Data breach is serious stuff. 2.6 terabytes of data, 11.5 million documents, and over 214,000 shell companies were exposed in what is considered as the largest data lead in history - the Panama Papers leak. And what led to this? Outdated WordPress and Drupal installations.
Mossack Fonseca, the Panama law firm entrusted to protect assets of prominent people through shell companies experienced firsthand how devastating data breaches caused by lax cyber security.
Their WordPress-powered site was said to be three months outdated while their Drupal version was surprisingly three years old too.
This is very serious because security updates are released every now and then for the very purpose of protecting the sites and missing three years of update may cause serious security problems, and it really did.
Mossack Fonseca learned the hard way how outdated versions of websites pose grave problems. That is why it is extremely important that all websites, including all the tools that come along with it, are kept updated not only with the latest features, but also of security protocols. Companies who hold very sensitive information, especially big ones should be mindful of this to prevent a dreadful incident such as a data breach.
Most data breaches target banks, government sites, e-commerce sites, and websites of big companies. This is because it is with these that the hackers can gain something.
They can either get money directly by transferring from an unsuspecting person's account to the hacker's account, or by using a person's credit card information to purchase often luxurious items, or to get the public's attention about a cause they are fighting for. This is the reason why these companies must take their cyber security seriously.
Whether you are from a small company or a big one, you can follow the following tips in order to keep hackers at bay, maintaining the security of your WordPress Site:
Please note that some of the links provided in this article may be affiliate links and we will earn commission if you buy their products through our links.
1. Use Strong Passwords and Change Your Admin Username
The password for your administrator should be hard to crack. The simpler the password, the easier it is for hackers to guess it. By all means, please avoid using "123456", "password", "admin" as your password because these are very easy to crack.
A Strong Password Is Long Enough , has both uppercase and lowercase letters, numbers, and punctuation marks. In as much as possible, your password should be readable, but do ensure that you can remember it. Also, never write your password on a notepad and paste it on your computer.
Also remember to change the admin username. It is set to "admin" by default change it.
If you're looking for a plugin for your WordPress site, you can use Loginizer to help fight against bruteforce attacks. You can manually blacklist or whitelist any IPs through this plugin. It helps strengthen your security starting from the login page itself.
On the other hand, you can check the recommended security settings for cPanel . It has standard recommendations on Tweak Settings, Security Settings, EasyApache configuration, and on the Global Configuration checklist. You can rely on these recommendations since it's updated regularly.
Prevention is better than resolving a security attack. It's better to limit user access on your end so rogue hackers won't have an opportunity to get inside your WordPress site.
Recommended Tool: Random Password Generator, Strong Password Generator
2. Update Regularly
WordPress updates regularly. Updates include bug fixes, better features, and improved security. WordPress' core team are keen on keeping WordPress safe from vulnerabilities as soon as they are discovered.
Your WordPress Site is as safe as it can be the moment you create yours but to keep it that way, you must update as soon as you are informed of the availability of updates.
If you don't take a little time and effort to apply these updates, you are leaving your site open for hackers to take.
In order to update your version of WordPress, go to Dashboard, then select Updates. If you have Multisite installs, go to the network admin's dashboard, then select Updates, then select Available Updates.
On the other hand, if you're too lazy to browse through the Updates page of your WordPress site, it is recommended that you configure your site to automatically install updates .
3. Utilize Security Plugins and Other Trusted Plugins and Themes
Security plugins are made to help you keep your WordPress site safe. If you haven't used a security plugin, then try one now and be surprised at just how your WordPress site may already be the target of hackers.
And speaking of plugins (and themes), make sure that you are only using trusted plugins and themes for your WordPress site. WordPress is home to countless plugins and themes but ensure that the one you will be using are from trusted sources.
Never, ever, download premium plugins from unknown sources like shady websites that offer it for free, or from torrent sites. These are likely injected with malware that could damage your site.
This warning is also applicable to downloading premium themes from unknown websites.
Related: 15 Essential WordPress Security Plugins
4. Security Socket Layer (SSL), Secure FTP, and Secured Shell Access Can Help You.
Instead of "http://" secured websites are now starting with "https://" all thanks to their SSL certificates. Once you are using SSL, your site is secured and your connections is encrypted.
And to keep your files safe, use a secured file transfer method either through SFTP or SSH.
To give you a quick idea, these are the best practices in implementing SSL for WordPress sites:
- Select a reputable, trusted web host (ex. BlueHost) with white labeled IP. Search for reviews before you purchase a plan from a web host provider.
- Purchase SSL Certificates from trusted Standard Resellers
- Opt for a Content Distribution Network (CDN) that is SSL enabled.
- Set up proper .htaccess redirects
- Communicate with third party services you'll be using, like payment gateways.
- Never serve the website in both HTTPS and HTTP URLs. Choose to go with HTTPS. Data encryption isn't only called for eCommerce site. Whenever you collect personal information, from a simple subscription to sign ups, you're better off with HTTPS.
5. Limit File Permissions and Access To Important Pages
To ensure that hackers cannot access sensitive information, keep the access to your files very limited.
Also, keep the admin dashboard and login page at maximum security because after having hacked these pages, they can get access to your entire site.
There are numerous plugins that you can use to limit permission within the admin area, especially for a site with a large number of users. These are well-recommended plugins that can help you limit access and permission to your dashboard.
Check out this guide if you need to strengthen your WordPress site . This comprehensive guide on setting up security precautions covers every concern when it comes to security. You can regulate file permissions, database security, backups, logging, monitoring and more.
These are just some tips that can help you keep your WordPress site safe from hackers. Always remember that it is better to be extra safe than in doubt, no matter how small or how big a company you may be a part of.
Keep your website safe from data breaches. And remember, it is better to be safe than sorry. Follow our tips now and protect your WordPress site free from hackers!
See Also: Smart Tips on WordPress Security - How to Improve WP Security