WordPress has historically had a bad reputation for being a vulnerable, insecure system that would leave your website open to hackers. However, this is not the case if you have taken the key steps to make your website secure.

Make sure you have a secure password and username

This seems as if it should be pretty obvious; however, you’d be surprised at the number of clients we have come across who have not used a secure password or username and then wonder why their website has been compromised.

The most common password pattern companies choose is their company name spelt with numbers that look like letters, for example Lucid Digital as ‘Luc1d-d141tal’. A lot of companies seem to think that this is a secure way of keeping a memorable password when in fact it is quite the opposite. When choosing a username for your website, make sure it is not your business name or any other common name such as ‘admin’, ‘username’ or ‘administrator’. These will be among the first usernames tried when hacking a website; here is a list of the top ten usernames and passwords hackers try.

When we design and build a website at Lucid Digital and hand it over to a client, this is one of the first pieces of advice we give them: make sure your login credentials are secure! WordPress has a built-in feature that generates very strong passwords for every user of the system, and we strongly advise our clients to take advantage of it.

Furthermore, make sure you keep a different password for each system. We’ve often encountered companies that use the same password for everything in their IT infrastructure. This causes huge problems, as hackers only need to access one area and then they have access to everything.

Make sure your website has an SSL Certificate

An SSL (Secure Sockets Layer) certificate is used to establish an encrypted connection between your server and whatever device your user is viewing your website on. If a website is not encrypted, any would-be snoopers could view sensitive information if they knew how, but an SSL certificate adds an extra defence against prying eyes trying to view this data.

An SSL certificate is an easy way to add a little more security to your website and is a must-have if you are an online store taking payments within your domain and/or handling sensitive data. There are also advantages for your site’s ranking performance, as Google will naturally rank a website with an SSL certificate installed higher than one that does not have one.

At Lucid Digital we provide a free SSL Certificate as standard for all websites that we host.

Install Wordfence Plugin

If you’re using the WordPress CMS for your website then the best security plugin, in our opinion, is Wordfence. If you’ve had a site built by us then this will come already installed and set up, ready to block any users trying to gain unauthorised access to your website. Wordfence is a security plugin that offers free enterprise-class WordPress security against hacks and malware on your website.

Via Wordfence, we block all the most commonly used usernames, so as soon as anyone attempts to log in to the CMS of the website using one of these usernames, their IP address is automatically blocked for 24 hours. The same applies to anyone entering the wrong details 5 times in a 24-hour period. Don’t worry if you accidentally do this yourself: we simply whitelist your office IP address within Wordfence, so even if you are locked out Wordfence knows this is a safe IP.

There is a Premium version of Wordfence available that you can upgrade to; however, we feel confident that the free version gives you all the tools you need for any basic website or ecommerce store.
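The lockout policy described above (common usernames blocked on sight, five failures in a rolling 24-hour window, an allow-listed office IP) can be replayed against a login log to see which addresses it would block. This is an added example, not Wordfence’s code or the post’s own; the log format, the addresses and the office IP are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy as described in the post: common usernames are blocked on sight, five
# failed logins from one IP inside 24 hours earn a block, office IP is exempt.
BLOCKED_USERNAMES = {"admin", "administrator", "username"}
MAX_FAILURES = 5
WINDOW = timedelta(hours=24)
ALLOWLIST = {"203.0.113.10"}  # constructed office address (RFC 5737 range)

def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <ip> <username> <ok|fail>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"

def find_lockouts(lines):
    """Replay login events in order; return {ip: reason} for every IP to block."""
    failures = defaultdict(list)  # ip -> timestamps of failures still in window
    blocked = {}
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        if ip in ALLOWLIST or ip in blocked:
            continue
        if user.lower() in BLOCKED_USERNAMES:
            blocked[ip] = f"tried blocked username '{user}'"
        elif not ok:
            # drop failures older than 24 hours, then count this one
            failures[ip] = [t for t in failures[ip] if ts - t < WINDOW] + [ts]
            if len(failures[ip]) >= MAX_FAILURES:
                blocked[ip] = f"{MAX_FAILURES} failed logins in 24 hours"
    return blocked

# Constructed sample log: a username guesser (.7), a fast brute-forcer (.8), a
# slow guesser that never hits five failures in a day (.9), and the office IP.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 198.51.100.9 editor fail",
    "2024-03-01T09:05:00 198.51.100.7 admin fail",
    "2024-03-01T09:10:00 198.51.100.8 editor fail",
    "2024-03-01T09:10:01 198.51.100.8 editor fail",
    "2024-03-01T09:10:02 198.51.100.8 editor fail",
    "2024-03-01T09:10:03 198.51.100.8 editor fail",
    "2024-03-01T09:10:04 198.51.100.8 editor fail",
    "2024-03-01T10:00:00 198.51.100.9 editor fail",
    "2024-03-01T11:00:00 203.0.113.10 admin fail",
    "2024-03-02T11:00:00 198.51.100.9 editor fail",
    "2024-03-02T12:00:00 198.51.100.9 editor fail",
    "2024-03-02T13:00:00 198.51.100.9 editor fail",
    "2024-03-02T13:30:00 198.51.100.9 editor ok",
]
```

Running `find_lockouts(SAMPLE_LOG)` blocks only 198.51.100.7 and 198.51.100.8; the slow guesser stays under the threshold because its first two failures have aged out of the window.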

Adding extra security to htaccess

If you’re a bit more advanced with web technologies and don’t mind doing some coding, here is some extra code that you can add to the .htaccess file found in the root of your WordPress installation. If you haven’t got a .htaccess file, you can create one using a text editor and upload it to the root of the installation via FTP or through your cPanel. Make sure you test after adding this so that it is not conflicting with any other code or plugins on the website.

# Stop folders from being browsable
Options All -Indexes

# Protect the wp-config file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Protect .htaccess and .htpasswd files
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# Deny all .exe files
<Files "*.exe">
order deny,allow
deny from all
</Files>

# Disable XML-RPC
<Files "xmlrpc.php">
Order allow,deny
Deny from all
</Files>

# Note: on Apache 2.4 without mod_access_compat, replace each
# "order ... / deny from all" pair above with "Require all denied".

# All rewrite rules sit inside one block so the file still loads if
# mod_rewrite is missing, and RewriteEngine is switched on before any rule.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Do not allow access to hidden (dot-prefixed) PHP files
RewriteRule ^\.(.*)\.php$ - [F]

# Protect from injection attempts via the query string
# (literal or URL-encoded <script> tags, GLOBALS and _REQUEST overrides)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

# Block direct access to PHP files in wp-admin/includes and wp-includes
# ([S=3] skips the three wp-includes rules for every other path)
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
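To check what the rules above actually allow and forbid before uploading them, here is an added example (not code from the post) that models them in plain Python: the Files blocks match on the file name only, the query-string conditions are OR’ed, and the [S=3] skip means the three wp-includes rules are only evaluated for paths under wp-includes/.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the post): a Python model of the .htaccess rules above.

# <Files> blocks match the request's basename only, like Apache does.
FILE_BLOCKS = [
    re.compile(r"^wp-config\.php$"),
    re.compile(r"^.*\.([Hh][Tt][Aa])"),
    re.compile(r"^.*\.exe$"),  # <Files "*.exe"> is a shell wildcard, not a regex
    re.compile(r"^xmlrpc\.php$"),
]

# The three RewriteCond lines are OR'ed; any match forbids the request.
QUERY_CONDS = [
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),  # [NC]
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]

# RewriteRules in file order: (pattern, negated?, action) where action is "F" or the [S=n] skip count.
PATH_RULES = [
    (re.compile(r"^\.(.*)\.php$"), False, "F"),
    (re.compile(r"^wp-admin/includes/"), False, "F"),
    (re.compile(r"^wp-includes/"), True, 3),  # skip next 3 unless under wp-includes/
    (re.compile(r"^wp-includes/[^/]+\.php$"), False, "F"),
    (re.compile(r"^wp-includes/js/tinymce/langs/.+\.php"), False, "F"),
    (re.compile(r"^wp-includes/theme-compat/"), False, "F"),
]

def status(url):
    """Return 403 if the snippet would forbid this request URL, else 200."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")  # RewriteBase /: rules see the path without its leading slash
    if any(p.search(path.rsplit("/", 1)[-1]) for p in FILE_BLOCKS):
        return 403
    if any(c.search(parts.query) for c in QUERY_CONDS):
        return 403
    skip = 0
    for pattern, negated, action in PATH_RULES:
        if skip:
            skip -= 1
            continue
        if bool(pattern.search(path)) == negated:  # rule did not apply
            continue
        if action == "F":
            return 403
        skip = action
    return 200
```

Checking `status("/wp-includes/js/jquery/jquery.js")` returns 200 while `status("/wp-includes/load.php")` returns 403 confirms the wp-includes rules block PHP files without breaking the scripts and styles themes load from that folder.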

Good hosting

Hosting is incredibly important for your website’s performance and security, and yet it seems to be overlooked and undervalued. Often we see a company spend a few thousand on a new website and then settle for the cheapest hosting solution when they launch their site instead of investing in a trusted provider.

Providers such as Fasthosts and GoDaddy, with whom you can host your website for under £5, can seem like a bargain until something goes wrong. Cheaper web hosting solutions will put your website on a shared server with thousands of other websites. This means that if a hacker gets through to one site that isn’t secure, they can get through to the other websites on the same server. Most cheap hosting providers do not let you bolt extra security add-ons onto your server either.

If you are using a cheaper option, just make sure your hosting company is taking and storing backups of your website and database. Cheaper hosting will only store these for a very short period, which could mean that if the worst happens, you may not have a copy of the site from before it was compromised. At Lucid Digital, we store backups for the last 30 days and also keep your website and our server regularly up to date with the latest security updates.

Adding a load balancer

If your website generates large amounts of traffic then a load balancer is a good way to step up security. A load balancer distributes web traffic across multiple servers when too much traffic is coming into your website.

The main way a load balancer adds security is by offloading your traffic onto another server to balance the number of users on any one server, or when a distributed denial-of-service (DDoS) attack is hitting your website. Although this is a great feature, we would only recommend it to organisations with a very large amount of traffic and a large budget; this type of security would be an unnecessary expense for smaller businesses.

If you have any concerns or questions about your WordPress website then please do get in touch with us for a no obligation chat about how we can help.

Written by Lucid Digital in Blog