As a business owner with a website, it’s vital that your site is hardened from attacks. ‘Hardening’ essentially means adding layers of protection around the site to protect it from potential hackers.
The aim is to protect your data, your customer’s data, and ensure your business doesn’t get blacklisted by Google (which will stop you appearing in search results – bad!)
In this post, we’ll talk through some relatively simple steps that any business owner can easily use to ensure their site has an adequate level of security, that will protect it from most attacks.
1. Stay up-to-date:
WordPress is an open source software with openly available code, which means it is a target for some of the more questionable characters using the Internet. To keep online hackers from taking advantage, the WordPress platform is regularly updated, both with minor and major updates.
Minor updates are automatically installed, while major updates require manual intervention. If you have any 3rd party themes & plugins on your website, they will also need to be kept up-to-date.
2. Declutter themes & plugins:
The more plugins and themes you have installed on your WordPress, the more possibilities a hacker has of accessing a loophole that could be hiding in one of those plugins, even if you’re not actively using it.
Reducing the number of plugins enhances the performance of your site, so go through a decluttering exercise ask if every plugin installed on your site actually serves an important purpose.
If not, it’s better to remove them. If they do, you can ask your developer to build custom functions to do the task more efficiently. The less complexity on the site, the better your performance – and the less likely there are loopholes hackers can use to get in.
3. Only use trustworthy sources for themes & plugins:
When looking to install a new plugin, visit the WordPress plugin repository and read online reviews, the number of installations, & the ‘last updated date’. Do you feel comfortable that the theme/plugin developer will look to continue to support the plugin in future? As above, keeping plugins updated is vital to security and performance, so you want to install plugins that will get continued support.
It’s always best to install free themes/plugins from the WordPress repository.
4. Check your permissions:
If you're managing and maintaining your site yourself, you’ll need to understand your file permissions. If you don’t understand file permissions, you’re best off contacting your host or developer who can help. If you do, read on.
For most users, the correct folder & file permissions for WordPress are 755 for all folders and subfolders & 644 for all files. This is enough to let WordPress to write to those files.
You can use an FTP client, select all files & folders and right-click to check ‘permissions’. With most FTP clients, you can use the dialogue box to make bulk edits to your permissions.
5. Remove the ‘admin’ username:
When WordPress is initially installed, it creates a user called ‘admin’ by default. Hackers are well aware of this, and if you haven’t changed this, they already know 50% of your username & password. Hackers can then use brute force attacks to break into your site.
If your username is ‘admin’, make sure to create a new username for administrative roles and delete the default ‘admin’ user. This is a small thing, but it can help make your site harder to hack into for potential wrongdoers.
6. Use a secure password:
Like most people, you’ve probably chosen a password that’s easy to remember for you. The problem is many people use similar passwords, and a hacker with a relatively basic system can use a bot to repeatedly enter a series of passwords until they break into a website.
The most common passwords used in a study earlier this year were:
A good password should consist of a combination of letters (both lower case & upper case), numbers, symbols, making sure it doesn't contain any sequences (eg. 'abc', '123').
It’s also important to create different passwords for different accounts. If a hacker can get access to one account, you want to make sure they don’t have access to anything else. A hacker getting into your site is a bad day. A hacker then getting into your internet banking is a really bad day.
And don’t write it down beside your computer or email it to yourself either! At Drijen Digital, we use a secure password manager such as 1Password or LastPass to create, remember & enter our passwords for us.
7. Use two-factor authentication:
To improve security at the login page (a key area hackers use to get in), you can use a two-factor authentication system. Many organisations, banks, for example, do this to add an extra layer of safety to log in to accounts. As well as entering a password, you will need to verify your identity in another way, for example, entering a PIN number sent to your smart phone.
Here is a good comparison between various two-factor authentication systems that you can use: https://wpcerber.com/two-factor-authentication-plugins-for-wordpress/
Follow these 7 tips and you’ll have gone a long way to hardening your site against potential hack attacks. Nobody is every completely safe from hackers, but upping security as much as possible can go a long way.
We’ll be posting more advanced ways to improve security using your .htaccess file shortly. Stay tuned! If you would like to review the level of security on your site, please get in touch.