With over 1 billion websites on the internet, WordPress remains the most popular web publishing platform. Its popularity is attributable to the fact that it is one of the most user-friendly platforms. Hence, it comes as no surprise that many organizations and individuals have opted to build their websites on WordPress.
However, popularity comes with a price. WordPress websites have been increasingly at the receiving end of malicious cyber attacks. In fact, a 2014 report by WP White Security revealed that of more than 40,000 WordPress sites in Alexa’s Top 1 Million websites in the world, over 70% were vulnerable to cyber threats.
Even if your website is not especially popular, it can still be exposed to cyber attacks for various reasons. So although your website may not attract vast amounts of traffic like BuzzFeed or the Huffington Post, it still pays to play it safe.
Here are 5 key steps you can take to make your WordPress site more secure:
- Choose a good hosting company
Research shows that over 40% of hacked websites were compromised through vulnerabilities in the hosting platform. Before hosting your website, read reviews of the various hosting providers thoroughly. Here are some important questions to ask when selecting a hosting company:
- Are their servers optimized for WordPress sites?
- Do they offer support for the newest versions of MySQL and PHP?
- Do they have advanced malware detection capabilities?
- Does the service come with firewall protection optimized for WordPress?
- How efficient is their support service?
- Is their staff up-to-date on the latest WordPress security concerns?
- Do they offer regular (preferably daily) backups?
When starting out, it may be tempting to select a hosting company based on their pricing. But in the long run, it is not a safe approach. After all, with your website, you are building your online presence and you just cannot leave it to chance.
- “Admin” as a username is a strict
Although this is a simple step, it is often the most overlooked. When you build your WordPress site, the default login credentials you are given use “admin” as the username. Most cyber attacks are aimed at your wp-admin access point: they try “admin” as the username and run through many password combinations to find yours.
Create a new user (Users > New User) with a unique username and a complex password. Then delete the user account whose username is “admin,” and you are done. If you are asked what should happen to the content created under the username “admin,” simply assign it to the new user you created.
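The password-guessing pattern described above leaves a clear trace in the web server's access log: many POST requests to the login page from one client. The following is an added example, not part of the original post. It counts failed login POSTs to /wp-login.php per client IP over a few constructed Apache-style log lines and flags any source above a threshold; the sample lines, the threshold and the status-code convention (failed login re-renders the form with 200, successful login redirects with 302) are assumptions about a stock WordPress install.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Extracts client IP, HTTP method, request path and status code from one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def count_failed_logins(log_text):
    """Return {ip: number of failed login attempts} for the given access-log text.

    Assumption: a failed POST to /wp-login.php re-renders the form (status 200),
    while a successful one redirects to the dashboard (status 302), so only
    200 responses to login POSTs are counted as failures.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        path = m["path"].split("?")[0]  # ignore query strings such as ?action=lostpassword
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            counts[m["ip"]] += 1
    return dict(counts)

def flag_bruteforce(log_text, threshold=3):
    """Return the sorted list of IPs with more failed logins than the (assumed) threshold."""
    return sorted(ip for ip, n in count_failed_logins(log_text).items() if n > threshold)

if __name__ == "__main__":
    for ip in flag_bruteforce(SAMPLE_LOG):
        print(f"possible login brute force from {ip}")
```

On a live site, feed the real access log to `flag_bruteforce` and use the result to tune a rate limit or a login-lockout plugin rather than acting on a single hit.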
- Use a complex password
Do yourself a favor and refrain from using common passwords such as “123456” or “password.” When it comes to securing your login credentials, your password is possibly the most important line of defense against hackers (along with your username). A good password combines the following elements:
- A mix of uppercase and lowercase letters
- Numbers (e.g. 1, 2, 3)
- Symbols (e.g. @, $, %, _)
- A length of 10 to 20 characters
- Never reused for more than one account
- Changed regularly
If you struggle to come up with one, use a password manager such as 1Password and lay your worries to rest.
- Enhance security with two-factor authentication
Two-factor authentication adds another layer of security against attackers who manage to get past your initial login credentials. Although a bit of a hassle, the security benefit it offers cannot be overstated. Two-factor authentication is standard for most major services (think Gmail, PayPal).
This form of security works by requiring more than one piece of evidence to log in. Typically this is your username and password, complemented by a one-time access code or PIN sent to your mobile device; all of these are needed to gain access. As a result, an attacker who has obtained your username and password will also need your mobile device to get into your WordPress site.
- Grant access to others on a case by case basis
When your team members or any trusted third party require access to your site, grant it on the basis of least privilege. Under this principle, you give administrative permission only to:
- Those who need it
- When they have an immediate task to fulfill
- For as long as the task takes
Once the task is completed, remove that user’s admin rights. Also, when it comes to your team, most tasks do not require admin rights, so not everyone needs them.
Although the above is not an exhaustive list of things you can do to make your WordPress site more secure, it gives you a good starting point and puts you well ahead of many others. Also, remember to back up your data regularly so that you are prepared for the worst.