If your site has ever been hacked, you know it is a very unpleasant experience. I've spent a bunch of time this week helping two website owners that were hacked and then hardening their sites to help prevent this from happening again.
If you haven't been hacked yet, not having some basics in place means it is not a matter of if -- it is a matter of when you will be hacked. I'm not saying this to be overdramatic. It is just the facts.
Small Sites are Great Targets
Why would hackers be interested in your little old site? Because it is a web server that they can manipulate, using your resources for their nefarious activities. You don't have to be a big famous brand name to be hacked.
Actually the little guys (and gals) are more of a target because many times it is the little guys that do not have the necessary blocks in place to prevent exploitation. Recently a site I helped was a little non-profit with a very local market. They even had a security plugin in place (this is where a good host comes into play). And foreign troublemakers caused them a lot of problems.
I'm going to share with you some basics and a couple great info-graphics from the folks I trust over at iThemes Security:
Top 5 WordPress Security Issues
Here are three things any site owner can address right now:
- Once your site is up and running, delete the "admin" username account. Since that is the default user set up on install, it is the account that will be looked for to exploit. It is also a good idea to not have your nickname and username be one and the same. Use passwords that are at least 8 characters in length and are a combo of capital and lower case letters, numbers and characters to make them as difficult as possible to guess. Use the password tool on your user page to get a password that cannot be guessed. The best passwords don't spell anything out and are difficult, even for you, to remember. This goes for your WordPress database password too!
- Upgrade WordPress to the latest version and continue to do so promptly as new releases become available. All releases include security hardening updates due to bugs and newly discovered issues that need to be addressed. This means updating your theme and plugins as well when they update, to ensure you have the latest, most secure versions. (If you are uncomfortable with this process, check out my White Glove Support Plans.)
- There are several "techie" things that also need to be covered, such as server, folder and file permissions. Permissions are what allow access, or not, to your files and folders on your website hosting server. While this access can be controlled via your .htaccess file -- which gets a bit techie for many -- there are plugins that can do some of this for you. I've used iThemes Security Pro and several free plugins such as All in One Security & Firewall and Sucuri Security.
Top 5 WordPress Security Vulnerabilities
Security plugins can check your WordPress installation for security vulnerabilities and suggest corrective actions. Things like:
- hiding your file editor
- hiding your login page
- file permissions
- database security
- version hiding
- WordPress admin protection/security
Security Needs to be Taken Seriously
I log into sites every day that require updating. I know the site owner doesn't think much about it being a time-sensitive priority -- that is until their site is not accessible, redirecting to porn or illegal sites or simply not responding.
Worse yet, you discover Google is warning searchers that your site has malware or may have been hacked. That will really ding your brand! You'll then have to get your site cleaned and secured, and then ask Google for a review. This is called baptism by fire.
Security is NOT Set and Forget
Even with the best security plugins, you still need to monitor your site regularly for any unforeseen occurrences or file changes indicating trouble is afoot.
Be sure to get the processes and procedures in place to keep that from happening. The time it takes to remedy and recover is something you don't want to have to deal with, from both a time and a cost perspective. [FOR MORE READ: Hardening WordPress]
As a site owner the onus is on you to protect your investment from those with too much time on their hands or who may have diabolical motives. Review these issues carefully and make sure your WordPress site is as secure as it can be. Now.
At your service,
P.S. Disclosure: Some of the links in this post are "affiliate links". Read my full Affiliate Disclosure Statement here.