9 Ways To Ensure Your WordPress Security

18 May 2016

You may have heard some horror stories from WordPress website owners that have been badly burnt by notorious hackers – and I’m sure their stories are pretty horrific! But another thing I’m almost certainly sure of is that they will have blamed the hack on WordPress being an ‘insecure platform’. Well, I’m going to try and bust that myth in this article!

The truth is, it’s not WordPress that is the problem… It’s the website owner. More often than not, hackers get into WordPress websites through totally preventable security flaws, such as poor passwords and out-of-date plugins and themes.

Popularity of WordPress

According to a recent study carried out by DMR, WordPress currently powers a whopping 26% of all websites! That’s approximately 37 million websites worldwide.

In fact, WordPress is so popular that some of the biggest names in the music industry are using it! Pop giants include the likes of Queen Bey and her beloved rapper hubby, Jay-Z, as well as pop-princess Katy Perry, and rock sensations, The Rolling Stones! WordPress is also used by some of America’s most influential news outlets and publications, such as The New York Times, CNN and Forbes.

Why do hackers target certain websites?

Hackers have targeted websites that are built on extremely popular platforms for years. If a serial hacker wants to take over a number of websites, for whatever perplexing reason, they are going to target a platform hosting millions of websites. But it’s not just WordPress; hackers target all other popular CMS platforms too, including Joomla and Drupal. Why? Because hackers know that a lot of website users either neglect, or don’t know how, to update their website’s security.

So why WordPress? Well to put it simply, WordPress has the most number of users. By targeting a platform as popular as WordPress, cyber snakes know it won’t be hard to find a vulnerable website!

Here are 9 ways to ensure WordPress security

1. Don’t choose an obvious username

When installing WordPress, you were probably given the default username, ‘Admin’. Even though you’ll have been given the option to change this at the start – if you’re like the majority of WordPress website owners – you’ll have probably just kept ‘admin’ for ease.

Simple usernames such as ‘admin’ or even the name of your business are a hacker’s paradise, because they’re so obvious. And the likelihood is, if you’ve chosen an easy username, you’ve probably chosen an easy password too!

2. Create a secure password

An easy password combined with a simple username is just a recipe for disaster! If, like a lot of people, you’re guilty of having the same password for every online portal, social media profile and eCommerce website you’ve ever visited, chances are you’re a super easy target!

You should choose an alphanumeric password, meaning a combination of letters and numbers. To ensure your password is extra secure, you could add a mixture of upper and lowercase letters, and even symbols such as asterisks, hyphens and percentage signs. Basically, the more complex the password, the more secure it is – just make sure you can remember it!

3. Secure your login path

The login path of your website is the URL that you type into your browser to gain access to your website’s login page. A typical WordPress login path might look something like this: www.mywebsite.com/wp-admin.php

This is just a minor stepping stone to securing your site, but making it difficult for a hacker to find where to login to your website is a good start!

You can create custom login URLs using the WordPress Stealth Login plugin.

4. Keep WordPress up-to-date

Although WordPress is already pretty secure as a platform, some of the older versions are open to vulnerabilities and security threats. Security improves with each version of WordPress, and the tech whiz-kids over at WordPress HQ – also known as the hacking gurus – are always looking for new ways to improve security!

Unfortunately, if your website is running on an old version of WordPress you are leaving your website open to hackers, so make sure you update it at every given opportunity.

5. Ensure your plugins and themes are up-to-date

WordPress offers an abundance of installations including plugins and themes to help enhance the performance of your website. With each update comes a neat little package of new features, bug fixes and security fixes.

Many website admins and owners simply don’t bother to update WordPress installations for fear of them breaking or changing the appearance of the site. However, this can pose major security threats in the long-run, as hackers tend to target the security weaknesses in older installations.

6. Choose SFTP over FTP

To put it simply, SFTP is secure and FTP is not. FTP wasn’t designed with security in mind when it first came into play around 30 years ago. However, as technology becomes more advanced, so do the hackers, and the need for a more secure way of transferring files becomes apparent!

SFTP is encrypted – or in other words, it’s completely hacker-proof! Whereas if a sneaky hacker gets hold of your FTP login details – just like if they got hold of your password – you’re pretty much screwed!

7. Install a firewall plugin

WordPress offers a library full of firewall plugins to help prevent attacks from hackers. Firewall plugins help protect your WordPress website by blocking potentially dangerous, harmful or suspicious users. We would recommend Sucuri or Wordfence.

You can find out more information about how firewalls work from Comodo.

8. Don’t give permissions to everyone who’ll be updating your website

There are five different WordPress user roles, all with different levels of access and capabilities. An admin role is the highest level and gives the user full power and control over the website, including writing, publishing and editing all posts, adding and removing users, and controlling plugins and themes.

It is important to grant full permissions only to users that you know and trust. Don’t grant permissions to the nuisance web developer who sent you a spam email claiming he can fix your SEO for £100, because the chances are:

  1. He can’t fix your SEO – in fact he will probably make it ten times worse
  2. He’s an untrustworthy, good-for-nothing hacker!
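As an added example (not part of the original article), the following script audits a user export for the two account problems covered in points 1 and 8: the obvious ‘admin’ username and administrators you may not know or trust. The input format is modelled on wp-cli’s `wp user list --format=json` output but the data below is constructed; the trusted-domain list is an assumption you would replace with your own.

```python
import json

# WordPress's five built-in roles, most to least privileged (the multisite-only
# Super Admin is not represented in a single-site export).
ROLE_RANK = {"administrator": 4, "editor": 3, "author": 2,
             "contributor": 1, "subscriber": 0}

# Usernames that are trivial to guess; "admin" is WordPress's historical default.
OBVIOUS_USERNAMES = {"admin", "administrator", "root", "test", "user"}

# Constructed sample, shaped like `wp user list --format=json
# --fields=ID,user_login,user_email,roles` (a real export would come from your site).
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "owner@example.com",
     "roles": "administrator"},
    {"ID": 2, "user_login": "jane", "user_email": "jane@example.com",
     "roles": "editor"},
    {"ID": 3, "user_login": "seo-guy", "user_email": "seo@fix-your-seo.example",
     "roles": "administrator"},
    {"ID": 4, "user_login": "guest", "user_email": "g@example.com", "roles": ""},
])


def audit_users(export_json, trusted_domains=("example.com",)):
    """Return the administrator logins and a list of (login, issue) findings."""
    admins, findings = [], []
    for user in json.loads(export_json):
        login = user["user_login"]
        # wp-cli joins multiple roles with commas; rank by the most privileged one.
        roles = [r for r in user.get("roles", "").split(",") if r]
        top = max(roles, key=lambda r: ROLE_RANK.get(r, -1), default=None)
        if login.lower() in OBVIOUS_USERNAMES:
            findings.append((login, "obvious username"))
        if not roles:
            findings.append((login, "no role assigned"))
        if top == "administrator":
            admins.append(login)
            # An admin whose e-mail is outside the domains you control is the
            # "nuisance web developer" case: full control granted to a stranger.
            domain = user["user_email"].rsplit("@", 1)[-1].lower()
            if domain not in trusted_domains:
                findings.append((login, "administrator outside trusted domains"))
    return {"admins": admins, "findings": findings}


if __name__ == "__main__":
    for login, issue in audit_users(SAMPLE_EXPORT)["findings"]:
        print(f"{login}: {issue}")
```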

9. Don’t tell anyone your password!

Okay, so this one might seem as obvious as a slap around the chops, but it has to be said – in this digital age, it can be hard to tell friend from foe! Keep your password locked away at the back of your brain and remember not to store any digital or written versions of your password!

Want some help from the professionals?

At Hush, we pride ourselves on our stringent security measures across all platforms, and we’re pleased to say that compromises are an extremely rare occurrence. Do you need help securing your WordPress site? Feel free to give our development team a call on 01325 361729, or email us via [email protected]!
