(originally posted on Bring Your Own Design)
If you have a WordPress site, eventually you’ll become the target of a hacking attack. Whether it’s brute force, SQL injection, or something even more sinister, no one is safe. However, you don’t have to end up as a casualty. We’ve recovered more sites from attacks than we care to count, and more often than not, the initial intrusion was 100% preventable. It’s time to stop being lazy and start being proactive about WordPress security! We’ve compiled a list of four things you need to do right now to help keep you off the list of victims.
- Use strong passwords. Nowadays, when the average person has anywhere from 7 to 30 online accounts, most people reuse the same passwords, and those passwords are usually quite simple. This means that if one of your online accounts is compromised, it’s pretty easy for the rest to follow suit. There are a number of plugins available that will enforce strong passwords for your WordPress user accounts, so take advantage of them. Also, don’t forget to change the rest of your passwords regularly, and follow sensible rules of your own when you do.
- Invest in great hosting. It’s easy to be lured in by cheap hosting, but it’s truly a get-what-you-pay-for product. Proper WordPress hosting is faster, easier to work with, and more secure, because it’s specifically tailored to run WordPress sites. The compromises a general-purpose host makes to run every kind of software don’t apply, so there is less chance of a security hole being exposed. We recommend managed WordPress hosting from companies like WPEngine and Synthesis.
- Use a firewall. You wouldn’t leave your vehicle unlocked and unattended on a busy city street, would you? Leaving your website up without an application-specific firewall is just as dangerous! A good firewall can prevent brute force login attacks, attempts to inject malicious code, and many other performance-degrading actions that hackers take to mess with your website. While the best firewall is always the one built into the server itself, you should also use a firewall plugin in WordPress to help catch the rest of the dirt. WordFence will monitor and act on traffic in real time, as well as scan your site on a schedule for unknown alterations and vulnerabilities that might have popped up. You can even go as far as blocking entire countries. Since many US-based sites don’t do business outside the country, it could be beneficial to block incoming traffic from a country where a lot of hacking activity originates.
- Backup, backup, backup! We’re consistently surprised by how often we find sites that have no backup. Among the hacked sites we’ve repaired, the number is nearly 100%. Really, it’s not a surprising number at all: if you aren’t backing up regularly, you’re begging to get hacked. Many folks use BackupBuddy, but we prefer ManageWP. It has a ton of great features (managed upgrades to WordPress and plugins, database cleaning, etc.), and will let you back up to multiple destinations like Amazon S3, Dropbox, and others.
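As an added example (not the post’s own code, and not part of WordFence or any other plugin named above), here is a small Python detector for the brute-force login pattern the firewall item describes: it reads web-server access-log lines and flags any client that sends five or more failed POSTs to /wp-login.php inside a five-minute sliding window. The combined log format, the threshold, and the sample entries are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            m["method"], m["path"], int(m["status"]))

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each client IP that sent >= threshold failed logins inside a sliding window
    to the time it crossed the threshold. A failed WordPress login re-renders the form
    with HTTP 200 while a success answers 302, so only 200s to /wp-login.php count."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ip, ts, method, path, status in filter(None, map(parse_line, lines)):
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window (log is chronological)
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log: 203.0.113.7 hammers the login form; 198.51.100.4
# mistypes once, then logs in successfully (302) and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [10/Oct/2014:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [10/Oct/2014:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.4 - - [10/Oct/2014:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [10/Oct/2014:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.4 - - [10/Oct/2014:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2014:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
"""

if __name__ == "__main__":
    for ip, ts in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} crossed the failed-login threshold at {ts:%H:%M:%S}")
```

A firewall plugin does the same counting in real time and blocks the client; running this over yesterday’s log tells you whether it would have fired.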
It doesn’t matter whether you’re a WordPress developer, a designer, or just a guy with a blog: anyone can do these four simple things. While the old saying “if they really want it, they’ll find a way” holds some truth, these steps will put you well on your way to bulletproof WordPress security for your site.