Concerned about the WordPress security of your site? You should be. Is it true that Russians are hacking computers and websites? Probably. It’s even easier than you may think. It’s not a room of Russian geeks smoking cigars, drinking vodka, and targeting your sites specifically (unless your last name is Trump, or Clinton, or your site ends in “.gov”). Based on this BBC News article regarding the arrest of Pyotr Levashov in April 2017, Levashov controlled a botnet. A botnet is “a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages,” according to Google’s dictionary (and if anyone would know, it is Google).
There has been a lot of talk in the American media, not to mention stupid investigations, about the Russians hacking some and other parties helping the others attack the other and blah, blah, blah. Back to the original question. Are the Russians hacking your site? The answer is yes, and it’s not only the Russians. I wouldn’t believe it if I had not seen it with my own analytics. If you have installed Google Analytics into your WordPress site (which I highly recommend), you can see which countries your traffic is coming from. If you find that you had a post that you wrote last year that has become really popular in another country, it was probably a hacking attempt of some sort. So what can you do to protect your WordPress website from a security perspective?
Here are a few suggestions:
1. Get WordPress Managed Hosting
I had some extra money a few years ago and bought a couple of domains. The sales rep asked if I would like WordPress Managed Hosting because my other sites were not on WordPress Managed Hosting. I said that I would give it a shot. After working on building the sites for about a year, the sites were not a priority due to several distractions at the time. I was just about to discontinue the WordPress Managed Hosting and then I was hacked in March 2017. I had never been hacked before but discovered that I was the victim of an .htaccess attack. To make a long story short, I was hacked again a few months later, but it was thwarted and was a quick fix on my part. I got on the phone with my host and discovered that my sites on my WordPress Managed Hosting had tools to prevent hacking, and to search for and fix malware. WordPress Managed Hosting costs more than your basic low-cost hosting, but it is well worth it if you value your web presence. I am now in the process of shifting all my sites to my WordPress Managed Hosting account.
2. Install a security plugin
Until I was hacked, I never thought about my web security much. After I was hacked, it became a priority. Now that being hacked is quite the rage in the media, a lot more website owners are becoming increasingly aware of web security. I read this article to help me install the best WordPress security plugin for my unprotected sites. I never realized the importance of installing a WordPress firewall to prevent brute force attacks on my sites. I didn’t even know what a brute force attack was. Now I do, and I’ve chosen Wordfence to help reduce the risk of being hacked again.
3. Make sure your themes and plugins are current and updated
Outdated and old plugins and themes can create a “backdoor” for hackers to enter your site and add content or links you probably didn’t want in your site. The right security plugin can also notify you by email of plugins and themes that need to be updated. This is a must-do step to help decrease your risk of being hacked.
4. Get an SSL Certificate for Your Site
If you use PayPal (or another third-party payment service) to process credit cards, an SSL certificate is not required to process payments. However, if you use a credit card processor on your site such as Stripe, an SSL certificate is required. Why? An SSL certificate encrypts the information between your server and your browser, making it difficult for hackers to enter your server through their browser. It’s meant to keep the credit card information you process more secure, but this is also a secondary benefit of having an SSL certificate. Another good reason to get an SSL certificate is that Google will start requiring sites to have SSL certificates in order to be listed in search engine results. I’ve been hearing this for a while now, but maybe it is around the corner.
There are several methods for getting an SSL certificate for your site such as contacting your web host, as well as some free options that require you to redirect your name server information. Your current budget will dictate what is right for you, but I highly recommend purchasing your SSL certificate through your hosting company.
5. Limit Log In Attempts
Without a limit on login attempts, users can attempt to log in as many times as they want. By limiting the login attempts, you greatly reduce the chances of a computer-oriented attack or a brute force attack on your website. There are a couple of ways to do this. One method is to install and activate a website firewall, which can be done with most security plugins. If you have a WordPress managed hosting plan, the firewall may come with your plan. Another method is to install the Login LockDown plugin.
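To show what a login limit actually does, here is an added example (not code from WordPress or from any of the plugins mentioned) that replays login form submissions from a web server access log and counts how many guesses a limiter would have refused. The log lines and the thresholds (3 failures in 5 minutes, 60-minute lockout) are constructed for illustration, and it assumes stock WordPress behaviour, where a failed login returns status 200 and a successful one returns a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy for illustration: 3 failures in 5 minutes -> 60-minute lockout.
MAX_FAILURES, WINDOW, LOCKOUT = 3, timedelta(minutes=5), timedelta(minutes=60)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample in combined log format (documentation IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.9 - - [12/Mar/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [12/Mar/2017:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.9 - - [12/Mar/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.9 - - [12/Mar/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.9 - - [12/Mar/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [12/Mar/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [12/Mar/2017:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2017:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.44 - - [12/Mar/2017:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.44 - - [12/Mar/2017:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.9 - - [12/Mar/2017:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

def replay(log_text):
    """Return (lockouts per IP, login POSTs a limiter would have refused per IP)."""
    failures, locked_until = defaultdict(deque), {}
    lockouts, refused = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue  # only login form submissions count as attempts
        ip = m["ip"]
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and now < locked_until[ip]:
            refused[ip] += 1  # still locked out: the guess never reaches the password check
            continue
        if m["status"] == "302":  # assumed stock behaviour: redirect after a successful login
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            locked_until[ip] = now + LOCKOUT
            lockouts[ip] += 1
            recent.clear()
    return dict(lockouts), dict(refused)
```

Only the address that fails three times in quick succession is locked out. The visitor who mistypes once and then logs in, and the one whose three failures are spread over more than five minutes, are never blocked.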
6. Rename Your Login URL
If you have been working with WordPress for any length of time, then you know the default login page URL is yourdomain.com/wp-admin or yourdomain.com/wp-login. Renaming it will get rid of approximately 99% of the brute force attacks that can happen. The simplest way to do this is by installing the iThemes Security plugin. This plugin also has over 30 security features, making it one of the best security plugins available.
While WordPress makes up over a quarter of the most popular websites on the Internet, it isn’t without security issues. WPBeginner’s The Ultimate WordPress Security Guide – Step by Step (2017) is a great resource as well as 20 Simple Tricks to Secure Your WordPress Website in 2017. I used both of these articles as reference material for this post.
Be secure or get hacked. A little extra effort to secure your site can save a lot of embarrassment and unnecessary expense later.