How secure is your WordPress website, and what should you do about it?
High-profile hacks have become far more frequent in recent years, and even the largest companies have fallen victim to major breaches. The following are just some of the major hacks of 2014:
- ICANN hacking – ICANN’s announcement of the incident.
- Sony hacking – an excellent analysis of the event from the beginning.
- Home Depot – over 100 million records stolen.
- JP Morgan – over 80 million customer and small business accounts compromised.
- eBay – over 145 million users affected.
- Target – over 100 million records stolen.
- Apple’s iCloud hacking – many celebrities had their personal files leaked.
More recently, and on a smaller scale than Sony, Jamie Oliver’s website was hacked twice, exposing visitors to malware embedded in the site’s pages.
If companies like Sony can be hacked, then there is a very real possibility of your own site being hacked. This is especially true for websites running WordPress or any other off-the-shelf CMS. This is not because WordPress is inherently insecure, but because it is the world’s most used CMS and therefore an obvious target: once attackers find a weakness in WordPress core or in a widely installed plugin, they can exploit thousands of websites with the same technique and very little extra effort. This was highlighted recently by the security flaw found in the most popular SEO plugin for WordPress, Yoast SEO.
When we take over client websites we nearly always find that very little thought has been put into security. Most web companies are happy to churn out a design the client likes, get sign-off and collect payment as quickly as possible.
The following are the essential procedures we follow whenever we launch a new website or take over an existing one. We strongly recommend that any business running a WordPress website ask its current web designer to carry them out, do it yourself, or ask us to do it for you!
- Take a full backup of the file system and database before you change anything.
  - Then take regular weekly backups of both, so that a compromise can be rolled back to a known-good copy.
- Update the WordPress core files and all plugins and themes.
  - Repeat the updates weekly; attackers scan for known flaws that already have a patch available, so an unpatched site is the easy target.
- Remove any default usernames such as admin.
  - We also use a unique username for every site we run, so one compromised website is less likely to lead to others.
- Change all user passwords to something unique, random and long.
  - We randomly generate all our passwords and cannot recommend LastPass highly enough.
- Install a WordPress security plugin.
  - We are fond of Sucuri Security, which alerts us to brute-force attempts against admin logins, can run a malware scan and can harden insecure files and settings.
- Add a captcha to the login form.
  - This does not stop brute-force attempts from arriving, but it makes each attempt cost more and should reduce their number; pair it with login rate limiting or lockout so that a single source cannot keep guessing indefinitely.
- Once you are happy the website is secure, take another full backup and store copies in more than one location.
  - Ideally set up a scheduled, automated backup that uploads the archives to cloud storage as well as keeping a local copy; a backup that sits on the same server as the site is lost together with it.
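To put the backup, update and account steps of the checklist above into practice, here is an added example of a maintenance script for a single WordPress install. It is not code from the original post. The document root, backup directory, retention count, the optional rclone off-site remote and the script name wp-maint.sh are assumptions for illustration; the mysqldump and WP-CLI commands are those tools' real options, but the script only invokes them when run with the `weekly` or `replace-admin` argument, so the wp-config.php parsing, file archiving and pruning functions can be exercised on their own.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths, the retention count
# and the off-site target are assumptions for illustration: adjust for your host.
# Needs tar and gzip; the database and update functions also need mysqldump and
# WP-CLI (https://wp-cli.org), and the off-site copy uses rclone if OFFSITE is set.
set -u

WP_ROOT="${WP_ROOT:-/var/www/html}"                  # assumed document root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"   # assumed local backup dir
KEEP="${KEEP:-8}"                                    # weekly archives kept locally
OFFSITE="${OFFSITE:-}"                               # e.g. rclone remote "s3:bucket/wp"

# Read one define('KEY', 'value') from wp-config.php so the database credentials
# live in exactly one place. (Values written in double quotes are not handled.)
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2',[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Archive the whole document root: wp-config.php, themes, plugins and uploads.
backup_files() {
    # $1 = WordPress root, $2 = destination dir, $3 = timestamp (YYYYmmdd-HHMM)
    mkdir -p "$2"
    tar -czf "$2/files-$3.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
}

# Dump the database with the credentials from wp-config.php. The password goes
# through MYSQL_PWD rather than the command line, where "ps" would expose it.
backup_db() {
    # $1 = WordPress root, $2 = destination dir, $3 = timestamp
    cfg="$1/wp-config.php"
    mkdir -p "$2"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction --quick \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$2/db-$3.sql.gz"
}

# Number of archives with prefix $1 (files or db) in directory $2.
count_backups() {
    ls -1 "$2/$1"-* 2>/dev/null | wc -l | tr -d ' '
}

# Keep only the newest $2 archives with prefix $3 in $1. The timestamp in the
# file name sorts chronologically, so name order is used rather than mtime.
prune_backups() {
    ls -1 "$1/$3"-* 2>/dev/null | sort -r | tail -n +$(( $2 + 1 )) | while read -r old; do
        rm -f -- "$old"
    done
}

# Core, plugin and theme updates with WP-CLI (run as the web server user).
update_wordpress() {
    cd "$WP_ROOT" || return 1
    wp core verify-checksums || return 1      # stop if core files were tampered with
    wp core update && wp core update-db
    wp plugin update --all
    wp theme update --all
}

# Retire the default "admin" account: create an administrator with a unique
# login and a random password, move admin's posts to it, then delete admin.
replace_admin_user() {
    # $1 = new login, $2 = e-mail address for the new account
    cd "$WP_ROOT" || return 1
    newpass="$(head -c 32 /dev/urandom | base64 | tr -d '/+=' | cut -c1-24)"
    wp user create "$1" "$2" --role=administrator --user_pass="$newpass" || return 1
    newid="$(wp user get "$1" --field=ID)"
    wp user delete admin --reassign="$newid" --yes
    echo "Created administrator '$1'; store this password in your password manager: $newpass"
}

# The weekly job: back up first, prune old archives, copy off-site, then update.
weekly_job() {
    stamp="$(date +%Y%m%d-%H%M)"
    backup_db "$WP_ROOT" "$BACKUP_DIR" "$stamp"
    backup_files "$WP_ROOT" "$BACKUP_DIR" "$stamp"
    prune_backups "$BACKUP_DIR" "$KEEP" files
    prune_backups "$BACKUP_DIR" "$KEEP" db
    # A backup on the same disk as the site is lost together with it.
    if [ -n "$OFFSITE" ]; then rclone copy "$BACKUP_DIR" "$OFFSITE"; fi
    update_wordpress
}

# Usage: "wp-maint.sh weekly" from cron (e.g. 0 3 * * 1), or
# "wp-maint.sh replace-admin newlogin you@example.com" once.
case "${1:-}" in
    weekly)        weekly_job ;;
    replace-admin) replace_admin_user "$2" "$3" ;;
esac
```

Schedule the `weekly` job from cron under the web server's user so that WP-CLI can write to the install, and run `replace-admin` once, pasting the printed password straight into your password manager. Two caveats: WordPress allows `DB_HOST` to carry a port (`localhost:3306`), which mysqldump's `-h` does not accept, so split it and pass `-P` if your config uses that form; and take a fresh backup after the updates as well, as the checklist says, because a plugin update is the change most likely to need rolling back.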
If you would like help in securing your website then feel free to contact us today via our contact form or on 01253 804 510