WordPress Website Security

If you have a website, sooner or later it’ll be attacked. That’s now a fact of life on the web.

The more website traffic you have, the more likely you are to be targeted.

Why Would Someone Attack your Website?

According to Wordfence, the most common attacks take a website offline or replace content, usually with political or terrorist propaganda.

To an attacker, your website is a treasure chest

Hackers may also:

  • Insert links to other websites, boosting their traffic. For example, I had a spate of attacks from garcinia cambogia vendors. For the vendors, more links mean more sales.
  • Obtain credit card details.
  • Steal hidden content.
  • Obtain goods without purchasing them.
  • Display propaganda.
  • Use your website or host as a launch pad for other attacks.
  • Redirect a page on your website to their site, gaining more traffic.
  • Make a website unavailable to its intended users. The motive may be revenge, blackmail, activism, commercial gain…
  • Have set themselves the challenge of breaking into your site.

What are the Consequences of a Website Attack?

Example of a defaced website courtesy of opennet.net

A successful attack may result in:

  • Terrorist, political or commercial content, images or links inserted into your website.
  • A constant stream of new spam comments or spam users on your website.
  • Your website loading more slowly – or not at all.
  • Theft from you or your customers.
  • Blacklisting of you or your hosting company.
  • Unavailability of your website to your users.
  • Loss of business.

Website Security Conundrum

Modern day pirates no longer need a ship to loot you.

As a website owner you’ll need to decide what security measures to use.

Security measures sit on a continuum. At one end, your website is wide open, giving both readers and attackers easy access. At the other end, your website is locked down: each time a vulnerability is found, you close it. Attackers are denied entry, but occasionally a genuine user is denied entry too.

Adding just a single click to the buying process on your website reduces sales. Security measures that require extra action from your readers may make your website appear less user-friendly.

For a small, simple website the consequences of a successful attack are likely to be relatively small. A few spam links are easily deleted from your web pages. That said, deleting a steady stream of spam comments and spam emails chews up your time and energy.

Your reputation could go up in flames

Government systems have too much at stake to take risks. That’s why they can be so hard to log in to, with codes sent by SMS and security questions.

I recommend that you assess the potential consequences of a successful attack on your own website, and apply security measures in line with that.

WordPress Security

Here are some ways to protect your WordPress website:

  • Use a web hosting company that takes security seriously. They’ll run a firewall and other security measures to protect the server on which your website sits.
  • Harden your website. The WordPress Codex explains how – http://codex.wordpress.org/Hardening_WordPress
  • Update plugins and themes as soon as new versions are released (Webhive can do this for you).
  • Use captchas (the image containing characters that you have to type into a box) on all web forms, including contact forms, booking forms and login forms.
  • Turn off comments if you’re not using them. (You could use the Disable Comments plugin to do this.) Otherwise, use a plugin that filters spam comments (eg Akismet).
  • Avoid publishing email addresses on websites in plain text. Embed them in an image or disguise them by inserting spaces either side of the ‘@’ symbol. Don’t link your email addresses (eg ‘mailto:[email protected]’). Let your readers type them in manually.
  • Install a WordPress security plugin, eg Wordfence. (Use the free version, or Webhive can arrange and install a premium Wordfence licence for you.)
  • Use strong passwords – the longer the better.
  • Be careful with usernames. Avoid using ‘admin’, your domain name or organisation name. They’re too predictable. Recent attacks have looked up domain registrant names, so consider avoiding your own name too.
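Three of the points above (turning off unused comments, keeping email addresses out of the page source, and refusing predictable usernames) can be enforced in WordPress itself rather than left to habit. The following must-use plugin is an added example written for this article; it is not Webhive’s code and not part of WordPress or Wordfence. It uses the standard WordPress hooks `illegal_user_logins`, `comments_open`, `pings_open` and `comments_array`, and the built-in `antispambot()` helper; the organisation name ‘Example Organisation’ and the address ‘info@example.com’ are placeholders you would replace.

```php
<?php
/**
 * Plugin Name: Hardening helpers (added example; not Webhive or WordPress code)
 * Description: Refuses predictable usernames, closes comments site-wide and
 *              renders email addresses without exposing them in plain text.
 * Install:     save as wp-content/mu-plugins/hardening-helpers.php
 */

// Do nothing if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * 1. Predictable usernames.
 * WordPress checks this list (case-insensitively) whenever a user is created
 * or registers, so 'admin', the domain name and the organisation name can no
 * longer be chosen. Existing accounts are not affected; rename those by hand.
 */
function hh_predictable_logins( array $illegal ) {
    $host  = (string) wp_parse_url( home_url(), PHP_URL_HOST ); // e.g. www.example.com
    $host  = preg_replace( '/^www\./i', '', $host );            // example.com
    $label = explode( '.', $host )[0];                          // example

    $org = 'Example Organisation'; // placeholder: put your organisation name here

    $extra = array(
        'admin',
        'administrator',
        $host,
        $label,
        sanitize_user( $org, true ),                        // "Example Organisation"
        sanitize_user( str_replace( ' ', '', $org ), true ), // "ExampleOrganisation"
    );

    return array_values( array_unique( array_merge( $illegal, array_filter( $extra ) ) ) );
}
add_filter( 'illegal_user_logins', 'hh_predictable_logins' );

/**
 * 2. Comments off everywhere.
 * Closing comments and pingbacks removes the form that spam bots post to;
 * emptying the comment list also hides anything that slipped through earlier.
 * Remove this section if the site genuinely uses comments (then rely on Akismet).
 */
add_filter( 'comments_open', '__return_false', 20 );
add_filter( 'pings_open', '__return_false', 20 );
add_filter( 'comments_array', '__return_empty_array', 20 );

/**
 * 3. Email addresses without a plain-text copy in the HTML.
 * Usage in a page or post: [safe_email address="info@example.com"]
 * antispambot() encodes the characters as HTML entities, so browsers display the
 * address normally while a harvester reading the raw source does not see it.
 * No mailto: link is produced, in line with the advice above.
 */
function hh_safe_email_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'address' => '' ), $atts, 'safe_email' );
    $address = sanitize_email( $atts['address'] );

    if ( ! is_email( $address ) ) {
        return ''; // malformed input renders nothing rather than a broken address
    }

    return '<span class="safe-email">' . antispambot( $address ) . '</span>';
}
add_shortcode( 'safe_email', 'hh_safe_email_shortcode' );
```

Must-use plugins in wp-content/mu-plugins load automatically and cannot be switched off from the dashboard, which is what you want for hardening rules. The Codex hardening page linked above also recommends adding `define( 'DISALLOW_FILE_EDIT', true );` to wp-config.php so that a compromised administrator account cannot edit plugin and theme files from the browser; that belongs in wp-config.php rather than in this file.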