WordPress is used by 59.5% of all websites with a known CMS – says W3Techs [1].
Out of 34,371 infected websites, 83% of them were running WordPress – says Sucuri [2].
The two statistics do make for uncomfortable reading. Does this mean that WordPress is inherently insecure? No. Is it likely that the sheer number of WordPress installations makes it a soft target for hackers? Yes. Is there anything you can do to make your CMS more secure? Absolutely.
Protecting your WordPress website is like climbing a mountain; you need to work upwards from a strong foundation and know who to depend upon. Here we take a brief look at some of the ways in which you can protect your website, for your business and for your users.
Base camp – patch, backup and SSL
WordPress works hard to fix security vulnerabilities and supply upgrades. Hackers exploit known vulnerabilities, so applying patches regularly and quickly will reduce your risk of attack.
Backups are also a must-have for any business. If the worst should happen (not just hacking), you need to be able to recover to a known state. It’s also insurance against an admin error on your part.
Encrypt web traffic using SSL; your WordPress web hosting UK partner will be able to help with this. In addition to increasing protection, it will give your end-users some reassurance about your site and will improve your Google ranking.
Foothills – how can I secure my WordPress website login page?
On installing WordPress, change the admin username and set a strong password. Also change the default login URL, making it harder for a hacker to target.
The wp-config.php file is your crown jewels: move it up a level out of the installation folder and disable file editing from the dashboard. You should also reset the permissions on the folders using chmod. This is a must-do step if you create new folders.
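As an added example (not from the article or from WordPress itself), the script below applies the permission reset and file-editing lockdown described above to an install at a path you supply. It assumes a standard layout with wp-config.php inside that directory, the usual 755/644 directory/file scheme, and GNU find and sed; the DISALLOW_FILE_EDIT constant is WordPress's own switch for the dashboard editor.

```shell
#!/bin/sh
# Reset permissions across a WordPress tree: directories 755, files 644,
# and wp-config.php (DB credentials, salts) readable by the owner only.
harden_wp_permissions() {
  wp_root="$1"
  find "$wp_root" -type d -exec chmod 755 {} +
  find "$wp_root" -type f -exec chmod 644 {} +
  if [ -f "$wp_root/wp-config.php" ]; then
    chmod 600 "$wp_root/wp-config.php"
  fi
  return 0
}

# Disable the theme/plugin editor in wp-admin so that a hijacked admin
# account cannot write PHP to disk through the dashboard.
disable_wp_file_edit() {
  cfg="$1"
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    # Insert before the "stop editing" marker WordPress ships, else append.
    if grep -q "That's all, stop editing" "$cfg"; then
      sed -i "/That's all, stop editing/i define('DISALLOW_FILE_EDIT', true);" "$cfg"
    else
      printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$cfg"
    fi
  fi
}

# Succeeds only if nothing under the tree is still world-writable;
# useful as a recurring check after new folders or plugins are added.
check_no_world_writable() {
  [ -z "$(find "$1" -perm -o=w)" ]
}
```

Run `harden_wp_permissions /path/to/wordpress` and `disable_wp_file_edit /path/to/wordpress/wp-config.php`, then `check_no_world_writable /path/to/wordpress` from cron to catch drift.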
Trust your sherpas – get help with your WordPress website
Your WordPress web hosting UK partner will be able to advise you on mitigating DDoS attacks. This will involve firewalls, but also analysing incoming web traffic.
Anyone using online banking will be familiar with 2-factor authentication. These types of features are unlikely to be added as WordPress security enhancements due to the underlying code architecture, which has prompted the growth of a new sector: 3rd-party plug-ins. These can give state-of-the-art protection, such as:
- Locking out an IP address after a preset number of failed logins
- Logging out a session which has been idle for a set amount of time
- 2-factor authentication using secret questions, or a code sent to the end user’s mobile
- Preventing hot-linking (where another site streams from yours by linking to your URL)
The summit – confident (but vigilant)
Having your website hacked and seeing your business put at risk can create a terrible sinking feeling in your stomach. It’s far worse than reading the statistics on WordPress security. WordPress is not inherently insecure; the risk comes from failing to put sufficient effort into implementing and maintaining it.
By focusing accordingly during installation and keeping a keen eye on operations, you can be one of the people whose WordPress CMS didn’t get hacked.
[1] https://w3techs.com/technologies/details/cm-wordpress/all/all