Hackers work day and night trying to break into even the most secure systems. As web developers, the last thing we want to hear is, “My website has been hacked.” The sad truth is that no system is 100% secure. However, the WordPress content management system (CMS) has been comparatively good at limiting the damage, because vulnerabilities get reported and fixed quickly.
WordPress has over 75 million installs worldwide and is backed by thousands of developers, hosting providers and hobbyists who report vulnerabilities in their own installs. Should you find a vulnerability, report it privately to the WordPress security team rather than opening a public topic on the WordPress.org support forum, so the fix can ship before the details are widely known. Once the team is notified, its developers start working on a fix immediately.
This article doesn’t come close to covering everything to consider when securing a website. While it is primarily about WordPress, most of the suggestions apply to any website or CMS.
Here’s how to minimize your risks and avoid getting hacked:
Host with a quality provider
Stick with a reputable hosting provider. Many scan the websites they host for known vulnerabilities, such as outdated or untrusted plugins and themes and common misconfigurations. Many also work closely with the WordPress community to flag known issues, and some will apply WordPress updates for you automatically.
Keep your site up to date
Outdated WordPress core, plugins and themes are an open invitation to hackers, who scan the internet for sites still running software with previously reported vulnerabilities. Once a security hole in widely used software is published, exploitation attempts follow quickly, so apply updates promptly. If you have shell access, WP-CLI’s “wp core check-update” and “wp plugin list --update=available” show what is pending.
Use an SSL Certificate
Seriously… this becomes more important every day. Google announced in August 2014 that it gives a minor ranking boost to sites served over HTTPS, so if SEO matters to you, that is one more reason. More importantly, an encrypted (TLS) connection stops anyone on the network between the browser and your server, such as someone on the same public Wi-Fi, from reading or tampering with the traffic, which includes your login password and session cookie. Buying the certificate is only the first step: redirect all HTTP requests to HTTPS and make sure the WordPress site URL uses https, otherwise visitors and your own admin logins will keep going over plain HTTP.
Implement strong passwords
The simplest thing you can do to improve your website’s security is to use unique usernames (not “admin”) and strong, unique passwords, ideally from a password manager; consider adding two-factor authentication as well, with Clef, Duo or Google Authenticator, for example.* Initially I was a reluctant convert to two-factor authentication, but after looking at logs for the last few years I’m now a convert.
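To see what the Google Authenticator style of second factor actually does, here is a small worked example. It is added to this post and is not code from the post’s original version or from any of the plugins named; it implements the time-based one-time password algorithm (RFC 6238) that Google Authenticator and most authenticator apps use, and verifies a submitted code against the current 30-second step plus one step either side to absorb clock drift. The secret is the RFC 6238 test secret, base32-encoded the way an enrolment QR code carries it; the step size, digit count and window are assumptions that match the usual app defaults.

```python
"""TOTP (RFC 6238) code generation and verification, the algorithm behind
Google Authenticator. Added example; not code from the post or from any plugin
it names. Secret, step size, digit count and window are assumptions below."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code (authenticator-app default)
DIGITS = 6       # code length (authenticator-app default)
WINDOW = 1       # also accept one step before and after, for clock drift

# RFC 6238 Appendix B test secret ("12345678901234567890"), base32-encoded the
# way an enrolment QR code carries it. Constructed for the example.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _decode_secret(secret_b32: str) -> bytes:
    # Apps often strip the '=' padding; put it back before decoding.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """The code valid for the 30-second step containing time `at` (now if None)."""
    now = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), now // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None) -> bool:
    """Accept `submitted` if it matches the current step or WINDOW steps either
    side. compare_digest keeps each check constant-time. A real server must also
    refuse to accept the same code twice within its validity window (replay)."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    now = int(time.time()) if at is None else at
    step = now // TIME_STEP
    secret = _decode_secret(secret_b32)
    matched = False
    for skew in range(-WINDOW, WINDOW + 1):
        # `|=` rather than an early return: same number of comparisons every time
        matched |= hmac.compare_digest(hotp(secret, step + skew), submitted)
    return matched
```

Two things the code does not do for you: rate-limit code submissions (a six-digit code with a three-step window is still guessable by a bot that gets unlimited tries) and remember the last step at which a code was accepted, so a code sniffed over plain HTTP cannot be replayed for the rest of its window. Both belong in the login handler.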
Add security plugins
I use and recommend iThemes Security Pro.** It provides a checklist of things you can do to make your website more secure and adds two-factor authentication to the login procedure.
Want more security?
- Get on a mailing list for your chosen CMS so you are notified of updates. Some, such as WordPress and Umbraco, also tell you about available updates when you log in.
- Harden your .htaccess file to block direct access to sensitive files such as wp-config.php and to PHP scripts under wp-includes, and to stop PHP from executing inside the uploads directory.
- Ensure your file permissions are correct: typically 755 for directories and 644 for files, wp-config.php readable only by the web server user, and nothing world-writable (777).
- Use the security tools your hosting provider offers; they are usually quite good.
- Backups… I use BackupBuddy. The plugin lets you specify when and how often your website is backed up, and it offers a range of options for safe, off-site storage. BackupBuddy also scans your website for malware and your database for common issues it can resolve. Whatever tool you use, restore a backup onto a test site now and then; a backup you have never restored is not one you can rely on.
- Hide your WordPress version. This is a minor measure (scanners can fingerprint WordPress in other ways), but there is no reason to advertise exactly which release you run.
- Move your login page, whether it’s WordPress, Joomla or something else. Automated attacks hammer the default path (wp-login.php for WordPress), so if they can’t find yours it cuts out most of the noise, though it is no substitute for strong passwords and two-factor authentication.
- Limit login attempts: lock out an IP address, and the targeted account, after a handful of failures within a few minutes. This blunts brute-force password guessing.
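Here is a worked .htaccess fragment covering the HTTPS redirect and the hardening items above. It is an added example, not the post’s own configuration or anything generated by iThemes Security; it assumes Apache 2.4 with mod_rewrite enabled, AllowOverride permitting FileInfo and Options in .htaccess, a standard single-site WordPress layout, and that nothing on the site legitimately needs to run PHP from the uploads directory.

```apache
# ----- /.htaccess (site root) -----

# Send every plain-HTTP request to HTTPS with a permanent redirect, so the
# certificate actually protects visitors and admin logins.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# No directory listings anywhere.
Options -Indexes

# Nobody needs to fetch the configuration file or the hardening rules themselves.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# Block direct requests to PHP scripts under wp-includes; WordPress includes
# them internally, and a browser never needs to request them by URL.
# (Not suitable for Multisite, where ms-files.php must stay reachable.)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

# ----- /wp-content/uploads/.htaccess -----

# Uploads are data, never code. If an attacker manages to drop a .php file in
# here through a buggy plugin, this stops the web server from executing it.
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Two caveats. If a CDN or load balancer terminates TLS in front of your server, %{HTTPS} is “off” for every request and the first rule loops forever; condition on the header your proxy sets instead. And after changing file permissions (the item above), make sure the web server can still read these .htaccess files, or Apache will return 500 for the whole site.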
* Clef: secure two-factor authentication with no passwords or tokens.
* Duo: adds Duo Security two-factor authentication to your WordPress website, for your admins and/or all users.
* Google Authenticator: a multi-factor app for mobile devices. It generates time-based one-time codes (TOTP) that are entered during the 2-step verification process.
** iThemes Security: the Pro version of the plugin regularly scans your website for malware, provides a checklist of things you can do to make your website more secure, and adds two-factor authentication to the login procedure: users need both their password and a code from their mobile device to log in.
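The “limit login attempts” item above is simple to state but easy to get subtly wrong, so here is the logic as a worked example. It is added to this post and is not code from iThemes Security or any other plugin named here; the thresholds, the in-memory counters and the one-user credential store are illustrative assumptions. It counts failures per client IP and, separately, per username, so that one address guessing many accounts and many addresses guessing one account are both caught, and it checks the lockout before it ever touches the password.

```python
"""Sliding-window login throttle, the logic behind "limit login attempts".
Added example; not code from iThemes Security or any other plugin named above.
The thresholds, the in-memory store and the user list are illustrative
assumptions; a real deployment persists the counters and salts per user."""
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict

MAX_FAILURES = 5        # failures tolerated per key inside WINDOW_SECONDS
WINDOW_SECONDS = 600    # ten-minute sliding window
LOCKOUT_SECONDS = 900   # fifteen-minute lockout once the limit is reached

# Constructed credential store: one user, PBKDF2-hashed password. The salt is
# fixed only so the example is reproducible; use a random salt per user.
_SALT = b"example-salt-not-for-production"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"admin": hash_password("correct horse battery staple")}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison, and the same hashing work whether or not the
    username exists, so neither fact leaks through response timing."""
    stored = USERS.get(username.lower())
    candidate = hash_password(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


class LoginThrottle:
    """Counts failures per key. The caller keys on both the client IP and the
    username, so one IP guessing many accounts and many IPs guessing one
    account are both caught."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str, now: float) -> bool:
        if now < self._locked_until.get(key, 0.0):
            return True
        self._locked_until.pop(key, None)   # expired lock, forget it
        return False

    def record_failure(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] >= WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, ip: str, username: str,
                  password: str, now: float) -> str:
    """Returns "locked", "ok" or "fail". The throttle is consulted before the
    password is checked, so a locked-out client learns nothing about it."""
    keys = (f"ip:{ip}", f"user:{username.lower()}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"
    if check_password(username, password):
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "fail"
```

Two practical points. Behind a reverse proxy or CDN the connection’s remote address is the proxy, so the IP key must come from the proxy’s forwarded header, and only when the request really arrived from that proxy, or an attacker can spoof a fresh “IP” per attempt. And locking the account as well as the IP means anyone can lock your admin out for fifteen minutes by sending five bad passwords; many plugins therefore lock on IP only or slow the account down with growing delays instead, which is a trade-off you should make deliberately.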
As hackers’ methods and abilities grow more effective every day, we’ll always be at risk of security breaches. However, setting up your site with the measures above may be all you need for now.
Not to blacklist all hackers… there are hackers out there using their skills for the greater GOOD, but that’s for another post. Stay tuned!