Like many sites on this here internet, this one is powered by WordPress.
I’ve used WordPress for years and can even remember back to the “olden” days when to install it you had to manually download a zip file, install it onto your server, set up a database and then do a bunch of manual configuration.
Not these days though, the advent of cPanel hosting accounts and other technologies means that it can usually be installed with the push of a few buttons (and these auto installers also take care of some basic security).
There are even specialist hosts out there that only focus on hosting WordPress, giving you an optimised hosting platform and managing your updates etc for you, which is great if you’re not a techie.
You get it, it’s great, but why worry about security?
Well, with the widespread use that WordPress has, and some early history of not being the most secure platform in the world, WordPress is definitely a target for hackers.
Part of the beauty of WordPress also provides opportunities for people to try and exploit your site if it’s not correctly configured, or you’re running an out of date theme or plugin.
Ironically however, many people who run WordPress are probably not even aware that their site(s) will have been attacked. But believe me, it’s more common than you might think.
Will your site really get attacked?
I’m going to go out on a limb here and say… YES!
Why do I say that?
Well, it’s because I’ve witnessed it on my own sites and sites I have developed for other people.
Not that I’m talking about high traffic or complex sites, one of them is literally one page but I still get emails from my security plugin telling me that it has taken action to lock out someone trying to break in.
The thing is, most of these attacks are automated, so it’s not like there is someone sitting in front of their computer browsing the internet and trying to break into random websites.
They can simply write some code to do it all automatically for them, meaning if the script can find your site, then it’ll happily spend an unlimited amount of time trying to exploit it.
So what can you do to protect yourself?
For starters, use a decent bloody password.
The stronger the password, the less likely that even a sustained automated attack will result in your site being compromised.
Use a password generator and include special characters, make it a decent length and you’re a long way towards ensuring that a random hacker isn’t going to be able to take over your site any time soon.
Beyond that, make sure to keep your themes and plugins up to date!
There have been a number of recent exploits for common plugins making the rounds and while developers have fixed the issues nearly immediately, I’ll hazard a guess that there are still plenty of sites vulnerable because they are running old versions of plugins.
Don’t be afraid to install a security plugin to take care of some of the more advanced configuration options, Wordfence and iThemes Security are a couple of the best ones.
And seriously consider using Two-Factor Authentication for all of your users, this means that even if someone manages to get a hold of a username and password, they’ll still need another code to access your site.
You’ll definitely sleep better at night if you do this.
Oh, and don’t forget to ensure that you are using SSL on your website, not only will you avoid any dreaded “Not secure” flagging from the major browsers, but it will also mean information is encrypted between your browser and the site.
An advanced technique
Did you know that (in most cases) finding your WordPress username is actually really easy?
Go and browse your favourite WordPress blog and find a post with the author name, then click on it to go to the author’s page.
No doubt you’ll end up somewhere like blogname.com/author/somename
That last little bit at the end there, that’s usually the author’s username.
Even if you’ve come up with a convoluted spelling of your name thinking it’ll be harder to guess, WordPress will sanitise it and create an author link from it, meaning someone now has half the info they need to log in.
WordPress calls this user_nicename and it’s not something that can usually be configured within the dashboard, so you’re going to have to get your hands dirty if you want to make this change.
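Before changing anything, it helps to know which of your own accounts actually expose their login this way. The script below is an added example, not part of the original post: it reads a constructed CSV export of users (ID, user_login, user_nicename) and flags the ones whose author slug matches the login. The `approx_slug` helper is an assumption that only approximates how WordPress sanitises a login into a slug.

```python
import csv
import io
import re
import unicodedata

# Constructed sample export (ID, user_login, user_nicename); the accounts
# are made up for illustration and do not come from the post.
SAMPLE_EXPORT = """ID,user_login,user_nicename
1,admin,admin
2,J0hn.Sm1th_x,j0hn-sm1th_x
3,editor@example.com,site-editor
4,Zoë Writer,zoe-writer
5,guest_author,contributor-7f3a
"""


def approx_slug(login):
    """Approximate the slug built from a login (assumption, not WordPress's
    exact code): strip accents, lowercase, turn dots and spaces into
    hyphens, drop anything else that is not a-z, 0-9, '_' or '-'."""
    text = unicodedata.normalize("NFKD", login)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[.\s]+", "-", text.lower())
    text = re.sub(r"[^a-z0-9_-]", "", text)
    return re.sub(r"-+", "-", text).strip("-")


def leaking_accounts(export_csv):
    """Return the rows whose /author/ slug gives away the login name."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login, nicename = row["user_login"], row["user_nicename"]
        # A slug identical to the login, or to its sanitised form, reveals it.
        if nicename.lower() in (login.lower(), approx_slug(login)):
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    for row in leaking_accounts(SAMPLE_EXPORT):
        print(f"user {row['ID']}: /author/{row['user_nicename']} "
              f"reveals login {row['user_login']!r}")
```

Accounts 3 and 5 in the sample already have a slug unrelated to the login, which is the state you want every account to end up in.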
Thankfully, there are a few tutorials out there that will show you how to do the job (they’re whole posts in themselves), so feel free to take a look at:
Hopefully you’ve gotten some good ideas from this post about how to secure your WordPress website, although I’ll admit this only really scratches the surface of what can be done to protect yourself.
Don’t think it won’t happen to you, the internet is full of stories of people who have visited their site one day, only to find it behaving badly and discovering that they’ve been hacked.
Treat your WordPress website/blog like an asset and make sure to keep it up to date to reduce the chances of being exposed to security issues.
Grab a security plugin and take the necessary steps, and hopefully you can avoid any issues.
The key is to be diligent and take the time to learn a little more about what the best practices are when it comes to WordPress security…
And remember, you can start with using a very secure password, so go and make sure yours fits the bill (and change it if necessary).
Until next time.