WordPress is an interesting platform. It’s fully open-source, so anyone can take it, look at the code, change it, sell it, give it away for free, etc. Many people feel that this leaves it vulnerable to hackers who can find security holes in the code and take advantage of them.
But I feel that this open nature is its strength. Thousands of well-intentioned eyes are on the code every day. Coders frequently submit vulnerabilities to the WordPress team to help them fix it up.
But it is true that there are hackers trying to find holes in the code every day, as well. So it’s important to at least take some basic steps to keep malicious actors out of your site.
Here are 3 basic steps you can take to enhance your security
1. Strong password (and not-so-obvious user name)
One of the ways hackers attack WordPress sites is called “Brute Force.” They use a bot to try a new username and password thousands of times, over and over until they can log in. So I’m sorry to say this, but if you can remember your password, it’s probably too weak. These bots can figure out passwords that make enough sense for your brain to remember.
But if you use a truly strong password, you can make it nearly impossible for hackers to randomly guess. Try one of these two methods for a strong password:
- The WordPress “generate password” button — you can find it in your WordPress profile editing screen.
- Norton’s password generator: https://my.norton.com/extspa/idsafe?path=pwd-gen
I recommend turning on all the character options and using 30+ characters.
2. Keep your code updated
We’ve heard a handful of “I got hacked!” stories, both from acquaintances and from customers who reached out to us for help. In my evaluation, all of those cases have one thing in common: the site owners were not updating their WordPress installations!
One customer we helped was running code that was easily 5+ years outdated. His site was hacked twice and flagged by Google as a deceptive, dangerous site.
What should you do?
WordPress is made up of 3 parts, and they all need to be updated from time to time.
- The WordPress core — the engine that runs everything
- The theme — this controls the main style and features of your site
- Plugins — these give your site extra functionality
Update these at least every 3 months. Although sometimes critical security updates come out, which should be updated immediately.
These updates are simple to perform for any site owner, but there is always a risk of breaking the site. If you’re not prepared to repair a broken site, it could be down for hours or days until you can get help.
Our Hoshu Plan
We perform these updates for customers of our Hoshu Plan. They get the most up-to-date code without any worries of a broken site, because we take measures to repair any issues quickly, as they occur.
3. Security Salts
I was hesitant to add this to the list because, while simple, it does require some expertise. But I think it fits here as a fundamental step that can add serious power to your security.
Security salts are complicated sets of characters that help with encryption. They get mixed into your password, cookies, and other critical data. They make this data unreadable to anyone who manages to steal it as it travels between your computer and the server.
Setting them is as simple as visiting a web page (https://api.wordpress.org/secret-key/1.1/salt/), and copy+pasting the randomly-generated text into a file.
Some caution and expertise is required though, because you have to edit a raw file on your server.
This is another step that we include in our Hoshu Plan.
While there are more steps one can take, these three are absolutely essential, and should be done for every WordPress site.
Reach out to us if you’re concerned about your own site and would like to know more about our Hoshu Plan!