Security of your WordPress blog and protection against hacking is not the first thing you worry about when you start a blog in WordPress. Whether it is a hobby blog or a website to promote your business, in both cases you should protect your customers' details.
What the hack?
Apparently somebody else wants to make money with your resources. The attacker can use your mail account to send spam, use your web pages to serve malware to your visitors, or go after your database (MySQL) for customer details such as email addresses, passwords and credit card details.
Hacked, how do you know?
Your browser will probably warn you that something is wrong with your website, and tools such as Google Webmaster Tools will inform you as well. The Google video on this subject is self-explanatory.
Google Webmaster Tools also provides a page on how to recover a hacked website.
Design against a hack attack
WordPress, its themes and a lot of plugins are free of charge and open source. All the code is open and anybody can inspect it for vulnerabilities, attackers included, so a published vulnerability gets exploited quickly. The most common successful attacks are against outdated installations.
WordPress itself occasionally needs a security update. More often, however, it is the plugins that cause security problems. First of all, decide whether you trust a plugin before you install it. The risk is probably small if it already has a million downloads, a 5-star rating and the developer has a website with his designs, backgrounds and so on. Also check that the plugin was updated recently and is marked compatible with your WordPress version: an abandoned plugin never gets its bugs fixed.
More plugins mean more security risk. Do you need 5, 10 or even 50 plugins? If the site is a hobby, a lot of plugins can be fun. If the site is there to generate income, a well-designed theme becomes important, which reduces the number of uncontrolled plugins towards zero.
Besides the security issue, every plugin slows down your website, and speed is an SEO factor. Whatever you do: update, update and update whatever you have installed, and if you don't dare to click the update button, the deactivate / uninstall button is also available. Note that a deactivated plugin's files are still on the server and can still be reached directly by an attacker, so uninstall what you don't use.
Three of my plugins are security plugins. I am using the free version of Wordfence and so far I am very happy with all the emails it sends me. From these emails I learned that it sends an alert whenever somebody logs in with administrator rights (so far, luckily, this was me).
Most attackers try 'admin' as the username, so get rid of the username 'admin'. This can be done through the DirectAdmin panel (or whatever control panel your host provides) by editing the user_login value in the users table of the database; change the user_nicename field too, otherwise the old name still shows up in the author archive URL. Another way is to use the 'Users' section to add a new administrator, log in as that user and delete the old administrator. When WordPress asks what to do with the old account's content, attribute it to the new administrator instead of deleting it.
The third lesson is that most attacks target the default login page: when WordPress is installed in the web root, the login page sits directly behind your domain name as /wp-login.php, and every bot knows that. This can be fixed by giving the login page another name. I use a second security plugin for this, All in One WP Security & Firewall. This plugin has many more features to secure your site, and can also be used to keep an IP blacklist.
Let's assume the attacker found your login page and guessed the correct username (which is no longer 'admin'). Then almost the last line of defence is your password. Everybody knows it should be a strong password, should not be reused for other services and should be changed on a regular basis, and certainly as soon as you suspect it has leaked.
Two-step verification is taking off in 2014 and will probably have a bigger impact in 2015, so consider this feature for everyone with administrator rights. Google (Gmail), Dropbox and probably more companies already offer this login feature and it is worth trying out.
The third security plugin I use is the free version of WP Security. I started using this one because it addresses file access permissions: the web server must be able to read your WordPress files, but nobody except the owner should be able to write them, and wp-config.php (database password and secret keys) should not be readable by other users on the same server.
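As an added illustration (not code from this post or from the WP Security plugin), the following Python script applies the baseline those plugins aim for, 755 on directories, 644 on files and 600 on wp-config.php, to a WordPress tree and reports what it changed. The directory layout and the sloppy starting modes are constructed for the demo; whether 600 on wp-config.php works on your host depends on which user PHP runs as, so that is an assumption to check before running it on a live site.

```python
import os
import stat
import tempfile

# Baseline modes commonly recommended for a WordPress tree. Assumption: PHP
# runs as the file owner (suPHP, per-user PHP-FPM pools) or the server only
# needs read access; if a separate web server user must write to
# wp-content/uploads, give that directory group write instead of loosening
# everything.
DIR_MODE = 0o755          # rwxr-xr-x: everyone may list and traverse, only owner writes
FILE_MODE = 0o644         # rw-r--r--: world readable, only owner writes
SECRET_FILE_MODE = 0o600  # rw-------: wp-config.php holds DB credentials and salts
SECRET_FILES = {"wp-config.php"}


def _set_mode(path, mode, changed, root):
    """chmod path to mode if needed and record (old, new) in changed."""
    current = stat.S_IMODE(os.lstat(path).st_mode)
    if current != mode:
        os.chmod(path, mode)
        changed[os.path.relpath(path, root)] = (current, mode)


def harden_permissions(root):
    """Walk a WordPress install and apply the baseline modes.

    Returns {relative_path: (old_mode, new_mode)} for every entry that was
    changed, so the caller can log exactly what was tightened.
    """
    changed = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        _set_mode(dirpath, DIR_MODE, changed, root)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a symlink
            mode = SECRET_FILE_MODE if name in SECRET_FILES else FILE_MODE
            _set_mode(path, mode, changed, root)
    return changed


def current_modes(root):
    """Return {relative_path: mode} for every directory and file under root."""
    modes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        modes[os.path.relpath(dirpath, root)] = stat.S_IMODE(os.lstat(dirpath).st_mode)
        for name in filenames:
            path = os.path.join(dirpath, name)
            modes[os.path.relpath(path, root)] = stat.S_IMODE(os.lstat(path).st_mode)
    return modes


def demo():
    """Build a constructed mini WordPress tree with sloppy modes, harden it and
    return the resulting modes keyed by relative path ('.' is the root)."""
    with tempfile.TemporaryDirectory(prefix="wp-demo-") as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed placeholder\n")
        # Simulate the world-writable mess some FTP clients and installers leave behind.
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
        os.chmod(os.path.join(root, "wp-config.php"), 0o666)
        harden_permissions(root)
        return current_modes(root)


if __name__ == "__main__":
    for path, mode in sorted(demo().items()):
        print("%04o  %s" % (mode, path))
```

Run it once against a copy of your install first and read the returned dictionary: on shared hosting it is common to find 777 on wp-content/uploads or on plugin directories, which lets any other customer on the same server drop a PHP backdoor there.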
Htaccess deny IP
In the .htaccess file you can enter the IPs that should be blocked. OK, it is useless to block every single IP that attacks you: many consumer connections get a new IP after the router has been off for 5 to 10 minutes, and attackers rotate through botnets anyway, so a hand-maintained list of individual addresses only ever catches yesterday's attacker.
The All In One WP Security plugin writes all this into the .htaccess file for you, which is easier than logging in to your server and doing it by hand. Blocking complete countries is also possible.
If your website is, like most professional websites, focused on one country, you can block the rest of the world. The number of attacks will drop enormously. Keep in mind that country blocks rely on GeoIP databases that are not perfectly accurate, that they also lock out your own customers when they travel, and that a determined attacker simply uses a proxy in the allowed country.
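To show what the plugin does for you behind the scenes, here is an added Python example (not from the original post and not the plugin's code): it reads Apache access log lines, counts failed login POSTs per client IP and prints the Apache 2.4 .htaccess block that blocks the worst offenders. The log lines are constructed for the demo, the threshold is arbitrary, and the "POST to /wp-login.php answered with 200 means a failed login, 302 means success" heuristic assumes the default, unrenamed login page.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines, not real traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are the RFC 5737 documentation ranges. A failed WordPress
# login is a POST to /wp-login.php answered with 200 (the form is shown again);
# a successful one is answered with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2014:03:14:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2014:03:14:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2014:03:14:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2014:03:14:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2014:03:14:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2014:03:14:06 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2014:03:20:11 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2014:03:20:13 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2014:09:00:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2014:09:00:05 +0100] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2014:09:00:06 +0100] "GET /wp-admin/ HTTP/1.1" 200 45120 "-" "Mozilla/5.0"
"""

# Groups: client IP, method, path (query string stripped), status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ([^\s?"]+)[^"]*" (\d{3})')


def failed_logins(log_lines):
    """Count POSTs to wp-login.php that came back with 200, per client IP."""
    failures = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        ip, method, path, status = m.groups()
        if method == "POST" and path.endswith("/wp-login.php") and status == "200":
            failures[ip] += 1
    return failures


def build_denylist(log_lines, threshold):
    """IPs with at least `threshold` failed logins, sorted for a stable diff."""
    return sorted(ip for ip, n in failed_logins(log_lines).items() if n >= threshold)


def render_htaccess(ips):
    """Apache 2.4 access block denying the given IPs (Apache 2.2 would use
    'Order allow,deny' / 'Deny from' lines instead)."""
    lines = [
        "# Generated deny list. Attacker IPs rotate, so prune this list regularly.",
        "<RequireAll>",
        "    Require all granted",
    ]
    lines += ["    Require not ip %s" % ip for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_htaccess(build_denylist(SAMPLE_LOG.splitlines(), 5)))
```

With the constructed log and a threshold of 5 only 203.0.113.7 ends up in the block; the legitimate user at 198.51.100.23 never does, because the successful login was a 302. A site that is behind a proxy or CDN must use the forwarded client address instead of the first field, otherwise this would block the proxy itself.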
Spam at your comment section
I think everybody knows that you should enable some kind of spam filter. I use the combination of Akismet and the second security plugin. The IPs of the spammers of the last few weeks are now in my deny list and it has become very quiet in the spam section.
The comment box can be switched off under Settings > Discussion in WordPress, or you can let WordPress close comments automatically on posts older than a few weeks. One of the WordPress security updates in October 2014 was about this comment box. Yoast even wrote on his website that too many comments can influence SEO.
Http versus Https
Until now the rule of thumb was simple: if you have a store where customers pay by credit card, or you are a bank or a government, you need HTTPS.
HTTPS adds two things: encryption of the data in transit, especially needed for passwords and payment details (without it your WordPress admin password travels in plain text every time you log in), and a certificate that lets the browser check it is talking to your server and not to somebody in between.
Google announced in August 2014 that it uses HTTPS as a lightweight ranking signal, so for your SEO this can make a difference in the near future. Keep in mind that HTTPS protects the connection, not the server: a site with an outdated plugin is just as hackable over HTTPS.
Your data is stored in a database, nowadays almost always MySQL. All your own data and your customers' data lives there. The table prefix (wp_ by default) can be changed by two of the security plugins mentioned above. If you change it by hand, remember that the option name wp_user_roles in the options table and the meta keys wp_capabilities and wp_user_level in the usermeta table carry the prefix too and must be renamed as well, otherwise nobody can log in any more. A changed prefix only trips up automated SQL injection scripts that assume wp_; it does not fix the injection itself. Want to learn more? Here's an extensive blog post: 'The blogger's guide to WordPress Security'
And remember, whatever you do: make regular backups of your data, both the database and the files, store them somewhere other than the web server itself, and test once that you can actually restore them, just in case.