By Shawn Hoagland
How secure is your website?
When’s the last time you backed up your site files, site database?
Have you tested your site for vunerabilities, ever? (A good place to start is at Hacker Target.)
These questions, while paranoid in nature, are actually viable and logical.
You’ve heard it many times. “Secure your website…backup your data…you can never be too careful…it’s not a matter of if, but when…eat your vegetables…” and so on. Truth be told, the basic warning is valid. Unfortunately, unlike virus protection or SPAM prevention, website security is not quite that simple, but rather involves a number of steps and precautions, as well as maintenance and vigilance. For the purpose of this discussion (in which I’ll be the only one talking), we’ll focus on WordPress website security.
While a basic recommendation in website security is to use an open source coded platform (like WordPress), thus ensuring the code is tested, implemented, and updated by many well-versed programmers, that same thinking can also put a bull’s eye on your site. Who wouldn’t like to be the genius villain that disrupted thousands of sites in one fell swoop?
The basic security theories and measures are outlined here by WordPress.org. These strong suggestions and guidelines fall into several categories including:1
Furthermore, according to WordPress.org, the most common attacks usually fall into these categories:2
1. Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software. (Which is akin to poking around for any unlocked doors or open windows.)
2. Attempting to gain access to your blog by using “brute-force” password guessing.
That being said, what can you do to better protect your website?
One of the first and most basic things you can do is to change the name of the admin user from admin to something more secure. You can follow that up by using a very strong password.
Passwords like “123456”, “password”, as well as your birthday, license plate, or common dictionary words are begging for trouble and should be avoided. Here’s an interesting site to help you: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time. Your password ‘s main and only purpose is to prevent unauthorized access, even if it’s a bit of work to remember.
Use a combination of letters, numbers and special characters and make sure they are at least 10 characters long. Online password generation sites like LastPass and KeePass are available to help you generate and keep track of strong passwords.
Security through obscurity (hiding or renaming elements) should not be used solely, but can be a good start for beefing up your site security. Measures in this category include: deleting/renaming the default administrative account (admin) used for installation, changing default WordPress table prefix (wp_) to something else, and keeping your WordPress version up to date (very important and easy to do).
While the list goes on and on, increasing in complexity and thus security, we’ll turn our focus now to some plugins that can enhance security and give you some more peace of mind.
We’ve previously discussed WordPress plugins as a way to take your website to another level, but they’re also great for security.
Here are some WordPress Security Plugins you should check out:
Research and testing will help determine the right plan and tools for you and your site.
The goal of this article is to alert you to the dangers that lurk, and inform you of some potential methods and tools to protect your site and data.
No matter what strategy you choose to implement, the important thing is that you do create and implement a disaster recovery plan.
How important is it? How important is your website and data?