How to make WordPress more secure.

As we recently saw with the @n attack, website security isn’t just a big business concern. It’s everybody’s concern, and the only way to protect your website from potential attacks is to take the time to learn about website security. With that in mind, let’s look at a few basic things you can do to protect yourself and your website from attacks.

Password Security

I appreciate we’re all sick of hearing how important it is to have secure passwords, but it really, really is. The main weakness a prospective hacker will try to exploit is a weak password. So be sure that your password follows some simple rules:

  1. the longer the better, aim for at least 10 characters;
  2. include a variety of character types (UPPERCASE, lowercase, numeric, and special characters such as !@#$);
  3. avoid common words and meaningful phrases (e.g. birthdays).

If you want to check how strong your password really is, you can use the Microsoft Password Checker.

File Transfers

Every website will eventually need to transfer files, and the method you choose to connect to your website can be brutally exploited. Standard FTP (the protocol you use to put files onto your website) sends your awesome new password across dozens of Internet computers in plain text.

Yes, in plain text.

That means that no matter how complex your password is, every time you connect to your website, you’re exposing it to potential hackers. The solution is to connect to your website using SFTP (Secure File Transfer Protocol) instead. Most good hosts, including WP Engine and Bluehost, offer SFTP connections for free.

Adding Security to your WordPress Administration

Once you’ve taken the basic steps of ensuring your password is both hard to guess and hard to steal, the second most important step of securing your WordPress website is to make sure your administration area is hard to break into.

There are a handful of plugins I highly recommend for protecting your WP Admin area:

Google Authenticator – a handy plugin that will make users enter a unique (and ever-changing) series of numbers from Google.

The code rotates every minute or so, and is visible only on a synced smartphone.

Better WP Security – the number one security plugin for WordPress, and a powerhouse of security upgrades and checks. I really can’t praise this plugin enough, and couldn’t imagine running a website without it.

This is just a quick tip on how to make WordPress more secure. If you’re looking for a comprehensive guide to improving the security of your website, visit the Hardening WordPress article on the official WordPress Codex.
