WordPress sites are popular targets for cyber attacks. We’ve designed our hosting environment from the ground up with security features that reduce the risk of these attacks, but our role in your site’s security is only part of the story. Did you know there are things you should be doing to keep your site safe as well? More often than not, attackers exploit the software running your site, and not the hosting environment underneath. As a site owner, you play a big role in helping mitigate these sorts of issues. We’ve put together a list of five things you or your developer can do to address your site security:
1. Keep WordPress, plugins and your theme updated
It’s important to keep your software updated to reduce your site’s risk of becoming a target for attack. Many times, attackers find a way into your site through outdated versions of WordPress, plugins, or your theme. Updates to these often include performance improvements and security patches that reduce vulnerabilities. If you update regularly, or whenever you see a notification in your admin dashboard, you can minimize the risk of successful attacks and keep your site running at its best.
In addition to regularly updating the software running on your site, you should delete plugins or themes you no longer use. Attackers can use deactivated, outdated plugins to access your site as well. So, the lesson here is to always update and throw out the clutter!
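The two habits above (apply updates promptly, delete what you don't use) can be automated. The following is an added example, not code from this post or from AGhosted: a must-use plugin, saved under wp-content/mu-plugins/, that turns on WordPress background updates for core, plugins and themes, and once a day emails the site's admin address a list of installed-but-inactive plugins so the clutter actually gets deleted. The plugin name, the cron hook name example_inactive_plugin_report and the single-site (non-multisite) assumption are mine.

```php
<?php
/*
Plugin Name: Update hygiene (added example)
Description: Enable background updates and report inactive plugins once a day.
*/

// Let WordPress apply core updates (minor and major), plugin and theme updates
// in the background instead of waiting for someone to click "Update".
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Schedule a daily report of deactivated plugins (hook name is made up for this example).
add_action('init', function () {
    if (!wp_next_scheduled('example_inactive_plugin_report')) {
        wp_schedule_event(time(), 'daily', 'example_inactive_plugin_report');
    }
});

add_action('example_inactive_plugin_report', function () {
    // get_plugins() and is_plugin_active() live in an admin include that is
    // not loaded on cron requests, so pull it in explicitly.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $inactive = [];
    foreach (get_plugins() as $file => $data) {
        // Single-site assumption: network-activated plugins are not considered here.
        if (!is_plugin_active($file)) {
            $inactive[] = sprintf('%s %s (%s)', $data['Name'], $data['Version'], $file);
        }
    }

    if ($inactive) {
        wp_mail(
            get_option('admin_email'),
            'Inactive plugins to remove',
            "These plugins are installed but not active. Delete the ones you no longer need:\n\n"
            . implode("\n", $inactive)
        );
    }
});
```

If you would rather keep settings in wp-config.php, `define('WP_AUTO_UPDATE_CORE', true);` covers the core part. Either way, background updates only help if WP-Cron actually runs, so check that the site gets regular traffic or that a real system cron calls wp-cron.php.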
2. Rename Login Page
Renaming your login page from the default location hides it from attackers, an example of “security through obscurity.” You can do this by changing your login URL from the standard /wp-login page to a new URL that you define. That helps prevent automated, brute-force attempts to guess admin passwords: bots scanning for the default page can’t try to guess if they don’t know where to look! It won’t stop someone who studies your site specifically, so treat it as one layer alongside the other tips here.
There are a handful of plugins available to help you rename your login page. Look for one that has good ratings, and is updated regularly. One that we recommend is Move Login Page. Read why in our AGhosted Plugin Pick: Move Login feature.
3. Pick a strong password
Besides renaming your login page, you should also pick a strong password that can’t easily be guessed by attackers. This is trickier to get right than most people think!
One common but ill-advised approach is to choose a password composed of special characters, numbers, and upper- and lowercase letters. In practice this usually means taking a dictionary word and substituting numbers and special characters for some of its letters. Hackers know people do this, and have programmed their password crackers to guess accordingly.
Instead, we recommend using a passphrase. As shown in the comic below, a passphrase can be made up of random but common words, which makes it harder for a computer to guess and easier for you to remember.
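To make the "random but common words" idea concrete, here is an added example (not code from this post or from AGhosted) that picks words at random with a cryptographically secure generator and reports how much guessing work the result represents. The WORDS list is a constructed stand-in for a real list of a few thousand common words; the entropy figures assume the attacker knows the list and the number of words, so all the strength comes from the random choice. The guess rate in seconds_to_crack() is a made-up assumption for illustration, not a measurement.

```php
<?php
// Constructed toy word list. A real list should have thousands of entries (see the usage note).
const WORDS = ['apple', 'river', 'candle', 'orbit', 'velvet', 'maple', 'thunder', 'pocket',
               'garden', 'silver', 'window', 'rocket', 'meadow', 'pepper', 'anchor', 'lantern'];

// Pick $count words uniformly at random. random_int() is a CSPRNG, unlike rand()/mt_rand().
function make_passphrase(array $words, int $count = 4, string $sep = ' '): string
{
    $picked = [];
    for ($i = 0; $i < $count; $i++) {
        $picked[] = $words[random_int(0, count($words) - 1)];
    }
    return implode($sep, $picked);
}

// Each word chosen from a list of N adds log2(N) bits, assuming the attacker knows the list.
function passphrase_bits(int $list_size, int $count): float
{
    return $count * log($list_size, 2);
}

// Average time to find the phrase by brute force at a given guess rate (half the keyspace).
function seconds_to_crack(float $bits, float $guesses_per_second): float
{
    return pow(2, $bits - 1) / $guesses_per_second;
}

$phrase = make_passphrase(WORDS);
printf("Passphrase: %s\n", $phrase);

// The toy list is far too small: 16 words -> 4 bits per word -> 16 bits for four words.
printf("Four words from a %d-word list: %.1f bits\n", count(WORDS), passphrase_bits(count(WORDS), 4));

// A 2048-word list gives 11 bits per word, so four words are 44 bits; a 7776-word
// (diceware-style) list gives 12.9 bits per word, so five words are about 64.6 bits.
$rate = 1e10; // assumed offline guess rate, chosen only to illustrate the scale
foreach ([[2048, 4], [7776, 5]] as [$n, $k]) {
    $bits = passphrase_bits($n, $k);
    printf("%d words from a %d-word list: %.1f bits, ~%.0f days at %.0e guesses/s\n",
        $k, $n, $bits, seconds_to_crack($bits, $rate) / 86400, $rate);
}
```

The point the arithmetic makes: strength grows with the size of the list and the number of words, not with how odd the words look, so a short phrase of four or five genuinely random words beats a single word with "1" and "!" stuck on the end.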
4. Use SSL encryption for sharing personal information
Another way to keep your site and user information secure is to set up an SSL certificate on your site, providing encryption for any information passed between your users and your website. Examples of such information include credit card numbers (which require an SSL certificate) and WordPress login credentials. Without encryption, others can snoop on the information that is being passed through your site.
A quick way to check if your site is using SSL encryption is to load your site and look at the address bar. If your URL begins with https:// or there is a padlock before the URL, your site is using SSL encryption. If you’re not using SSL encryption, these will not be present. If you do not have an SSL certificate and are passing user information through your website, we recommend purchasing one and setting it up on your site.
Of course, we can help with that! Visit the Add-ons section of the Help Center to get pricing information about the SSL certificates we sell (and install for free).
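Installing the certificate is only half of it; visitors who type the plain http:// address still need to be moved onto the encrypted site. The following is an added example (not code from this post or from AGhosted) of a must-use plugin that redirects any plain-HTTP front-end request to the same page over HTTPS and, once the site is on HTTPS, tells browsers to keep using it. It assumes the certificate is already installed and working, and that the WordPress Address and Site Address settings have been changed to https://. The plugin name is mine.

```php
<?php
/*
Plugin Name: Force HTTPS (added example)
Description: Redirect plain-HTTP front-end requests to HTTPS and send an HSTS header.
*/

// In wp-config.php, also add:  define('FORCE_SSL_ADMIN', true);
// so the login and admin pages are served only over HTTPS.

add_action('template_redirect', function () {
    if (is_ssl()) {
        // Already encrypted: ask browsers to use HTTPS for this site for the next year
        // without trying HTTP first (HSTS). Send this only once every page works over
        // HTTPS, because browsers remember it and it is hard to undo.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }

    // Plain-HTTP request: build the HTTPS URL from the configured home URL rather than
    // from the Host header, so a forged Host header cannot steer the redirect elsewhere.
    $host = parse_url(home_url(), PHP_URL_HOST);
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    wp_safe_redirect('https://' . $host . $path, 301);
    exit;
});
```

One caveat worth checking before you enable this: if a proxy or CDN terminates TLS in front of the site, WordPress may see every request as plain HTTP and the redirect will loop. In that case set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when the proxy's forwarded-protocol header says the original request was HTTPS, so that is_ssl() reports correctly.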
5. Try Wordfence
Wordfence provides multiple layers of options for securing your site. We use the free version of Wordfence for this blog and have been pleased with its performance and security features. You can set a maximum number of login attempts, get alerts about suspicious login attempts, and more. There is a paid version with further options for customization, including additional alerts. Check out the plugin at https://www.wordfence.com.
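To show what the "maximum login attempts" feature does under the hood, here is an added example (not code from this post, from AGhosted or from Wordfence) of a minimal must-use plugin that counts failed logins per client address, refuses further attempts for fifteen minutes after five failures, and emails the admin when a lockout starts. The limits, the plugin name and the ex_ prefix are mine, and the code assumes the site is not behind a reverse proxy (behind one, REMOTE_ADDR is the proxy, so use the proxy-supplied client address instead).

```php
<?php
/*
Plugin Name: Login attempt limiter (added example)
Description: Lock out a client address after too many failed logins.
*/

const EX_MAX_ATTEMPTS    = 5;                       // assumed limit
const EX_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;  // assumed lockout length

// Transient key for the requesting client. Assumes no reverse proxy in front of PHP.
function ex_client_key(): string
{
    return 'ex_login_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Count failures. WordPress fires this for every rejected login attempt.
add_action('wp_login_failed', function (string $username) {
    $key   = ex_client_key();
    $fails = (int) get_transient($key) + 1;
    // Each failure restarts the window, so a persistent bot stays locked out.
    set_transient($key, $fails, EX_LOCKOUT_SECONDS);

    if ($fails === EX_MAX_ATTEMPTS) {
        wp_mail(
            get_option('admin_email'),
            'Login lockout',
            sprintf("%s was locked out after %d failed logins (last username tried: %s)",
                $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails, $username)
        );
    }
});

// Refuse authentication while locked out. Priority 30 runs after WordPress's own
// username/password check (priority 20), which would otherwise overwrite an earlier error.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(ex_client_key()) >= EX_MAX_ATTEMPTS) {
        return new WP_Error('ex_locked_out', __('Too many failed logins. Try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(ex_client_key());
});
```

Because the filter returns an error even when the password was right, a locked-out attacker learns nothing from a lucky guess during the window. Pair this with the renamed login page and a passphrase from the earlier tips and brute-force attempts become noise in your logs rather than a risk.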