After it was discovered earlier this year that one of the largest botnets seen to date (over 90,000 individual IP addresses) was attacking the logins of thousands of WordPress sites, keeping a WordPress site secure matters more than ever.
Did you know…?
– WordPress powers 17% of the world’s websites
– that 17% works out to around 64 million sites
– in 2012, more than 170,000 sites were hacked – more than double the 2009 figure
– a password of 6 characters or fewer can be cracked in as little as 10 minutes
If that’s not enough to pique your interest in making your site as secure as it can be, we don’t know what will. Maybe these tips on keeping your site secure will help…
Get Rid of Your WordPress ‘Admin’
Literally. We don’t mean your site should have no administrators, but if you’re still logging in as ‘admin’, you’re practically inviting a botnet to target your site.
Sites that still use the default ‘admin’ username are far more likely to be attacked: it was the account hammered in the botnet attack mentioned above, because once the username is known all that is left to guess is the password.
To remove the ‘admin’ user: first create a new user under Users > Add New, give it the Administrator role and log in as that user. Hover over ‘admin’ in the user list and a Delete link appears; when WordPress asks, choose to attribute admin’s posts to the new account rather than delete them. Two caveats: pick a new username that can’t be guessed from your name or domain, and remember that author archives (for example /?author=1) reveal an account’s URL slug, which defaults to its login name, so renaming the account is no substitute for a strong password.
Pick a Strong Password
It sounds obvious, but it’s a tip many people don’t heed until it’s too late. Many sites – WordPress included – tell you that you need at least seven characters including symbols and numbers, and a strength meter is usually provided to rate your choice.
Even a password the meter rates ‘very secure’ is only as good as its unpredictability. Swapping letters for look-alike digits – ‘1’ for ‘l’, ‘5’ for ‘s’, ‘0’ for ‘o’ – is not the extra margin it appears to be: those substitutions are the first mangling rules every password-cracking tool applies to its word list, so ‘Pa55w0rd’ falls almost as fast as ‘password’. What actually helps is length and randomness: a long passphrase of unrelated words, or a password generated and stored by a password manager, and a different one for every site.
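As an added example (not code from the original post): a small Python script that applies exactly those look-alike substitutions to a dictionary, the way a cracker’s rule set does, and counts how few guesses ‘Pa55w0rd’ survives compared with a randomly generated password. The six-word list and the target passwords are constructed for the demonstration; real cracking word lists run to millions of entries.

```python
"""Added example, not from the original post: why letter-for-digit swaps add
little, and what a strong password looks like instead.

The word list is a constructed six-word stand-in for the multi-million-entry
lists that cracking tools ship with; the targets are constructed too."""
import itertools
import math
import secrets
import string

# The substitutions the post mentions are the first mangling rules a cracker
# applies to every dictionary word.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}

# Constructed stand-in dictionary.
WORDLIST = ["password", "wordpress", "welcome", "letmein", "solar", "admin"]

# Printable ASCII minus whitespace: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mangle(word):
    """Yield every variant of word with each mangleable letter kept or swapped
    for a look-alike, plus a capitalised form where that differs."""
    options = [[ch] + list(LEET.get(ch, "")) for ch in word.lower()]
    for combo in itertools.product(*options):
        candidate = "".join(combo)
        yield candidate
        capitalised = candidate[0].upper() + candidate[1:]
        if capitalised != candidate:
            yield capitalised


def guesses_needed(target, wordlist=WORDLIST):
    """Number of candidates a rule-based cracker tries before hitting target,
    or None if target is not derivable from the list at all."""
    tries = 0
    for word in wordlist:
        for candidate in mangle(word):
            tries += 1
            if candidate == target:
                return tries
    return None


def search_space_bits(wordlist=WORDLIST):
    """log2 of the whole mangled search space: the effective strength of any
    password built this way, however clever the substitutions look."""
    total = sum(1 for word in wordlist for _ in mangle(word))
    return math.log2(total)


def random_bits(length, alphabet=ALPHABET):
    """Entropy of a password drawn uniformly at random from alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=20, alphabet=ALPHABET):
    """What a password manager does for you: length plus a CSPRNG (secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for target in ("Pa55w0rd", "W0rdpr3ss", "S0l4r"):
        print(f"{target}: cracked after {guesses_needed(target)} guesses")
    print(f"whole mangled dictionary: {search_space_bits():.1f} bits")
    pw = generate_password()
    print(f"{pw}: {random_bits(len(pw)):.0f} bits")
```

With this toy list the entire mangled search space is under 9 bits, while a 20-character random password from the 94-symbol set is about 131 bits; scaling the list up to a real one adds a few dozen bits at most, nowhere near closing that gap.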
Install Recommended Extensions
Better WP Security – with thousands of positive reviews on the WordPress plugin site, this plugin works through obscuring, protecting, detecting and recovering. It hides common fingerprints attackers use to identify WordPress installs, enforces stronger passwords and blocks unwanted visitors, monitors your site for changes, and helps you recover in the unlikely event that an attacker does gain access.
Akismet – this anti-spam plugin is free for personal sites but requires an API key from the Akismet site. It ensures only genuine visitor comments are posted and blocks spam, which matters because comment spam is a common way to plant links to malicious pages on your site.
TimThumb Vulnerability Scanner – older versions of the widely used timthumb image-resizing script contained serious vulnerabilities, and bots still actively probe sites for vulnerable copies. The catch is that timthumb is usually bundled inside themes, often under another file name, so you may be running it without knowing. This scanner finds those copies so they can be updated, letting you keep the benefits of timthumb without the exposure.
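As an added example (not code from the original post or from the TimThumb Vulnerability Scanner plugin): a Python scan that walks a WordPress directory and reports every copy of timthumb, including renamed copies bundled in themes, that is older than a floor version or whose version cannot be read. The sample files and the 2.0 floor are constructed assumptions; check the project’s current release and raise the floor to match.

```python
"""Added example, not from the original post: find every copy of the
timthumb script under a WordPress install, including renamed copies bundled
inside themes, and report those older than an assumed floor version.

Sample files are constructed inside a temporary directory so this runs offline."""
import os
import re
import tempfile

# Matches  define ('VERSION', '2.8.11');  in any spacing/quoting variant.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"](\d+(?:\.\d+)*)['"]""")
# Themes often rename timthumb.php (thumb.php, resize.php ...), so detect by
# content: the script carries the TimThumb name in its header comment.
SIGNATURE_RE = re.compile(r"timthumb", re.IGNORECASE)

# Assumption, not a project statement: treat anything below this as outdated.
# Check the project's own release notes and raise the floor accordingly.
MIN_VERSION = "2.0"


def parse_version(text):
    """'2.8.11' -> (2, 8, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_timthumb(root):
    """Walk root and return [(path, version_or_None)] for every PHP file
    that looks like a copy of timthumb."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(8192)  # header comment and VERSION define sit at the top
            except OSError:
                continue
            if not SIGNATURE_RE.search(head):
                continue
            m = VERSION_RE.search(head)
            hits.append((path, m.group(1) if m else None))
    return hits


def outdated(hits, minimum=MIN_VERSION):
    """Copies whose version is below minimum, or whose version cannot be read
    (treated as unknown, therefore suspect)."""
    floor = parse_version(minimum)
    return [(p, v) for p, v in hits if v is None or parse_version(v) < floor]


def build_sample_tree(root):
    """Constructed fixtures: one current copy, one old renamed copy, one
    unrelated PHP file, one copy with no readable version string."""
    samples = {
        "wp-content/themes/good/timthumb.php":
            "<?php\n/* TimThumb script ... */\ndefine ('VERSION', '2.8.11');\n",
        "wp-content/themes/old/scripts/thumb.php":
            "<?php\n// TimThumb by Tim McDaniels\ndefine('VERSION', '1.09');\n",
        "wp-content/themes/old/functions.php":
            "<?php\nadd_action('init', 'theme_setup');\n",
        "wp-content/plugins/gallery/resize.php":
            "<?php\n# stripped timthumb copy, version define removed\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def scan_sample():
    """Build the fixture tree, scan it, and return the outdated copies as
    paths relative to the fixture root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(os.path.relpath(p, root)
                      for p, _v in outdated(find_timthumb(root)))


if __name__ == "__main__":
    for rel in scan_sample():
        print("outdated or unreadable timthumb copy:", rel)
```

Point it at a real install by calling find_timthumb on your WordPress root instead of the fixture tree. Versions are compared as integer tuples deliberately: as strings, ‘2.10’ would sort below ‘2.8.11’ and a current copy could be flagged while an old one passed.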
Update, Update, Update!
How many times have you ignored a WordPress update notice at the top of your screen, thinking, “Oh, I’ll come back to that later…”? I’ve already done it today – I know, call me a hypocrite – but I will go and update as soon as I’ve finished writing this post…
Seriously though: keep your WordPress core, plugins and themes up to date. It’s easy to do and makes your site a far less attractive target for bots. Outdated versions are prone to attack precisely because the flaws they contain have been published and attackers already know how to exploit them; plugins and themes count just as much as core, since they are where most of these flaws live.
Don’t forget to back up your files and database before you update, though; there’s more information on that here.
Keep Your Own Computer Clean
Everything above can be undone by malware on the computer you administer the site from: a keylogger or stolen browser session hands an attacker your credentials no matter how strong they are. So, firstly: install a virus scanner on your computer. Secondly: keep it up to date and schedule scans frequently. Not just the quick 1-minute jobs, but full scans too. Leave it running while you’re at lunch if you’re worried about it slowing your computer down – it’s worth it.
If you have – or suspect there may be – a problem with your website, scan every computer that has been used to access your WordPress admin area, and change the passwords (WordPress, FTP/SFTP, hosting control panel) from a machine you know is clean.
Anna Tully works for Solar Communications, a unified communications provider based in the UK. Using WordPress for the Solar website, we strive to share our WordPress knowledge, and have also been developing WordPress plugins and extensions. Solar Communications recently launched the PPC Call Tracker Extension, a marketing tool to track offline enquiries and sales generated from digital search advertising campaigns.