There are a number of Content Management Systems that can be used to create, maintain and develop your website. However, not all CMS offer the same kind of security benefits as WordPress. Maybe this is why WordPress is the Content Management System behind some of the world’s most popular and frequently visited websites.
So why do the biggest companies put their faith in WordPress?
If you’re a large company, brand, perhaps even a celebrity, it’s pretty much a given that you’ll be a target for some sort of abuse. Whether the abuse is deserved or not is beside the point, if visitors flock to your site, then hackers are going to target you.
The security of your website becomes an even more important issue if you are a commercial merchant, selling goods or services from your site. Your databases will be stored with the kind of information that hackers crave: passwords, credit card details, home addresses – you name it, the chances are it’s probably stored in your website’s database somewhere. Hackers will then sell these details to the highest bidder. It’s a dirty game and it pays to be protected.
Hackers are always going to find new ways of attacking websites, it’s something that is unlikely to change any time soon. It almost becomes a game between hackers and developers to see who can outsmart who the quickest.
And just to make things that little more difficult, there are numerous ways in which your website can be attacked.
Brute force attacks
Although the word ‘bot’ may give you visuals of adorable little baby robots, these critters are anything but cute and cuddly. Bots are nasty little strings of malicious code that like nothing better than to access your website’s login screen and try to force their way in. They do this by combining infinite variations of login data in the hopes that one of them will be the key to unlocking your site.
Bots are extremely dangerous due to their automated nature and the fact that they will attempt to continuously crack your login combination. These little blighters don’t eat or sleep, they don’t stop for a second, and nothing deters them from their pre-programmed goal of hacking your website.
Hackers like nothing better than to attack websites, bending them to their own will. While in most cases the attacks are nothing personal, most hackers seem to enjoy showing how superior their programming skills are by cracking your login details and posting something awful or potentially harmful on your pages.
Your website can be vulnerable to this kind of attack, especially when the server-side client’s security has been compromised. Of course, if you’re login details have already been accessed, a hacker may well be inclined to add a string of malicious coding to your database just for the hell of it.
Probably the most recognisable form of hacking is the dreaded spam attack. I’m sure we’ve all been prey to the bulk email messages landing in our inbox offering the latest in pharmaceuticals etc. and some of us may even have had the misfortune of having our own email hacked and our contacts list being peppered with some rather unsavoury emails.
Not only is spam an email issue, it is also a common problem when running a website – especially one that invites comments at the bottom of each page. Hackers who use spam attacks will think nothing of bombarding your website with useless comments in an effort to overwhelm your database and slow the overall functioning down to a snail’s pace. With this kind of warfare, hackers will target any kind of website that allows for comments to be made – the bigger the website the greater the pleasure in grinding it to a halt.
Prevention is always better than a cure
Hackers are always going to be around, such is the nature of the internet, but you can take steps to ensure that your WordPress website is as secure as possible. It’s no fun to find out you’ve been hacked and the best way to limit the chances of something like this happening to you is to arm your website with as much protection as possible.
Keep everything up to date
Although those ‘new update’ pop-ups on your computer or tablet can seem annoying and time-consuming, taking ten minutes to update to the latest version of WordPress could very well save you a lot of time and effort in the long run.
Each time a new version of WordPress is released, the developers behind it also add new security patches to negate any known weaknesses in the previous version. Because development and hacking go hand in hand, there will always be a need to update WordPress – and any of the plugins you’ve installed – on a regular basis to ensure that your site is protected against the latest attacks.
Let’s be honest, there probably aren’t many of us who back things up on a regular basis when it comes to our computer or any software associated with it. Why waste the time when we could be on Twitter on YouTube instead?
Well, once you’ve been hacked you’ll know why having a website backup is so important. If a hacker gains access to your site and decides to delete elements of it on a whim, you’re in big trouble – especially if your site is large and contains a lot of information. The website that you spent so long making could be gone in an instant with all of your hard work will have coming to nothing.
Having a backup of the latest version of your WordPress site means that, should you ever have the misfortune of being hacked, you can quickly restore your site with the least fuss possible. Take a few minutes to install a backup plugin to your CMS or schedule a regular manual backup system at server level and save yourself a great deal of work further down the road.
Custom logins and IP whitelists
The default setting for all WordPress site logins is something that even the most inexperienced hacker knows – ‘your site name’ followed by /wp-admin. This means that anyone can access your login page by virtue of knowing the name of your site, it is then a case of letting the bots out to play and unleashing a brute force attack on your website.
There are ways of getting round this security vulnerability and one of the simplest methods is to change your login URL to something unique, that way hackers will find it much harder to find your login page, let alone use a bot to try to gain access to it.
IP whitelists are also worth considering. Whitelists are the opposite of blacklists. To create a blacklist of all possible hackers would take far too long and would not offer much in the way of protection from unknown hackers. The ideal way to ensure that you’re as secure as possible is to limit the number of URLs that can access your login page – that way a hacker on the other side of the world can’t access your login page because WordPress won’t recognise their IP as being on the safe list. Think of a whitelist as being a bouncer of sorts – if your name’s not on the list, you’re NOT coming in.
Modify your admin user settings
WordPress defaults to standard admin user settings when you sign up for an account. Changing these settings will increase the security of your website. Hackers do their homework and know that the default user name for most sites is ‘admin’ and from thereon in they only need to generate multiple random password attempts to gain access to your site.
Why make it easy for them?
By not changing the admin user default settings you’re basically inviting hackers to come to your site and attack you. It’s a bit like giving your house keys to a stranger and telling them which street you live in – they only have to try a limited number of front doors to see which one the key fits because you’ve given them half of the tools they need to break into your home already.
WordPress already comes with the Askimet plugin as standard and so whatever you do, do NOT disable this feature – not unless you want a lot of random comments filling up your website and slowing it down to a crawl.
Plugins such as Askimet are tasked with spotting and blocking spam comments, placing them in the comments section of your WordPress dashboard to be reviewed and/or deleted by you. Some of the largest and most popular sites are victim to these kind of spam tactics on a daily basis, can you imagine having to go through tens of thousands of spam comments a day and delete them manually?
No website will ever be totally secure nor impenetrable, but there are a number of ways in which you can make it a great deal harder for hackers to gain access to your site. Some of the tips provided may seem laborious but what is ten minutes out of one day compared to weeks, possibly months, of putting your destroyed website back together after a hacker’s had their way with it?
Prevention is most definitely better than a cure, don’t make it a walk in the park for hackers to ruin all your hard work. The tips suggested in this article are all tried and tested ways of shoring up your website’s defences and are essential to maintain its security.
For an added layer of protection, always make sure that your computer or tablet’s operating system is up to date, install quality anti-virus software and engage in safe web browsing. And as far as passwords are concerned, make sure you change them regularly and DO NOT use the same password for all accounts or ever write them down. It may sound like common sense, but you’d be surprised at how many internet users don’t follow these simple rules.
You’ve worked hard to create your web presence, don’t make it easy for someone to take all of that away from you.
There are many elements to consider when developing your website, our team at DonCharisma.com are experienced in all elements of web design, development and security. We would be happy to assist you with your project. Please contact us at http://DonCharisma.com/contact/ for further information.