According to research published recently by Netcraft, over 27% of the world wide web is built on WordPress … that’s over 75,000,000 websites built using WordPress!
Part of the huge attraction of WordPress is its ease of use, especially for small business owners who can’t afford to invest great sums of capital in setting up a website initially.
So here are 6 simple tips to help you protect your WordPress website:
1. “ADMIN” User – All you need is my password!
With older installations, WordPress helped you along the install process by using a default user of “admin”, and some users think that it is still the best way to go.
WordPress uses two key pieces of data to manage login, User & Password.
By using, or continuing to use, the default “admin” user, you have handed hackers half of what they need to get into your website. Add a weak password (read #3) and your website is an easy target.
How to fix:
During the installation process WordPress gives you the opportunity to use a different user name … make it something different, BUT not too easy!
If it’s easy to guess, like your domain name, you might as well stay with “admin”!
What about your pet’s name, or maybe the street where you grew up: something you know that a hacker won’t. Then, to make it stronger … mix it up!
If you are unsure how to fix your Username, it’s best to contact either your web designer or if you don’t have one, contact me for help.
2. “ADMIN” Access – Keep your friends close and your admins even closer!
Your website has a problem and you need help? A friend suggests they know how to fix it, and you either give them your admin access details or you create a new admin user for them.
Giving admin rights is like handing over your credit card details. Don’t allow admin access to get into the wrong hands. Only allow admin access to users you know or developers who are working on your website, and only for as long as that access is needed.
Even if you don’t manage your website yourself, you should have full “admin” access level, so that in an emergency you have the access needed to be in control of your website.
How to fix:
Problem: You don’t have details as an admin user.
Solution: Ask your website person for an “admin” user role; remember, it is your website.
Problem: You have created a new admin user and that access is no longer needed.
Solution: delete the user!
Problem: You have given your access details to another person and access is no longer needed.
Solution: change your password, now!
In the future:
Use WordPress’s built-in role editor or a plugin like User Role Editor to manage different access levels.
3. Passwords – Easy to remember passwords are also easy to guess!
We are only human and it’s easy to forget, so you create a simple password so that you won’t forget it, right?
The easier your password is for you to remember, the easier it will be for hackers and their “brute-force” attacks to crack that password.
How long would it take a hacker to guess a simple 8-character, letters-only password using a supercomputer? Not many hackers have one, but they do set up “botnets”, networks of small computers that they have hacked and that together operate like a supercomputer … the answer was 7.6 minutes!
One standard home computer can try around 2 million combinations a second.
Don’t panic! The 7.6 minutes is pure computer processing time. There are still the inherent delays of the internet connection, loading your website login page, the unsuccessful login, loading the login page again, etc., all of which slow the process down.
How to fix:
A strong password has a minimum of 8 characters, with a combination of upper case letters, lowercase letters, numbers & special characters.
If you are struggling, use a password generator to help you create a strong password.
Install a plugin that monitors login attempts and can then lock out the computer once a set number of failed attempts has been identified, e.g. 3 failures within 5 minutes.
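As an added illustration (not code from the original post or from any particular plugin), here is the lockout rule just described, 3 failures within 5 minutes, replayed over a few constructed login log lines so you can see which attempts a monitoring plugin would reject:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # failures allowed ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window; the lockout lasts as long

# Constructed sample log lines: "<ISO time> <client IP> <user> <ok|fail>"
SAMPLE_LOG = """\
2024-03-01T08:00:00 203.0.113.5 admin fail
2024-03-01T08:01:30 203.0.113.5 admin fail
2024-03-01T08:03:00 203.0.113.5 admin fail
2024-03-01T08:03:10 203.0.113.5 admin fail
2024-03-01T08:10:00 198.51.100.7 jane ok
2024-03-01T08:20:00 203.0.113.5 admin fail
2024-03-01T09:00:00 198.51.100.7 jane fail
2024-03-01T09:30:00 198.51.100.7 jane fail
2024-03-01T10:00:00 198.51.100.7 jane fail
"""

def apply_lockout_rule(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay login attempts through the rule. Returns (lockouts, blocked):
    when each client address crossed the threshold, and which later attempts
    would have been rejected outright while its lockout was active."""
    recent = defaultdict(deque)   # client IP -> timestamps of recent failures
    locked_until = {}             # client IP -> time its lockout expires
    lockouts, blocked = [], []
    for line in log_text.splitlines():
        ts_text, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        if ip in locked_until and ts < locked_until[ip]:
            blocked.append((ts_text, ip, user))      # rejected before any password check
            continue
        if outcome == "ok":
            recent[ip].clear()                       # a successful login resets the count
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:                    # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = ts + window
            lockouts.append((ts_text, ip))
            q.clear()
    return lockouts, blocked

if __name__ == "__main__":
    for event in apply_lockout_rule(SAMPLE_LOG)[0]:
        print("locked out", event[1], "at", event[0])
```

Note that the three spaced-out failures from the second address never trigger a lockout: only failures that cluster inside the window count, which is what distinguishes a brute-force run from a forgetful owner.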
4. Updates – Outdated versions are a hacker’s welcome mat!
Ignore the updates of the WordPress core, theme and plugins at your peril!
Outdated versions present hackers with a range of known vulnerabilities that they can exploit. An outdated version can be identified from the outside, and its known problems traced to exactly where they exist … basically putting out the welcome mat.
How to fix:
WordPress will tell you when updates are needed and what needs to be updated.
Simple … well not quite, there can be missteps!
Misstep 1: Updates have been known to break functionality; with so many different pieces there can be the occasional clash, and a specific function will no longer work.
Always have a backup of your website before you start updating and check the main functions after updates have been processed.
e.g. contact forms, adding products to a shopping cart, connecting to the payment gateway.
If anything is broken, restore to your backup until you can work out what caused the problem.
Certain website hosting providers do have automatic update processes, making your life easier. The challenge with automated processes is that updates may break functionality within the website and you may not actually be aware of the problem until you get that dreaded phone call or email informing you that your website isn’t working!
Misstep 2: An update may actually add another security vulnerability when it is designed to fix one.
A real website story …
A popular plugin that allows website visitors to share your website content to various social media platforms released an update that created a security vulnerability.
The dreaded details arrived via two early morning messages, a text from the client saying their website had been hacked and an email from a security plugin supplier warning that the particular plugin had a serious vulnerability and should be removed.
The fix … two hours to restore the client website from the backup prior to the plugin update, then hours to go through all other client websites to check the plugin version and remove if required and then another two hours to re-install and update the plugin once the supplier had remedied the issue.
So remember, backup, update and then check!
If available through your hosting provider, use a staging / test version of your website to run updates before applying to your live site.
5. Plugins – You can have too much of a good thing!
With over 40,000 plugins available in the WordPress plugin list, it can be like a candy store: tempting to try them all.
You need to think minimal: installing too many plugins will bloat your website and make it slower than a sloth, and it also adds to the possibility of clashes of functionality within your website.
Plugins are generally created by separate, individual developers who are working towards one goal … what their plugin is designed to do. They do not consider the impact of what they do inside their plugin on other plugins.
A real website story … a particular plugin created a clash that prevented the automatic running of scheduled backups. Solution: find an alternative plugin that added the functionality while allowing automated backups to run.
How to fix:
Choose the plugins you install wisely. Simply ask: is it necessary to the functionality of your website?
Uninstall plugins that you no longer need.
For plugins that you may need only occasionally, e.g. database cleanup, ‘deactivate’ them when not required; when needed you can simply ‘activate’, use, and then deactivate again.
6. Backups – Make sure they are around when you need them!
Would you spend time writing that important document and then not press “save”?
Not running consistent backups of your website is the same as not pressing that save button for your document.
Creating that backup is critical so that you don’t lose your website should that “Oh My God” event happen.
How to fix:
Generally, website hosting providers do have automatic backup processes that back up files, databases and emails every night, i.e. your full hosting account including your website.
However, these backups generally only go back 7 days. They are perfect if you identify an issue with your website within those 7 days; anything before that and you are without a solution.
For backups going back further than 7 days you will need to consider a WordPress backup plugin and also a form of storage away from your hosting account, for that just-in-case situation.
For my clients… backups are undertaken both on a daily basis (retained for 7 days) and weekly (retained for 5 weeks). They are then available for download and restore if ever needed.
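To make the retention schedule above concrete, here is an added example (not the author’s own tooling) that applies the rule, nightly copies kept for 7 days and weekly copies kept for 5 weeks, to a constructed list of nightly backup dates. It assumes the weekly copy is the one taken on a Sunday:

```python
from datetime import date, timedelta

DAILY_KEEP_DAYS = 7     # nightly copies are kept for 7 days
WEEKLY_KEEP_DAYS = 35   # weekly copies are kept for 5 weeks
WEEKLY_DAY = 6          # Monday=0 ... Sunday=6: assumed day of the weekly copy

def classify_backups(backup_dates_iso, today_iso):
    """Split ISO-formatted backup dates into (keep, prune) under the rule:
    keep anything younger than 7 days, plus Sunday copies younger than 5 weeks."""
    today = date.fromisoformat(today_iso)
    keep, prune = [], []
    for text in sorted(backup_dates_iso):
        d = date.fromisoformat(text)
        age = (today - d).days
        within_daily = age < DAILY_KEEP_DAYS
        within_weekly = d.weekday() == WEEKLY_DAY and age < WEEKLY_KEEP_DAYS
        (keep if within_daily or within_weekly else prune).append(text)
    return keep, prune

def nightly_backup_dates(today_iso, days=45):
    """Constructed sample data: one nightly backup per day for the last `days` days."""
    today = date.fromisoformat(today_iso)
    return [(today - timedelta(days=i)).isoformat() for i in range(days)]

if __name__ == "__main__":
    keep, prune = classify_backups(nightly_backup_dates("2024-04-03"), "2024-04-03")
    print("keep :", keep)               # 7 nightly copies + 4 older Sunday copies
    print("prune:", len(prune), "copies")
```

Run against 45 nights of backups, the rule keeps 11 copies: the last 7 nights plus the four older Sunday copies, so any point in the last five weeks can still be restored to within a week.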
Just remember if something does go wrong, don’t panic!
Backups and knowledge are your best friends!
Contact me or your website person on the best way to fix any of these protection steps.