At Gympie Hosting, we love WordPress. It is one of the most popular and easy to use Content Management Systems (CMS) available. Unfortunately, this popularity also makes it a target for hackers. Therefore, it is important to understand some basic WordPress security issues to minimise the risk of having your website hacked or compromised.
Over the years, we have seen a few sites compromised. Our investigations of these security breaches indicate that the majority of site intrusions come from two sources: hackers obtaining access passwords, and vulnerabilities in outdated WordPress versions and plugins. Hackers can obtain passwords (cPanel and WordPress) through:
- “brute-force” software attacks that generate random password combinations until the password is found
- viruses/malware installed on users' computers that send the stored passwords to hackers
In order to minimise the risk associated with passwords, we always manually create our cPanel accounts and manually install WordPress so that we can use our own very secure passwords. While this doesn't mitigate passwords being stolen by malware on a site owner's computer, it virtually eliminates the ability of “rogue software” to guess passwords.
We also use the Genesis framework, Beaver Builder and Astra themes for our WordPress installations (we never use free themes, as they can be poorly coded and may also contain code backdoors). We have been Genesis Pro developers since the days of Brian Gardner's Revolution Pro themes and have access to all themes in the StudioPress Pro Plus Package. Genesis is one of our preferred solutions for WordPress security and optimisation. It:
- has very clean and secure code
- is SEO optimised “out of the box”
- allows limitless design customisation with child themes
- is easy to configure, with lots of widgets and plugins
- is very flexible and compatible with major browsers
Our WordPress Security tips include:
- Change your cPanel password to be more secure (we use a random generator with a minimum of 14 characters, upper and lowercase letters, numbers and punctuation marks)
- manually create your database using a very secure password
- manually install WordPress instead of using Fantastico or other installers
- change the database table prefix used by the WordPress install from “wp” to anything else, e.g. “MYwp”
- do not use “admin” for your WordPress admin login username or user ID 1
- use a very secure password for your WordPress login
- install the Genesis framework (remove unused themes)
- install a good WordPress security plugin, e.g. iThemes Security and Wordfence
- minimise the number of plugins in your plugins folder (remove inactive plugins)
- keep WordPress and installed plugins up to date
- it is always good policy to have a backup plan so you can recover and restore your website. We offer a WordPress Care and Maintenance service for our clients which includes regular WordPress updates and backups
- ensure your PC is protected against virus and malware attacks
- install and regularly run an anti-malware program, e.g. Antimalware (free) from www.malwarebytes.org
- as an extra safeguard, run an online virus scan on your PC, e.g. Housecall from Trend Micro (http://free.antivirus.com/)
- never give your cPanel or WordPress password to anyone unless you know and trust them – you will never be contacted by your host, or by an employee claiming to be from “Microsoft”, asking for your password.
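Two of the tips above (a non-default table prefix and a 14-character mixed-character password) can be checked against a site's wp-config.php. The following is an added example written for this article, not code from Gympie Hosting or WordPress; the config fragment is constructed, and the 14-character, four-character-class password rule is the policy stated in the tips above.

```python
import re
import string

# Constructed sample wp-config.php fragment (not from any real site).
# It deliberately shows the weak settings the tips warn about.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_PASSWORD', 'hunter2');
$table_prefix = 'wp_';
"""

DEFAULT_PREFIX = "wp_"   # WordPress's stock prefix; the tips say to change it


def table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php text, or None if absent."""
    m = re.search(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;",
                  config_text, re.M)
    return m.group(1) if m else None


def password_meets_policy(pw, min_len=14):
    """Policy from the tips: 14+ chars with upper, lower, digit and punctuation."""
    classes = [str.isupper, str.islower, str.isdigit,
               lambda c: c in string.punctuation]
    return len(pw) >= min_len and all(any(f(c) for c in pw) for f in classes)


def audit_wp_config(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix is None:
        findings.append("no $table_prefix found")
    elif prefix == DEFAULT_PREFIX:
        findings.append("table prefix is the default 'wp_'")
    m = re.search(r"define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'\s*\)", config_text)
    if m and not password_meets_policy(m.group(1)):
        findings.append("DB_PASSWORD does not meet the 14-character mixed-class policy")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
```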
Remember, we provide all this for our WordPress Premium Hosting clients.