Securing Your Wordpress Website

Olutunmbi Banto
4 min read · Oct 30, 2018

WordPress is an open-source Content Management System (CMS). Its technology stack is based on PHP and MySQL: the most popular programming language and database system.

It is no news that most blogs and a number of websites run on the WordPress platform, hence the need for this post: to make users aware of the risks and of the proper actions to take in protecting their online assets.

Because WordPress is open-source (meaning its codebase is free and open to anyone and everyone who wants to access it), it also becomes a target for hackers, who can study that same code.

The point is: no one wants their website/blog to be hacked.

But the good news is: there are various ways to ensure your website (built on WordPress) is secure. Here are a few important steps to take to ensure your online safety.

1. Secure the entry-point of your backend — Your Login

For optimum protection of your site’s content, plugins and code, there is a free WordPress plugin that can help. It is called iThemes Security (formerly Better WP Security) and currently has over 800,000 installs. You can use it for free, and if there are additional Pro features you want, you can pay for the Pro version. The iThemes plugin does the following:

  • Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
  • Prevents brute-force attacks by banning hosts and users with too many invalid login attempts
  • Strengthens server security
  • Enforces strong passwords for all accounts of a configurable minimum role
  • Detects and blocks numerous attacks on your filesystem and database

…and many more

2. Change your default Admin Login URL

By default, to log in to a WordPress admin backend, you visit <yourSiteDomain>/wp-admin. All WordPress users (including hackers) know this, and it makes it easier to gain access using SQL injection or other means.

Careful study of the iThemes plugin’s settings will show you how to change this default URL.

Another means of changing this URL is the .htaccess file. This is a file at the root of your site, as seen over FTP, and it contains configuration settings for your website.

3. Change Your Password Frequently

Most sites recommend this, and it is effective. Changing your password frequently ensures a level of security: anyone who currently has access with it is locked out after a while. Prolonged access is dangerous.

4. Secure Your Password and Do Not Write It Down

We always tell people this. Never, ever write down your password. The human brain is enough to recollect over a thousand passwords (if not more). If you must coin your password, replace letters that look like numbers with numbers, e.g. use “Nomb3rz” instead of “numbers”. You can also include special characters such as dot, comma, !, #, $, ^, & and so on.

5. Use SSL to secure Your Site

There is no harm in installing a Secure Sockets Layer (SSL) certificate on your website. This ensures that all requests sent to the server, and the responses, are encrypted, making them difficult to read if intercepted.

Contact your website administrator or hosting provider for this. It might cost you a little, but it is worth the security.

6. Backup Your Site Regularly

Backups are good. They give you some breathing room when you think you have lost all your content, either by mistake or as a result of an attack. Some WordPress plugins you can use for regular backups are VaultPress, BlogVault and BackupBuddy. What you really need to back up is your database, as that is where most of your site’s content is stored.

7. Disable Directory Listing

If the index file of a directory on your website is missing and that directory is visited in the browser, the server lists all the files and folders inside that directory. This is risky. To ensure this does not happen, you need to add a single line of code to your .htaccess file. Here is the line:

# Disable automatic directory listings for this folder and everything below it
Options -Indexes

It is advisable to place the .htaccess file in the root of your website. This secures every folder level: the setting takes effect in all folders and sub-folders of the entire website.
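Once the line is in place, it is worth verifying that the server really stopped listing directories. The script below is an added example, not code from the original post: it fetches a directory URL on your own site (the URL is an assumption) and classifies the response, and it includes a constructed sample of an Apache autoindex page so it can be tried offline.

```python
"""Verify that a directory on your own site no longer serves a directory
listing after 'Options -Indexes' was added to .htaccess.

Added example (not from the original post). The URL checked is an assumption;
the HTML below is a constructed sample of what Apache's mod_autoindex returns.
"""
import re
import sys
import urllib.error
import urllib.request

# Apache's mod_autoindex (and nginx autoindex) always titles the page "Index of /<path>".
_AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)

# Constructed sample of an autoindex page, used when no URL is given on the command line.
SAMPLE_LISTING = """<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1><a href="../">Parent Directory</a>
<a href="backup.sql">backup.sql</a></body></html>"""


def looks_like_autoindex(body: str) -> bool:
    """True when the HTML body is an automatic directory listing."""
    return bool(_AUTOINDEX_TITLE.search(body))


def classify_response(status: int, body: str) -> str:
    """Map an HTTP status and body to 'listing', 'forbidden' or 'no-listing'."""
    if status == 403:
        return "forbidden"      # what Apache returns once -Indexes is in effect
    if status == 200 and looks_like_autoindex(body):
        return "listing"        # directory listing is still enabled
    return "no-listing"         # an index file or some other page was served


def check_directory_listing(url: str, timeout: float = 10.0) -> str:
    """Fetch a directory URL (with trailing slash) on your own site and classify it."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:     # 403/404 arrive here, not as a return value
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python check_listing.py https://<yourSiteDomain>/some-folder/
        print(sys.argv[1], "->", check_directory_listing(sys.argv[1]))
    else:                   # offline demonstration on the constructed sample
        print("sample ->", classify_response(200, SAMPLE_LISTING))  # listing
```

If the result is still "listing" after the .htaccess change, your host may not let .htaccess override Options (Apache’s AllowOverride setting), so ask your provider to enable that or to disable listings server-side.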

Conclusion

The importance of security cannot be over-emphasized. Security is a continuous process. Always keep your website, cPanel, webmail and other account passwords secret. Should you suspect your password has been compromised, change it immediately.

Don’t hesitate to contact us for further guides, or if you would like us to implement this for you.

We offer other services like mobile application development and support services.


Olutunmbi Banto

Software Engineer — Building mobile and web applications with Node, React, Angular, PHP | Cloud| ALC Mentor and Facilitator at Andela | Tech Writer at @itnex_io