Education: CMS - Adding additional security to WordPress
Posted by Matt Kinne on 12 July 2016 11:37 AM
WordPress is one of the most used content management systems in the world, by a large margin. According to Marketing Land, WordPress is on 25% of the world's websites as of November 2015. To compare, the next closest content management systems, Joomla and Drupal, each have just over 2% of the market share. Because WordPress is so popular and well-known, it is also the perfect target for hackers. So now you're probably thinking, how can I add additional security to my WordPress site to keep the chances of being hacked low? Don't worry, we're here to help.
There is no such thing as too much security
The internet is always changing, so security needs to change along with it. That is why keeping your plugins up to date is so important: updates aren't always just there to add new features; most of the time they fix security vulnerabilities. There are a few plugins that we always install on our sites to provide the maximum amount of security.
Wordfence Security is an excellent avenue to take when it comes to bolstering the security of your website. Not only does it provide real-time scanning, but it also acts as a firewall. If you jump into the premium version, which we highly recommend, it adds the ability to block traffic from certain countries, a check on whether your site's IP is generating spam, a real-time threat defense feed, and more.
This plugin can be very helpful in stopping hackers from getting into your WordPress site. One way hackers find their way in is by running a program against your login fields that guesses usernames and passwords over and over. With Brute Force Login Protection, you can limit the number of login attempts a user can make. Once they have used up all of their login attempts, that IP address will be blacklisted.
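To show what this kind of protection does behind the scenes, here is an added example (written for this article, not code from Brute Force Login Protection or any other plugin). It counts failed logins per IP address inside a time window and blacklists the IP for a set period once the limit is reached, so that even a correct password is refused while the lockout lasts. The class name, the limits (5 attempts, 5-minute window, 1-hour lockout) and the sample login events are all assumptions made for the example.

```python
"""Added example: a per-IP login attempt limiter with temporary blacklisting.
Not WordPress plugin code; the policy numbers and sample events are assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    max_attempts: int = 5          # failures allowed before lockout (assumed policy)
    window_seconds: int = 300      # failures older than this are forgotten
    lockout_seconds: int = 3600    # how long a blacklisted IP stays blocked
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, ip, now):
        """True while the IP is on the blacklist; expired entries are removed."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]   # lockout has expired
            return False
        return True

    def record(self, ip, success, now):
        """Process one login attempt and return 'blocked', 'ok', 'failed' or 'locked'."""
        if self.is_blocked(ip, now):
            return "blocked"               # refused before the password is even checked
        recent = self._failures[ip]
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()               # drop failures outside the window
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._blocked_until[ip] = now + self.lockout_seconds
            recent.clear()
            return "locked"                # this attempt used up the allowance
        return "failed"


# Constructed sample of login events: (timestamp in seconds, ip, password was correct)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", False), (2, "198.51.100.7", False), (4, "198.51.100.7", False),
    (6, "198.51.100.7", False), (8, "198.51.100.7", False),   # fifth failure -> lockout
    (10, "198.51.100.7", True),                                # right password, still refused
    (12, "203.0.113.9", True),                                 # unrelated visitor unaffected
    (3700, "198.51.100.7", True),                              # lockout has expired
]


def replay(events, limiter=None):
    """Run a list of events through a limiter and return the outcome of each."""
    limiter = limiter or LoginLimiter()
    return [limiter.record(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    for (t, ip, ok), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>5} {ip:<14} correct={str(ok):<5} -> {outcome}")
```

Running the sample shows the guessing IP getting four "failed" results, a "locked" on the fifth try, "blocked" even when it then sends the right password, while a different visitor logs in normally and the first IP is allowed back only after the lockout period.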
Make a longer, more complex password
This one is by far the easiest and one of the most effective things you can do. We see a ton of WordPress sites with basic passwords such as ChangeMe!, password123, admin123, and so on. Those definitely aren't secure and could almost be guessed without the help of a program. We use a website called Password Generator and use 16-character passwords.
To give you an example, a password that is 8 characters long, using only lowercase letters, has 208,827,064,576 possible combinations. That's over 200 billion different passwords! Now, if you add capital letters as well, that's 53,459,728,531,456 combinations. If you add numbers and even special characters, you have yourself a very strong password. Increasing the length only increases the number of possible passwords further. Just don't make it abcdEF!#; that's still relatively simple.
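The numbers above come straight from the size of the character set raised to the password length. The added example below (written for this article, not taken from the post or from the Password Generator website) turns that into a small calculator for any character set and length, expresses the result as bits of entropy, and generates a 16-character password using Python's secrets module, which is intended for security-sensitive randomness. The charset names and the default policy are assumptions made for the example.

```python
"""Added example: password keyspace / entropy calculator and a random generator.
The charset names and default length are assumptions for this illustration."""
import math
import secrets
import string

# Character sets from the article's examples, plus two stronger ones.
CHARSETS = {
    "lower": string.ascii_lowercase,                                           # 26 symbols
    "lower+upper": string.ascii_letters,                                       # 52 symbols
    "lower+upper+digits": string.ascii_letters + string.digits,                # 62 symbols
    "lower+upper+digits+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time for an attacker guessing at a constant rate to try every password."""
    return keyspace(alphabet_size, length) / guesses_per_second


def generate_password(length=16, alphabet=CHARSETS["lower+upper+digits+symbols"]):
    """Pick each character with secrets.choice, not random.choice, so it is unpredictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def policy_table(lengths=(8, 12, 16)):
    """Return (charset name, length, keyspace, entropy bits) for each policy."""
    rows = []
    for name, chars in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(len(chars), n), round(entropy_bits(len(chars), n), 1)))
    return rows


if __name__ == "__main__":
    for name, n, space, bits in policy_table():
        print(f"{name:<28} length {n:>2}: {space:>32,} passwords ({bits} bits)")
    print("example 16-character password:", generate_password())
```

The first two rows of the table reproduce the article's 208,827,064,576 and 53,459,728,531,456 figures; the later rows show why a 16-character password drawn from all four character classes is in a completely different league from an 8-character one.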
Not using comments? Disable them site-wide!
An easy way for hackers to use your site as a spam center is to post comments containing their links. This not only looks bad to your customers, but Google is not a fan of it either. We use a lightweight plugin called Disable Comments, which makes it very easy to disable comments site-wide.
To go along with a stronger password and brute force protection, and to make things really difficult for prospective hackers, we add a math captcha. Whenever someone goes to log into your site, they will have to complete the math captcha before they are able to sign in, even if they have the right username and password.
Now, none of these plugins and methods guarantee that your site will not be hacked, but they will definitely help and lower the chances. If you have any questions about WordPress security, or security in general, check out our official blog or feel free to contact us!
Don't forget to subscribe to the Help Desk for weekly news updates!