WordPress may be the world's most popular CMS (Content Management System), but how secure is your website? Are there any back-doors, and is it securely configured?
A Secure Password
First, the basics… you know to use a “hard to guess” password with a mixture of numbers, letters and strange characters. You shouldn’t write passwords down or use the same one for different websites.
You’ll probably not be surprised that it’s difficult to remember passwords without making a note somewhere. An unfortunate few end up picking a password of just one or two words, perhaps with a capital letter or the number 123 at the end. It seems unique: who’s going to guess that? Actually, automated web robots can!
- 1 in every 200 passwords is “password”
- 1 in every 100 is a string of numbers, something like “123456”
- 1 in every 20 is in the top 100 passwords list
Passwords that use dictionary words and numbers are easy for automated internet bots to guess. Even if your website limits repeated password attempts (brute force attacks), where else did you use that password, and is that site secure?
- Use a unique password for every website
- Don’t use words from a dictionary, or the name of your pet or children
- Include some odd characters like + or >
- Make sure it’s more than 8 characters long
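As an added example (not from the original post), here is a small Python checker that applies the rules above, including the “one or two words with a capital and 123 on the end” pattern that bots guess first. The word list and common-passwords list are constructed stand-ins, and the optional `names` parameter is my addition for pet and family names.

```python
import re
import string

# Constructed stand-ins: a real check loads a full dictionary and a published
# common-passwords list (tens of thousands of entries, not a handful).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "abc123"}
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football",
              "rover", "fluffy", "blue", "house"}
ODD_CHARS = set(string.punctuation)  # + > ! # and friends


def is_dictionary_words(letters, words):
    """True if `letters` is one word from `words`, or two of them joined together."""
    if letters in words:
        return True
    return any(letters[:i] in words and letters[i:] in words
               for i in range(1, len(letters)))


def check_password(pw, names=()):
    """Return the rules the password breaks (an empty list means it passes).

    `names` is an optional collection of pet or family names treated as dictionary words.
    """
    words = DICTIONARY | {n.lower() for n in names}
    low = pw.lower()
    problems = []
    if low in COMMON_PASSWORDS:
        problems.append("in the common passwords list")
    if len(pw) <= 8:
        problems.append("8 characters or fewer")
    if not ODD_CHARS.intersection(pw):
        problems.append("no odd characters such as + or >")
    if pw.isdigit():
        problems.append("just a string of numbers")
    # "Rover123" or "fluffymonkey42": letters (case ignored) with digits tacked on the end
    m = re.fullmatch(r"([a-z]+)(\d*)", low)
    if m and is_dictionary_words(m.group(1), words):
        problems.append("dictionary word or name with digits on the end")
    return problems
```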
So now you have secure passwords, how are you going to remember them all? Over the past few years I’ve accumulated over 400 passwords for different websites. A secure password management tool like KeePass is great for this: all you need to do is remember one master password, and KeePass encrypts your passwords and keeps them safe from prying eyes.
KeePass is free, open source software and is available on Android and Windows.
Securing your Web Browser
If you ask your web browser to remember your login credentials, remember to always set a master password for that too. Otherwise anyone or any program on your computer could easily view all your passwords in one go!
Which Passwords to Secure
Initially we think of a secure password for our website to protect its content. But that’s not the only way to reach your website’s data. Your website is probably stored with a hosting company, such as Bluehost, DreamHost or SiteGround. Is that hosting password secure, and is there FTP access to your data as well?
FTP allows access to files on another computer over the internet. Once configured, those files can easily be browsed with tools such as Windows Explorer.
Did you know that when using FTP your password is transmitted in plain text across the internet? (It’s not encrypted!)
Instead of FTP, use SFTP (file transfer over SSH) with tools such as WinSCP or PuTTY.
Where do you access your website? Not only from your PC at home or in the office; you may also have access via your mobile. Remember to set a master password for your mobile’s web browser too, and use a secure way to unlock your phone (a fingerprint, PIN or phone password).
Ensure data between web browsers and the hosting company is encrypted, especially logins, credit card and personal details. Look for the green padlock in the browser’s address bar.
Check that you have an SSL (or TLS) certificate and that your website is only accessible over HTTPS. Test it: try to access the non-secure version of your website by visiting HTTP://websitename; you should be redirected straight to your secure website (HTTPS://websitename).
If you’re not redirected to an HTTPS page, your hosting company may have a setting to redirect to secure pages automatically. Otherwise there are various plugins available to do this, such as “Really Simple SSL”, which is free. (If you’re more technically minded, an HTTPS redirect can also be set up in the .htaccess file.)
- SSL (Secure Sockets Layer) – a protocol that encrypts data.
- TLS (Transport Layer Security) – the successor to SSL, although it is still often referred to by the better-known name SSL.
- HTTPS identifies a secure website as using SSL (or TLS) encryption.
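Here is an added Python example (not part of the original post) that automates the “Test it” step above: it requests HTTP://websitename without following redirects and judges the very first response. `classify_redirect` does the judging on its own, so it can also be run against a captured response; `websitename` stands for whatever hostname you are testing.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects, so the very first response can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _bare(host):
    """Compare hostnames without a leading 'www.' (http://site -> https://www.site is fine)."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_redirect(status, location, host):
    """Judge the response to http://host/ against 'directed straight to HTTPS'."""
    if not 300 <= status < 400 or not location:
        return "no redirect: the plain-HTTP site is served as-is"
    target = urlsplit(location)
    if target.scheme != "https":
        return "redirect does not go to https"
    if _bare(target.hostname) != _bare(host):
        return "redirect leaves the site for %s" % target.hostname
    if status not in (301, 308):
        return "redirects to https but only temporarily (%d); use 301 so browsers remember it" % status
    return "ok"


def check_site(host, timeout=10):
    """Fetch http://host/ (needs network access) and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request("http://%s/" % host, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_redirect(resp.status, resp.headers.get("Location"), host)
    except urllib.error.HTTPError as err:
        # urllib reports the un-followed 3xx as an HTTPError; its headers carry Location
        return classify_redirect(err.code, err.headers.get("Location"), host)


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "websitename"))
```

A 302 or 307 still gets visitors to HTTPS, but only a 301 (or 308) tells browsers to remember the secure address.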
Install a security plugin (such as All In One WP Security & Firewall, which is free) to protect your filesystem, prevent brute force attacks and make your database harder to access.
- Brute force attacks are repeated automated attempts at different passwords. To stop this, some plugins restrict the maximum number of attempts over a time period.
- File systems can be protected by restricting access to important system files.
- To protect your WordPress database, simple steps such as changing the database table prefix will stop many automated hacks in their tracks.
Only give users the access they need in WordPress. Don’t “hand over the keys” by giving administrator privileges to someone who only needs to post on a blog or modify pages. Typically WordPress users only need to be an “Author” (to create and edit their own work) or an “Editor” (to create and edit other users’ work).
Create WordPress users with unique usernames and set the “Display name” to something different, such as a first name. This prevents automated bots from scanning your website’s published content for usernames and then using them in brute force attacks.
Keep WordPress Up to date
Just like your PC and mobile phone, WordPress updates are released frequently and sometimes address security flaws. WordPress can be configured to install minor updates automatically, but be sure to update any themes and plugins too.
Remove any themes and plugins not in use. Disabled plugins are still present on your website and may have security holes.
If you don’t log in to your WordPress website often, there are plugins (such as Easy Updates Manager, also free) that automatically update your themes and plugins. Be aware, though, that there’s always a chance an update could break your website, so check regularly that it loads. Luckily Easy Updates Manager has an option to email you when updates have been applied.
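As an added example (not the page’s or any plugin’s own code), here is a Python audit of wp-config.php covering the database table prefix and the automatic core updates discussed above. It also checks DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN and AUTOMATIC_UPDATER_DISABLED, which are real WordPress constants the post does not mention; both sample configs are constructed.

```python
import re

# Constructed samples: the first looks like a fresh install, the second is hardened.
DEFAULT_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
define( 'WP_AUTO_UPDATE_CORE', false );
define( 'WP_DEBUG', false );
"""
HARDENED_WP_CONFIG = """<?php
$table_prefix = 'k7x_';
define( 'WP_AUTO_UPDATE_CORE', 'minor' );   // minor/security releases only
define( 'DISALLOW_FILE_EDIT', true );        // no theme/plugin editor in the dashboard
define( 'FORCE_SSL_ADMIN', true );           // login and dashboard over HTTPS only
"""


def php_constants(text):
    """Map define('NAME', value) constants to their value text, quotes stripped, lower-cased."""
    pattern = r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;"""
    return {name: value.strip("'\"").lower() for name, value in re.findall(pattern, text)}


def table_prefix(text):
    """Return the $table_prefix value, or None if the line is missing."""
    m = re.search(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""", text)
    return m.group(1) if m else None


def audit_wp_config(text):
    """Return (setting, finding) pairs for hardening settings that are missing or weak."""
    consts = php_constants(text)
    findings = []
    if table_prefix(text) in (None, "wp_"):
        findings.append(("table_prefix", "default 'wp_' prefix; automated attacks assume wp_users, wp_options, ..."))
    if consts.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        findings.append(("AUTOMATIC_UPDATER_DISABLED", "all automatic updates switched off"))
    # Unset means WordPress's default: minor/security releases install themselves.
    if consts.get("WP_AUTO_UPDATE_CORE") == "false":
        findings.append(("WP_AUTO_UPDATE_CORE", "core auto-updates disabled; 'minor' keeps security releases flowing"))
    if consts.get("DISALLOW_FILE_EDIT") != "true":
        findings.append(("DISALLOW_FILE_EDIT", "dashboard file editor enabled; any admin session can rewrite PHP"))
    if consts.get("FORCE_SSL_ADMIN") != "true":
        findings.append(("FORCE_SSL_ADMIN", "login and dashboard not forced over HTTPS (site-wide redirect is separate)"))
    return findings
```

Changing the prefix on an existing site also means renaming the tables and the prefixed option/usermeta keys, which is why security plugins offer to do it for you.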
Checklist – securing a WordPress website:
- Use secure passwords and store them in a password manager
- Check passwords for WordPress, your hosting company and FTP access
- Look for the SSL “Green Padlock” and try accessing your website via non-secure HTTP
- Lock down WordPress with a security plugin and prevent brute force attacks
- Keep WordPress, plugins and themes up to date.