Why Your WordPress Site Needs Security, Like…Right Now
March 2, 2018 | By Jeff | In Tips & Advice
If you’re running a website, chances are it runs on WordPress. Around 60% of all CMS (content management system) websites are powered by WordPress, and since it is the most popular CMS by a wide margin, it comes as no surprise that it is also the number one target of attackers. If your WordPress site is public, it has almost certainly been probed by automated scanners at one point or another. In fact, more than 70% of WordPress sites are not kept secure, and those are ripe for the picking for attackers all over the world.
“But my website is not important. Why would anybody want to hack me?” That’s a good question. There are many reasons attackers would want to get into your website, and almost none of them have anything to do with who you are. The most likely reason is so that they can run “ad injection attacks” on your site: spammy ads, hidden links or redirects that drive your visitors and your search ranking to their sites. It has also become a popular practice to install background scripts that mine cryptocurrency in your visitors’ browsers, which can greatly slow down your site. Most importantly, if you’re running an e-commerce site, attackers can harvest credit card numbers and other sensitive customer data. And a hacked site is a useful asset in its own right: it can host phishing pages and malware for attacks on other people, with your domain taking the blame. Lastly, sometimes people are just jerks and like to deface your site for fun.
Brute Force Attacks
About 90% of hacks done on a WordPress site are done via “brute force attacks”. This is basically just guessing the username and password through many attempts over and over, against the login form (wp-login.php) and, less obviously, against the XML-RPC endpoint (xmlrpc.php), which accepts the same credentials and whose system.multicall method lets a single request carry hundreds of password guesses. A human being can perform this task, but when a bot armed with a list of common usernames and passwords (including ones leaked from other sites’ breaches) is used, it’s far more effective. Once they are logged in with your admin account, they have free rein to wreak havoc on your site: installing a backdoor plugin, editing theme files, or creating extra administrator accounts so they can get back in after you change your password.
How To Secure Your WordPress Site
Make sure your WordPress version is up to date
Make sure your WordPress version is up to date, as security holes are fixed with each update, and once a fix is public the bots start scanning for sites that have not applied it. WordPress applies minor and security releases automatically by default (since version 3.7), but plugins and themes are not updated automatically out of the box, and an old plugin is the most common way in. If your host doesn’t offer automatic updates, you can install Companion Auto Update to have core, plugins and themes update automatically; newer WordPress versions also let you turn on auto-updates per plugin from the Plugins screen. Two more habits that cost nothing: delete plugins and themes you no longer use rather than just deactivating them, since a deactivated plugin’s files are still on disk and can still be hit directly, and take a backup before big updates so an update that breaks the site is a nuisance and not a disaster.
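The following is an added example, not code from the original post and not the Companion Auto Update plugin’s code. It is a small must-use plugin that sets the same policy with nothing but WordPress core filters: take major core releases as well as minor ones, auto-update every plugin and theme except a pinned list, and surface any plugin that is still waiting for an update as a red admin notice. The file name and the pinned plugin path are assumptions for illustration.

```php
<?php
/*
 * Plugin Name: Auto-update policy (added example)
 *
 * Added example: not code from the original post or from the Companion
 * Auto Update plugin. Save it as wp-content/mu-plugins/auto-update-policy.php
 * (a hypothetical file name; mu-plugins load on every request and cannot be
 * switched off from the dashboard). Uses only WordPress core filters.
 */

// Core: minor/security releases are auto-applied by default. Also take
// major releases, which is what a site nobody babysits actually needs.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Plugins and themes are NOT auto-updated by default, which is why
// outdated plugins are the usual way in. Turn them on for everything...
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// ...except plugins you have a reason to pin (a customised plugin, say).
// Priority 20 so this runs after the blanket "true" above and wins.
// The plugin path below is hypothetical.
function example_pin_plugins( $update, $item ) {
    $pinned = array( 'some-custom-plugin/some-custom-plugin.php' );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $pinned, true ) ) {
        return false;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'example_pin_plugins', 20, 2 );

// WordPress silently skips automatic updates when it finds a .git/.svn/.hg
// directory inside the install. If you deploy from git but still want
// updates applied on the server, override that check explicitly.
add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );

// The weak setting, for contrast: this constant in wp-config.php switches
// off every automatic update, security releases included. Leave it out
// unless a deployment pipeline is doing the patching for you.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

/**
 * Plugins with an update waiting, read from the update data WordPress
 * already caches (populated by the wp_update_plugins cron event).
 * Returns plugin file paths such as 'akismet/akismet.php'.
 */
function example_pending_plugin_updates() {
    $data = get_site_transient( 'update_plugins' );
    if ( ! is_object( $data ) || empty( $data->response ) ) {
        return array();
    }
    return array_keys( $data->response );
}

// Make a stale site impossible to miss the moment an admin logs in.
add_action( 'admin_notices', function () {
    $pending = example_pending_plugin_updates();
    if ( $pending ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( 'Plugins waiting for an update: ' . implode( ', ', $pending ) )
        );
    }
} );
```

Automatic updates still depend on WP-Cron firing, which on a low-traffic site may mean they run late; if you have shell access, a real cron job hitting wp-cron.php every few minutes is the usual fix.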
Use Safe Login Names & Passwords
Do not use login names like “admin”, “test”, the name of your site, or your email address, or any other obvious “first guess” login names, as these are the first things that bots try. Be aware, though, that WordPress does not keep usernames secret: author archive pages (yoursite.com/?author=1) and the REST API (yoursite.com/wp-json/wp/v2/users) will happily reveal the login names of anyone who has published a post, so a non-obvious username slows attackers down but does not stop them. The password is what actually has to hold. A password like “12345” or “password1” is ripe for the hacking; so is a “strong” password you also use on another site, because leaked password lists are exactly what the bots are loaded with. Use a long, unique password for every account (the one WordPress generates for you is fine), store it in a password manager, and make every administrator on the site do the same.
Install Wordfence, NOW!
Install a security plugin. The most popular is Wordfence. In my opinion, the first thing you should do when you set up a WordPress site is to install Wordfence. Be sure to follow the setup wizard when you install it to make sure everything is configured. Among other things, Wordfence prevents brute force attempts by locking out addresses that make too many failed logins, and its web application firewall blocks several other popular attack patterns before they reach WordPress. It is constantly being monitored and updated. The free version should be good enough, but if you are running a website that is a more attractive target, the paid version also lets you block entire countries, ships firewall rules and malware signatures as soon as they are written instead of after a delay, and automatically blocks addresses on a real-time blocklist.
For additional security with Wordfence, navigate to Firewall > All Firewall Options and find the Brute Force Protection field “Immediately block the IP of users who try to sign in as these usernames”.
Then enter some common “hacker guess” login names: admin, administrator, login, test, the name of your site, your own name, and so on. Anybody who attempts to log in with one of those names is immediately locked out, which really gives the brute force bots a run for their money. Just make sure the real username you log in with is not on that list, or you will lock yourself out of your own site. For even more security, Wordfence has “two-factor login security”, which requires a one-time code in addition to your password when logging in. The code comes from an authenticator app on your phone that you link to your login by scanning a QR code, so a guessed or leaked password on its own is no longer enough to get in. It used to be a paid feature and is now included in the free version; turn it on for every administrator account.
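As an added example, not code from the original post and not Wordfence’s code, here is what the settings above amount to in plain WordPress hooks: a must-use plugin that locks out any IP that signs in with a bait username, locks out an IP after too many failed logins in a window, and closes the XML-RPC route that bots use to try passwords in bulk (the brute force section earlier on this page). The file name, the thresholds and the bait list are assumptions for illustration, and it assumes no reverse proxy or CDN in front of the site.

```php
<?php
/*
 * Plugin Name: Login hardening (added example)
 *
 * Added example: not code from the original post and not Wordfence's code.
 * Save as wp-content/mu-plugins/login-hardening.php (hypothetical name).
 * Assumes the site is NOT behind a reverse proxy or CDN, so REMOTE_ADDR is
 * the real client address. Behind a proxy, read the header your proxy sets
 * instead; otherwise every visitor shares one IP and one lockout.
 */

// Usernames nobody legitimate uses here. Never list your real admin account.
const EXAMPLE_BAIT_USERNAMES  = array( 'admin', 'administrator', 'test', 'login', 'root', 'user' );
const EXAMPLE_MAX_FAILURES    = 5;                      // per IP, per window
const EXAMPLE_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS; // window restarts on each failure
const EXAMPLE_LOCKOUT_SECONDS = HOUR_IN_SECONDS;

function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_is_locked( $ip ) {
    return false !== get_transient( 'example_lock_' . md5( $ip ) );
}

function example_lock( $ip ) {
    set_transient( 'example_lock_' . md5( $ip ), time(), EXAMPLE_LOCKOUT_SECONDS );
    delete_transient( 'example_fail_' . md5( $ip ) );
}

/**
 * Runs on the authenticate filter AFTER core has checked the password
 * (core's username/password checks sit at priority 20), so a locked IP is
 * refused even when it finally guesses right, and a bait username locks the
 * IP on the spot. wp_authenticate() also serves XML-RPC logins, so both
 * routes get the same treatment.
 */
function example_gate_login( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // first render of the form, nothing submitted yet
    }
    $ip = example_client_ip();
    if ( in_array( strtolower( $username ), EXAMPLE_BAIT_USERNAMES, true ) ) {
        example_lock( $ip );
    }
    if ( example_is_locked( $ip ) ) {
        return new WP_Error( 'example_locked', 'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_gate_login', 99, 3 );

// Count failures per IP in a transient; the window restarts with each one.
function example_record_failure( $username ) {
    $ip = example_client_ip();
    if ( example_is_locked( $ip ) ) {
        return; // already locked, nothing more to count
    }
    $key   = 'example_fail_' . md5( $ip );
    $count = (int) get_transient( $key ) + 1;
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        example_lock( $ip );
        return;
    }
    set_transient( $key, $count, EXAMPLE_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'example_record_failure' );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( 'example_fail_' . md5( example_client_ip() ) );
} );

// XML-RPC: refuse every call that needs credentials...
add_filter( 'xmlrpc_enabled', '__return_false' );
// ...and drop system.multicall, which packs hundreds of password guesses
// into one request. If Jetpack or the WordPress mobile app need XML-RPC,
// leave the first line out and keep this one plus the lockout above.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );
```

Transients live in the options table (or the object cache if you have one), so on a busy site with many hostile addresses a dedicated firewall or a host-level tool like fail2ban reading the web server log scales better; the logic, though, is the same as above.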
It’s a scary world out there, and the bots scanning the internet around the clock will find your site whether or not anybody is interested in it personally. So if you don’t want your website riddled with viagra ads or worse, it’s best to follow these simple security practices for your WordPress website. The peace of mind alone is worth it.