Large-scale cyberattacks have been making a splash in the news recently. In light of this, you may be thinking about how to keep your WordPress site secure.
Web databases vulnerable to cyberattacks
The BBC recently reported that cyber thieves had held thousands of companies to ransom for data held in online databases.
The attackers deleted gigabytes of sensitive data held in MongoDB databases, replacing it with ransom notes demanding bitcoins in return for restoring the data.
Over 5,000 systems have been hit so far. Victims include small businesses, hospitals and educational institutions.
How did the hackers get in?
The databases in question used MongoDB, an open-source database programme. It’s free and incredibly easy to use, which makes it very popular.
In the past, MongoDB was easily accessible to anyone by default. Newer versions have changed, but many organisations had failed to upgrade their systems – which left the databases vulnerable to attack.
Hackers used automated scanning tools to search the web for unsecured MongoDB systems. Once found, the hackers could access them easily.
How can I keep my website safe?
This story highlights the importance of keeping your data secure. Even a small vulnerability could give hackers a way in.
The threat of a cyberattack may seem far-fetched – the stuff of movies and high-level corporations – but the truth is it could happen to anyone.
In a survey by Wordfence, 38.9% of of 7,375 WordPress users surveyed reported that their website had been compromised in the last 12 months.
That’s a significant percentage. If you want to avoid the same fate, it’s essential to have the right attitude to cybersecurity.
An attack may seem unlikely – until it happens. And by then it’s too late. Luckily, there are some simple steps you can take to mitigate the risk of being hacked.
Here’s how to keep your WordPress site secure:
1. Implement two-factor authentication login
Two-factor authentication, or 2FA, is one the simplest – but most effective – ways of preventing attacks.
2FA works by requesting an additional form of authentication, like a mobile-generated code, to add an extra layer of login security.
The U.S. Democratic Party would have done well to implement 2FA. John Podesta, chairman of Hillary Clinton’s election campaign, reportedly responded to a phishing email revealing his email password.
2FA may have helped prevent the resultant email leak. It didn’t help that Podesta’s password was the word ‘password’. Which leads us seamlessly on to our next point – it’s almost as if we thought it through…
2. Use secure passwords and update them regularly
As Podesta’s case demonstrates, sometimes the most basic security steps are the first to be overlooked.
Having a secure password is one of the easiest ways to protect your site. If your password is easy to guess, you vastly increase the likelihood that a hacker will be able to break in.
For the best results, make your password at least 10 characters long, and use a combination of uppercase, lowercase, special characters and numbers.
If your website has multiple users, consider forcing them to use strong passwords. Plugins like Force Strong Passwords ensure that users choose secure, difficult-to-break passwords.
Update your password regularly and encourage any other users to do the same.
3. Change your admin login URL
During installation, WordPress sets the admin URL to its default – either wp-admin.php or wp-login.php. Many people don’t bother changing it from this default.
Changing the URL to something more difficult to guess is a simple way to protect against brute force attacks.
Brute force attacks are the most common type of website security breach. Automated software will exhaustively ‘guess’ login credentials until it hits the right combination.
A brute force attack would need to correctly guess your username, password and login URL to succeed. Having a custom URL makes things significantly harder for the attackers.
4. Have a login limit
Putting a limit on the accepted number of login attempts is another easy way to prevent brute force attacks.
The WP Limit Login Attempts plugin will temporarily block any IP address that crosses the threshold of incorrect login attempts.
5. Switch to HTTPs
A man-in-the-middle (MITM) attack is where an ‘eavesdropper’ – for example, a malicious router offering free public wifi – intercepts and controls the communication between two parties.
You can protect against MITM attacks by switching your website from insecure HTTP to secure HTTPS using an SSL certificate. This enables a secure connection between the web server and browser.
On top of the security benefits, Google announced HTTPS as a ranking signal in 2014, and has begun indexing secure pages before unsecured pages. Better security and better SEO? Sounds like a good idea to us.
6. Stay updated
Using an outdated version of WordPress or out-of-date plugins leaves your website vulnerable to hackers.
Make sure you’re using the most up-to-date version of WordPress, and keep your plugins updated too. Lots of plugins have an option to automatically update, so consider enabling this to keep your site secure.
7. Backup regularly
Hopefully these steps will lower the risk of your site getting hacked. But if it does happen, you want to be able to pick yourself back up as easily as possible.
The best way to ensure you can is to regularly backup your site. That way, you’ll be able to restore your site from a previous version if you need to. There are plenty of backup plugins available to help you do this.
WordPress site security: a summary
It’s all too easy to be complacent – but the results of an attack could be at best annoying and at worst devastating.
Making a few simple changes to your WordPress site could vastly improve its security, so take the time to give it a review as soon as you can.
If you’d like to know more about WordPress site security, give us a call – we’d be glad to help out.