Simple Ways to Secure and Maintain your WordPress Website
“Why Would Someone Hack My Site”
Sites get hacked both for fun and for profit.
The majority of hacks are automated and target vulnerabilities rather than your specific site.
Types of Hackers:
Script Kiddies: generally known as unskilled individuals who use scripts or programs developed by others to attack computer systems, networks, and deface websites.
Botnets: collections of Internet-connected programs communicating with other similar programs in order to perform tasks… often used to send spam email or participate in distributed denial-of-service (DDoS) attacks.
Botnets are used for profit (holding sites hostage) or for political reasons.
How Often are Web Sites Hacked?
In 2013, Forbes ran an article stating that Sophos had identified 30,000 websites being hacked every day!
In December 2014, over 100,000 WordPress sites were hacked due to a security vulnerability in the Slider Revolution plugin.
Denial Of Service (DoS) attacks
From Wikipedia:
“In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
As clarification, distributed denial-of-service attacks are sent by two or more people, or bots, and denial-of-service attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.”
How do WordPress Sites Get Hacked?
First, it’s important to understand that your WordPress website is a collection of programs (or apps).
Just like your computer, you need to update it regularly, mainly to get security vulnerabilities patched.
Watch Out for:
● Outdated version of WordPress.
● Old versions of themes with security vulnerabilities.
● Old versions of plugins with security vulnerabilities.
● Use of easy-to-crack passwords: “password”, “123456”, “qwerty”, “11111”, “iloveyou”, “admin”
Backup – Backup – Backup!!!
Back up regularly! Back up your database, uploads, and custom code.
Do a full backup at least weekly.
Do a full backup daily if you change your site frequently (such as an ecommerce site).
Backup Plugins/Services:
VaultPress: https://vaultpress.com/
iThemes BackupBuddy: https://ithemes.com/purchase/backupbuddy/
UpdraftPlus: https://wordpress.org/plugins/updraftplus/
Where do I back up to?
● Dropbox
● VaultPress
● Amazon
● Google Drive
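The backup advice above (database, uploads, custom code, done on a schedule) can be scripted so it runs without anyone remembering to click a button. The block below is an added example, not code from this deck or from any of the plugins listed: it archives wp-config.php and everything under wp-content, dumps the database with mysqldump using the credentials parsed from wp-config.php, and writes a SHA-256 manifest so a restore can be checked before it is trusted. The site layout, the mysqldump invocation and the file names are assumptions; the demo at the end builds a constructed mini site so the archive-and-verify path runs without a database.

```python
"""Back up the parts of a WordPress site that cannot simply be re-downloaded
(wp-config.php and wp-content: uploads, themes, plugins, custom code) plus the
database, and write a SHA-256 manifest so a restore can be verified.
Added example, not the page's code; mysqldump usage and paths are assumptions."""
import hashlib
import os
import re
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path

# wp-config.php stores credentials as define('DB_NAME', 'value'); lines.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Return the DB_* constants defined in wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))


def mysqldump_command(db):
    """argv for mysqldump; the password goes in MYSQL_PWD, never on the command line."""
    return ["mysqldump", "--single-transaction", "-h", db.get("DB_HOST", "localhost"),
            "-u", db["DB_USER"], db["DB_NAME"]]


def dump_database(db, out_path):
    """Write a SQL dump of the site's database to out_path (needs mysqldump on PATH)."""
    env = dict(os.environ, MYSQL_PWD=db.get("DB_PASSWORD", ""))
    with open(out_path, "wb") as fh:
        subprocess.run(mysqldump_command(db), check=True, stdout=fh, env=env)


def archive_site(site_root, dest_dir, include_db=True):
    """Create wp-backup-<stamp>.tar.gz and a matching .sha256 manifest in dest_dir.
    Returns (archive_path, manifest_path)."""
    site_root, dest_dir = Path(site_root).resolve(), Path(dest_dir).resolve()
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    manifest = dest_dir / f"wp-backup-{stamp}.sha256"
    files = [site_root / "wp-config.php"]
    files += sorted(p for p in (site_root / "wp-content").rglob("*") if p.is_file())
    if include_db:
        sql = dest_dir / f"db-{stamp}.sql"
        dump_database(parse_wp_config((site_root / "wp-config.php").read_text()), sql)
        files.append(sql)
    with tarfile.open(archive, "w:gz") as tar, open(manifest, "w") as out:
        for f in files:
            # Site files keep their relative path; the SQL dump sits at the archive top.
            arcname = f.relative_to(site_root).as_posix() if site_root in f.parents else f.name
            tar.add(f, arcname=arcname)
            out.write(f"{hashlib.sha256(f.read_bytes()).hexdigest()}  {arcname}\n")
    return archive, manifest


def verify_archive(archive, manifest):
    """Re-hash every file inside the archive against the manifest (sha256sum format).
    Returns the names that differ or are missing; an empty list means the backup is intact."""
    expected = {}
    for line in Path(manifest).read_text().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    problems, seen = [], set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen.add(member.name)
                data = tar.extractfile(member).read()
                if hashlib.sha256(data).hexdigest() != expected.get(member.name):
                    problems.append(member.name)
    problems += [name for name in expected if name not in seen]
    return problems


def demo():
    """Build a constructed mini site in a temp dir, back it up without the DB, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads" / "2015").mkdir(parents=True)
        (site / "wp-content" / "themes" / "custom").mkdir(parents=True)
        (site / "wp-config.php").write_text(
            "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpuser');\n"
            "define('DB_PASSWORD', 'example-only');\ndefine('DB_HOST', 'localhost');\n")
        (site / "wp-content" / "uploads" / "2015" / "photo.jpg").write_bytes(b"\xff\xd8constructed")
        (site / "wp-content" / "themes" / "custom" / "functions.php").write_text("<?php // custom code\n")
        archive, manifest = archive_site(site, Path(tmp) / "backups", include_db=False)
        return verify_archive(archive, manifest)


if __name__ == "__main__":
    print("mismatches:", demo())
```

Run it from cron daily or weekly, as the slide suggests, and copy both the archive and the manifest to the off-site location (Dropbox, Amazon, Google Drive); the manifest is what lets the test recovery on a development site prove the copy is complete.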
Best Practices on Securing WordPress
➔ Users & Passwords
➔ Timely WordPress Core, Theme & Plugin Upgrades
➔ Detect and Recover — Site Statistics
➔ Recover from Disaster — Backups
“Trust No One” – Users & Passwords
★ Never ever use the WordPress user “Admin” with administrator rights.
★ Create new administrator accounts when working with developers and designers.
★ Delete old accounts not in use.
“Trust No One” – Passwords
★ Use strong passwords with CAPITALS, numbers and symbols: MyDogF1D08!T#
★ Use a password manager to generate random passwords: LastPass & 1Password
★ Use two-factor authentication.
Keep WordPress Up to Date!
❏ Keep WordPress Core Version up to date.
❏ Use Only Vetted & Trusted Plugins.
❏ Keep Plugins Up to Date.
❏ Keep Themes Up to Date.
❏ Don’t Rush to Update.* *Some plugin updates you don’t want to rush into (for example, your ecommerce plugin).
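Knowing which plugins are behind is the first half of "keep plugins up to date", and it can be checked outside the dashboard. The block below is an added example, not code from this deck: it reads each plugin's version the way WordPress does (the header comment in the plugin's main PHP file) and compares it with the version published on WordPress.org. The wp-content/plugins layout and the api.wordpress.org lookup are assumptions; the demo builds a constructed plugins folder and supplies the published versions directly so it runs offline, and the version comparison treats pre-release suffixes as older than the plain release.

```python
"""List installed WordPress plugins that are behind their published version.
Added example, not the page's code; the plugin folder layout and the
WordPress.org API call are assumptions."""
import json
import re
import tempfile
import urllib.request
from pathlib import Path

# Plugin headers look like "Plugin Name: Foo" or " * Version: 1.2.3" inside a PHP comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin file's header comment."""
    return dict(HEADER_RE.findall(php_text))


def installed_plugins(plugins_dir):
    """Map plugin slug (folder name) -> version by scanning each folder's top-level PHP
    files for a header, reading only the first 8 KB as WordPress does."""
    found = {}
    for folder in sorted(Path(plugins_dir).iterdir()):
        if not folder.is_dir():
            continue
        for php in sorted(folder.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace")[:8192])
            if "Plugin Name" in header and "Version" in header:
                found[folder.name] = header["Version"]
                break
    return found


def version_tuple(v):
    """'1.10.2' -> ((1, 10, 2), 1, ''); trailing .0 is ignored and a suffix such as
    '2.0-beta' sorts below the plain '2.0'."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)(?:[.\-]?(.*?))?\s*$", v)
    if not m:
        return ((0,), 0, v.strip())
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    suffix = (m.group(2) or "").strip()
    return (tuple(nums), 0 if suffix else 1, suffix)


def latest_version_from_api(slug):
    """Ask the WordPress.org plugin info API for the current version (network call)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp).get("version")


def outdated_plugins(installed, latest):
    """Return [(slug, installed_version, latest_version)] for plugins that are behind."""
    result = []
    for slug, current in sorted(installed.items()):
        newest = latest.get(slug)
        if newest and version_tuple(current) < version_tuple(newest):
            result.append((slug, current, newest))
    return result


def demo():
    """Constructed plugins folder with two header styles plus a non-plugin folder."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        (plugins / "example-slider").mkdir()
        (plugins / "example-slider" / "example-slider.php").write_text(
            "<?php\n/**\n * Plugin Name: Example Slider\n * Version: 4.1.4\n */\n")
        (plugins / "example-forms").mkdir()
        (plugins / "example-forms" / "forms.php").write_text(
            "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.0\n*/\n")
        (plugins / "notes").mkdir()  # no header, should be ignored
        installed = installed_plugins(plugins)
        # Constructed published versions standing in for latest_version_from_api().
        latest = {"example-slider": "4.6.0", "example-forms": "2.0.0"}
        return installed, outdated_plugins(installed, latest)


if __name__ == "__main__":
    print(demo())
```

In real use replace the constructed `latest` dict with `{slug: latest_version_from_api(slug) for slug in installed}`; plugins not hosted on WordPress.org (commercial ones) will return nothing there and must be checked with their vendor.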
Protecting with Plugins & Online Tools
Strengthen WordPress Security
iThemes Security: https://ithemes.com/security/
Brute Protect: https://wordpress.org/plugins/bruteprotect/
Scan & Monitor Your Site
Sucuri: https://sucuri.net/
Cloudflare: https://www.cloudflare.com/features-security
Google Webmaster Tools: https://www.google.com/webmasters/tools/
VirusTotal: https://www.virustotal.com/
Monitor site for anomalies & spikes using Google Analytics.
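Analytics shows visitor spikes, but the web server's own access log shows the request pattern behind them, including the password-guessing runs against wp-login.php that the "Brute Protect" plugin above is meant to stop. The block below is an added example, not code from this deck: it parses combined-format log lines, flags any address that sends many login POSTs inside a short window, and flags minutes whose request count is far above the site's median minute. The log lines are constructed (documentation IP ranges), and the thresholds are assumptions to tune for your own traffic.

```python
"""Two simple anomaly checks over a WordPress site's access log: login POST bursts
from one address, and minutes with far more requests than usual.
Added example, not the page's code; the sample log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def login_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """{ip: peak} for addresses with >= threshold login POSTs inside any one window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def traffic_spikes(events, factor=5.0, min_requests=10):
    """{minute: count} for minutes above factor x the median per-minute count
    (and above min_requests, so a quiet site does not flag every small bump)."""
    per_minute = Counter(e["ts"].replace(second=0, microsecond=0) for e in events)
    if not per_minute:
        return {}
    limit = max(min_requests, factor * median(per_minute.values()))
    return {m.strftime("%Y-%m-%d %H:%M"): n for m, n in sorted(per_minute.items()) if n > limit}


def analyze(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {"login_bursts": login_bursts(events), "traffic_spikes": traffic_spikes(events)}


def sample_log():
    """Constructed lines: light normal traffic, then a password-guessing run (12 POSTs in 33 s)."""
    lines = [
        '198.51.100.10 - - [10/Mar/2015:12:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.11 - - [10/Mar/2015:12:00:41 +0000] "GET /about/ HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
        '198.51.100.12 - - [10/Mar/2015:12:01:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
        '198.51.100.12 - - [10/Mar/2015:12:01:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.13 - - [10/Mar/2015:12:02:08 +0000] "GET /blog/ HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
        '198.51.100.14 - - [10/Mar/2015:12:03:50 +0000] "GET /contact/ HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
        '198.51.100.15 - - [10/Mar/2015:12:04:27 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ]
    base = datetime(2015, 3, 10, 12, 5, 0, tzinfo=timezone.utc)
    for i in range(12):
        t = (base + timedelta(seconds=3 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'203.0.113.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "python-requests/2.5"')
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

A real log is read with `analyze(open(path).readlines())`; the one legitimate login from 198.51.100.12 stays below the threshold, while the burst address shows up in both checks, which is the kind of spike to look for in the analytics too.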
How to Recover from Disaster
➢ You’ve been backing up right?
➢ Do you know how to access your backups?
➢ Do you know your recovery procedure?
➢ Do a test recovery on a test or development WordPress.
Protecting Outside of WordPress
Wi-Fi access from public places like Starbucks
If you are working on your website from an unsecured Wi-Fi network, someone could grab your data and passwords. (Use a VPN service.)
Keep your computer secure and up to date so it doesn’t get infected with malware (another way your data and passwords can get stolen).
Special thanks to my friend and security expert:
Chris Wiegman
http://www.ChrisWiegman.com
@ChrisWiegman on Twitter