As we recently saw with the @n attack, WordPress security isn’t just a big-business concern. It’s everybody’s concern, and the only way to protect your WordPress website from potential attacks is to take the time to learn about website security.
With that in mind, let’s look at a few critical things you can do to protect yourself, and your website from attacks.
WordPress Security and Passwords
Image caption: WordPress security is one of the most important aspects of running a website; it’s key to keeping you and your customers safe.
I appreciate we’re all sick of hearing how important it is to have secure passwords, but it really, really is. The weakness an attacker will try first is a weak password, because guessing one is far easier than breaking anything else. So, be sure that your password follows some simple rules:
- the longer the better: aim for at least 10 characters;
- include a variety of character types (UPPERCASE, lowercase, numeric, and special characters such as !@#$);
- avoid common words and personally meaningful phrases (e.g. birthdays).
If you want to check how strong your password really is, you can use the Microsoft Password Checker.
Keep in mind that you’ll have to remember your password too, so don’t make it too complex or you’ll forget! A great trick I like to use is to use a passphrase that will only make sense to me but is easy to remember.
Image caption: WordPress security and passwords are vital for you and your clients.
For years my Facebook password was forgetthepubletsgettacos. It’s a long phrase at 24 characters but is remarkably easy to type on a standard keyboard and easy for me to remember.
Every website will eventually need to transfer files, and the method you choose to connect to your website can be exploited just as easily as a weak password. A standard FTP connection (how you put files onto your website) transfers your awesome new password across dozens of Internet computers in plain text.
Yes, in plain text.
That means that no matter how complex your password is, every time you connect to your website over FTP you’re exposing it to anyone able to observe the traffic along the way. The solution is to connect to your website using SFTP (Secure File Transfer Protocol) instead, which encrypts the whole session, password included. Most good hosts, including WP Engine and Bluehost, offer SFTP connections for free.
Adding Security to your WordPress Administration
Once you’ve taken the basic steps of ensuring your password is both hard to guess and hard to steal, the second most important step of securing your WordPress website is to make sure your administration area is hard to break into.
There are a handful of plugins I highly recommend for protecting your WP Admin area:
Google Authenticator – a handy plugin that requires users to enter, in addition to their password, a unique (and ever-changing) numeric code generated by the Google Authenticator app.
The code rotates every minute or so and is visible only on a smartphone that has been synced with the account, so a stolen password alone is not enough to log in.
Better WP Security – the number one security plugin for WordPress is a powerhouse of security upgrades and checks for WordPress.
I really can’t praise this plugin enough, and couldn’t imagine running a website without it.
This is just a quick tip on how to make WordPress more secure. If you’re looking for a comprehensive guide to improving the security of your website, visit the Hardening WordPress article on the official WordPress Codex.