In this high-tech era when hackers have become very sophisticated and intelligent to penetrate into any sort of system with their malicious hacking techniques, securing your system from any such attacks is of utmost importance. Especially if it’s a web based application or website, you need to take extra care to protect it, as hacking a web-based system is relatively an easier task for a seasoned hacker.
WordPress is a well-known PHP based CMS that is being used by millions of websites around the globe. According to an independent report in 2014, almost quarter of the overall websites on World-Wide-Web are using WordPress as their backend CMS. Since it is open-source software and its source code is easily available on internet, it has been a very soft and easy target for the attackers, unless the website owners take extra steps to safe-guard their wordpress website.
In this article we are going to list down 10 most important security measures that you MUST take to ensure your wordpress website is protected against any possible attack. So let’s get started.
Strong Username & Password
This of course goes without saying, even for websites built on any other CMS. You must ensure that your username and password to log into WordPress Dashboard are strong enough, always use Alphanumeric passwords in combination with digits & special characters. Also get rid of the “ADMIN” username, as the admin username makes hacking a wordpress website much easier. Also never share your username and password with anyone, and save it in a very secure place. If you have to give someone access to your wordpress dashboard, instead of giving them your admin username & password, create a temporary user for them in WordPress with limited access, and give them credentials of that temporary account.
Making the Login Page More Secure
After securing your username/password, you will need to secure your login page as well. As a dedicated and seasoned hacker can, by one way or the other, retrieve your username and password through brute-force attacks. Thus, it is critical to protect your login page against brute force attacks as well. Ideal way to go about it is to limit the number of unsuccessful attempts a single user (IP Address) can make before the IP address gets banned (either temporarily or permanently).
Furthermore, the login screen should not inform the user making unsuccessful attempts to log-in to the system, what field was invalid so they don’t get to know, which field was right and which field needs more brute force attacks or guessing.
Another thing that must be used on Login page is Captcha, this alone can make a lot of bots stay away from your login page and thus your website`s dashboard.
Files & Folders Should Have the Right Permissions
If you really want to make your wordpress website secure, you must learn the basics of File and Folder permissions as they can play a major role in determining whether your website is easily vulnerable to hacking attacks or not.
Two of the most common file permission modes are: 644 & 755, these codes define the rule through which each file or directory is governed and accessed by different user levels. You will find out that most of the files in WordPress are set to the permission of 644, which means this file can be modified by its owner (user who created the file) only, however, it can be viewed by everyone. Some plugins require certain files or folders to have the permission of 755, but before granting this permission you must find out exactly why the plugin requires such permission to be granted and whether the plugin is of good reputation or not. Furthermore, 777 is a permission that makes the file or folder to be completely readable as well as writeable by the hackers, so this permission should never be granted even if a plugin explicitly asks for it.
Regular & Complete Backup of Website
Most of the website issues can be resolved almost instantly if you have taken regular backups of your website. Bugs, Code Manipulations or Hacking attempts can occur at any time, and only if you have taken backups of your website, you would be able to recover from the issues caused by such attacks. If you don’t have timely backups done, recovering from such issues and attempts can be extremely long and painful for you as a website admin as well as a business owner.
Weekly or bi-weekly backups are ideal for most of the websites, but if you have website that is updated more frequently, you might need to take the backup on daily basis; as otherwise, you might have to restart from an out-dated backup. Since both the online and offline disk spaces are dirt cheap now, there is no point in not taking regular backups and saving all of them in a safe and secure place.
WordPress Core & Plugins Should be Up to Date
WordPress is updated quite regularly, with quite a few changes and advancements, both in terms of functionalities and security. Using an out-dated version of WordPress will make your website an easier target for the hackers, as your website would be missing the necessary bug & loop-hole fixes issued in the latest version of WordPress.
It can be a pain to update your WordPress every now and then, but trust us; it is well-worth it. There are strong reasons why team at WordPress constantly updates the system and push forward these updated for all of us.
Similarly all the plugins you are using in your website should be up-to-date, as having an out-dated plugin is an even bigger threat to your wordpress security. Updating your plugins will also ensure that all of your plugins are compatible with the latest version of WordPress, otherwise some incompatibility issues might occur as well.
If you are serious about your online business, securing your website from potential hackers should be the first thing in your mind. This list of security measures, is by far not complete, however these are the 5 most important measures that you must take before anything else.