WordPress started out as a blogging platform, letting novices with absolutely no knowledge of any scripting or programming language publish their content easily and effectively. Today, WordPress users put this CMS to work building membership sites, online stores, learning and school management systems… the list is endless.
Its popularity can be measured by the fact that 28% to 32% of sites are powered by WordPress. Moreover, it powers a wide range of domains and industries, making it an extremely versatile web publishing environment.
Although WordPress’s core is robust in terms of security, it nonetheless has several sore spots. It also needs to be understood, however, that most compromised WordPress websites are the result of complacent or lethargic behaviour by the webmaster or admin.
In this two-part write-up, we will discuss how admins and owners can prevent their websites from getting hacked. So, here we go.
1. At the very outset, as an owner / developer / webmaster you need to choose a hosting environment that is absolutely secure. That simply means the underlying components such as PHP, the database (MySQL) and the built-in firewall are kept at their latest versions. Servers with obsolete components are prone to compromise.
2. SSL is second on the list for making your website secure. So, how does SSL offer protection? SSL stands for Secure Sockets Layer, a cryptographic protocol designed to provide communications security over a computer network (today the connection actually uses TLS, the successor to SSL, although certificates are still sold as “SSL certificates”). It simply means that sensitive information such as credit card details is encrypted before it travels across the network between the visitor’s browser and your server. The padlock in the browser address bar shows visitors the connection is protected and puts off hackers. It costs less than $100. Buy one today! Secure your sensitive data, and also protect your customers.
3. One of the most common reasons WordPress websites get hacked is weak passwords. A simple password is… simply asking for trouble. Hackers can easily brute-force their way into your admin panel and take control of your site. Make sure you use a combination of letters, numbers and symbols. A complex password forces a hacker into many attempts spread over multiple sessions, and as a webmaster / owner you are bound to notice this unusual activity (for example, a long run of failed logins from a single address in your access logs).
4. Themes – Remember that free is not always the best option. Free WordPress themes are generally not tested for security loopholes, and in the majority of cases they offer no technical support or updates. Using such a theme can compromise your site through badly written code or obsolete practices and technologies. A theme contains several sensitive files and elements that can open the door to greater threats; one example is cross-site scripting, particularly through forms. Therefore, download themes from the WordPress.org repository or from reputable theme builders.
5. WP Admin URL – This one is a hacker’s favourite route. WordPress’s file and folder hierarchy is an open secret: everyone knows the path to the admin area is /wp-admin, which makes it an easy target for brute force. So, what is the option? Change the URL of this folder. It is easy to change using a plugin (make sure you choose a reputable plugin). Note that this only hides the login path; it should be combined with the strong passwords of point 3 and the two-factor authentication of point 6, not used in place of them.
6. Strengthen the admin area with additional security such as two-factor authentication. Then, even if a hacker finds your new admin URL and guesses the password, he or she still needs to supply the additional factor to actually get into your website’s admin panel.
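The brute-force activity described in points 3 and 5 is something an admin can actually look for. As an added example (not from the original article), the script below scans web-server access-log lines for repeated POSTs to wp-login.php from one address and also checks a password for the letter / number / symbol mix the article recommends. It assumes the standard combined log format, that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302, and a minimum length of 12 characters; the log lines are constructed for the example.

```python
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: five rapid failed logins from one address, one real login from another.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120
""".splitlines()

def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> peak number of failed wp-login.php POSTs inside any `window`,
    for IPs reaching `threshold`. Assumption: failed login = 200, success = 302."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") \
                and rec["status"] == 200:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)  # attempts in the window
            if n >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged

def password_meets_mix(pw, min_len=12):
    """Article's advice: lower- and upper-case letters, digits and symbols; length is assumed."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in classes)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 5}
```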