A little bit about WordPress security
When it comes to WordPress security, there have been many holes, exploits, discussions, patches, and fixes throughout the history of WordPress. If you’ve kept up with what’s going on, you’d know that it’s like a constant battle between those who secure WordPress and those who would exploit it for their own reasons… whatever those reasons may be. Now, when it comes to security, let me be the first to tell you that there is really no such thing as a perfectly secure web site, whether it’s WordPress or not. 100% security doesn’t exist on the Internet and anyone who claims they’re 100% secure is just begging to be hacked. Many hackers see claims like that as just another challenge. The only secure website is one that isn’t connected to the internet.
But, there is still hope. The one thing that you can do is to make your site prohibitively expensive to crack. What this means is that it just isn’t worth a hacker’s time to crack your site. And you’re in luck, because I’m going to give you some easy tips on doing just that.
First, let me give you a little history about my experience with web security. I learned about web security the hard way. To be blunt… my site was hacked. More accurately, my entire server was hacked. And I thank my lucky stars that I had a backup of my data. It was this event that forced me to take web security very seriously. Looking back, it’s been over a decade since that nerve-wracking day, and I’ve learned quite a bit about web security since then.
Password security. This is a big one
If you don’t read anything else in this post, at least read this section. Making sure passwords are secure is the single most important thing when it comes to WordPress security. I can’t stress enough how important it is that your passwords are secure against hackers…. IT’S REALLY, REALLY IMPORTANT!!
Let me start by saying this… Most WordPress websites are insecure. If your website is using WordPress and it’s not secured with mandatory SSL (Secure Sockets Layer), then getting your admin password is as easy as sniffing the network packets that travel between your computer and your web server. Literally ANYONE that can sniff packets along the route between you and your web server can get your admin password. They only need to wait until you log in as an administrator. As soon as you do, and they are listening, they can literally own your website. What’s worse is if you use that same password for your online banking or PayPal account, they can own that too! As a matter of fact, it’s good practice to ALWAYS make sure that when you enter a password ANYWHERE, it’s over SSL. This is especially true when it comes to public networks like coffee shops and hotels. If you are connected to a public network, you should assume someone is always listening.
So, how can you tell if you are using SSL? Simply glance up at your browser’s address bar. If you see a “Lock” icon, then your password is encrypted before it is sent across the network and you’re safe. Of course it’s still possible for someone to get your password or hack your account even though you are using SSL, but only the most elite hackers would be able to do this, and it wouldn’t be easy. (Hence, prohibitively expensive, like I mentioned above.)
If you want to learn more about your SSL connection, click on the lock icon and you’ll get all sorts of information about your secure certificate.
What if your site doesn’t have the lock?
If your site’s address bar doesn’t have the lock, and you are about to log in as admin… DON’T. Instead, try entering “https://” before your WordPress login URL. If your WordPress login URL is “www.mysite.com/wp-admin”, then enter “https://www.mysite.com/wp-admin” instead. If you get a security warning, then you need to purchase an SSL certificate in order to secure your site.
If you have Web $en$e, all you need to do is contact us to have us secure your site for you. There is a rather affordable monthly or yearly fee for securing your web site.
For those of you who do a lot of shopping online, you know better than to put your credit card number into a website that doesn’t have the lock icon. You wouldn’t enter your card info, so why would you enter your password? Especially if you use that same password (or something similar) for your online banking account.
Is there anything else I should know?
I’m glad you asked. Because, yes… as a matter of fact, there is something else you should know. If other users log in to your WordPress site as well, you are putting their passwords at risk too if you don’t have SSL. Let’s say you run a blog, and you allow registered users to comment on your posts. You’re not selling anything, so you don’t need SSL, right? Wrong! Your users have to register and log in before they can comment. And when they enter their password to log in, it’s open season on that password. What’s worse is the fact that you have no control over whether or not they use that same password for their banking. If a user enters a password on your site and that password is stolen, the hacker could use that same password to log in to their banking account, and who knows what kind of lawsuit you may face.
In short, it’s all easily and cheaply avoidable. Just secure your site with SSL…. Do it… It’ll let you sleep better at night.
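Here is what “mandatory SSL” for the login page looks like on the WordPress side. This is an added example for this post, not code from the original article or from WordPress itself. It uses the real wp-config.php constants FORCE_SSL_ADMIN, WP_HOME and WP_SITEURL; www.mysite.com is the placeholder domain from above, and the X-Forwarded-Proto branch is an assumption that only applies if a load balancer or CDN terminates SSL in front of your server.

```php
<?php
// wp-config.php fragment (added example, not from the original post).
// Put these lines above "/* That's all, stop editing! */".

// Serve wp-login.php and the whole /wp-admin area over HTTPS only. A plain-http
// request to those URLs is redirected to https before any password is submitted,
// and the admin authentication cookie is marked "secure" so the browser never
// sends it over an unencrypted connection.
define('FORCE_SSL_ADMIN', true);

// Assumption: only needed when a proxy terminates SSL and talks plain http to
// PHP. The proxy reports the original scheme in X-Forwarded-Proto; without this,
// WordPress would believe the request was http and redirect forever. Only add
// it when your proxy overwrites that header itself, so a client cannot forge it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Pin the public URLs to https as well so the rest of the site (where the
// logged-in cookie is also used, e.g. when commenting) is not left on http.
// These override the values on the Settings > General screen.
define('WP_HOME',    'https://www.mysite.com'); // placeholder domain from the post
define('WP_SITEURL', 'https://www.mysite.com');
```

After saving, open http://www.mysite.com/wp-admin in a private browser window: the address bar should switch to https and show the lock before the login form appears. If you get a certificate warning instead, the constant is doing its job but the certificate still has to be installed first.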
Password strength and uniqueness
Another thing to look out for is making sure your password is strong and unique. Don’t use your pet’s name, or birthdays, or “password” (which, incredibly, is still the most widely used password), or simply add a “1” to the end of any of those. It’s amazing how easy passwords are to crack. The reason for this is that even though you are using passwords with upper case, lower case, symbols, and numbers, the fact remains that humans are extremely predictable. There now exists software that can easily guess your password based on information about you, like your Facebook profile. Here are some helpful tips to make sure your password is strong, unique and can’t be guessed by a computer.
- Use a password manager. A password manager can generate truly random passwords. Don’t make up passwords yourself, they aren’t as random as you might think. Plus, with a password manager you never have to remember them. Your password manager remembers them for you.
- Use extremely long passwords. I recommend using passwords that are at least 15 characters long… minimum. Using 30 character passwords is even better. Since you are using a password manager, you don’t have to remember the password anyway so… the longer, the better. Computers are only getting faster. A password that used to take years to crack can now be cracked in a fraction of the time.
- Use a unique password for every single website. Never use the same password twice, ever… Don’t do it, it’s just asking for trouble. A password manager makes this easy too.
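To put some numbers behind the three tips above, here is an added example (my own illustration, not code from the original post or from any password manager). It compares a “pet’s name plus 1” style password with 15- and 30-character passwords generated the way a manager does, using PHP’s random_int CSPRNG. The guess rate of ten billion per second and the list of “things about you” words are constructed assumptions for illustration.

```php
<?php
// Added example, not from the original post. Shows why long random passwords
// beat human-made ones: entropy, a rough brute-force time, and a check for the
// "word you can find on my profile plus a digit" pattern the post warns about.

// Size of the character pool an attacker must cover for a given password.
function charsetSize(string $password): int {
    $size = 0;
    if (preg_match('/[a-z]/', $password))        $size += 26;
    if (preg_match('/[A-Z]/', $password))        $size += 26;
    if (preg_match('/[0-9]/', $password))        $size += 10;
    if (preg_match('/[^a-zA-Z0-9]/', $password)) $size += 32; // printable ASCII symbols
    return $size;
}

// Entropy in bits, assuming every character was picked uniformly at random.
// For a human-made password this is an upper bound; the real figure is far lower.
function entropyBits(string $password): float {
    $size = charsetSize($password);
    return $size === 0 ? 0.0 : strlen($password) * log($size, 2);
}

// Years to try every combination at a constructed guess rate (assumption:
// an offline cracking rig against a fast hash, 1e10 guesses per second).
function yearsToExhaust(float $bits, float $guessesPerSecond = 1e10): float {
    return pow(2, $bits) / $guessesPerSecond / (365 * 24 * 3600);
}

// True when the password is just a personal word with up to three digits or
// "!" appended, which is the first thing profile-driven guessing software tries.
function looksHumanMade(string $password, array $personalWords): bool {
    $lower = strtolower($password);
    foreach ($personalWords as $word) {
        if (preg_match('/^' . preg_quote(strtolower($word), '/') . '[0-9!]{0,3}$/', $lower)) {
            return true;
        }
    }
    return false;
}

// What a password manager does: every character chosen with a CSPRNG.
function generatePassword(int $length = 30): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!#$%&()*+,-./:;<=>?@[]^_{|}~';
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Constructed sample: words a stranger could pull from a public profile.
$personal = ['fluffy', 'password', 'smith1985'];

foreach (['Fluffy1', 'password', 'Smith1985!', generatePassword(15), generatePassword(30)] as $candidate) {
    printf("%-32s %6.1f bits  profile-guessable: %-3s  brute force: %.2e years\n",
        $candidate,
        entropyBits($candidate),
        looksHumanMade($candidate, $personal) ? 'yes' : 'no',
        yearsToExhaust(entropyBits($candidate)));
}
```

Run it with php on the command line. The first three lines are flagged as guessable regardless of their nominal entropy, which is the point: the bits only mean something when the characters were actually chosen at random. The 30-character line lands in the hundreds of bits, so the brute-force estimate is astronomically large even if guess rates keep climbing, and the third tip (one password per site) is what stops a breach elsewhere from making all of that irrelevant.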
Other threats you should consider
Ok, now that we’ve gone over password security, we can get into the other things you can do to protect your WordPress website. This is a simple list of things that are a MUST for anyone running WordPress that is security conscious.
- Don’t install themes or plugins from untrusted sources. Always, always install themes and plugins from trusted sources. The reason for this is that you never know what code the theme or plugin has. It could contain a back door that allows hackers easy access to your site. Themes and plugins from the official WordPress repository have gone through an official review process to make sure the package is free of malicious code.
- Be cautious with rookie web programmers. Now I’m not saying that all rookie programmers are bad, but a lot of them just don’t know what security threats are out there. It’s likely that a rookie web programmer will add code that has a security hole in it that will open your site up to hackers. In most cases, the programmer is unaware he or she has compromised your site.
- Always keep your site updated. Many updates are put out to patch security holes, so don’t ignore them. Updating is usually as easy as clicking “Update” within your WordPress admin panel. It only takes a few seconds. You may want to make sure your site is backed up before updating, though. If you are using Web $en$e, your site is always backed up, so we’ve got you covered there.
- Be cautious with plugins or themes that haven’t been updated in a while. If you have a plugin or theme that hasn’t been updated in a while, it’s possible that the developer has stopped developing it. Remember, plugin developers don’t get paid, so there’s really no incentive to patch security holes.
- Contact your hosting provider and ask if your site is protected with a “Web Application Firewall” (WAF). You really have no control over this one (unless you’re a hosting provider or you host your own server) so choose your hosting provider wisely. A WAF is a piece of software that inspects all traffic into your website for malicious behavior. A lot of hacking attempts can be detected and stopped before they ever get to your website, even if your website has a security hole. And that’s exactly what a WAF does. If you have a Web $en$e website, then your site is protected with a WAF.
- Don’t use FTP. Instead of using FTP, which is insecure, consider using SFTP or FTPS, which are both secure. FTP suffers from the same problem as a website that isn’t protected with SSL. FTP passwords are sent in plain text and anyone who is listening can simply grab your password. If you have a Web $en$e site, you don’t have to worry, because we don’t allow FTP.
- Be cautious with backup plugins. If you use a plugin to backup your WordPress website, you should research the plugin to make sure it backs up your site over a secure connection. If your site is being backed up over an insecure connection, then anyone can simply grab your database as it’s transferred which contains hashed passwords. If you have a Web $en$e website, then backup plugins are strictly forbidden. There’s no need to worry though, because backup is handled for you.
- Contact your hosting provider and ask if all sites on your server are “CHROOTED”. If your hosting provider provides CHROOTED websites, then you are protected from other websites on the same server. If another website on the same server is hacked, it’s possible for the hacker to use that site as a gateway to hack all other sites on the same server… that is, unless all sites are CHROOTED. A site that is CHROOTED is walled off from the rest of the server so that the damage is limited to that one website. Think of it kinda like a submarine… we’ve all seen the movies where a single compartment is sealed to keep the water from getting into the rest of the sub. It’s kinda like that. If you have a Web $en$e website, you are indeed CHROOTED along with all other sites.
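For the “always keep your site updated” and “plugins that haven’t been updated in a while” points above, WordPress can install patches on its own so nobody has to remember to click “Update”. The fragment below is an added example for this post, not code from the original article or from WordPress; it uses the real WP_AUTO_UPDATE_CORE constant and the auto_update_plugin / auto_update_theme filters. The held-back plugin path is a hypothetical placeholder.

```php
<?php
// Added example, not from the original post. Two files are shown in one block:
// a wp-config.php constant, and a tiny "must-use" plugin that WordPress loads
// automatically from wp-content/mu-plugins/ without activation.

// ---- wp-config.php ----
// true  = install every core release automatically (major and minor)
// 'minor' = only maintenance/security releases, which is the safer default
//           if you want to review major versions on a staging copy first
define('WP_AUTO_UPDATE_CORE', 'minor');

// ---- wp-content/mu-plugins/auto-updates.php ----
// Opt every installed plugin and theme into automatic updates.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme',  '__return_true');

// Exception list for plugins you prefer to test before updating. The path is a
// hypothetical placeholder; use the "folder/main-file.php" shown on the
// Plugins screen. Priority 20 runs after the blanket __return_true above.
add_filter('auto_update_plugin', function (bool $update, object $item): bool {
    $holdBack = ['example-plugin/example-plugin.php']; // placeholder
    return in_array($item->plugin, $holdBack, true) ? false : $update;
}, 20, 2);
```

Automatic updates run from WP-Cron, so they only happen while the site is getting visits; pair them with the backup that the post recommends, since an update that breaks a plugin will be applied without anyone watching. A plugin that has not seen a release in years still will not get patched this way, which is why the abandoned-plugin advice above stands on its own.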
You can never be too careful when it comes to web security. Many common mistakes are easily avoidable by following the guidelines I’ve provided. Also, if you have a Web $en$e site with the SSL option (which I highly recommend) you are good to go and don’t have to worry about security because we take care of it all for you.