“My website was hacked!” is never what you want to hear. However, the sad story is that it happens all the time. The internet can be a dangerous place, with vandals just waiting for an opportunity to hack into your corner of the electronic landscape. We’re going to examine the subject of website security through the lens of WordPress.
Is WordPress Secure?
There are many different solutions for managing your website content, such as Joomla, Drupal and Perch, to name just a few. We have chosen WordPress as the Content Management System (CMS) for our sites because it is easy to support, extend and manage. However, WordPress has a shadow looming over it: “Is WordPress secure?”
We hear that question all the time. The reality is that it’s not just about WordPress; it is a question for any web management solution. WordPress seems to be in the headlines more often because it is used by more people in the world than any other CMS; therefore, when there is a breach, you are more likely to hear about it. It’s simply a matter of statistics.
Securing your website
This information can be applied to any CMS, not just WordPress. There are many defensive strategies I could discuss, but for the sake of brevity, I will pick what we consider to be the top three.
Usernames
Never use “admin”, “administrator” or your domain name, such as “elementthree.com”, as a username to log into your site. These are too easy to figure out. You should use something more unique, although I would also steer clear of first names such as “john” or “mary,” or extended names such as “johndoe” or “marysue.” Try something as simple as “site_manager” or “jdoe.” Even these obvious usernames can throw off the majority of hacker tools.
Passwords
Your password should use upper and lower case letters, a number, and a special character, and it should be 6-8 characters in length. Never use simple things such as “password”, “qwerty”, “monkey” or “123456.” While these might be easy to remember or type, they are also easy for hackers to figure out. Something more appropriate would be “h-c6Yf4@”, but something in-between is better than nothing.
Updates
Always apply site updates for your CMS, modules or plug-ins. These add functionality and patch items that are broken or insecure. If you don’t apply updates, you lose the reason for using a CMS in the first place. You expect the CMS to grow along with the internet, and this includes improved security and functionality.
In truth, it isn’t the CMS that makes a site secure. It’s experienced operators, updates, unique usernames and strict passwords.
Here are some great articles and resources to help with hardening your CMS security:
- WordPress Security: Tried and True Tips to Secure WordPress
- Hardening WordPress
- WordPress Security: The Ultimate Guide
Website Firewall
I have saved the best line of defense for last: a website firewall. It sits in front of your website and filters all of the traffic that comes to your site. This gives it the unique ability to see hacks as they happen and block the attack.
Multiple layers of website protection can make a difference, in addition to solid passwords and regular site updates. But that doesn’t mean that you are safe yet.
Every day, new vulnerabilities are discovered and used to attack websites worldwide. A website firewall allows internal security companies to provide protection as soon as the hack is identified instead of having to wait for the programmers to figure out how to correct their code. Element Three uses Sucuri to perform this service for our clients.
Hosting consideration
Element Three uses Rackspace Virtual Private Servers (VPS) to host all of our websites. We leverage our internal staff experience to make the systems as secure as possible using the techniques already discussed. However, if you are going to use a third-party hosting service, we would suggest that you use one that is geared to support WordPress. Here are a few that we have worked with:
Conclusion
The best way to keep your site secure is to keep it updated, use strong passwords, create unique usernames, have a website firewall and ask experts to help where you are unsure. Element Three keeps an eye on the latest techniques to help with this tough topic. Contact us if you are concerned about the security of your site.