According to the WordPress Attack Report (October 2017), in December 2017, WordPress websites were under the highest brute force attack.
Digital security is of foremost importance to the website owners at the present time. WordPress being an open-source script is quite vulnerable to all sorts of attacks. Without any doubt, its core software is very secure and audited regularly by the developers; still, there are some loopholes that lead to external attacks on the websites. A hacked website can bring serious damage to your business. It can even be infected by some malicious software which can get distributed to the users in the future. In the worst case, you can even land paying ransomware to the hackers to regain the access.
Let’s take a look at these numbers of actionable steps that can improve the security of your website:
- Avoid using “admin” as a username
Usernames make up half of the login credentials and an easy username like “admin” is something which is easy to guess and simplifies things for hackers as well. All they need is a password. So, select a username with capital letters and something which is not easily approachable. You can also try implementing the below mentioned:
- Create a username with administrative privileges
- Assign all the blog posts and pages to the new admin
- Do not forget to delete the old “admin” user from the WordPress.
These little steps of precautions will definitely make it harder for the hackers to get access to your website.
- Pick a strong password and change it often
You must have a strong password not only for admin area but also for FTP accounts, WordPress hosting account, database etc. Consider the following points while creating a password:
- Keep at least 15 characters long
- Use symbols and numbers
- Use Uppercase letters
- Avoid using dictionary words
These passwords should be changed frequently to make it difficult for the hackers to approach.
- Password Protect WordPress Admin and Login Page
We can use additional password protection (htpasswd) on a server side which will effectively block those requests.
Directory indexing gives an opportunity to the hackers to look out for the files with vulnerabilities. It also enables persons to look into your files, copy images, and find directory structure and other information.
Nobody would ever want a third person to know such intimate details of the website. So, it is highly recommended to turn off the indexing of the directory browsing.
- Use 2-factor Authentication (TFA) for Login
Two-factor authentication is another good security measure for your website. It requires two successive factors to log in. It enables the website owner to decide on these two components. It can be a password followed by a secret question or a code, a set of characters or something else. It creates an additional layer of security.
You can even use some of the plugins available for implementing the 2-factor authentication for login. Rublon and Clef are the two most interesting e-mail based two-factor authentication plugins. It should be noted that all the plugins should be downloaded from entirely from known resources.
- Hide the common WordPress paths
Common WordPress paths help hackers to track the sensitive website data. So, hiding this path is a great way to restrict the sensitive information leakage to the intruders.
- Limit Login Attempts
By default WordPress allows users to log in as many times as possible. It is an easy way for hackers to crack the password with different combinations and gain access to the website. This leaves the website vulnerable to brute force attacks.
However, it can be easily taken care of by limiting the number of failed attempts a user can make.
- Automatically log out Idle Users
Idle users can pose a security risk. When an account sits for too long without interaction, it increases the chances of session hijacking. This is when a hacker can gain control of the account without actually using credentials to log in. This is one of the driving points why most banks and other institutions automatically log out idle users.
- Change Default Database Prefix (WP_)
WordPress Database is like a brain for your entire WordPress site because every single information is stored in there thus making it hacker’s favorite target. Spammers and hackers run automated codes for SQL injections. Well, unfortunately many people forget to change the database prefix while they install WordPress. This makes it easier for hackers to plan a mass attack by targeting the default prefix wp_. The smartest way you can protect your database is by changing the database prefix which is really easy to do on a site that you are setting up.
- Disable File Editing from WordPress Admin
By default WordPress allows users to edit the theme and plugin codes through the admin panel. While it is a handy feature, it can be very dangerous as well. A simple typo can end up locking you out of your site unless ofcourse you have the FTP access.
- Disable Trackbacks
Some people really like the fact that WordPress sends pings from your own site to the same location when you write posts. It gives them a trail of related posts. Unfortunately, 99% of them are completely spam. Disabling them entirely from the WordPress settings is a must to keep the website secure.
Powering over 26.5% of the websites, WordPress holds a large piece of market share. Along with the increasing worldwide popularity, comes the need for high-security strategies. Using clever passwords, keeping core and plugins up to date, and choosing a secure managed WordPress host are just a few that will keep your WordPress site up and running safely.
Author: Neeraj Gupta
Neeraj leads the ecommerce practice at Sigma. With over 20+ years of work experience in companies like L&T, Infosys, Motorola, Agilent & Dell R&D he has in-depth knowledge on software Services, Program Management and Product Development. He is passionate about emerging technologies within the ecommerce space and loves sharing his views around them.