WordPress Security Is Yours Up To Date?

What type of security do you have?

What type of security do you have?

If like many small businesses you use WordPress then you may have been concerned by a recent report stating that, “Hosting providers around the world are seeing a massive increase in brute force attacks against WordPress and Joomla sites”. It certainly prompted me into action, to ensure my website was as secure as possible.

I’ll take you through the precautions you can take to protect your site.

For those that don’t know, a brute force attack is where an attempt is made to access a secure area of a website, in this case the admin area of WordPress, by trying combinations of usernames and passwords multiple times until they find one that works.

This isn’t performed by one person sitting at a PC and manually typing usernames and passwords into your login page. No, the perpertraitors use somehting called a Botnet, a group of computers controlled remotely and working automatically to attempt a login.

You maybe interested to know that Botnets are largely created from unsuspecting PC’s, normally Windows based, infected through malware or other types of virus. It could possibly be your own!

You’re Not Alone

It must be said that WordPress is not alone in terms of vulnerability. Many websites and web based applications are potentially at risk from attack. If you have a custom built CMS (Content Management System), then you should check with your developer how they update against new vulnerabilities.

Strength & Weakness

One of WordPress’s strengths as well as it weakness is its popularity. Very much like the Windows operating system sees far more virus’s than its counterparts Mac and Linux.

One thing WordPress has in its favour is the volume of people working to identify and close those vulnerabilities.

Learn to Protect Yourself

There are some simple steps you can take to protect your WordPress website:

1. Change your username

Make sure your username is not the default, admin. You can’t actually change the username via the WordPress dashboard, but there are a couple of solutions.

The first is to create a new user and swap over control from the old admin user. My preference though is to alter as little as possible and use a plugin called Admin renamer. This allows you to change the admin username directly in the database using a user friendly interface.

2. Change your password

It still amazes me the amount of people that use ordinary words or dates of birth in their passwords. If you website is your business, then please treat it the same as you would your house of car. Protect it adequately.

A strong password consists of 8 or more characters ideally random in upper and lowercase, including numbers and symbols. These type of password are infinitely more difficult to crack. Read this article if you want to see just how easy it is to crack even an encrypted short password that is a common word.

I use an application called 1Password to create and store my passwords, it is cross platform and works on mobile too. So I always have access to my totally randomly generated passwords wherever I go.

3. Keep it updated

Probably the easiest of all is to keep your website updated. WordPress release around 4-6 major security updates in a year. There will also be updates for your plugins. Backup your website before updating, maybe with a plugin like BackupBuddy and ensure you apply updates on a regular basis.

I had an old unused WordPress installation that had been on a server I owned since 2007, and through this install the whole server was infected.

So make sure you delete any plugins or WordPress instances you no longer require and keep the rest up to date.

4. Install some protection

During my update process I came across 2 plugins that can help protect your WordPress site from attack.

The first is Wordfence Security, a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more. This is a substantial, yet easy to use plugin that scans your website for infection, and then locks it down from attack.

Then install BulletProof Security, recommend by a friend Simon at SoCreative, which provides website security protection against: XSS, RFI, CRLF, CSRF, Base64, Code Injection, SQL Injection hacking and many more.

It’s Not Personal

If someone does attempt to hack your website, most likely it is the work of a randomly generated bot working from an infected PC. They are not necessarily after your website information but looking to use your server to help them create bigger and better Botnets to wreak further havoc.

Don’t give then the opportunity and protect your website and your business proactively!

If you have any further security tips for WordPress please feel free to mention them in the comments below – no bots allowed…

About Sean Clark

Building successful online companies since 1999, we help you market your business online. Whether you need help with Search Engine Optimisation (SEO), Paid Search (PPC) or Social Media Marketing call us today on 01603 343477 for a free initial consultation.

Find Sean on:

  • Great tips! I keep seeing so many posts about this with people sharing information on how to protect themselves however, the same ppl sharing these security plugins are failing to see that that plugins they are recommending haven’t been updated in almost a year or longer! Security risk in itself.

    I’ve heard good things about Wordfence. Thanks for sharing!

  • Brenda good point. You should always check whether plugins you are installing are kept up to date. You can check this by searching the WordPress repository for the plugin and seeing the last updated date. It is also an idea to see if the plugin author is active in the support forum for the plugin too in case you need help.

  • Some good information, thanks.

    I have always used “Login Lockdown” to block logins after failed attempts and “Login Alert” to email me when anyone (including me) gets in. I’m not sure how up to date they are but I feel it gives an extra layer of protection.

  • Oh I definitely do but I don’t think enough wordpress users know to check these things out BEFORE recommending a plugin to someone. One really needs to be careful. Fab post. I resharing!

  • Richard, great to here from you! And thanks for the suggestions much appreciated.