Unfortunately, it’s all too common to hear of websites getting hacked. Whether it’s private photos being leaked to the public or credit card databases being compromised, it’s not hard to think of a time when a security leak made the news. It’s easy to think that if even big corporations can’t keep things under wraps, security is an impossibility for a small, self-hosted WordPress website, but that’s not the case. Here are some tips to keep your site as secure as possible.
Understand the truth about password security
The weak link in your site is your password. Yes, there are other ways for a hacker to access your data, but the easiest way in is for someone to simply figure out your password, either by guessing or through the use of a password-stealing tool. This is known as a brute force attack. So how can you make any password to any site less vulnerable to this type of hacking?
Create a long password. Through the years, we’ve been taught several myths about password security, but one stands out: the use of “special characters” as a way to increase security. Truth be told, it doesn’t matter if your password is all lowercase letters or a mixture of lowercase, uppercase, numbers, and symbols; as long as there’s a possibility that you can use special characters, there’s no way for a password stealer to know whether you did or not. This cartoon illustrates the concept in more detail. It’s a good idea to make your password at least 15 characters long, and the longer you make it, the harder it is to guess. This doesn’t only apply to WordPress security, but any password for any site.
There’s one major exception to this rule, however. Do not, under any circumstances, use one word in the dictionary as your password — for WordPress or anything else. Even if it’s the longest word in the dictionary, some password stealers use a dictionary as their first entry attempt before trying random letter/number/symbol combinations.
Don’t use your WordPress password on another site. This suggestion is frequently considered to be a frustrating one, but it’s an important step to take. If you have the same password for WordPress and another site and that site gets hacked, your login is exposed for every site for which your password is the same. You can use a password manager like 1Password or LastPass to make password management and randomization easier, or at the very least, make your logins unique for sites that store important personal information like your website or bank. If you have two passwords you frequently use, you could combine them to create your WordPress password, which will make it unique and longer all at once! You could also use the same password but add a unique identifier to the end — for example, use MyPasswordBank (replacing “MyPassword” with whatever your password is) for your bank’s online login and MyPasswordWordPress for WordPress.
Keep WordPress, your themes, and your plugins up to date
WordPress automatically installs minor updates for you, but plugin updates and major WordPress updates are installed manually. Be sure to look for the “Updates” tab on the left side of your Dashboard, as it only appears when you have an update waiting. On the Updates page, you’ll be able to install updates for your themes, plugins, and WordPress itself all in one place.
Also be sure to remove any plugins and themes you don’t need. While it’s doubtful that any of these will be updated with insecure or nefarious code, it’s a time when the “better safe than sorry” rule applies.
Change your WordPress username
We’ve already talked about how to make your password more secure, but the WordPress login screen asks for a username and password, and both are important for security purposes. When you first create your site, you’ll be asked to create a username. The default choice is ‘admin.’ Hackers are also aware that this is the default choice, and as a result, most password stealers will try to use the username ‘admin’ to try to log in. If you change your username to something else, you exponentially decrease the chances of a brute force attack, as the username and password must both be correct.
Install a plugin to further increase your security
A variety of WordPress plugins add extra security features such as two-factor authentication and limiting login attempts.
WordFence: This is the most popular WordPress security plugin. It adds a firewall and two-factor authentication, requires users to create strong passwords, and monitors your site. Because WordFence is so widely used, it also automatically blocks computers from entering your site that try to hack another site with the WordFence plugin.
iThemes Security: iThemes Security includes over 30 security features, including two-factor authentication, password expiration (requiring passwords to be changed at a frequency you set, or even immediately if needed), and malware scans.
WP Login ReCAPTCHA: This plugin adds a CAPTCHA to your login page. A CAPTCHA is a type of test to tell humans from computers, normally appearing in the form of twisted-looking words on top of a patterned background.
These are only a few of the numerous WordPress plugins dedicated to securing your site. For more information on WordPress security, visit the WordPress codex articles on brute force attacks and two-step authentication.