Introduction
We use the WordPress CMS, which is an extremely secure platform but can be made insecure if it is not managed correctly. For example, weak passwords, vulnerable themes and plugins, and out-of-date software can all undermine security.
If you have a website hosted with us or are thinking of doing so, you don’t need to worry about any of this: we can manage it for you. This article is intended as a backgrounder for anyone concerned about or interested in the security of their website.
Why do hackers attack sites?
Hackers attack sites for a variety of reasons:
You may not even be aware of these if they are not visible on the site.
The WordPress Security Team
WordPress has a security team of about 50 people, including lead developers and security researchers; you can read more about their work here:
The WordPress Security Team
Selecting Themes and Plugins
Care needs to be taken when selecting themes and plugins. Firstly, I would select themes and plugins from a reputable source such as the WordPress UI. Consider the following:
Backups
A backup is an exact copy of your website: all the files and folders that make up the site, plus the database. Backups need to be taken at regular intervals, typically once a day for 30 days. If the site is hacked, the worst-case option is to restore the site from the backup.
Strong Passwords and Unique Usernames
Strong passwords have a minimum length and include a random selection of upper and lower case letters, numbers and symbols. You won’t be able to remember a password like this, so it needs to be stored securely; a password manager is an optional way of storing and retrieving it.
Do not use standard usernames such as ‘admin’; this gives away 50% of the login information.
Code, Comments and Links
Code can be embedded into a page, for example to display a YouTube video. Care needs to be taken to ensure that any code inserted is from a reputable source.
Additional care will need to be taken if your site allows comments. You can allow visitors to submit their comments as drafts which you then check and approve. In this case you’d want to check each comment for any inserted code.
Disallow links unless they add value to your site. Any outbound link should be set as nofollow, i.e.
<a href="https://yourwebsite.com" rel="nofollow">Your Text</a>
A ‘nofollow’ link tells Google to ignore the link, so it probably doesn’t impact your page’s ranking.
HTTPS vs HTTP
Sites should be using https, not http. If http is used, the browser will show a warning indicating that the site is not secure. If https is not yet in use, it can be configured via the hosting software.
To check, look at the address bar in your browser to see whether your site is loaded over http or https; the browser will issue a security warning if http is used.
Brute Force Attacks
A brute force attack is where a hacker’s software repeatedly guesses username/password combinations until it succeeds. Security plugins can be useful to protect against this type of attack: an IP address can be blocked after a certain number of failed attempts for a defined period of time. Some plugins also check for known troublesome IP addresses and block them immediately, though this will affect performance.
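To show what the “block after a number of failed attempts for a defined period” rule actually does, here is an added illustration in Python (not code from this article or from any WordPress plugin): a sliding window of failed logins per source address, a block that expires after a set period, and a constructed sequence of login events replayed through it. The thresholds and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed inside the window (assumed threshold)
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long a blocked address stays blocked

class LoginGuard:  # tracks failed logins per source IP and blocks an address after too many
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which its block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.blocked_until[ip]          # block has expired: start with a clean slate
        self.failures[ip].clear()
        return False

    def record(self, ip, success, now):
        """Process one login attempt and return 'blocked', 'locked' or 'allowed'."""
        if self.is_blocked(ip, now):
            return "blocked"                # a correct password is refused while blocked
        if success:
            self.failures[ip].clear()       # a good login resets the counter
            return "allowed"
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:
            window.popleft()                # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + LOCKOUT_SECONDS
            return "locked"
        return "allowed"

def replay(events):
    # Feed (seconds, ip, success) events through one guard and return its decisions
    guard = LoginGuard()
    return [(t, ip, guard.record(ip, ok, t)) for t, ip, ok in events]

# Constructed sample events: (seconds since start, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False), (20, "203.0.113.7", False),
    (30, "203.0.113.7", False), (40, "203.0.113.7", False),  # 5th failure: locked out
    (50, "203.0.113.7", True),                                # right guess, still blocked
    (60, "198.51.100.2", False), (70, "198.51.100.2", True),  # an ordinary user's typo
    (1000, "203.0.113.7", True),                              # lockout expired: allowed
]
```

Calling `replay(SAMPLE_EVENTS)` shows the attacker locked out on the fifth failure and refused even with the right password until the lockout expires, while the user who mistypes once is unaffected.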
2 Factor Authentication
Some security plugins provide 2 factor authentication, which sends a code to your phone that must be entered as well as the username and password. This makes the site extremely secure, but it can be a bit annoying and awkward if you lose your phone.