With an open-source platform like WordPress, there are bound to be occasional security issues. But before you decide to jump ship and have your site developed completely from scratch (and break the bank doing so), consider this: almost 1/4 of ALL websites are powered by WordPress. Just as Microsoft learned in the early days of competing with Apple (and is still learning), when you’re the big boy on campus there are going to be more hackers committed to learning the ins and outs of your product. As any fan of the free market understands, the very same decentralization that makes WordPress great in plugin and theme development also makes it great when it comes to security. If a vulnerability is detected, a patch is almost instantaneously developed to address it by the awesome WordPress community.
That being said, there are some things you can do to make your website a little more secure. No content management system is completely foolproof. You’ll want to make sure these basic steps are taken, especially if your website handles ecommerce or payments of any kind.
- SSL stands for Secure Sockets Layer and is the standard encryption method between servers and browsers. Most major sites like Facebook, PayPal, banking sites, etc., use SSL encryption. You know you’re on a secure site when you see “https://” in your browser bar highlighted in green with a lock icon instead of a plain “http://”. If you handle transactions or private information of any kind, you will want to make sure your site has SSL encryption.
- Username strength is another big one. Don’t use “Admin” as your username. If a hacker knows your username, it’s much easier to hack the second part of the equation (your password). Use something a little obscure, like you would for a password, if possible.
- Password strength is another easy thing to correct. Don’t use the same password you use everywhere else. The longer and more complex your password, the better. Passwords with special characters, numbers, capitalized and lowercase letters and no discernible words are best. WordPress actually generates some pretty strong passwords randomly, so use that tool.
- “Limit Login Attempts” is a good go-to, battle-tested plugin that improves security. It does exactly what it says: it limits the number of login attempts, whether a hacker is trying passwords by hand or using a script to run through thousands of variations against your site.
- Move your wp-config.php file up a level, out of the public folder on your server. That removes one more point of access for potential threats.
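To show what the “Limit Login Attempts” step above actually enforces, here is an added example (not code from the plugin or from this post) that replays constructed web-server access-log lines for wp-login.php and locks an IP out after four failed logins in a 20-minute window. It assumes the combined access-log format and that WordPress answers a wrong password with HTTP 200 (the form re-rendered) and a correct one with a 302 redirect; the IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "method": m["method"],
            "path": m["path"].split("?")[0], "status": int(m["status"])}

def is_failed_login(rec):
    # Assumption: WordPress re-renders the form with 200 on a wrong password and 302-redirects on success.
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200

def evaluate(lines, max_failures=4, window=timedelta(minutes=20), lockout=timedelta(minutes=20)):
    """Replay the log in order; return (ip -> locked-until time, list of requests that were refused)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins (sliding window)
    locked_until, blocked = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "/wp-login.php":
            continue  # unparseable or not the login page: irrelevant to the lockout
        ip, now = rec["ip"], rec["ts"]
        if ip in locked_until and now < locked_until[ip]:
            blocked.append((ip, now.isoformat()))  # still locked out: refuse without checking credentials
            continue
        if is_failed_login(rec):
            q = failures[ip]
            q.append(now)
            while now - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= max_failures:
                locked_until[ip] = now + lockout
                q.clear()
    return locked_until, blocked

SAMPLE_LOG = [  # constructed sample lines (documentation-range IPs), not real traffic
    '203.0.113.5 - - [14/Feb/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [14/Feb/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [14/Feb/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [14/Feb/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [14/Feb/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [14/Feb/2016:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [14/Feb/2016:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [14/Feb/2016:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]
```

Running `evaluate(SAMPLE_LOG)` locks 203.0.113.5 at its fourth failure (10:00:09) and refuses its next two requests, while 198.51.100.7, which fails once and then logs in, is never locked.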
Images used under creative commons license – commercial use (2/14/2016) Phil Oakley(Flickr)