Do you need to secure a WordPress website? Here are our top three strategies to keep your site running and hackers out.
Secure a WordPress Website - Passwords
One of the most basic and important rules is to always use a strong password for your WordPress accounts. Website hackers have complex “brute force” algorithms that automate guessing passwords based on commonly used words, numbers, and character combinations. The most effective way to combat brute force algorithms is to use a password that is at least 10 characters long, uses a combination of letters, numbers, and special characters (!@#$%^&*), and contains no commonly used words or names.
Of course making up and remembering these passwords can be a challenge, so there are websites that can help. We like Strong Password Generator but recommend altering even these passwords slightly unless you can be 100% sure your local computer is free of spyware/malware (which is a hard thing to ensure completely) AND 100% sure you are not visiting a dummy site. As far as remembering the password, you can store it in a document on your local machine if you’d like, but again, you should be confident that your local machine is clean. The safest password storage is handwritten and hidden.
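As an added illustration (not part of the original post), here is a small Python checker that encodes the three rules above: minimum length, a mix of letters, numbers and the listed special characters, and no common words. The word list is a constructed stand-in for the much larger dictionaries brute-force tools use, and the substitution table is an assumption about the “1 for i, 0 for o” style swaps those tools also try.

```python
import re

# Constructed mini word list standing in for the "commonly used words or names"
# a brute-force tool tries first. A real check would use a far larger list.
COMMON_WORDS = sorted({"password", "welcome", "admin", "wordpress", "letmein",
                       "qwerty", "monkey", "dragon", "john", "alice"})

SPECIALS = set("!@#$%^&*")  # the special characters the post lists
MIN_LENGTH = 10             # the minimum length the post recommends

# Assumed substitution table: undo common digit/symbol-for-letter swaps so that
# "P@ssw0rd" is still recognised as the dictionary word "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t"})


def check_password(password: str) -> list[str]:
    """Return the rules from the post that `password` violates (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from !@#$%^&*")
    # Normalise substitutions, keep only letters, then look for an embedded word.
    letters_only = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for word in COMMON_WORDS:
        if word in letters_only:
            problems.append(f"contains common word '{word}'")
            break
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule in check_password."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "short1!", "Tr!v9xLq#2bW"]:
        print(candidate, "->", check_password(candidate) or "OK")
```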
Securing a WordPress Website - SFTP
Beyond passwords, if you access the back-end files for your WordPress account frequently, you should always use Secure FTP (SFTP) instead of standard File Transfer Protocol (FTP). The WordPress Codex has this to say about using SFTP:
“Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.”
In other words, if you are using standard FTP your password is transmitted in the clear, and anyone listening in on your network will be able to see it in plain text, making SFTP the safer choice. Of course, having a secure network, WiFi or otherwise, will guard against eavesdroppers. We’ll discuss securing your local network in a future post.
WordPress Website Security – Updates
The developers at WordPress.org work hard to search out the latest vulnerabilities in their software and implement changes to combat them in the most recent release. If you have one of the most recent versions of WordPress (3.7 or 3.8), security-related updates are automatic.
And although theme and plugin developers may not always be as on top of their game as WordPress.org in terms of security, you should still upgrade those files when available to be sure you’re taking advantage of the most recent code and security fixes.
Information on SFTP obtained from WordPress.org. To read more in detail about WordPress security tactics visit: Codex – Hardening WordPress