In this article I will give some pointers on how you can prevent a security breach, and avoid being another statistic.
Stay up to date
Personally, I believe the most important aspect of security is staying up to date. Realize that a cyber attack can come from any angle. Whether it be on your server, home computer, or even your mobile phone – you need to stay current. If you decide not to stay up to date on any platform, it isn’t a question of if your server can be compromised, it’s a matter of when. You can spend a million dollars securing your website, yet it’s all for nothing if there is a key-logger on your computer or phone that will swipe your login details because you didn’t think updating your antivirus was a priority.
If you really need to, plan a day at least once every two weeks to sit down and update everything. Your server, your personal information, and potentially your customers, will be much better off.
Use different and secure passwords, and good security questions
This seems really obvious, but most people just don’t do it. Your passwords are probably weak. I think the brutally honest approach is the best way to break this habit. The bottom line is, your best bet is choosing something completely unrelated to your life and then throwing in random numbers – or something to that effect. Even the WordPress Codex backs me up on this one: the weakest link in your site’s security is you. You can learn more about brute forcing passwords right from wordpress.org here.
Add extra layers of protection to your site and home network
Use SFTP as opposed to FTP to transfer files; that way your password and data are encrypted when they are transmitted to your site. Don’t do anything sensitive on public WiFi, and keep an eye on your home network too. If you’re using WEP encryption to secure your router, I could crack into it in under 15 minutes and start sniffing traffic. Hackers can too. Switch to WPA2 encryption for your router. It takes two minutes, and it isn’t practical for hackers to break into.
Also, installing some form of brute force protection on your admin panel is never a bad idea. Brute forcing means trying thousands and thousands of passwords, taken from a predefined wordlist or generated on the fly, with the intent of getting into your account.
Hackers, and even automated bots, could very well be trying to access your site right now, and you would have no idea. A simple plugin can prevent this, and there are plenty out there for free. Jetpack includes something like this, but find something specialized, because I can tell you from firsthand experience that it isn’t bulletproof.
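To show what such a plugin is actually looking for, here is an added example (not code from the original post or from any plugin): a small Python script that reads web server access-log lines and flags any client IP that posts to wp-login.php in a burst. The log lines, IP addresses and the five-attempts-in-five-minutes threshold are all constructed for illustration.

```python
"""Spot login brute-force bursts in a web server access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log lines; the sample below is constructed, not real traffic.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()

def parse_line(line):
    """Return the fields we need, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def flag_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> largest number of POSTs to wp-login.php seen inside `window`,
    for IPs that reached `threshold`. WordPress answers a failed login with 200 and a
    successful one with a 302 redirect, so the count covers both; the burst is the signal."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Run `flag_login_bursts(SAMPLE_LOG)` on the sample and only 203.0.113.5 is reported, with 5 login POSTs inside the window; the one legitimate login from 198.51.100.7 is left alone. A plugin does the same bookkeeping in real time and then throttles or blocks the offending address.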
Manage your access
WordPress, and many other content management systems, offer the ability to have different user roles. If you are managing a large WordPress site, not everyone needs to be an administrator. Contributor and Editor roles allow a user to add/change content, without giving access to the nitty-gritty stuff that could damage your site. If editing and posting content is all a user needs access to, give them a lower level account.
Be very picky about who you give an account to. Even your best friend with good intentions can accidentally leave the admin panel logged in when working somewhere. When it comes down to it, no one will be as protective as you (should) be about your site.
I’ve tried to keep everything here short, sweet, and not so technical. I keep it that way so an average person has a decent shot at securing their site. WordPress is, in fact, a beginner platform. If you follow my blog, at some point I will get into the nitty-gritty technicalities of securing a site. Until then, remember – thinking you have nothing to hack or steal doesn’t mean it won’t happen. Your site could very well just be used as a launching point to attack other sites. The possibilities are limitless. Stay safe.