HOW TO PROTECT YOUR WORDPRESS WEBSITE
Once upon a time there was a very skilled and ambitious young woman. She loved writing about business so she decided to run her own blog, concerning marketing advices for people who don’t have a great knowledge of that. She knew the ropes so her website started to be recognisable in no time.
As her blog was getting more and more traffic, she started receiving plenty of e-mails regarding a possible cooperation. Finally she scheduled her first appointment with a representative of a big company. They met in a famous restaurant. She was to open her website in order to discuss details, but… something went wrong.
While she was trying to open the site, it turned out that it doesn’t work. The businessman looked at her suspiciously, like she was a fraud. She didn’t know if she would get a heart attack in a moment or burn with a shame. She needed a few minutes in order to recover and realise that her website has been hacked.
Do you think it is an imaginary story? This actually truly happened. I guess you think “It doesn’t concern me. It will not happen to me. My website is small and doesn’t have much traffic.” Really? Do you have at least a backup version of your website? Mhm.. I know what this silence means.
Building your own website requires so many activities that sometimes security issues are simply disregarded. Everyone explains it as a lack of time, however the website restoring and preserving again will take you at least twice more time, money, nerves and in some cases you will not be able to bring it back.
In this article we want to advise you what to do in order to protect a website based on WordPress. If you stick to this rules, the probability of being hacked will decrease significantly.
1. KEEP YOUR WORDPRESS VERSION, THEME AND PLUGINS UPDATED
Many people forget about this easy and not complicated activity, that should become a “healthy” habit of the website maintenance. Why is this step so important? Each time WordPress is being updated, previous bugs and errors are being fixed in order to affect positively the security and functionality of the website. If you don’t respect these rules, you shyly invite hackers to your online place.
Similarly, in the case of themes and plugins, keep them updated, as plugin authors repair any vulnerabilities very quickly when detected.
To delete unused plugins is just as important as updating them. Hackers could find a way to gain access to your website by using a gap found in outdated add-ons.
However, bear in mind that if a plugin hasn’t been updated for a long time, it doesn’t prove that it works properly. It is possible that the development of it has been stopped and it’s not safe anymore. Be always vigilant in terms of plugins!
2. USE THEMES AND PLUGINS ONLY FROM SECURE SOURCES
Internet is plenty of places where you can find plugins and themes for WordPress. Did you know that anyone can create them without having a strong background in security issues or build it basing on a deliberately nulled script?
It means, hackers could transform a completely safe, well-known plugin into a malicious one by modifying a source code.This is why you should think twice before you download anything from a third party websites.
Before you decide on any activity, check the review, rating and the date of the latest update in order to make sure that these add-ons are safe and good quality. Try to choose these with four and five star ratings.
If you really want to take care of your website, download them only from reliable providers – almost everything you need for plugins and themes you will find in the official WordPress repository.
3. MAKE THE PROCESS OF LOGGING IN MORE DIFFICULT
Is your username “admin” and you haven’t been hacked yet? You were lucky! By choosing this super easy guessable username, you are going to get into trouble. Now hackers have to figure out your password only and your website is in their hands.
Unfortunately username is something you can’t change. Once you establish it during installing the WordPress, you will not be able to choose a different one.
In this case, your obligation is to secure the process of logging in as much as possible.
We recommend you to implement a two-factor authentication. In this way, before you get the access to your platform, you will be requested to additionally prove your identity by answering to secret questions or entering the code sent directly to your mobile phone.
Another way is to implement login limits, that will protect you from unauthorized login attempts.
4. CREATE A COMPLICATED PASSWORD
Difficult password could be your best weapon against hackers. Have you ever heard about brute force attacks?
It’s the situation when attackers guess passwords and usernames as long as they figure them out.They try to enter the most commonly used combinations of words including these related to the site domain.
Even the password strength detector recommends you to invent something very strong. It is suggested to use lowercase and uppercase letters, punctuation, numbers and special characters when creating a lengthy password.
5. KEEP A BACKUP OF YOUR SITE
I am sure that you have heard at least one thousand times how important it is to have a backup version of your website. Nobody actually takes it seriously enough or just does it in a wrong way. Remember, that even if you have taken every precaution against hackers, you will never be safe in 100%.
Why is it so important? Let’s assume that your website has been attacked by intruders. You are devastated. However, if you had done a backup of files and databases before, you would be able to restore the website very easily. Then, to be safe, you will need to secure and update everything again. Remember that it’s your duty to create and keep a spare version of your site, no one else will do instead of you. Avoid losing your precious data and starting everything from scratch.
Sometimes there is a possibility that your hosting company provide you this service. If not, there are some useful, highly rated plugins like BackWPup – find out more information about it.
6. CHOOSE A GOOD HOSTING COMPANY
It should be, basically, your first step to keep the website safe. Before you choose a particular firm, make sure that company’s clients are glad of the service they offer – check all available reviews.
The most important is that your hosting company operates on a forceful server and reliable network connections.
When something bad happens with your website, good provider will help you decrease damages and assist you in this stressful period, finding best solutions.
You should also consider the possible traffic on your website and basing on that, choose the right type of hosting between shared hosting, VPS hosting and dedicated server hosting.
For instance, if you run a blog with a small traffic, shared hosting most likely will be enough for you. However, if you have a big e-commerce store with hundreds of orders a day, it would be probably better to choose a dedicated server hosting. A web host should enable you to follow the path of development that fits your needs, without causing a slack period.
If you’re looking for a reliable partner, take a look at Mserwis services.
7. CHANGE HTTP TO SECURE HTTPs
Do you want your website to be marked by a search engine as a dangerous one and discourage potential customers to visit it? If you have still http in front of your site address, probably you are going to reach this.
Have you ever heard about SSL (Secure Socket Label)? If you buy a SSL certificate, you will protect the connection between your website and its users. It’s especially important in the case of running an e-commerce store, when customers have to give their personal data in order to place an order.
This situation could be highly dangerous, as their data could be captured by a third party if you don’t make this operation secure.
In some countries there is even a legal requirement to the protection of personal data to acquire SSL.
How to recognise that the website is safe through the SSL solution? You will notice that the website’s address begin with https instead of standard http and there should be located a green padlock next to it.
Moreover, do you want your website to be located on of the last pages of search results? If your site doesn’t have a SSL certificate, you will get a worse position in the Google Ranking.
Do you need a SSL certificate?
Summing up, all steps mentioned before aim at protecting WordPress wp-config.php file, which contains your most vulnerable data – database username and password. What’s more, the file points which machine your database acts on.Through capturing this data, a hacker can do whatever he wants with your website.