
WordPress Security (Hardening) Tips 2017


Websites 'N' More, a WordPress development agency based in Sydney, has put together a list of techniques that can be used to further harden your WordPress website or blog.

Published in: Technology


  1. WordPress Security (Hardening) Tips 2017
  2. The Importance of Website Security
     Website security is a pressing issue today. We have progressed in the virtual world with better, faster and more reliable technology, but so have the hackers. The methods used by hackers have become more sophisticated and more damaging in many ways. As more and more businesses turn towards the virtual world in order to keep up with changing consumer preferences and the competition, it is important that they fully understand the risks involved in their digital presence and take appropriate measures right from the very start. Here are some recent facts about website security:
     • As of March 2016, Google reported that over 50 million website users were greeted with a security warning when they visited a website. In March 2015 that number was 17 million, so it almost tripled in a single year.
     • Google blacklists close to 20,000 websites a week for malware issues and another 50,000 for phishing scams.
     • A study done by Sucuri on 11,000+ infected websites showed that 75% of these websites were running on the WordPress platform and over 50% of them were out of date. The most basic step towards improving your WordPress website's security is to update the core software and plugins.
     • According to a recent study conducted on the 40,000 most visited WordPress websites, 70% were vulnerable to hacking attacks.
     • WordPress plugins are the biggest threat: in one study, 55.9% of hacking attacks happened through plugin vulnerabilities.
  3. How do you Secure your WordPress Website or Blog?
     Here are some security techniques that our team of WordPress developers has put together. Some of these techniques might require advanced knowledge of WordPress.
     Backup WordPress - There are plenty of techniques you can use to back up your WordPress website or blog. You can either back up your WordPress installation through the backup wizard provided by your hosting company or use a plugin from the WordPress Plugin Directory. Not all hosting companies provide a backup service as part of your hosting plan, so it is best to confirm this with them. If you want to use a plugin to take backups, here are some options:
     • UpdraftPlus
     • Duplicator
     • BackWPup
     Update Plugins - One of the main reasons WordPress websites get hacked is plugins not being up to date. We highly recommend you log in to your WordPress dashboard and check for any notifications on the left-hand side of the panel (under Updates or Plugins).
  4. How do you Secure your WordPress Website or Blog?
     Update Core Software - Another simple security measure is to update the WordPress core software on a regular basis. By default every WordPress website is set to automatically update the core software when minor releases are available. However, this might not be the case if your website has been highly customised. If you are not sure, please check with your web developers.
     Update WordPress Plugins Regularly - According to a study conducted on 117,000 hacked WordPress websites in 2013, 22% were hacked via a vulnerability in a plugin that was being used. If you are using a plugin downloaded from the WordPress Plugin Directory, you should be able to easily check for updates through your WordPress admin dashboard. However, if you have a custom plugin created by a web developer, it is best to check with them.
     Use a Security Question - Using a plugin you can add a security question to the Registration, Admin Login and Forgot Password screens:
     • WP Security Question
     Don't Use Admin as the Username - A simple fix that is often overlooked by WordPress website owners. We have seen so many websites using admin as their username, and this puts your website's security at serious risk! All the hacker needs to guess is the password in order to get access to your website. Here is how you can change your WordPress username:
  5. How do you Secure your WordPress Website or Blog?
     • Go to your WordPress dashboard using your existing login credentials and click on Users in the left-hand panel.
     • On the following screen click on Add New, and a form will appear that will allow you to create a new user.
  6. How do you Secure your WordPress Website or Blog?
     • Please complete the form choosing unique login credentials and select the role Administrator.
     • Once the form has been submitted the new user should appear on the Users screen.
     • Now log out from your current admin account and sign in using the new credentials. Once you enter the dashboard, please remove the old administrator account.
     NOTE - When you delete the old admin account, WordPress will prompt you to assign its pages and posts to another user. Please assign this content to the new admin user account you have created, or else it might get deleted.
     Use 2 Factor Authentication - This adds an extra layer of security to your WordPress admin panel by asking a user for a unique code each time they want to enter the WordPress admin dashboard. This code comes from the Google Authenticator app, which is available on both iOS and Android. Here is a step by step guide for enabling this security feature on your WordPress website using the following plugin:
     • Google Authenticator
     Use Strong Passwords - The same study also showed that 8% of security hacks happened because the WordPress installation was using a weak admin password. Here are some tools you can use to generate strong passwords:
     • Strong Password Generator
     • Norton Password Generator
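The account-replacement steps on slides 5 and 6 (create a uniquely named administrator, hand the old account's posts and pages over to it, then delete the default "admin" user) can also be carried out with WordPress's own user functions. The script below is an added example, not code from the slides or from Websites 'N' More; `NEW_LOGIN` and `NEW_EMAIL` are placeholders for your own values, and it assumes a single-site install where the script is run in a loaded WordPress context, for instance with WP-CLI's `wp eval-file`.

```php
<?php
// Added example (not from the slides): replace the default "admin" account
// with a uniquely named administrator and reassign its content, mirroring
// the dashboard steps on slides 5 and 6.
//
// Run once from a WordPress context, e.g.:  wp eval-file replace-admin-user.php

const OLD_LOGIN = 'admin';
const NEW_LOGIN = 'site-owner-x7q2';   // placeholder: choose your own unique login
const NEW_EMAIL = 'owner@example.com'; // placeholder: your real address

// wp_delete_user() lives in an admin include that is not loaded by default.
require_once ABSPATH . 'wp-admin/includes/user.php';

function replace_default_admin( string $old_login, string $new_login, string $new_email ): int {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        throw new RuntimeException( "No user named '$old_login'; nothing to do." );
    }
    if ( username_exists( $new_login ) ) {
        throw new RuntimeException( "'$new_login' already exists; choose another login." );
    }

    // Strong random password (24 chars, with special characters), shown once
    // so it can be stored in a password manager.
    $password = wp_generate_password( 24, true, true );

    $new_id = wp_insert_user( array(
        'user_login' => $new_login,
        'user_pass'  => $password,
        'user_email' => $new_email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        throw new RuntimeException( $new_id->get_error_message() );
    }

    // Reassign posts and pages to the new account before deleting the old one.
    // This is the same choice the dashboard offers on deletion (slide 6 NOTE):
    // without the second argument WordPress deletes the old user's content.
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        throw new RuntimeException( "Could not delete '$old_login'." );
    }

    echo "Created '$new_login' (ID $new_id) and removed '$old_login'.\n";
    echo "Temporary password: $password\n";
    return $new_id;
}

replace_default_admin( OLD_LOGIN, NEW_LOGIN, NEW_EMAIL );
```

The two guard clauses are the part worth keeping even if you do this through the dashboard: confirm that an account called admin actually exists before acting, and refuse to proceed if the new login is already taken. On a multisite network user deletion goes through `wpmu_delete_user()` instead, so this single-site script would need adapting there.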
  7. How do you Secure your WordPress Website or Blog?
     Update your WordPress Theme - In a study of 117,000 hacked WordPress websites, it was found that 29% were hacked because of a vulnerability in the WordPress theme being used. Most themes come with an auto-update option or a plugin that supports this feature. It is best to check your theme documentation or contact the theme publisher. For custom-built themes the best option is to check with your WordPress developer.
     Use an SFTP connection to connect to the server - Using an SFTP connection to connect to the server means that the file transfer between the local machine and the server (remote machine) will be private and secure. More on SFTP connections here.
     Disable File Editing from the WordPress Dashboard - WordPress comes with a handy little feature on the admin dashboard that allows a user to edit files that are part of the WordPress installation. But this feature can be misused if a hacker gains access to the dashboard. WordPress itself highly recommends that you turn off the file editing feature completely. Add the following line at the end of the wp-config.php file:
     Use a Comprehensive Security Plugin for WordPress - There are plenty of plugins available in the WordPress Plugin Directory providing a range of security features. Here is an article that talks about the most popular security plugins. We have personally installed the following plugins on WordPress websites:
     • Wordfence
     • Acunetix
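The wp-config.php settings behind two of the tips above, the automatic core updates on slide 4 and the file-editor switch on slide 7, as an added example that is not from the slides or from Websites 'N' More. The constants are WordPress's documented ones (`DISALLOW_FILE_EDIT`, `WP_AUTO_UPDATE_CORE`, `FORCE_SSL_ADMIN`, `WP_DEBUG`, `WP_DEBUG_DISPLAY`); the example assumes the site is already reachable over HTTPS, which `FORCE_SSL_ADMIN` requires.

```php
<?php
// Added example (not from the slides): hardening constants for wp-config.php.
// Put them above the comment that reads "That's all, stop editing!" so they
// are defined before wp-settings.php loads; lines placed after it are ignored
// by the time the admin area is built.

// Slide 7: remove the theme and plugin file editors from the dashboard.
// An attacker who obtains an admin session can then no longer write PHP
// through the browser; the Appearance > Theme Editor and Plugins > Plugin
// Editor entries disappear once this is set.
define( 'DISALLOW_FILE_EDIT', true );

// DISALLOW_FILE_MODS would also block installing and updating plugins and
// themes from the dashboard. It is deliberately NOT set here, because slides
// 3, 4 and 7 rely on updating plugins and themes through the dashboard.
// define( 'DISALLOW_FILE_MODS', true );

// Slide 4: keep the core on automatic minor (security and maintenance)
// releases. 'minor' is WordPress's default; true would also apply major
// releases automatically, false turns core auto-updates off entirely, which
// is the state the slide warns a heavily customised site may be in.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Serve the login form and the whole admin area over HTTPS only, so admin
// credentials and session cookies never travel in the clear. Assumes a
// working TLS certificate is already installed for the site.
define( 'FORCE_SSL_ADMIN', true );

// Never show PHP errors, stack traces or file paths to visitors on a
// production site; log them instead if debugging is needed.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
```

To confirm the setting took effect without opening the file, WP-CLI's `wp config get DISALLOW_FILE_EDIT` prints the current value, and the Theme Editor and Plugin Editor menu entries should no longer appear in the dashboard.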
  8. About Us
     Websites 'N' More is a Sydney-based digital agency focusing on web development using PHP-based open source platforms including WordPress, Joomla, Magento and Drupal. Our team of web developers is capable of:
     • Custom Plugin/Extension Development
     • eCommerce Development
     • Systems Integration
     • API Development
     • Theme Development