Popularity is a double-edged sword, particularly when it comes to online security. Email’s future was questioned repeatedly throughout the Noughties, as an avalanche of spam rained down on the world’s inboxes. Address cloning has seen many successful brands being imitated for nefarious purposes, while PayPal’s phishing problems and Gmail’s spam accounts are nothing short of legendary.
Another victim of its own success is WordPress, which has attracted the attention of criminals from the internet’s murkiest corners. Websites like Hacker Target and Flipper Code confidently explain techniques for breaking into WordPress websites, and this year’s DefCon security conference included a presentation on how to compromise a WordPress site within half an hour of its launch. Platforms may be attacked with SQL injections, while a zero day vulnerability back in February resulted in a hasty patch that wasn’t universally updated by site administrators. That left flaws in unpatched WordPress API which were promptly exploited by black hat SEO campaigns.
The Threat to WordPress Security Is Real
It’s obvious that regular site maintenance is crucial for preventing vulnerabilities that could be exploited, and patch updates should always be manually initiated as and when they become available. Cyber security is a real-time challenge, and hackers won’t patiently wait over a weekend until you update your site on a Monday morning. Diligence represents the best tool in any administrator’s armoury, but what else can be done to maintain WordPress security?
Simple tweaks can improve this, such as removing the version number to prevent hackers targeting known weaknesses in specific platforms. Changing the login page URL from the default /wp-login/ or /wp-admin/ also makes it harder to find a point of entry. Impose lockouts after multiple failed logins, log out idle users, and apply two-factor authentication (2FA) to prevent compromised passwords leading to disaster. An SSL certificate can protect the all-important admin panel, and a mixture of upper and lowercase alphanumeric characters will boost password security.
The Top 8 WordPress Security Plugins
As you might expect, security is a recurring theme among the 52,000 WordPress plugins currently available online. There are numerous solutions available, including the following:
- Sucuri Security. This excellent all-rounder monitors everything from failed login attempts to file integrity monitoring. Its standard settings will protect most sites.
- Wordfence Security. Achieving a customer rating of 4.9 out of 5, Wordfence uses strong passwords and 2FA alongside real-time scanning and monitoring.
- Jetpack. Well known and widely trusted, Jetpack combines a variety of features ranging from malware scanning and off-site backups to brute force attack protection.
- Bulletproof Security. With a one-click setup wizard, this plugin specialises in three aspects of WordPress security – logins, database security and firewall protection.
- iThemes Security. A staple on any security plugin list, iThemes manages sites through a user-friendly dashboard with automatic lockouts and password strengthening.
- All in One WP Security and Firewall. Despite its clumsy name, this slick package adds a dedicated firewall; unique site security scores indicate areas of weakness.
- Vaultpress. From the same family as Jetpack, Vaultpress can back up content to an offsite location in real time or at scheduled periods, for near-instant data recovery.
- SecuPress. Launched last year, SecuPress’s meteoric rise has been propelled by its six key areas of protection. These encompass logins, plugins, malware and firewalls.
Perhaps the most important factors in maximising WordPress security involve organising regular site backups to prevent catastrophic data loss, and choosing a dependable web hosting partner. UK2 offers specialised WordPress site hosting, with three different packages aimed at everyone from beginners to corporate clients. Get in touch with us for more information.