WordPress is among the most commonly used content management systems (CMS) today. Billions of web pages are built on this open-source framework and millions of users access them every day. A framework this widely used inevitably attracts hackers with malicious intent. So today I am sharing a few best practices: common precautionary measures that could save you unnecessary hours and money spent on recovery, not to mention the loss to your business. They may not absolutely prevent an attack, but they will delay it for as long as possible by sealing every entry point a hacker could use, and should one ever get in, you will be back up in no time and with relative ease.
- WordPress being open source, you are free to download it from the web. Download it only from the official WordPress website and trust no other link. While installing, do not put it in the root directory, which is the most obvious choice. The idea is to hide the indexes: do not keep your index.php and .htaccess files in the admin folder. Save them in a different folder with an ambiguous name, so that malicious programs and intruders find it harder to identify the index file.
- If you have kept the administrator's username as 'Admin', it is time to change it: that is the first username a hacker will try. Always use a personal username that is not as generic as Admin or My Admin. In fact, it is better practice to use a username completely unrelated to your website, to keep it ambiguous.
- That brings us to passwords: always be careful with them. As they say, a good password is a complex combination of lower- and upper-case letters, numbers and special characters. Do not include your name, birth date, mother's maiden name or obvious keyboard patterns. A hacker will try to gather as much information as possible from your online and social presence (which is readily available on the net), so building your password out of details you have made public is not a good idea. And, needless to say, use a different, unique password for each account, so that if one is compromised the damage is limited to that one site and the hacker cannot reuse the same password everywhere else.
- Once WordPress is installed, apply every new update as it is released. Newer versions fix the vulnerabilities found in older versions, which also means those vulnerabilities are openly documented on the web. The hacker is sure to be among the first to read through them and look for a soft target, and that could be you if you are still running the older version. The same applies to the plug-ins and widgets you use. The bottom line: always upgrade whenever a newer version is available, be it WordPress itself, its plug-ins, or even the theme. And even on an updated version, if you notice a bug or something not working in the backend, report it immediately.
- WordPress has many plug-ins that can detect failed log-in attempts and even block IP addresses that try to log in repeatedly without success within a given span of time. Others can detect incoming spam on your website. These are great tools to further protect your site from attack, so make use of plug-ins like Akismet, Wordfence, BulletProof Security, Login Logger and G.A.S.P., and there are more you can find online.
- Last but not least, securing the WordPress config file puts a strong defence in place against external attack. The wp-config file drives the major functions of your WordPress site, and a few modifications there are a definite precautionary measure. First, change the database table prefix; this makes the table names harder for a hacker to guess when trying to break in. Second, disable editing of plug-ins and the theme. This prevents any modification to your existing theme and plug-ins even if a hacker gains access to your admin panel. Third, change your security keys to unique values of your own. This further confuses a hacker looking for the right areas to begin damaging your website. (A step-by-step guide to accomplishing the above is easy to find on Google!)
- No matter how many measures you take, you can never be sure of 100% safety, and it is better to be safe than sorry. Maintaining a backup of your database can save you a lot of headache should your site ever be compromised. Ideally, a backup taken every week, or at least once a fortnight, is a healthy practice. You will be back in action sooner than your hacker can imagine!
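To check the wp-config changes from the list above in practice, here is an added audit script (my own example, not code from the original post or from WordPress). It reports whether the table prefix is still the default `wp_`, whether `DISALLOW_FILE_EDIT` (the WordPress constant that disables the theme and plug-in editor) is set, and whether any security keys still hold the placeholder that wp-config-sample.php ships with. The two wp-config.php files it inspects are constructed samples, and the "hardened" key values are illustrative placeholders, not real secrets.

```shell
#!/bin/sh
# Audit a wp-config.php for the three weak settings discussed in the list above.
# Prints one "WEAK: ..." line per finding and nothing when the file is clean.
audit_wp_config() {
    cfg="$1"
    # 1. Default table prefix: a hacker can hard-code table names such as wp_users.
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg"; then
        echo "WEAK: \$table_prefix is still the default 'wp_'"
    fi
    # 2. Built-in theme/plug-in editor: with DISALLOW_FILE_EDIT a hijacked admin
    #    account cannot write PHP into the site through the dashboard.
    if ! grep -Eq "define\\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\\)" "$cfg"; then
        echo "WEAK: DISALLOW_FILE_EDIT is not set to true"
    fi
    # 3. Security keys/salts: wp-config-sample.php ships them as 'put your unique phrase here'.
    n=$(grep -c 'put your unique phrase here' "$cfg" || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "WEAK: $n security key(s)/salt(s) still hold the sample placeholder"
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CFG="$WORK/weak-wp-config.php"
HARD_CFG="$WORK/hardened-wp-config.php"

# Constructed sample: the settings as a fresh, unedited install leaves them.
cat > "$WEAK_CFG" <<'EOF'
<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
EOF

# Constructed sample: the same file after the three changes (key values are
# placeholders for illustration, not real secrets).
cat > "$HARD_CFG" <<'EOF'
<?php
define( 'AUTH_KEY',         'EXAMPLE-ONLY-replace-with-a-long-random-value-1' );
define( 'SECURE_AUTH_KEY',  'EXAMPLE-ONLY-replace-with-a-long-random-value-2' );
$table_prefix = 'blog_k7x_';
define( 'DISALLOW_FILE_EDIT', true );
EOF

echo "== weak sample ==";     audit_wp_config "$WEAK_CFG"
echo "== hardened sample =="; audit_wp_config "$HARD_CFG"
```

Point `audit_wp_config` at a real wp-config.php to get the same report for your own site.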
The steps above are not so difficult to follow, and they should make a beginner aware of the measures you can take to safeguard your WordPress site. Once aware, you can ask your technical geek to get them done as soon as your site is up. Should you do it yourself, there are detailed guides on the web to help you.
Better security means fewer chances of a break-in and fewer unnecessary roadblocks on your way to success. Now that you are secure, it is time to zoom ahead!