It seems every year now we hear about some major corporation getting hacked and how the consequences fall on its users; Yahoo and Sony are just two of the high-profile examples. If you think only large Tier 1 businesses are at risk, think again.
Just a few days ago, I was tweaking some settings for a hosting customer and had to scroll through the logs to find some info. As I was working I noticed a few unwelcome (unsuccessful) attempts to access WordPress core files from Russian and Eastern European IP addresses.
Your internet business absolutely must have measures in place to protect against common attacks. FissionBlue Creative managed hosting customers get these protections automatically, but many web hosts do nothing to reduce the risk of a break-in. The following recommendations for securing your WordPress website are usually easy to implement (by yourself or a trusted helper) and should not take more than an hour or two. The alternative is to leave your brand and your business's assets exposed to unnecessary risk.
1. Install a WordPress Security Plugin like Wordfence.
Many of the most important features are free, and out of the box these plugins close off some of the most common entry points attackers use, such as unlimited password guessing against the login page. From the plugin's settings inside the WP Dashboard you can adjust the level of protection and logging to your liking. With just a few clicks you have a stronger level of protection for your WordPress site.
2. Make Backups of Your Website Regularly.
The frequency of your site backups is entirely up to you, but we recommend weekly or monthly WordPress backups, depending on:
a. How busy your site is (how much traffic you receive)
b. How often you add or change your content, and
c. How often you update your WordPress version, theme version, and plugins.
There are several free and premium solutions available, so you should know what the bare minimum is. Your WordPress website needs two components to run correctly.
The first component consists of your actual files, like the WordPress PHP files, your plugins, and the pictures or graphics you've uploaded. These are stored in a directory on your web host and can be accessed via FTP (or better, SFTP, which does not send your password over the network in the clear). The second and equally important component is your database, which is where your textual content, settings, orders, and users are stored. The very text you are now reading is being pulled from FissionBlue's database.
You must ensure you get both halves: if you restore a backup of all your files but your database is missing, your website is unusable.
We recommend Duplicator or UpdraftPlus to create a restore point of both halves, whether you want to restore your entire website after a catastrophe or migrate to another host. The backup can be saved on your host or externally to your Google Drive, Dropbox, or AWS account; keeping at least one copy off the server means a compromise or disk failure on the host cannot take your backups with it. Whichever tool you use, test a restore once (on a staging copy if you have one) so you know the archive is complete before you need it. FissionBlue Managed Hosting customers enjoy server-side automatic backups included free of charge, so there is no need for a backup plugin (unless you wish to store backups externally). FissionBlue backups may be accessed by logging into your Control Panel.
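To make the "two halves" point concrete, here is a small Python script added to this article as an illustration; it is not code from FissionBlue, Duplicator or UpdraftPlus. It reads the database credentials out of wp-config.php so the dump always belongs to the same site as the files, hands the password to mysqldump through the environment instead of the command line (where other users on the host could read it with `ps`), and gives both archives one timestamp so they are restored as a pair. The document root, the destination directory and the sample wp-config.php are assumptions constructed for the example.

```python
"""Added example: back up both halves of a WordPress site (files + database).

Assumptions (not from the article): the site lives in one document root that
contains wp-config.php, `mysqldump` is on PATH, and the account running this
script can read every file under the document root.
"""
import gzip
import os
import re
import subprocess
import sys
import tarfile
import time

# Constructed sample wp-config.php, used only to demonstrate the parser.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'localhost:3306' );
$table_prefix = 'wp_';
"""

# Matches define('DB_NAME', 'value'); with either quote style and any
# whitespace.  Values that themselves contain a quote are not handled.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
REQUIRED = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"}


def read_db_settings(wp_config_text):
    """Return the DB_* constants from wp-config.php as a dict, or raise."""
    settings = dict(DEFINE_RE.findall(wp_config_text))
    missing = REQUIRED - settings.keys()
    if missing:
        raise ValueError(f"wp-config.php is missing {sorted(missing)}")
    return settings


def mysqldump_command(settings):
    """Build the mysqldump argv for these settings.

    The password is deliberately NOT in argv (run_backup puts it in MYSQL_PWD).
    DB_HOST may be 'host', 'host:port' or 'host:/path/to/mysqld.sock'.
    """
    host, _, extra = settings["DB_HOST"].partition(":")
    cmd = ["mysqldump", "--single-transaction", "--quick",
           "--user", settings["DB_USER"], "--host", host or "localhost"]
    if extra.isdigit():
        cmd += ["--port", extra]
    elif extra:
        cmd += ["--socket", extra]
    cmd.append(settings["DB_NAME"])
    return cmd


def backup_paths(docroot, dest_dir, when=None):
    """Both archive names share one timestamp so they are restored as a pair."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(when))
    site = os.path.basename(os.path.abspath(docroot))
    base = os.path.join(dest_dir, f"{site}-{stamp}")
    return base + ".files.tar.gz", base + ".db.sql.gz"


def run_backup(docroot, dest_dir):
    """Write the files archive and the gzipped SQL dump; return their paths."""
    with open(os.path.join(docroot, "wp-config.php"), encoding="utf-8") as fh:
        settings = read_db_settings(fh.read())
    files_path, db_path = backup_paths(docroot, dest_dir)
    os.makedirs(dest_dir, exist_ok=True)

    # Half one: every file under the document root (core, plugins, themes, uploads).
    with tarfile.open(files_path, "w:gz") as tar:
        tar.add(docroot, arcname=os.path.basename(os.path.abspath(docroot)))

    # Half two: the database, streamed straight into a gzip file.
    env = dict(os.environ, MYSQL_PWD=settings["DB_PASSWORD"])
    with gzip.open(db_path, "wb") as out:
        proc = subprocess.Popen(mysqldump_command(settings), env=env,
                                stdout=subprocess.PIPE)
        for chunk in iter(lambda: proc.stdout.read(1 << 16), b""):
            out.write(chunk)
    if proc.wait() != 0:
        os.remove(db_path)  # a half-written dump is worse than none
        raise RuntimeError("mysqldump failed; do not trust this backup")
    return files_path, db_path


if __name__ == "__main__":
    # usage: python wp_backup.py /var/www/example.com /backups
    print("\n".join(run_backup(sys.argv[1], sys.argv[2])))
```

Run it from cron on the schedule you picked above, and copy the two archives off the server afterwards; the script only proves the point that a backup is not finished until both files exist for the same moment in time.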
3. Sign Up for a Free Cloudflare Plan.
Cloudflare is a DNS (Domain Name System) provider, and DNS is the phone book of the internet. Once your domain points at Cloudflare, its network sits between your visitors and your server as a reverse proxy, and that is what makes it different: sheer network strength plus an emphasis on security and speed, all on the free plan. Cloudflare caches parts of your website worldwide so it loads faster, provides free HTTPS/SSL (the little green lock for your visitors), and absorbs coordinated attacks (like the DDoS attacks we hear about in the news) before they reach your server. Two caveats: choose the "Full (strict)" SSL mode with a valid certificate on your own server, otherwise the free HTTPS only covers the visitor-to-Cloudflare leg and traffic between Cloudflare and your host travels unencrypted; and configure your server to accept web traffic only from Cloudflare's published IP ranges, because an attacker who learns your server's real address can simply go around the proxy.
4. Personalize Your WordPress Login Slug.
By default, you can (try to) log in to any WordPress site by going to www.thewebsite.com/wp-admin or /wp-login.php. Given how popular WordPress is as a platform, automated scanners hammer those two addresses on every site they find. Changing the address to something easy for you and your staff to remember, but hard to guess, takes your site off those scanners' lists. Be clear about what this does and does not do: it is obscurity, not access control, so it cuts the noise in your logs but is no substitute for strong, unique passwords (and two-factor authentication if your plugin offers it). iThemes Security, another popular security plugin, has this feature built in: go to the "Advanced" settings page, click "Hide Backend," and fill out the settings as you like. Some customized login slug ideas for inspiration: staffportal, wp-secret-login, or stairwaytoheaven.
5. Customize Your WordPress Database Prefix.
Why stop at four when there is one more cheap win? By default, every WordPress database table starts with the prefix "wp_", so anyone with basic WordPress knowledge knows your table names in advance (wp_users, wp_options, and so on). If a plugin on your site has a SQL injection flaw, a canned exploit that targets those names works unchanged. A unique prefix such as "w2ZbEq_" breaks those copy-and-paste attacks; it does not stop an attacker who takes the extra step of listing your tables through the same flaw, so treat it as a speed bump rather than a wall. Use a tool rather than renaming tables by hand: the prefix is also stored inside the data, in the options table and in every user's metadata, and a rename that misses those rows leaves every account without a role. Stick to letters, digits and underscores, which is all WordPress accepts in a prefix.
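Renaming the tables is only half the job, which is why "use a tool" is the right advice. WordPress also keeps the prefix inside the data: the site's role definitions live in the options table under `<prefix>user_roles`, and each user's capabilities and user level are usermeta keys that begin with the prefix. The following Python, added here as an illustration and not part of this article or of any plugin, generates the statements in the order they must run for the twelve core tables and rewrites the `$table_prefix` line in wp-config.php. The prefix "w2ZbEq_" is the article's own example; the sample config line is a constructed input. Take a backup first (tip 2), because RENAME TABLE cannot be rolled back.

```python
"""Added example: change a WordPress table prefix without locking yourself out.

Generates the SQL for the rename and the two follow-up updates WordPress
needs, and rewrites the $table_prefix line in wp-config.php.
"""
import re

# Tables a single-site WordPress install creates.  Multisite and many plugins
# add more; list yours first (SHOW TABLES LIKE 'wp\_%') and extend this list.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]

# WordPress only accepts letters, digits and underscores in a prefix; enforcing
# that here also keeps the generated SQL free of quoting problems.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
TABLE_PREFIX_LINE = re.compile(
    r"""^(\s*\$table_prefix\s*=\s*['"])([A-Za-z0-9_]*)(['"]\s*;)""", re.MULTILINE
)


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements, in order, that move a site from `old` to `new`."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"prefix {p!r} may only contain [A-Za-z0-9_]")
    if old == new:
        raise ValueError("old and new prefix are identical")

    renames = ", ".join(f"`{old}{t}` TO `{new}{t}`" for t in tables)
    # '_' is a single-character wildcard in LIKE, so escape it in the pattern.
    old_like = old.replace("_", "\\_")
    return [
        # 1. The obvious part: rename every table in one atomic statement.
        f"RENAME TABLE {renames};",
        # 2. Role definitions are stored under '<prefix>user_roles' in options;
        #    skip this and no user has any role after the rename.
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        # 3. Each user's capabilities, user_level and user-settings keys also
        #    carry the prefix; swap it while keeping the rest of the key.
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{old_like}%';",
    ]


def rewrite_wp_config(wp_config_text, new):
    """Return wp-config.php text with $table_prefix set to `new`."""
    if not PREFIX_RE.match(new):
        raise ValueError(f"prefix {new!r} may only contain [A-Za-z0-9_]")
    updated, count = TABLE_PREFIX_LINE.subn(
        lambda m: m.group(1) + new + m.group(3), wp_config_text
    )
    if count != 1:
        raise ValueError(f"expected one $table_prefix assignment, found {count}")
    return updated


if __name__ == "__main__":
    for stmt in prefix_change_sql("wp_", "w2ZbEq_"):
        print(stmt)
    # Constructed sample line, not a real site's config.
    print(rewrite_wp_config("<?php\n$table_prefix = 'wp_';\n", "w2ZbEq_"))
```

Run the three statements in one sitting and update wp-config.php immediately afterwards; between the rename and the config change the site cannot find its tables at all. If the third statement touches plugin keys that merely happen to start with "wp_", that is the same rule WordPress itself applies when it looks these keys up, so no extra harm is done.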
Your business relies heavily on a safe and secure website for your visitors and your customers; many small businesses never recover from a breach that takes day-to-day operations offline. These easy steps to secure your WordPress website come with no guarantee and will not stop a sophisticated, targeted attacker, but they will keep you from being the low-hanging fruit on the internet. If you have any questions or think I forgot something important, feel free to comment below. All the best and stay secure!