How to make your WordPress website more secure

I’ve just had a very interesting conversation with a developer who believed that WordPress being the most popular CMS on the Internet is its weakness: its popularity is exactly what makes hackers go looking for its weak spots.

Let me tell you – he was right!

Scary thought, right? But let’s take a step back and analyse what that means.

Every CMS has its weak spots

Yep, WordPress, Joomla and Drupal (to name the main players) all have security holes. But, to be fair to them, so do Apple, Microsoft, Sun Microsystems, Oracle, the Pentagon… And because WP relies on a large community of developers and users, security holes are usually identified and patched quickly. Enter the first piece of advice: keep your WP core up to date!

Brute force

Just as scary as it sounds: a hacker hitting your login script over and over until they guess your admin credentials, then wreaking havoc on your website in ways you don’t even want to imagine. Just to give you one scary example:

John is looking for a “used ford galaxy in York” in Google. And here’s your website coming up as #2 (well done by the way). He clicks on the link and… ooops… He didn’t want any viagra….

Let’s be honest – if the Pentagon can get hacked, so can you. But online security is about minimising the chances. If you still keep your main administrator user name as “admin”, you’ve already given away half of your credentials. And even if you don’t, it doesn’t really matter that much, because for a skilled person (or script) all it takes is to ask your website for www.yourwebsite.co.uk/?author=1 and, guess what, WordPress redirects it to www.yourwebsite.co.uk/author/mysecretname/, where “mysecretname” is the admin’s user slug, which WordPress derives from the login name unless you change it. Simple, isn’t it?

Especially since most brute force attempts target the default login page at /wp-login.php… But what if your login page isn’t there?

There are plugins like Shield WordPress Security that can help you with that. WordPress also encourages you to use complicated passwords but, hey, we know how much you like “password12345”. Just do yourself a favour and don’t. Cleaning up the mess after a website hack can be expensive and embarrassing (when you have to send an email to your 1,281 subscribers to say that you really don’t have viagra on offer).
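The two probes described above (the /?author=1 lookup and the flood of POSTs to /wp-login.php) leave an obvious trail in your web server’s access log. The Python script below is an added example written for this article, not code from WordPress, Shield or any other plugin; it scans constructed Apache “combined” format log lines for both patterns. One caveat it builds in: WordPress answers a failed login with HTTP 200 (the form is simply re-rendered with an error message) and a successful one with a 302 to wp-admin, so you cannot find failed logins by grepping for 401 or 403.

```python
"""Spot WordPress author enumeration and wp-login.php brute force in an
Apache/nginx "combined" access log. Added example for this article, not
code from WordPress or any plugin; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# One combined-format line: ip, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2023:13:55:36 +0000

# Constructed sample: 203.0.113.7 enumerates the admin slug, then hammers the
# login form; 198.51.100.4 is a real admin logging in (302); 203.0.113.9 only
# fails twice, two minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /author/mysecretname/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.7 - - [10/Oct/2023:13:55:46 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.7 - - [10/Oct/2023:13:55:48 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
198.51.100.4 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
203.0.113.9 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.9 - - [10/Oct/2023:14:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
"""


def parse_line(line):
    """Return ip, ts (datetime), method, path, status for one combined-format
    line, or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def author_enumeration_ips(lines):
    """IPs that requested /?author=N. WordPress answers with a 301 to
    /author/<slug>/, leaking the user slug, so the probe itself is the signal."""
    hits = set()
    for rec in filter(None, map(parse_line, lines)):
        if "author" in parse_qs(urlsplit(rec["path"]).query):
            hits.add(rec["ip"])
    return hits


def login_bruteforce_ips(lines, threshold=5, window_seconds=60):
    """Map ip -> highest number of failed wp-login.php POSTs inside any
    sliding window of window_seconds, for IPs that reach threshold.
    A failed login is a POST answered with 200 (form re-rendered with an
    error); a success is a 302 to wp-admin, so 401/403 never appear."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if (rec["method"] == "POST"
                and urlsplit(rec["path"]).path.endswith("/wp-login.php")
                and rec["status"] == 200):
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            # shrink the window from the left until it spans <= window_seconds
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("author enumeration from:", sorted(author_enumeration_ips(lines)))
    print("login brute force from:", login_bruteforce_ips(lines))
```

Run it against your real access log (one line per entry) and the attacker in the sample stands out on both counts. If you move the login page as the article suggests, change the path the second function looks for; the detection logic stays the same, and the author probe check is still worth keeping because it fires before the attacker has even found the form.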

There is a plugin for that

Yes, there is, whatever you need. But when you install a plugin make sure it comes from a reputable source, has been installed many times and has good ratings. Those three factors work like a price tag – you usually get what you pay for. And while we’re on that subject, don’t be afraid to pay £30 for a plugin that makes you money. The support is usually great, and if you’re into single malts you can drain £30 over a weekend anyway.

The important point on plugins is this: they extend the functionality of your website, but if they are badly written they can deliver a blow to your business (see the viagra point above). Yes, WP plugins can be a serious weakness of your website, so be careful. And most importantly, keep all your plugins up to date!

Hosting is hosting – £1.99 a month will do

Nope. It won’t. Unless your business makes £200 a year and £23.88 is a significant investment…

Admittedly it all depends on your project and its scale. But terms like bandwidth, SPF, DKIM, SSL/TLS, SSH, firewall, SMTP relay, IP reputation etc. are “a thing”; they affect your business and, trust me, they often don’t come cheap (they certainly don’t sound cheap)!

And the bottom line is that you don’t want (just) hosting. You have a business to run and you don’t want to be bothered with things you can’t even pronounce! That’s why it’s a good idea to team up with people who offer comprehensive infrastructure support aligned with your web requirements.

Final note

There is no denying that satisfying the requirements above may not be enough to keep your website 100% secure (if such a thing exists). But there is also no denying that addressing the issues outlined in this article will protect you from the great majority of WordPress threats and keep your website and your business intact.

If you feel you might be vulnerable and some of the aspects of WordPress security have not been properly taken care of – do give us a ring on 01723 600 445

