Let’s cover some basics first. What is site hacking? It’s simple: a site is hacked if an unauthorised person has access to your site files.
According to a study conducted in 2019, hackers steal 75 records every second (Breach Level Index). On average, 30 000 new sites are hacked every day (Forbes). No wonder, TechCrunch recommends you to be cyber security paranoiac about your startup.
Every site may be a subject to different security risks. They vary depending on the method of site building and the type of information stored on the site. To reduce or avoid these risks, you should use effective data protection methods.
Secure your login page to prevent brutal attacks
Use strong passwords
One of the easiest ways to improve security is complex password usage. The password should contain letters, numbers, and specific symbols, and you should change the admin username to the unique one.
Rename your URL to sign in to your WordPress website
By default, you can easily access the login page of WordPress through wp-login.php or wp-admin by adding it to the main URL of your website. When hackers know the direct URL of your login page, they may try to search for passwords for a specific username, such as “admin”.
Use your email address to login
By default, you need to enter your username to log in to WordPress. Usernames are easy to predict and email IDs are not. Quite simple, right? in fact, any WordPress user account is created with a unique email address – a ready-to-use login ID. Also, please do not choose “admin” as the username for your main administrator account.
Set–up the automatic exit of inactive users from the site
Users leaving your site open on their computers may pose a serious security threat. To avoid this, make sure that your site disconnects users after they have been idle for a certain period. You can set this up with a plugin such as BulletProof security.
Limit the number of login attempts
If a hacker or bot attempts to crack your site password, limitation of the number of attempts to log in from the same IP may come in handy.
The Limit Login Attempts plugin allows you not only to limit the number of login attempts from the same IP, but also to decide how long a certain IP will be blocked after too many failed login attempts. The popular Login LockDown plugin works the same way.
Keep the number of users on your site as small as possible
The more people you let into your site, the higher is the chance that someone will make a mistake or that the user will cause problems. In particular, try to limit the number of administrators and other users with high privileges.
Beware of plugins that allow arbitrary file uploads
Some websites allow users to upload their files, such as profile pictures or PDF files. If a relevant plug-in lacks security measures to check what exact type of file is being uploaded and what content it contains, – we may have a problem here. Meaning, instead of downloading a .pdf file, a hacker can download a .php file containing executable code and get access to the site.
Protect your site from the control panel
Protect the wp-admin directory
If this directory of your site is violated, the entire site may be damaged. One of the possible ways to prevent this is to password protect the wp-admin directory. With this security measure, the website owner can access the monitoring panel by sending two passwords. One protects the login page and the other one protects the WordPress administrative area. If website users need to access certain parts of wp-admin, you can unlock those parts with blocking the others.
You can use the AskApache Password Protect plugin to protect the administration area. It automatically generates a .htpasswd file, encrypts the password, and configures the correct security access rights.
Enhance SSL security
Depending on the type of information on your site, you can use additional SSL certificates. Such certificates are necessary if your site contains personal data or payment information.
SSL certificate also affects the Google rating of your website and the amount of traffic it gets. Google tends to rate sites with SSL higher than ones without it.
Use strong permissions for files and folders
There are three types of file permissions: Read, Write, Run. It is important to understand which files need this or that level of permission for the website to work properly. These permissions for files and folders can be configured through the File Manager or using the FTP software.
Protect site database
Back up frequently
Even if you have paid lots of attention to your site security, there is the possibility of losing it all. Be a prepper: schedule a regular process to create a backup.
Control your logs
When you use WordPress multisite or manage a site with multiple authors, it is a good idea to be aware of what type of user activity is taking place there. Your content creators and users may change passwords, but there are other things you may not want them to do. For example, the changes in the theme and the widget are reserved for administrators only. When you check the audit trail, make sure your administrators and members are not trying to change anything on your site without your approval.
Protect the site at the hosting level
Use a reliable hosting service
Not all web hosts are equally good and safe. A huge number of WordPress sites are hacked through the fault of vulnerable hosting. Pay special attention to how to organize a system of backups for the future hoster.
The same is true for plugins. Update them as soon as new versions are released. If you update the plug-ins in time, the probability that your site will be hacked is reduced drastically.
Protect the wp-config.php file
File wp-config.php contains important information about your WordPress installation, and it is the most important file in the root directory of your site. Protecting it means protecting the core of your WordPress blog. Just take your wp-config.php file and move it to a higher level than your root directory.
Keep each account and WordPress site isolated on the server
A good server architecture can protect you from cross-site infections, i.e. when hackers use one infected site on a server to infiltrate and attack other neighboring sites on the same server.
Hosting servers with poor account configuration and management, where users can install and create as many sites as they want, are the main target for attackers.
Protect the site at the theme and plugin level
Periodic software updates
If you use WordPress to create a website, make sure you have the latest version installed and check for updates for plugins and themes. Security risks can occur all the time. To reduce them, developers are constantly improving the software, making it resistant to new threats.
Use only themes and plugins that you can trust
To determine if you can trust a topic or plugin, first look at its rating. There you can find clues as to whether there have been security breaches or problems in the past. Analysis of the popularity of a plugin or theme is another way to make sure that you are not installing malicious code on your WordPress site.
A highly popular plugin or theme is not necessarily less likely to be a target for hackers but is more likely to be regularly updated with security patches due to its widespread use.
Avoid using too many plugins and themes
Using too many plugins can slow down your site. It can also make it vulnerable to attacks if you stop using certain plugins and ignore their updates. It is not enough to simply disable a plugin if you no longer use it. All inactive topics and plug-ins that are still on your server can be easily used to inject all kinds of malicious code.
Loved what you read? You might also be interested in “How to Protect Your Website From Spammers”, then. Stay safe and contact WebTotem now and get free security check of your site!