Every day we hear scary news on the internet about a major site being hacked, a database being leaked, or web servers being compromised, and it freaks everyone out. What to do? Who's to blame? How to secure your site? Let's put some thought into these questions.
Why get serious about WordPress security?
Every day security researchers make us aware of new web attacks, but why all the security talk? Because security is a never-ending responsibility for any WordPress site owner. In fact, it's an ongoing responsibility for every internet user, whether you're using WordPress or not.
If you don't have a technical background, the risks and safeguards can be a little complicated, and I know that security can sometimes be a nebulous, obtuse topic. Okay, enough beating around the bush; let's discuss the main points.
photo credit: thisismyurl
1. Create & Maintain strong passwords
I hope you're all aware that the most common web application attack on your login panel is the brute force attack (similar to a dictionary attack). Let's kick off the list with the easiest step you can implement immediately. I expect you already have strong passwords!
If not, go to your panel and create strong passwords now. Take this seriously: attackers guess common password patterns against your login panel. Create a password of at least 10 characters with a strong mix of numbers and letters, capitals and lowercase; if you also add a special symbol, that's enough to throw attackers off!
2. Protect against brute force attacks
As discussed in the previous point, brute force attacks are a serious matter. Here are some helpful steps to protect against them.
First, your web host should be helping to protect you from brute force attacks.
Second, make sure you've checked off tips 1, 2, and 3 above.
Third, there are programs that can be installed (such as Limit Login Attempts) that will make it much more difficult for brute force techniques to work.
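To make the Limit Login Attempts idea concrete, here is an added example (my own code, not the plugin's) that counts failed wp-login.php attempts per source IP over a sliding window and reports which addresses would be locked out. It assumes the combined access-log format, that a failed login POST is answered with a 200 (the form is shown again) while a successful one redirects with 302, and a threshold of 4 failures in 20 minutes; the log lines are constructed.

```python
"""Limit-Login-Attempts style lockout logic, run over constructed access-log
lines. Added example, not the plugin's code. Assumptions: combined log
format, a failed wp-login.php POST answered with 200 (form re-rendered) and a
successful one with a 302 redirect, and the threshold and window values."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 hammers the login form, 198.51.100.4
# logs in normally once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:13:55:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

MAX_FAILURES = 4                 # assumed: lock after the 4th failure in the window
WINDOW = timedelta(minutes=20)   # assumed: failures older than this are forgotten


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_failed_login(entry):
    """A POST to wp-login.php that came back 200 means the form was shown again."""
    _ip, _ts, method, path, status = entry
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200


def find_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Sliding-window count of failures per IP; returns {ip: time of lockout}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    locked = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_failed_login(entry):
            continue
        ip, ts = entry[0], entry[1]
        window_q = recent[ip]
        window_q.append(ts)
        while ts - window_q[0] > window:   # drop failures that fell out of the window
            window_q.popleft()
        if len(window_q) >= max_failures and ip not in locked:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} at {when.isoformat()}")
```

Run it against a real access log by passing the file contents to find_lockouts. Two caveats a plugin or host-level rule also has to deal with: many users behind one NAT or proxy share an IP, so a low threshold can lock out legitimate staff, and a distributed attack that spreads attempts across many addresses stays under a per-IP threshold, which is why the strong password from tip 1 remains the real defence.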
3. Always keep your site up to date
Never ignore WordPress updates: they are released to fix bugs, introduce new features, and most importantly to patch security vulnerabilities. Don't assume that your site is secure or that WordPress will protect it for you; nobody has time for that. It's your responsibility to keep your WordPress installation updated.
I know that many of you feel trepidation when it comes to updating WordPress; you're afraid it might break your theme or corrupt a plugin's functionality. Well, I'll say this: if you're afraid of updating, then you need to re-evaluate your theme and plugin strategy.
Do not install any third-party or suspicious plugins! They can compromise your WordPress site. Stay up to date and regularly audit your plugins, site, server, etc.
4. Protect your WordPress admin access
The most common username found on WordPress sites is "admin". Because it's so common, an attacker only needs to guess the password. On its own, that certainly isn't going to hurt you badly.
Hackers can find usernames fairly easily from blog posts or elsewhere. More important than the specific admin username is making sure that every account on your site with administrator access is protected by a strong password. Yes, I'm referring you back to #1 in this list, as I've said.
5. Choose the right web hosting
I've already made you aware of server-side scanning. One major security risk is simply being on a shared server. Think about it: take the security risks inherent in your own WordPress installation, then multiply them by the number of sites on the server. If you go with generic hosting, chances are you're going to be lumped in with hundreds and hundreds of other websites. It's a pretty boring topic, but have patience for a moment and protect yourself.
Also, find a host that doesn't get complacent about security. Your own VPS may not be the right option for you, and your traffic may not necessitate it. That's fine. But if you're going to be on a shared server, make sure it's shared with just a small number of sites. Our shared servers have no more than 10 sites on a hosting stack that has proven safeguards in place to protect it.
6. Monitor for malware
It's really very important that you have some kind of program in place to monitor your site for malware. Choose a program or method that can actually dive into your file structure and detect deep breaches, rather than one that just shows you where you're vulnerable.
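One simple way to "dive into your file structure" is a file-integrity baseline: hash every file under the WordPress root, store the manifest somewhere the web server cannot write, and diff on every later run. The following is an added example written for this article, not the code of any particular scanner; the tiny site it builds and tampers with lives in a temporary directory and is constructed.

```python
"""File-integrity baseline for a WordPress tree: hash every file, keep the
manifest, and on later runs report what was added, removed or modified.
Added example, not the code of any particular scanner; the directory layout
in the demo is constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Store the baseline outside the web root so an intruder can't rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two manifests; 'modified' means same path, different hash."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo_compare():
    """Constructed scenario: baseline a tiny site, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-content" / "plugins").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content" / "plugins" / "hello.php").write_text("<?php // plugin\n")
        baseline_path = Path(tmp) / "baseline.json"   # kept outside htdocs
        save_manifest(build_manifest(root), baseline_path)

        # Simulated breach: a core file is modified, a plugin is removed and a
        # PHP file appears under uploads, where no PHP should ever live.
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n// injected\n")
        (root / "wp-content" / "plugins" / "hello.php").unlink()
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // unexpected\n")

        return compare(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo_compare(), indent=2))
```

In practice you would run build_manifest right after a clean install or update, save the result outside the document root (or off the server entirely), and schedule the comparison. Legitimate updates and uploads will show up too, so re-baseline after each update you performed yourself and treat anything else, especially a .php file appearing under wp-content/uploads, as something to investigate.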
7. If you find malware, do something about it
Just monitoring for malware is not a solution. The solution is what happens once malware is detected. You might feel a little threatened: Am I already hacked? Am I being watched?
A couple of the oft-overlooked “true costs” of WordPress ownership are those associated with downtime due to security issues and cleaning up those issues. This is part of the value proposition that should be rolled into your managed hosting provider’s offering.
8. Clean your site like you clean your car and kitchen
That's the main issue with bloggers: they leave traces behind, such as compromised plugins and leftover code.
If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security breach.
A messy site also makes it much more difficult for security professionals to operate should your site be compromised, and that's not a risk worth taking.
So please clean up and organize your file structure and directories like you would your kitchen or car. It will help keep you safe.
9. Control sensitive information
After you've done that cleanup of your file structure, check to make sure you're not leaving bits of valuable information available for all the world to see. For example, the readme.html file by default states which version of WordPress you're running. If you're running an older version of WordPress with a known security hole, hackers will find you and deface your site.
Likewise, look into your phpinfo.php or i.php files. They'll tell a hacker everything about your setup and serve as a "road map to the house" before they plan to break in.
Most importantly, do not leave .sql database backup files on your web server. If a hacker can download your entire database, they'll have every username and password hash.
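To check a document root for exactly the leftovers listed above, here is an added example (my own code, not WordPress's or any plugin's) that walks the tree, flags readme.html, phpinfo.php, i.php and any .sql file, and pulls the version string out of readme.html so you can see what a visitor would learn. The file list comes from this article; the demo tree and its version number are constructed.

```python
"""Scan a WordPress document root for files the article says should never be
public: readme.html (reveals the version), phpinfo.php and i.php (reveal the
setup) and .sql dumps. Added example, not WordPress's or any plugin's code;
the name list is taken from the article and the demo tree is constructed."""
import os
import re
import tempfile
from pathlib import Path

# What to flag and why (taken from the article's examples).
SENSITIVE_NAMES = {
    "readme.html": "reveals WordPress version",
    "phpinfo.php": "reveals PHP and server configuration",
    "i.php": "reveals PHP and server configuration",
}
SENSITIVE_SUFFIXES = {".sql": "database dump with usernames and password hashes"}

# readme.html prints the version as "Version X.Y.Z" in its heading.
VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def classify(name):
    """Reason a file name is risky, or None if it is not on the list."""
    lower = name.lower()
    if lower in SENSITIVE_NAMES:
        return SENSITIVE_NAMES[lower]
    for suffix, reason in SENSITIVE_SUFFIXES.items():
        if lower.endswith(suffix):
            return reason
    return None


def find_exposed(root):
    """Walk root and return sorted findings [{path, reason[, wordpress_version]}]."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason is None:
                continue
            full = Path(dirpath) / name
            finding = {"path": full.relative_to(root).as_posix(), "reason": reason}
            if name.lower() == "readme.html":
                match = VERSION_RE.search(full.read_text(errors="ignore"))
                if match:
                    finding["wordpress_version"] = match.group(1)
            findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def demo_scan():
    """Constructed document root with the article's three kinds of leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backups").mkdir()
        (root / "index.php").write_text("<?php // fine\n")
        (root / "readme.html").write_text(
            "<h1><img alt='WordPress' /><br /> Version 4.9.8</h1>\n")  # constructed
        (root / "phpinfo.php").write_text("<?php phpinfo();\n")
        (root / "backups" / "site-2023-10-10.sql").write_text("-- dump\n")
        return find_exposed(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Point find_exposed at your real document root to get the same report. For anything it finds, the fix is to delete the file or move it outside the web root; backups in particular belong somewhere the web server cannot serve them at all, since a deny rule in the server configuration is only as good as the next misconfiguration.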
10. Stay vigilant, aware and alert!
Always be aware and alert while using your WordPress site, and don't trust fake plugins and files. You don't need to understand the intricacies of a DDoS attack, but when an issue like the TimThumb fiasco rears its ugly head, are you aware of it? Early detection is the best prevention. You should be with a managed WordPress host who has your back, but it never hurts to keep watch yourself too.
Most importantly, we need to respect the critical nature of taking website security seriously.