Although we hope that the internet is becoming safer by the day; web security is an increasing concern for all. Our virtual identities run parallel to our real ones and protecting them both is vital.
There are a few easy first steps you can take to keep your WordPress website as secure as possible:
This might seem obvious but it’s easily overlooked: make your password as strong and obscure as possible. We certainly hope you’re not using “abcdefg” but if your password is weak, you are essentially handing the keys over to hackers to steal all of your information.
- Combine upper and lower case letters, numbers, and symbols
- 8+ characters long
- Use made-up phrases
- Do not use complete dictionary words (ie: watermelon, dog, candle)
- Change your passwords regularly
Did you know that the average person has 26 passwords to remember? Make it easier on yourself and use a service like LastPass that vaults all of your passwords in one spot making it easy for you to access them at any time.
Also known as TFA or 2FA, two-factor authentication is becoming the new normal. TFA adds an additional layer of security and reduces the chances of your website getting hacked.
There are many different WordPress plugins that make implementing TFA easy. Check out Google Apps login by MiniOrange or Google Apps Login by Lever Technologies for more information.
Read: Why Your Website is Labeled “Not Secure” by Google >>
An SSL is a secure sockets layer and it adds a number of security layers to your website. It encrypts sensitive information, provides authentication, provides trust, and last but not least, it’s required for PCI compliance.
Core updates are absolutely necessary to keep your WordPress website secure. Hackers look for vulnerabilities within your website to attack. When your core WordPress files are left out-of-date they act like huge signs to hackers that say “Come on in! You’re welcome here!” Security breaches on WordPress occur predominantly because core files or plugin files are left un-updated, signifying to hackers that your information can be easily accessed.
Hide your Login Page
If possible, hide your login page. If your website is not a membership site and logins are limited to a few users, there is no reason for your login to be visible on your website. If your website needs to allow users to login then this suggestion will not work for you.
User Enumeration Protection
When you forget your username or password, many websites will say “Username incorrect” or “Password incorrect”. These messages help attackers determine the validity of a username. When an attacker knows a username is valid, they can then start a brute force attack to break in. To prevent this, it’s ideal if usernames are not easy to find out.
- Make sure your HTTP response and the time taken to elicit a response are identical when a username is incorrect and when a password is incorrect
- Incorporate CAPTCHA is usernames are not email addresses
- Do not reveal usernames on “forgotten password” pages
As our web strategist, Calvin, says, “Hope for the best, plan for the worst. Website security is your plan for ‘the worst’.”
Is your website secure? Reach out to us today. We’d love to chat!