Why Bother About WordPress Security?
WordPress security is crucial. Did you know that WordPress accounted for over 90% of hacked content management systems (CMS) in 2018? Shocking, right? But true. According to WebArx, WordPress powers over 34% of all the websites on the Internet, so it is no wonder that its large user base makes it the target of many hackers. Additionally, WordPress being an open source platform makes it more vulnerable to attacks.
It’s not all bad news though; by following the steps highlighted in this article you will increase your chances of staying out of harm’s way.
If your website runs on WordPress then this article is for you. If it doesn’t, read on to learn a few things as some of the tips shared apply to other kinds of content management systems and websites generally. You might consider using WordPress after reading this article.
No system or website is hackproof, but doing the things listed below on your website will reduce the chances of it being compromised.
1. Install SSL
When you buy your domain and hosting plan, make sure it comes with an SSL (Secure Sockets Layer) certificate. Having an SSL certificate installed on your website is paramount if you take WordPress security seriously.
Some hosting companies give out free SSL certificates; check with your hosting provider whether that applies to you. If not, it's easy to purchase an SSL certificate and have it installed on your site.
2. Do not use easy to guess usernames and passwords
Every 39 seconds an attack is carried out on the web, and having easy-to-guess usernames and passwords increases your chances of being compromised by 60%. Usernames like admin and administrator, and passwords like password, password123, qwerty123, 123456, letmein and other popular passwords on this list, should be avoided when setting up your login credentials.
3. Stay away from nulled themes and plugins
Plugins account for over 50% of WordPress website hacks. What has made this even easier is the use of nulled themes and plugins by lots of WordPress users. In their bid to get premium plugins and functionality for free, they install nulled (cracked) plugins and themes, which sometimes contain malicious code, on their websites.
To keep your WordPress website secure, ensure that only verified plugins are installed on your site and always update them to the latest version when available. Additionally, do not install plugins that are not compatible with your version of WordPress, as this might cause vulnerability issues and break your site.
4. Prevent Directory Browsing
WordPress uses a filing system comprising folders (a.k.a. directories) to store critical files necessary for the website to run as it should. Some of those folders include wp-admin, wp-includes, wp-content and many others. If the contents of these folders are exposed, they pose a security risk and increase the chances of someone inserting malicious content into your website.
Unfortunately, index browsing is ON by default on WordPress, so unless you or your developer have actually disabled it, it's on. You don't want to take chances, though; check the status of indexing on your WordPress website by going to yourdomain.com/wp-includes. If you see a listing of the folder's files, then index (directory) browsing is on. This can compromise your WordPress security.
How do I turn off directory browsing?
All you need to do is add the line of code below to your .htaccess file. This .htaccess file is accessible through your File Manager in cPanel.
Options -Indexes
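To repeat the check described above across several folders, before and after editing .htaccess, the following Python script requests each folder on your own site and reports whether the server returns an auto-generated "Index of" page. It is an added example, not code from the original article; the marker pattern, the wp-content/uploads/ entry and the sample responses are assumptions constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Folders to test. wp-includes/ and wp-content/ are named in the article;
# wp-content/uploads/ is an assumed extra that often lacks an index file.
WP_DIRS = ("wp-includes/", "wp-content/", "wp-content/uploads/")

# Apache and nginx auto-generated listings both use an "Index of /..." title.
LISTING_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# Constructed sample responses (status, body), for offline testing only.
SAMPLE_ON = (200, "<html><head><title>Index of /wp-includes</title></head>"
                  "<body><h1>Index of /wp-includes</h1></body></html>")
SAMPLE_OFF = (403, "<html><body><h1>Forbidden</h1></body></html>")


def classify(status, body):
    """Return 'listing', 'blocked' or 'other' for one HTTP response."""
    if status == 200 and LISTING_TITLE.search(body):
        return "listing"   # directory browsing is on for this folder
    if status in (403, 404):
        return "blocked"   # what you expect after Options -Indexes
    return "other"         # an index file, a redirect target, etc.


def fetch(url, timeout=10):
    """Fetch a URL and return (status, first 64 KiB of the body as text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""  # 403/404 arrive here as exceptions


def audit(base_url, fetcher=fetch):
    """Check every folder in WP_DIRS under base_url; return {folder: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {d: classify(*fetcher(base + d)) for d in WP_DIRS}


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python dirlist_check.py https://yourdomain.com
    for folder, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:8} {folder}")
```

Any folder reported as "listing" is still browsable; after the .htaccess change every folder should come back as "blocked" or "other".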
5. Install Security Plugins
Installing security plugins on your website increases your WordPress security. To not do so is to leave your website defenceless. There are several security plugins that work just fine. You don't, however, want to install every plugin you lay your hands on, as this affects the speed and performance of your website.
I recommend the Wordfence Security plugin for your WordPress security. It comes with a ton of features, including a firewall, a brute force attack prevention module and an alert system to keep you notified of changes to your site capable of compromising it.