Website Security
Before installing WordPress, here are a few basic points to help you secure your site against the most common attacks by hackers. It’s important to know them before you actually install WordPress, as some of these measures can be applied during the installation itself.
NB: The idea with security is to manage the risk.
Backup and restore
Make sure that your hosting company has a backup and restore service AND that it is switched ON. Some hosting companies expect you to configure your own backups. The backup must include the website files and the database, as well as your email.
NB: Note that hosting companies do not guarantee that their backup service will hold a working backup of your site. If the files in the backup system become corrupt, they can’t restore the site. Always keep your own backup, and do not rely only on the hosting company.
You will be surprised how many people I have spoken to who did not realize that their website had been hacked. Then, when they contacted the hosting company, there was no clean copy of the site in the backup.
Use security plugins
These are made specifically for WordPress, for example Wordfence and Sucuri (Sucuri also offers an online scanner).
Follow WordPress best practices when securing the site.
• Use a secure password.
• Avoid commonly used ones, e.g. 123456, password, the dog’s name, etc.
• The most vulnerable part of WordPress is its users.
• Select a secure username/password, i.e. not “admin” as the username.
• Give other users only the limited access to your site that they need.
Use a good hosting company
• Big is not always best.
Upgrading WordPress
• WordPress releases regular updates to the core files, e.g. bug fixes, security patches, and improvements to the platform.
• Make sure you’re always running the most up-to-date version
• WordPress makes it easy to upgrade using the automatic upgrade feature.
• To do an automatic upgrade, when a new version of WordPress is released, you will see a notification at the top of your WordPress Dashboard. Click “Please Update Now”.
As a reminder, be sure to always back up your site and files before making any changes to the core! Ask your hosting company for a .zip file, or create one yourself via cPanel/KonsoleH. A great alternative is to use a service like backupbuddy or managewp.com for backups.
WARNING: The upgrade process will affect all files and folders included in the main WordPress installation. This includes all the core files used to run WordPress, two plugins (Akismet and Hello Dolly) and the default themes included with WordPress. If you have made any modifications to those files, your changes will be lost.
Tip: To prevent this kind of data loss, it’s recommended that you use a child theme for any modifications.
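The Backup and restore section and the reminder above both say to keep your own backup of the files AND the database. As an added example (not from the original article), here is a small POSIX shell script that does exactly that, reading the database credentials from wp-config.php so you dump the same database WordPress uses; the paths in the usage comment are placeholders, and it assumes mysqldump is installed on the server.

```shell
#!/bin/sh
# Added example: self-made WordPress backup of files plus database.
# Assumes the standard wp-config.php layout: define( 'DB_NAME', 'value' );
# (values containing a quote character are not handled by this simple parser).

# Print the value of one define('KEY', 'value') line from wp-config.php.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name, e.g. DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole WordPress directory (wp-content holds themes, plugins and
# uploads, which the hosting company's core-only backup may not cover).
# Prints the path of the archive it created.
backup_files() {
    # $1 = WordPress root directory, $2 = destination directory
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/files-$stamp.tar.gz"
    mkdir -p "$2" || return 1
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    printf '%s\n' "$archive"
}

# Dump the database with the credentials WordPress itself uses.
# Prints the path of the dump it created.
backup_db() {
    # $1 = path to wp-config.php, $2 = destination directory
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="$2/db-$stamp.sql"
    mkdir -p "$2" || return 1
    # The password is passed through the MYSQL_PWD environment variable rather
    # than on the command line, so it does not show up in the process list.
    MYSQL_PWD="$(wp_config_value "$1" DB_PASSWORD)" \
    mysqldump --single-transaction \
        -h "$(wp_config_value "$1" DB_HOST)" \
        -u "$(wp_config_value "$1" DB_USER)" \
        "$(wp_config_value "$1" DB_NAME)" > "$dump" || return 1
    printf '%s\n' "$dump"
}

# Usage (hypothetical paths):
#   backup_files /var/www/html /home/me/backups
#   backup_db /var/www/html/wp-config.php /home/me/backups
```

Copy the resulting archive and dump somewhere off the server (your own machine or separate storage), otherwise a hacked or corrupted host takes the backup down with the site.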
Why do people hack websites?
Curiosity
Some hackers are driven by the desire to understand how things work. One example is an American teenager who managed to bring down the CNN and Yahoo websites a few years ago. He started the hacking process on his home computer, then went to school and forgot about it. Only when he returned home did he hear the news and realize he was to blame. He was caught, by the way.
Money
Hacking into a website where credit card details or email details may be stored. These are resold on the black market.
Politics
The Stuxnet virus was used to infiltrate Iran’s nuclear power facilities.
Anonymous – They hack websites in order to draw attention to causes they believe in, like opposing child pornography.
Vandalism
Some do it because they want to destroy property. Many times they may leave a message that says something like “Your website security is bad, so we hacked it as a warning”. It’s like saying I am going to scratch your car because it’s dirty.
Ego
To show other hackers your abilities.
Can you avoid getting hacked 100%?
A website can be 100% hack proof, but then you will need to disconnect it from the Internet, which obviously makes the site useless. The risk that your website will be hacked must be managed; unfortunately it cannot be eliminated altogether.