How To Maintain WordPress Security
Website security is important and WordPress Security has a set of challenges that it’s important to understand if you are going to keep your site safe and secure.
The biggest security for any website is being hacked and there are various ways that this can occur;
- Logging in as a website admin
- Accessing your Hosting account
- Access to your server via FTP or SFTP
- Log in to your Database via DB Password
- Accessing your shared server via another site on it.
- Malicious Plugin upload
WordPress Security Weaknesses
The WP default Admin Username is “Admin” which instantly makes it easier for a would be hacker if you don’t change it… so change it!
The only other thing they need is your password.
Hacking works because most people use the same password for multiple website logins.
Why Memorable Passwords are A Bad Idea
So….. you use your memorable password for logging into seemingly harmless sites and platforms online. Unfortunately, all it then takes is for one of those “harmless” sites to get hacked and your email address and memorable password will be shared on the darknet where lists of login details change hands in their millions.
It doesn’t take much to marry up your email address with your URL, enter your details and they are in.
For your website, don’t use “Admin” as your login username, and use a unique, random character password.
Use iSecurity to set your security level, enforce unique passwords, network brute force protection and much more.
Your hosting account will usually use an email address and password for access, so the same fundamental security weaknesses exist.
Use a different, unique password to maintain your hosting account integrity.
FTP / SFTP Access
FTP & SFTP backend server logins use a username and password. Make sure that this is random, unique and strong enough to not be guessable.
If someone can log into your server via FTP / SFTP, they can upload anything they like. They can delete your entire site and even lock you out of your own server.
WordPress uses a MySQL database to store and process the data from your pages and posts.
Your website accesses your database via a username, Database name, password and Location URL.
If these details are compromised then anyone can upload whatever scripts, codes or malicious files they want to.
Use unique passwords, usernames, database names for each site.
Shared servers can be host to hundreds of websites. Not all may be WordPress, but statistically around 30% will be.
If a hacker manages to access one site on a shared server, he/she can quite easily spread malicious code across all the sites on the server.
We have seen a particularly vicious example that infected over 200 sites, that included a countdown timer on the primary hacked site which every 24hrs reinfected all the sites on the server.
Very clever and all that, but a nightmare to clean up!!
If you use a shared server to host your website at a low cost it is vital that you use all the security strategies that you can. Maintain a clean back up of your site elsewhere for if and when the bad man comes a calling.
WordPress maintain a register of ‘approved’ plugins. The reason for this is simple. Outdated plugins represent a security risk for your site.
Most of the updates you will see for WordPress Core, your Theme and Plugins are related to security threats.
WordPress security is taken seriously. They continually work to protect their sites.
Keep plugins and WP Core up to date, (including themes you aren’t using – haven’t you deleted them yet?).
If Wordfence indicates that a Plugin is no longer supported then remove it and replace it with an approved one.
Addressing WordPress Security Issues
If you address all the above areas of WP security then you will be proactively working to protect your website.