
Bulletproof WordPress: Surefire Tips to Secure Your Site

WordPress dominates as the world’s go-to content management system, and there are many good reasons for that. Yet that popularity also makes it an obvious target for online attacks. Fear not: there are a few straightforward steps you can take to keep your WordPress site safe. You’ll want to protect all the hard work that’s gone into it, and your visitors need and expect security too. So let’s dig into our surefire tips for keeping WordPress under lock and key.

Use strong, unique passwords

It’s sad but true: 48% of small businesses are targeted by cyberattacks each year. So, to start with the obvious: use strong and unique passwords across all your WordPress accounts. That means your admin account, FTP or SFTP and database access, and every other associated account. A password reused on another site is only as safe as that site: once it leaks in one breach, attackers try it everywhere else. Change a password promptly whenever you suspect it has been exposed; that matters more than rotating it on a schedule. Make each password more than 10 characters long and include uppercase and lowercase letters, numbers and special characters. One tip is to take the first letters of a memorable sentence and turn them into a password (a “mnemonic”). For example, “this little piggy went to market” might become “tlpWENT2m” (note that this example is only nine characters, so extend it to reach the recommended length). A password manager will generate and store a different strong password for each account, which is the easiest way to avoid reuse.

Change your login URL

By default, WordPress login URLs are easy to guess: they’re www.example.com/wp-login.php or www.example.com/wp-admin. Attackers know this and will target your login page with brute-force attacks. You can make your site a harder target by using a plugin to change your login URL to something unique. One of the most popular plugins for this is WPS Hide Login, which lets you set the login URL to anything you want; it’s easy to use and comes with a simple user interface. Bear in mind that this is obscurity rather than a lock: it stops casual scanners, but WordPress still accepts authentication through xmlrpc.php unless you disable it, so pair the hidden URL with a plugin that limits login attempts.
Just make sure you keep a record of your new login URL so you don’t lose it, and only share it with people who need access to your website.

Use an SSL Certificate

SSL certificates (strictly, TLS certificates today) are a bit like digital passports: they prove to the browser that it is talking to your server and not an impostor, and they’re especially important when exchanging sensitive information. Have you ever noticed the padlock icon when shopping? Once the certificate is in place, the encrypted HTTPS connection it enables protects everything that travels between a browser and your web server, so anyone intercepting the traffic cannot read it. This includes credit card details, login credentials and other personal data. Fortunately, SSL certificates are easy to set up. 123 Reg Managed WordPress comes with a free SSL certificate to help keep your website and your users’ data secure. There are all sorts of good reasons to get an SSL certificate; in fact, one is a must-have for any website that deals with transactions or sensitive information, and without HTTPS your own admin login is sent in clear text. If you’re not using 123 Reg Managed WordPress, you may need to obtain an SSL certificate separately and install it on your server. Once the certificate is installed, configure WordPress to use HTTPS instead of HTTP: update the WordPress Address and Site Address under Settings > General to https://, or use a plugin such as Really Simple SSL, which does this for you, redirects all HTTP traffic to HTTPS and rewrites any remaining http:// references that would otherwise trigger mixed-content warnings.

Don’t use the default “Admin” username

Older WordPress installers created the first account as “admin”, and many people still pick that name, so it is the first username attackers try when guessing passwords. When creating your WordPress account, always use a unique username. If you’re already using “admin”, you can change it by creating a new user with administrator privileges and then deleting the “admin” user. To do this, go to Users > Add New in your WordPress dashboard, create a new user with the Administrator role and a strong password, and log out. Log back in with the new account and delete the “admin” user; when WordPress asks what to do with that user’s content, attribute it to the new account so you don’t lose posts and pages.
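To make the brute-force point from the login-URL and username sections concrete, here is an added example (written for this edit, not code from 123 Reg, WordPress or the WPS Hide Login project) that scans web-server access log lines and flags addresses hammering the login endpoints. It assumes the common combined log format, that a failed POST to the login form returns 200 (WordPress re-renders the form) while a successful one returns a 302 redirect, that the hidden login slug is /secret-door/, and that the IP addresses and timestamps in the sample are constructed. Because xmlrpc.php answers a failed authentication with a 200 and an XML fault body, every POST to it is counted as an attempt.

```python
"""Flag IPs brute-forcing the WordPress login, including via xmlrpc.php.

Added example for this article; not code from 123 Reg, WordPress or WPS Hide Login.
Assumptions: combined log format; a failed POST to the login form returns 200
(WordPress re-renders the form) and a successful one 302; the hidden slug
/secret-door/ and the addresses/timestamps below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that accept credentials: the original form, the renamed slug from a
# hide-login plugin (assumed to be /secret-door/ here) and the XML-RPC API.
LOGIN_PATHS = {"/wp-login.php", "/secret-door/", "/xmlrpc.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.7 probes the old URL, hammers the hidden form and
# falls back to xmlrpc.php; 198.51.100.2 logs in once; 192.0.2.5 mistypes once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "POST /secret-door/ HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:03 +0000] "POST /secret-door/ HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:04 +0000] "POST /secret-door/ HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:05 +0000] "POST /secret-door/ HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2024:08:05:00 +0000] "POST /secret-door/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:08:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:09:10:00 +0000] "POST /secret-door/ HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:09:10:30 +0000] "POST /secret-door/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore query strings when matching paths
        "status": int(m["status"]),
    }


def is_failed_login(rec: dict, login_paths=LOGIN_PATHS) -> bool:
    """A credential submission that did not end in the 302 redirect WordPress sends on success."""
    if rec["method"] != "POST" or rec["path"] not in login_paths:
        return False
    if rec["path"] == "/xmlrpc.php":
        return True  # XML-RPC returns 200 for success and failure alike; count every attempt
    return rec["status"] != 302


def find_bruteforcers(log_text: str, login_paths=LOGIN_PATHS, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> dict:
    """Map each IP to its peak number of failed attempts inside any `window`, if >= threshold."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec, login_paths):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts inside 10 minutes")
```

Run against the sample, the attacker is flagged with 7 attempts. Run with only the hidden slug in `login_paths`, it is not flagged at the default threshold at all, which is the caveat in prose form: watch (or disable) xmlrpc.php as well, or the renamed URL gives a false sense of quiet.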
Keep WordPress core up to date

WordPress regularly releases updates that improve performance, add features and patch security vulnerabilities. Keep your WordPress core current by checking for updates regularly and installing them promptly; once a fix is public, attackers know exactly what to look for on sites that haven’t applied it. 123 Reg Managed WordPress updates your WordPress core automatically to help keep your website secure. If your hosting package doesn’t offer automatic updates, check for updates yourself: go to Dashboard > Updates in your WordPress dashboard and, if any are available, click the “Update Now” button to install them. Back up your website before installing any update.

Keep WordPress plugins and themes up to date, too

The average WordPress website has over 23 plugins and themes installed, and over 99% of WordPress security vulnerabilities are found in plugins and themes rather than in core. So, just like core, plugins and themes need patching, and outdated ones are a significant risk because a known flaw in one can be used to gain unauthorised access to your website. Keep them up to date by checking for updates regularly and installing them promptly. It’s a good idea to test the effect of updating plugins and themes in a staging environment first. You can update them from your WordPress Dashboard by looking for the section named (you guessed it) “Updates”; if updates are available, click the “Update Now” button to install them. It’s also good practice to remove any plugins and themes you aren’t using: a deactivated plugin’s files stay on the server and can still be reached and exploited if they contain a flaw.

Back up your website — and do it often

Backups are essential to recover your website if it gets hacked, corrupted or accidentally deleted.
It’s essential to have a recent backup of your website stored securely and away from the web server itself (a backup kept alongside the site is lost or tampered with along with it), so you can restore quickly if something goes wrong. A backup you have never tried to restore is only a hope, so test the restore process occasionally. 123 Reg Managed WordPress automatically creates daily backups of your website, so you can easily restore your website to a previous version if necessary. If you’re using a self-hosted WordPress
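For the backup section, here is an added example of the three checks that turn a backup from a hope into a recovery plan: an integrity digest written next to the archive, a freshness check, and a test restore. It is written for this edit and is not 123 Reg’s backup tooling. It assumes your site files (and a database dump you have already exported into the same directory, which is not shown) live under one directory; the `demo()` function builds a small constructed site tree so the whole thing runs offline.

```python
"""Create a WordPress backup archive with a SHA-256 sidecar, then verify and test-restore it.

Added example for the backup section; not 123 Reg's backup tooling. Assumes the
site's files (plus a database dump exported into the same directory beforehand,
not shown) live under one directory. demo() builds a constructed site tree so the
example runs offline.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir: Path, dest_dir: Path) -> Path:
    """Tar+gzip `site_dir` into `dest_dir` and write a sha256sum-style sidecar next to it."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    # The sidecar lets you detect a truncated or tampered archive before you rely on it.
    Path(f"{archive}.sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches its recorded digest and contains wp-config.php."""
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    if recorded != sha256_of(archive):
        return False  # corrupted, truncated or tampered with since it was written
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return "site/wp-config.php" in tar.getnames()
    except tarfile.TarError:
        return False


def is_fresh(archive: Path, max_age_hours: float = 24) -> bool:
    """A backup older than your tolerance is the window of work you'd lose on restore."""
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    return age_hours <= max_age_hours


def check_restore(archive: Path, site_dir: Path, out_dir: Path) -> bool:
    """Extract into a scratch directory and confirm wp-config.php round-trips byte for byte."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # safe-extraction filter where Python offers it
            tar.extractall(out_dir, filter="data")
        else:
            tar.extractall(out_dir)
    return sha256_of(out_dir / "site" / "wp-config.php") == sha256_of(site_dir / "wp-config.php")


def demo() -> dict:
    """Build a constructed site tree, back it up, verify, test-restore, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        (site / "db-dump.sql").write_text("-- constructed stand-in for a mysqldump export\n")
        dest = root / "backups"
        dest.mkdir()
        archive = make_backup(site, dest)
        results = {
            "verified": verify_backup(archive),
            "fresh": is_fresh(archive),
            "restored_ok": check_restore(archive, site, root / "restore-test"),
        }
        with archive.open("ab") as f:  # simulate corruption or tampering after the fact
            f.write(b"\x00")
        results["verified_after_tamper"] = verify_backup(archive)
        return results


if __name__ == "__main__":
    print(demo())
```

Copy the archive and its `.sha256` sidecar off the server (object storage, another host, anywhere an attacker who owns the web server cannot also reach) and run the verify and restore checks on that copy, not the one next to the site.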

6 top tips on password security

Almost every week the news channels are busy with a story on another big high-profile password breach, the latest being Yahoo investigating a breach via its Yahoo Voices servers. Here at 123-reg we recently altered our entire password and login procedures to improve customer security and peace of mind, yet even with regular prompting many people still leave themselves open to potential risk. It doesn’t matter how strong the gateway to your information is: if you make accessing your account easy, you make yourself vulnerable. So here are six tips on choosing your password to minimise the risk of being hacked.

1. Treat your online home as you would your offline home

You wouldn’t get the same key cut to open your front door, your back door, windows, car, cupboards and any lockable bags or boxes, so don’t use the same key (password) for every account you have. In fact you should use a different password for every website you use. That may sound like a minefield of passwords to remember, but it can be done, perhaps by using passwords that remind you specifically of that site or the services it offers. Remember to avoid the obvious, though: a site’s name bolted onto a shared base password is the first variant an attacker tries with a leaked credential.

2. Ignore phishing emails

We’d like to think we’re all wise to these now, but opening that email bleary-eyed first thing in the morning you may not be quite as alert as you need to be. The key point to remember is that even if it looks like an official communication (you can often spot a pixelated logo or a spelling mistake), if you are asked to reveal personal information such as your name or password, make sure you are certain it is the genuine site. The safest habit is not to follow the link at all: type the site’s address yourself or use a bookmark, and log in there. Also be wary of the links you click, to avoid downloading harmful malware.

3. Change your passwords regularly

It may sound like it is complicating matters again, but it pays to be ahead of the game.
By making a password change part of your monthly or even weekly schedule you will reinforce the importance of password security too, so it will keep your mind focused and help even more towards minimising the risks. There’s a reason many sites will regularly prompt you to change your password, so follow the protocol across all sites you log in to. One caveat: current guidance such as NIST SP 800-63B no longer recommends forcing rotation on a fixed schedule, because people respond with small, predictable variants of the old password; changing a password immediately when you suspect it has been exposed matters far more than changing it every month.

4. Make sure your password is strong

Most sites will give you an indication of password strength when you input a new one, so pay attention. A combination of letters, numbers and symbols works best, as does a mix of lower and upper case characters. Length matters more than any single character class: a long password beats a short one with a symbol bolted on.

5. Consider using a combination of passwords to create a passphrase

If remembering a whole host of passwords is going to prove difficult, this little cartoon may help inspire. Basically, using a combination of four random words, and swapping their combination between websites, will give you higher protection than even a standard mix of numbers, letters and characters that you reuse across sites. While it is difficult to guess, even with advanced computerised checking systems, it is very easy to remember, as you know the four words used in the passphrase generation as well as you know your own name and probably have them ingrained in your brain. The words do need to be chosen at random rather than forming a phrase you would find in a book, and be aware that if one site leaks your passphrase there are only 24 ways to reorder the same four words, so a different set of words per site is safer than a reshuffle.

6. Don’t be lazy or lax

It sounds silly, but so much of what we do is online nowadays that it is easy to forget basic protections. Don’t write passwords down and certainly don’t store them on your PC or laptop; even in encrypted form they are tempting for a keen hacker. Apply the same rules to your password creation whatever site you are creating an account for. Firstly, this keeps you focused and trained in using a more secure system, and secondly. Finally, while password management sites, apps and programmes may have a place in helping you, remember they are just as vulnerable and probably bigger targets when compared to other websites.
Last year LastPass admitted a security breach, with the issue again highlighting the vulnerability of using weak passwords. The practical lesson is not to avoid managers altogether (a manager holding a different random password for every site still beats reuse, and it is the standard recommendation today) but to protect the one secret that unlocks it: use a long, unique master passphrase and enable two-factor authentication on the manager itself. Do you have any password top-tips? Care to share?
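Tips 4 and 5 above, and the “tlpWENT2m” mnemonic in the WordPress post, are easier to weigh in bits. Here is an added example (written for this edit, not code from 123 Reg) that generates passphrases and random passwords with a cryptographic random source and puts numbers on the two styles. The word list in the code is a tiny constructed stand-in used only so the generator runs offline; the entropy figures assume a real list such as the 7776-word Diceware list, and they assume every word or character is picked uniformly at random, which is exactly what a mnemonic built from an English sentence is not.

```python
"""Random passphrases versus short 'clever' passwords, in bits.

Added example for the password advice in both posts above (the mnemonic
"tlpWENT2m" and the four-random-words passphrase); not code from 123 Reg.
SAMPLE_WORDS is a tiny constructed stand-in so the generator runs offline; the
entropy figures assume a real list such as the 7776-word Diceware list and
assume every word or character is chosen uniformly at random.
"""
import math
import secrets
import string

# Constructed stand-in word list; a real one should have thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "otter", "pencil", "glacier", "mango"]
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def bits_for_choices(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from `choices` options.

    Only valid for random picks: the letters of "tlpWENT2m" come from an English
    sentence, so each carries far fewer than the log2(62) bits this formula assumes.
    """
    return picks * math.log2(choices)


def generate_passphrase(words=SAMPLE_WORDS, count: int = 4, sep: str = "-") -> str:
    """Pick words with the CSPRNG in `secrets`, never `random`, so they are unguessable."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """What a password manager does: a uniformly random string long enough to matter."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reorder_variants(word_count: int) -> int:
    """Orderings of the same words: the whole search space an attacker faces when a
    'same four words, shuffled per site' passphrase leaks from one site."""
    return math.factorial(word_count)


def compare(wordlist_size: int = 7776, word_count: int = 4,
            password_len: int = 9, alphabet_size: int = 62) -> dict:
    """Side-by-side strength figures for the two styles the posts describe."""
    return {
        "passphrase_bits": round(bits_for_choices(wordlist_size, word_count), 1),
        "random_password_bits": round(bits_for_choices(alphabet_size, password_len), 1),
        "reorder_variants": reorder_variants(word_count),
    }


if __name__ == "__main__":
    print(compare())
    print(generate_passphrase(), generate_password())
```

With the defaults, four Diceware words come to about 51.7 bits and a nine-character string over letters and digits to about 53.6 bits, but only if those nine characters were random; a mnemonic taken from a sentence is far weaker than that figure, while the passphrase really is as strong as it looks and a fifth word (about 64.6 bits) costs almost nothing to remember. The 24 reorderings figure is why shuffling the same words between sites is not a substitute for distinct passphrases.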