How to Secure A WordPress Website?
It was 05:23am on a Monday morning when I was rudely awoken by my phone. But it was a different sound to my regular (and very annoying) wake up alarm, far earlier too mind you. I was receiving emails… And a lot of them…
The emails were similar in content and mentioned the admin account for one of my WordPress sites was locked out due to too many failed logon attempts. Seconds later, the next email was arriving in my inbox with the same info… My website was being attacked, by brute force!!
A brute force attack is when someone (typically a hacker using an automated script) browses to a login page on your website and tries to log in with every password under the sun. The passwords come from a list called a password dictionary, which can easily be found and downloaded online. The script keeps attempting logons until a password matches, and once they’re in they can take control of your website!!
At this very moment I was faced with a very real possibility that someone wanted to take control of one of my WordPress websites. Thanks to some simple security techniques, I managed to prevent this particular attack.
Out of the box, WordPress websites are susceptible to hackers. That is mainly down to the fact that WordPress websites are so widely adopted. In fact almost 20% of websites and ecommerce stores use it… Meaning it is a common platform for hackers to exploit.
You can vastly improve the security of your WordPress Website or Online Store by making a few simple changes. To make it harder for the unwanted hacker-types, consider these items when working in WordPress. Hope it helps!!
WordPress Security Statistics 2018
41% of websites were hacked through a security vulnerability on their hosting platform
Only 53% of WordPress websites are running the most current version of the software (4.9)
8% of WordPress security breaches happen as the result of a weak password
Ways to secure your WordPress website or Online Store:
- Backups: First and foremost, before we talk security, make sure you take regular backups of your website’s content and database. If something does go wrong, you will at least have a version of your website to fall back on. There are plenty of good (and free) WordPress Backup Plugins available. Set a schedule to regularly back up your website’s files, content and database, and store the backups somewhere safe (not only on the web server itself).
- Keep your WordPress version, Theme and Plugins up to date: Vulnerabilities (“backdoors”) in older versions of WordPress, themes and plugins are eventually discovered, published and built into the automated tools hackers use, so running old code makes you an easy, well-known target. When you keep everything up to date, those known holes are patched and your website’s code becomes a moving target to hackers. Keeping your website code up to date is a good start to securing your WordPress website.
- Plugin ratings & reliability: Before you install and activate a plugin, make sure it has a good star rating and lots of positive comments. Also check that it is compatible with, and tested on, the WordPress version you are running. You’ll be surprised at how many plugins can be compromised (through bad coding or intentionally for malicious purposes), so only install trustworthy plugins. Some website hosting companies also keep a blacklist of plugins. Keep an eye out for these, as they can take the legwork out of figuring out whether a plugin is truly trustworthy.
- User passwords: Force privileged users to use strong passwords (especially your WordPress Site Administrator users). I recommend using passwordgenerator.net to create your passwords. Also, the more frequently you change your passwords the better.
- Admin username: Don’t use the default [admin] username; change it or create a username that is a bit more difficult to guess. If you use the default admin account, hackers who know your website is a WordPress site will always try logging in with that account. If the admin account does not exist, well then you are on to a winner already.
- Disable or Delete unused user accounts: There is no need to keep user accounts that are no longer in use; they give hackers more opportunity to compromise your website.
- Change the URL of the default WordPress logon page (…/wp-admin/): Logging on to your WordPress website is as easy as entering your website domain followed by /wp-admin (EG: http://go-cart.com.au/wp-admin). If you keep the default logon page, then hackers who know your site uses WordPress know exactly where your login page is. They can then attempt logging on with different usernames and passwords until they get in. It could take them a while, but you’ll be surprised at how automated scripts can make light work of this task, especially when you have weak passwords and use the default admin username. Change your WordPress logon page URL to something more difficult to guess.
- File Change scanner/monitor: Keep track of failed logon attempts and set up email/SMS notifications. Also monitor your website’s file changes. While some notifications can be annoying at times, at least you will be the first to know when someone or something is trying to hack your Website or Online Store.
- Limit login attempts: Set automated account lock outs for users with too many failed logon attempts.
- Database table prefix: Your WordPress website comes with a MySQL database. It stores important information such as page content, posts, locations of media files, user info etc… Sometimes hackers can obtain important information from your database, or alter the appearance of your website by injecting data into your database tables (think of tables as hidden spreadsheets). WordPress table names are prefixed with wp_ followed by the [table name], EG: [wp_posts] stores your page and post content. So the tables in your website’s database are named the same as on every other WordPress website. If a hacker can get to your database (say via a page’s input field on a carelessly programmed plugin), they can easily guess which tables exist and inject data into your website’s database. By changing the prefix of those tables to something different, the average hacker will find it more difficult to inject data.
- Auto log out idle users: Automatically log out user accounts that have been idle for over an hour. This prevents others from gaining access to your WordPress backend from devices you may have previously logged on from.
- SSL Certificate: Ever noticed the http:// in a web address? What about https://? The “S” stands for secure and is a quick way for you to identify whether a website is secured by an SSL Certificate or not. On an unsecured website, data is submitted in the background as plain text, so if a hacker wanted to they could intercept information submitted from your website’s pages. By implementing an SSL Certificate, data submitted on your website is encrypted in transit, making it very difficult for hackers to decipher what information is being transmitted. If you have an Online Store you should definitely have an SSL Certificate; if not, politely put, you’re being careless with your customers’ data, so make sure you have SSL on your website.
- Disable XML-RPC access: XML-RPC is a feature that allows content to be posted to your WordPress site remotely via an API. It has actually been around for years, but in more recent versions of WordPress it is enabled by default, meaning there is another potential avenue for hackers to exploit. You will most likely not be using this feature on your website. If it is not required, disable it.
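As an added illustration of the “Limit login attempts”, “Auto log out idle users” and “Disable XML-RPC” items above (example code written for this post, not a plugin the author recommends), here is a small must-use plugin that does all three with core WordPress hooks. The lockout thresholds, the `gc_` names and the assumption that there is no reverse proxy in front of the site are mine.

```php
<?php
/*
Plugin Name: Login Hardening Example
Description: Example mu-plugin: disable XML-RPC, lock out repeated failed logons, shorten sessions.
*/
// Save as wp-content/mu-plugins/login-hardening.php so it loads on every request.

// Turn off the XML-RPC endpoint entirely (filter available since WordPress 3.5).
add_filter( 'xmlrpc_enabled', '__return_false' );

define( 'GC_MAX_ATTEMPTS', 5 );                      // assumed policy value
define( 'GC_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS ); // assumed policy value

function gc_lockout_key( $username ) {
    // Assumption: no reverse proxy, so REMOTE_ADDR really is the client address.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'gc_fail_' . md5( $ip . '|' . strtolower( $username ) );
}

// Count every failed logon per IP/username pair; the counter lives in a transient
// that expires with the lockout. On the Nth failure, email the site admin once.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = gc_lockout_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, GC_LOCKOUT_SECS );
    if ( GC_MAX_ATTEMPTS === $attempts ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf( 'User "%s" locked out for %d minutes after %d failed attempts.',
                sanitize_user( $username ), GC_LOCKOUT_SECS / 60, $attempts )
        );
    }
} );

// Refuse a locked-out pair. Priority 30 runs after core's password check (priority 20),
// which would otherwise overwrite our error; a refused attempt also fires
// wp_login_failed, so hammering during the lockout keeps extending it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== $username && (int) get_transient( gc_lockout_key( $username ) ) >= GC_MAX_ATTEMPTS ) {
        return new WP_Error( 'gc_locked_out', 'Too many failed logon attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Core has no idle timer, so approximate "log out after an hour" by making every
// login cookie expire one hour after login instead of the default two days.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return HOUR_IN_SECONDS;
}, 10, 3 );
```

Pair this with the notification item above: the lockout email is what tells you an attack is in progress, and the transient count is the evidence of how persistent it was.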
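The “Database table prefix” item above mentions a carelessly programmed plugin’s input field as the way in. As an added example (mine, not from the post), here is what that carelessness looks like beside the corrected version, showing why changing the prefix only hides the table name while `$wpdb->prepare()` actually closes the hole. The `gc_` function names are assumptions; `$wpdb` is the WordPress database object.

```php
<?php
// Vulnerable: the request value is glued straight into the SQL, so a crafted value
// changes the meaning of the query. With the default prefix the table is simply wp_posts,
// which is why the post suggests renaming it, but renaming does not fix this bug.
function gc_search_posts_unsafe( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->prefix}posts"
         . " WHERE post_status = 'publish' AND post_title LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql );
}

// Hardened: the value is passed as a bound %s parameter, so it can only ever be data,
// whatever prefix the site uses. esc_like() stops a stray % or _ from acting as a wildcard.
function gc_search_posts_safe( $term ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_title LIKE %s",
        '%' . $wpdb->esc_like( $term ) . '%'
    );
    return $wpdb->get_results( $sql );
}

// Typical caller: read the parameter, then use only the safe version.
function gc_handle_search_request() {
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '' === $term ? array() : gc_search_posts_safe( $term );
}
```

When vetting a plugin (the “Plugin ratings & reliability” item), a quick grep for `$wpdb->query(` or `get_results(` calls that lack a matching `prepare(` is a cheap way to spot the unsafe pattern before you install it.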
There are tonnes of things you can do to further secure your WordPress Online Store or Website. For some quick wins I’m hoping this blog post helps.
If you need a hand with securing your WordPress Website or Ecommerce Site, reach out, Go Cart are always happy to provide assistance.
Thanks for reading!