
Secure Your WordPress Site with these Hand-picked Tips

November 16, 2021 Business

Hacking has progressed from being a mere nuisance a decade ago to a full-fledged industry.

In 2019, 88% of businesses experienced some type of phishing attempt.

According to Accenture, 68% of business leaders worry about data security.

As a site owner, your first step should be to hire a WordPress developer and perform a site audit for any security flaws. This would reduce the possibility of WordPress hacking. 

Is the risk due to hacking over-hyped?

The companies that have suffered severe security breaches recently read like the who’s who of the internet world. Here is a sample of the better-known incidents.

Marriott Hotels (2018)

MyFitnessPal (2018)

Cathay Pacific (2018)

DoorDash (2019)

Alibaba (2019)

LinkedIn (2021) 

the list goes on…

Yahoo was breached not once, not twice, but thrice!

Not to be left behind, Facebook outdid Yahoo and was hacked four times, including twice in 2019!

Are there security issues with WordPress?

It’s not that WordPress suffers from any vulnerability. 

Due to constant updates and a very informed user base, the platform continues to be remarkably reliable. 

WordPress has a 64% share of the CMS market and 40% of websites run on it. Its size has made it vulnerable and a target of attacks.

Back in the 2000s, when hackers used to play with viruses, Windows OS with a 90% market share was the favored destination of malware since a small minority used macOS. The same is playing out with WordPress versus the rest (Wix, Weebly, and Squarespace).

Hackers will always be attracted to a large user base, since the techniques they use can be replicated thousands of times. The pain of the learning curve is therefore worth it.

How to secure a WordPress site?

1. Use HTTPS

Despite repeated warnings, many site owners do not enable HTTPS to enhance WordPress security.

Not being technically inclined, they do not grasp the benefits.

Your website resides on a hosting server. The data traffic between it and any device can be easily read. Much of this is sensitive information – credit card numbers, phone numbers, addresses. If a hacker has found this door he can cause havoc. 

HTTPS stands for Hypertext Transfer Protocol Secure. It uses complex encryption for masking the data.

The encryption works at both ends – the server and the client device. Anyone in between who intercepts the traffic gets a meaningless string of letters and numbers. Without the key, the cipher is impossible to crack.

Does HTTPS add to the overhead? Yes, there is a recurring charge for renewing the certificate every year.

But that is a few dollars and in return, you can guarantee your customers that their personal information is safe.

Further, if you do not use HTTPS, the Chrome browser would not allow users to proceed to your site. Since Chrome has a 67% market share, you lose two of every three visitors to your site.

The cost of not using HTTPS is steeper than the annual renewal of the SSL certificate.
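As an added illustration (not code from the article, and not a component of WordPress itself), here is the server-side half of "enabling HTTPS" written as a small Python WSGI middleware: any request that arrives over plain HTTP is answered with a permanent redirect to the https:// address, and responses served over HTTPS get a Strict-Transport-Security header so the browser keeps using HTTPS on later visits. The host name, the one-year HSTS lifetime and the two hand-built requests are assumptions made for the example; the X-Forwarded-Proto handling covers the common setup where TLS is terminated at a proxy or load balancer in front of the web server.

```python
from typing import Tuple

# HSTS lifetime of one year (assumption for this example).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ: dict) -> bool:
    """Decide whether the request reached us over TLS.

    When a proxy or load balancer terminates TLS, the web server itself sees
    plain HTTP, so the proxy's X-Forwarded-Proto header is consulted first.
    Only trust that header if the proxy overwrites any copy the client sent.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    scheme = forwarded.split(",")[0].strip().lower() or environ.get("wsgi.url_scheme", "http")
    return scheme == "https"


def https_redirect_target(environ: dict) -> str:
    """Rebuild the requested URL with an https:// scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app):
    """Wrap a WSGI app: redirect plain HTTP, add HSTS to HTTPS responses."""
    def middleware(environ, start_response):
        if not is_https(environ):
            start_response("301 Moved Permanently",
                           [("Location", https_redirect_target(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return app(environ, with_hsts)
    return middleware


# ---- constructed demo: a trivial app and two hand-built requests ----
def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ) -> Tuple[str, dict, bytes]:
    """Invoke a WSGI app directly and capture status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo():
    """Run one plain-HTTP request and one HTTPS request through the middleware."""
    secured = force_https(hello_app)
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
             "PATH_INFO": "/wp-login.php", "QUERY_STRING": "action=lostpassword"}
    behind_proxy = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
                    "PATH_INFO": "/", "QUERY_STRING": "",
                    "HTTP_X_FORWARDED_PROTO": "https"}  # TLS ended at the proxy
    return call(secured, plain), call(secured, behind_proxy)


if __name__ == "__main__":
    for status, headers, _ in demo():
        print(status, headers)
```

The redirect keeps the path and query string so bookmarks and old links still land on the right page, and the HSTS header is only ever sent on an HTTPS response, which is what browsers require before they will honour it.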

2. Buy Reliable Hosting

As the price of servers has dropped (price per TB of storage, not sticker price) and the market for hosting has expanded, a plethora of substandard hosting services has popped up.

They offer WordPress hosting for rock-bottom prices. Some charge as little as $5 per month for hosting a basic ten-page static WordPress site.

Even if we leave aside the other problems that a subpar host brings (increased downtime and lack of customer care), how do you know if they take security seriously?

For internet security to be ironclad, all the links in the chain have to be equally strong. There is no use buying SSL certificates if you are buying cheap hosting.

On the server, your website shares space with unknown entities. There is no guarantee that a malware attack on another site will not spread to your site.

Although I am not in the business of recommending hosts, go with a trustworthy service, e.g. Bluehost, HostGator, Hostinger, or Amazon Web Services.

3. Update WordPress and Plugins

Though WordPress is versatile software, it needs to be updated. This is exactly like the security patches you receive on your Android or iOS device.

No matter how good a platform, security flaws are always present. Thanks to close inspection by the WordPress community, these are unearthed quickly and a fix is baked into the next version.

Ensure you update frequently and always view the changelog. 

A changelog is a document that summarizes the problems with the last version and the fixes applied. It is also advisable to visit the official WordPress community and remain informed.

This strategy applies not only to the core platform but to all the plugins. You would be using several for themes, website builder, SEO, email marketing, e-commerce, and so on.

The plugins are supplementary code packages that sit on top of the WordPress software and provide additional functionality.

These might provide a backdoor to malware and must be updated. It goes without saying that any plugin you install has to be from the official repository and not something you have found as a standalone install from a website and decided to use.
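As an added example (not code from the article or from WordPress), here is a small inventory check that reads the Version: line from each plugin's main-file header, compares it with the latest release you know of, and lists every plugin that is behind. The header format (a leading PHP comment with "Plugin Name:" and "Version:" lines) is WordPress's real convention; the plugin files, slugs and the table of latest versions are constructed for the example. In practice the latest versions come from the dashboard's update screen or the WordPress.org plugin directory.

```python
import re
from typing import Dict, List, Tuple

# A plugin's main PHP file starts with a comment block whose lines look like
# "Plugin Name: Foo" and "Version: 1.2.3" (this is WordPress's real header format).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Pull 'Plugin Name' and 'Version' out of the header comment."""
    return dict(HEADER_RE.findall(php_source))


def version_key(version: str) -> Tuple[int, ...]:
    """Sortable key: numeric parts padded so 1.4 == 1.4.0, plus a trailing flag
    that ranks a pre-release (1.4.0-beta1) below its final release (1.4.0)."""
    nums, pre = [], []
    for piece in re.split(r"[.\-]", version.strip()):
        (nums if piece.isdigit() else pre).append(piece)
    numeric = tuple(int(n) for n in nums)
    numeric += (0,) * (4 - len(numeric))
    return numeric + (0 if pre else 1,)


def outdated_plugins(installed: Dict[str, str],
                     latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (slug, installed version, latest version) for each plugin that is behind."""
    behind = []
    for slug, source in installed.items():
        current = parse_plugin_header(source).get("Version")
        newest = latest.get(slug)
        if current is None or newest is None:
            continue  # malformed header, or a plugin we have no release data for
        if version_key(current) < version_key(newest):
            behind.append((slug, current, newest))
    return sorted(behind)


# ---- constructed sample data: three fake plugin main files and a release table ----
INSTALLED = {
    "example-seo": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 3.1.0\n */\n",
    "example-forms": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.9.7\n*/\n",
    "example-cache": "<?php\n/**\n * Plugin Name: Example Cache\n * Version: 1.4.0-beta1\n */\n",
}
LATEST = {"example-seo": "3.2.0", "example-forms": "2.9.7", "example-cache": "1.4.0"}

if __name__ == "__main__":
    for slug, current, newest in outdated_plugins(INSTALLED, LATEST):
        print(f"{slug}: installed {current}, latest {newest}")
```

Plugins that are missing from the release table are skipped rather than reported, so a plugin installed from outside the official repository (which the article warns against) simply never shows up as "current": silence from this check is not a clean bill of health for such a plugin.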

4. Customize Login URL

If I were a hacker how would I start? I would first discover if you were using WordPress. Simple enough task. Open Chrome > Right Click and View Page Source or Ctrl + U.

A WordPress site would have plenty of code snippets marked wp such as: 

http://www.johndoe.com/wp-content/uploads/2020/11/man-in-raincoat.jpg 

By default, the login page is going to be http://www.johndoe.com/wp-login.php or wp-admin/

Now that the hacker has arrived at the admin page, he has to guess your password, and voila, the site is his for all practical purposes.

It’s easy to teach him a lesson. Change the URL from /wp-login to /my-personal-login-page (or whatever you want).

Without access to the login page URL, he can’t gain access to your site even if he has the password.
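Moving the login page hides the door; it is still worth watching who keeps knocking on the old one. As an added example (not from the article), here is detection logic that reads web server access-log lines, counts POST requests to wp-login.php per client address inside a sliding time window, and reports addresses whose burst reaches a threshold. The log lines are constructed in the usual combined-log style with documentation IP ranges, and the threshold, window length and the assumption that lines arrive in time order are all choices made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Combined-log-format line: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def login_guessing_sources(lines: Iterable[str], threshold: int = 5,
                           window: timedelta = timedelta(minutes=5),
                           login_path: str = "/wp-login.php") -> Dict[str, int]:
    """Return {ip: peak number of login POSTs inside any `window`} for every
    address whose peak reaches `threshold`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of its POSTs still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # forget POSTs that fell out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# ---- constructed sample log (RFC 5737 documentation addresses) ----
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Nov/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1210',
    '203.0.113.5 - - [16/Nov/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1310',
    '203.0.113.5 - - [16/Nov/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1310',
    '198.51.100.7 - - [16/Nov/2021:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [16/Nov/2021:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1310',
    '203.0.113.5 - - [16/Nov/2021:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 1310',
    '203.0.113.5 - - [16/Nov/2021:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 1310',
    '192.0.2.44 - - [16/Nov/2021:10:01:00 +0000] "GET /wp-content/uploads/2020/11/man-in-raincoat.jpg HTTP/1.1" 200 48211',
    '203.0.113.5 - - [16/Nov/2021:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1310',
]

if __name__ == "__main__":
    for ip, burst in login_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {burst} login POSTs within 5 minutes")
```

A single real user rarely submits the login form five times in five minutes, so an address that does is a good candidate for rate limiting or a temporary block; after you rename the login page, the same check run against the old path flags anyone still probing the default URL.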

5. Use Secure Password

If I had a dollar for every time I have given this advice in a security seminar or workshop, I could easily retire.

For some unknown reason, most people like their password to be something they can easily remember: <my name>123, or <wife’s name><birthday>.

In 2019, Avast, the makers of one of the world’s best antivirus suites, found that 16% of Americans use their family members’ names and 15% their pet’s names. An overwhelming 83% use weak passwords. Since human psychology is fairly homogeneous, the same more or less holds true for the rest of the world.

To make your password impregnable, use at least five letters, five numerals and one special character.

Since any brute force attack first tries common words from the dictionary, mix and match the letters.

For example, 

If your password is awesome123, change it to awsm#e111213 (shortening awesome to awsme makes it near impossible to crack, the # sign adds a high level of difficulty, and 111213 is a strategy that morphs 123 into a random-looking collection of numerals).

The stranger it looks, the better the password.

To make it uncrackable, use a complex password such as 9ajk&250#ds$ 

You would probably need LastPass to keep track of it. It’s free. Give it a try. 
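As an added example (not from the article), here is a checker that applies the rule above (at least five letters, five numerals and one special character), flags passwords that still contain a dictionary word, since a brute force attack tries those first, and estimates the size of the search space an attacker faces if all they know is which character classes were used. The word list is a tiny constructed stand-in for a real dictionary, and the character-class sizes are the usual assumptions for a US keyboard.

```python
import math
import re
from typing import List

# Tiny constructed stand-in for a real word list; use a proper dictionary in practice.
COMMON_WORDS = {"awesome", "password", "welcome", "admin", "letmein", "john", "buddy"}

# Character-class sizes used for the search-space estimate (assumed US keyboard).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def _is_special(c: str) -> bool:
    return not c.isalnum() and not c.isspace()


def policy_violations(pw: str) -> List[str]:
    """Apply the article's rule plus a dictionary check; an empty list means it passes."""
    problems = []
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    specials = sum(_is_special(c) for c in pw)
    if letters < 5:
        problems.append(f"only {letters} letters, need at least 5")
    if digits < 5:
        problems.append(f"only {digits} numerals, need at least 5")
    if specials < 1:
        problems.append("no special character")
    # A brute force attack tries dictionary words first, so a whole common word
    # sitting inside one of the password's letter runs is a weakness.
    for run in re.findall(r"[a-z]+", pw.lower()):
        if run in COMMON_WORDS:
            problems.append(f"contains the common word '{run}'")
    return problems


def guess_space_bits(pw: str) -> float:
    """Bits of search space for an attacker who knows only which character
    classes appear: length * log2(alphabet size). Zero for an empty password."""
    size = 0
    if any(c.islower() for c in pw):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in pw):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in pw):
        size += CLASS_SIZES["digit"]
    if any(_is_special(c) for c in pw):
        size += CLASS_SIZES["special"]
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ("awesome123", "awsm#e111213", "john123"):
        verdict = policy_violations(candidate) or ["passes"]
        print(f"{candidate}: {guess_space_bits(candidate):.1f} bits; " + "; ".join(verdict))
```

The bit estimate only describes an attacker working through every combination of the classes present; it says nothing about an attacker who guesses words and common substitutions, which is exactly why the dictionary check sits beside it. Both checks are what you would run at password-set time, before the password is ever stored.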

In Summary

It’s a mistake to think that you won’t be attacked because you are not a mega site with a million views a day. 

Malware, phishing attacks, and ransomware are surprisingly democratic. Implement these steps as soon as possible and seek help from an experienced WordPress developer. He can add useful plugins such as two-factor authentication and a CAPTCHA, which make your site almost invincible.