiting the IP addresses that can access your admin folder, and track usage and login attempts.
Where user accounts are concerned, make sure you’re only giving each user the permissions they absolutely need to do their job. A content creator doesn’t need access to your configuration files, and an SEO professional may not need administrative privileges. Giving users the lowest level of access they need to do their job guards against both user error and malice, and it limits the number of administrative accounts that can be compromised.
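As an added illustration of two of the recommendations above (restricting who can reach the admin area by IP address, and tracking login attempts), here is a small must-use plugin. It is example code written for this article, not part of WordPress or any named plugin; the allowlisted addresses are constructed placeholders and the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Admin IP Allowlist and Login Audit (hypothetical example)
 * Place this file in wp-content/mu-plugins/ so WordPress loads it on every request.
 */

// Constructed example addresses (TEST-NET ranges): replace with your office or VPN IPs.
const EXAMPLE_ADMIN_ALLOWED_IPS = [ '203.0.113.10', '198.51.100.25' ];

function example_client_ip(): string {
    // Only REMOTE_ADDR is trusted. Behind a reverse proxy, have the web server
    // set it from the proxy's header; never read X-Forwarded-For directly here.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_block_admin_from_unknown_ip(): void {
    // Admin-ajax and cron requests also pass through wp-admin; leave those working.
    if ( wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    $ip = example_client_ip();
    if ( ! in_array( $ip, EXAMPLE_ADMIN_ALLOWED_IPS, true ) ) {
        error_log( sprintf( 'wp-admin access denied for %s on %s', $ip, $_SERVER['REQUEST_URI'] ?? '' ) );
        wp_die( 'Access denied.', 'Forbidden', [ 'response' => 403 ] );
    }
}
// login_init fires on wp-login.php, admin_init on every wp-admin page.
add_action( 'login_init', 'example_block_admin_from_unknown_ip' );
add_action( 'admin_init', 'example_block_admin_from_unknown_ip' );

function example_log_failed_login( string $username ): void {
    // The username is attacker-controlled input: strip tags and line breaks
    // before it goes into the log so a single entry cannot forge extra lines.
    $clean = sanitize_text_field( $username );
    error_log( sprintf( 'Failed login for "%s" from %s', $clean, example_client_ip() ) );
}
add_action( 'wp_login_failed', 'example_log_failed_login' );

function example_log_successful_login( string $user_login, WP_User $user ): void {
    error_log( sprintf( 'Login for "%s" (ID %d) from %s', $user_login, $user->ID, example_client_ip() ) );
}
add_action( 'wp_login', 'example_log_successful_login', 10, 2 );
```

Entries go to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on), where repeated failures from one address stand out and can feed whatever alerting or blocking you run.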
Keep Everything Up To Date
Always pay attention to security advisories and updates – they exist for a reason. While you can probably postpone purely cosmetic updates to the WordPress platform, you cannot put off updating your plugins or installing security patches to your site. It’s imperative that you regularly check for new bugfixes and hotfixes, and then install them as soon as possible. Failure to do so leaves you wide open to attack.
Don’t Be Stupid With Your Usernames And Passwords
If your administrator account name is ‘admin’ — which it is by default — and your password is ‘password,’ then I’ve some bad news for you: your WordPress site is probably going to get hacked sooner rather than later. Change your username to something a hacker cannot easily guess or discover, and make sure your password includes a combination of numbers, letters, and symbols – the longer it is, the better.
Install Extra Security
WordPress core is fairly secure, true – but that doesn’t mean you have anything to lose by adding a bit of extra protection on your own. There are plenty of top-notch security plugins out there, covering brute force protection, malware scanning, and spam protection. Go over what’s available, and install the ones you think you’ll need.
Be Careful Where You Download Your Plugins
I’ve lost count of the number of vulnerabilities tied to third-party plugins or untrusted sites. When installing plugins to your WordPress platform, always make sure you’re installing them from a trusted source. A pirated plugin very often contains backdoors or malicious code – installing one is simply asking for trouble.
WordPress might not be insecure, but it’s still the most popular content management system on the web. That makes it an immensely popular target for cybercriminals. If you’re not doing everything you can to protect your site, then you’ve only yourself to blame if it gets hacked.