So you have a Wordpress website? Congratulations on choosing this awesome and power content management system. Now the bad news. Out of date and badly secured Wordpress websites are hacked every minute.
If your Wordpress is one version behind in updates, runs an old theme or has an outdated plugin it is probably being hacked right now. Hackers have automated scripts that find your out of date website and use it for nefarious reasons. Almost everyone who has had a Wordpress website for longer than a couple of months has experienced this.
However, there are some precautions you can take to bring down your risk. Here is my recommendations on how to deal with Wordpress security.
- Never allow your Wordpress system to get out of date. This includes the themes and plugins. If you are a web developer and create multiple Wordpress websites this can become a bit of a pain to manage. Well you kinda have to. The best way to keep up to date on multiple Wordpress websites is to run a plugin called InfiniteWP.
InfiniteWP ( http://infinitewp.com/ ) is a plugin that tracks out of data Wordpress websites and its plugins. You can easily update your sites and plugins from one central point.
If you install a website through Softaculous, I would recommend installing the default Wordpress install through it, and then using the automatic backup and update system that comes with it.
- Change the default Admin username. By default hackers will try brute force hack your website with the username, “admin”. This is because that is normally the default admin username. There are multiple plugins that can be used to change your admin username.
- Install a powerful Wordpress firewall. After years of experience we have found one of the best defence systems out there is a powerful plugin called Wordfence ( http://www.wordfence.com/ ). They have both a free and a premium plugins to choose from. In most cases the free plugin comes with more than enough useful features that it is on our “have to have” list. If you have a some loot in your pockets, dont be cheap, and buy the premium version.
- Use DNS filtering. This is also on our, “have to have” list. We use a system called CloudFlare ( http://www.cloudflare.com/ ). Cloudflare comes with multiple systems to protect and enhance your website. It is a very powerful firewall. It stops almost all DDoS attacks launched at your website. It comes with a CDN (content distribution network) that enables you to serve your site faster. It also comes with a neat ability that automatically filters out most hackers and that hides the IP of your server from hackers. You will need to install the Cloudflare plugin to get accurate statistics.
The steps listed above are easy to get going and anyone with a Wordpress website should be able to get it right. For those of you with more advanced knowledge of Wordpress and who want more information on hardening your Wordpress website I would recommend that you read the following guide:
Two other things you should consider. You should always have regular backups of your website and if possible, use a system that monitors and alerts you of changes in your website code. A system like Codeguard ( https://www.codeguard.com/ - Not Free ) is recommended for that.
I hope you find this information useful, and I really really hope you implement it. You can take control of the security of your website, and if you dont, I promise you that some dodgy little hacker will.