
How to Protect Your WordPress Site from Hackers

 


Changing the default WordPress user name is one step to improve online security. Photo credit: Ben Binary Moon

WordPress is the most popular blogging platform for small businesses — and for good reason. It’s search engine friendly and offers flexibility, an abundance of possible themes, and the ability to easily extend functionality through plug-ins, or software applications. Its strengths, unfortunately, create its largest weakness: security vulnerability. Its open source code, popularity and multiple plug-ins turn WordPress sites into an inviting hacking target. 

Some experts predict WordPress sites will become even more vulnerable this year, as increasingly sophisticated hackers target them. Last month, hackers exploited outdated plug-ins to compromise over 100,000 sites. Websites that had not updated to the latest version of the RevSlider plug-in were infected with malware and blacklisted by search engines. Anyone trying to visit the websites saw the ominous message: “The site ahead contains malware.”

WordPress Security Precautions

The good news is WordPress site managers can substantially improve their site’s security through relatively simple precautions.

Keep WordPress updated. Updating to the latest WordPress version protects your site from vulnerabilities in older versions, as new releases fix known security weaknesses.

Update your plug-ins. It’s also advisable to update your plug-ins to the most recent versions, as the recent RevSlider attack shows. Delete any plug-ins you have installed but are not using.

User names and passwords

Change your user name and password. Don’t use the default “admin” username. Delete it after you create a new one with admin privileges. In what’s known as a brute-force attack, hackers often target this default username because most people don’t bother to change it.

Use a complex password. Don’t use a password found in a dictionary in any language and don’t use your name, company name, or website address. Strong passwords contain eight to 10 characters that mix numbers, letters and special characters. One trick in developing a strong password: Write out a nine to twelve-word sentence you’ll easily remember and use the first letter of each word as your password. Then include a special character. Don’t use the same passwords for financial accounts that you use for other purposes like subscriptions.

Install a security plug-in. Security plug-ins help protect your website, and at least a few are available for free. In an article for Social Media Today, John D. Saunders, digital marketing strategist at 5Four Digital Marketing, recommends iThemes Security, Wordfence, and Ultimate Security Checker. A security plug-in, among other functions, can block hackers from logging into the site after too many failed login attempts. That stops brute-force attacks, which rely on repeated login attempts until the password is found.

Check your site. That’s especially critical in light of the recent mammoth WordPress breach. Saunders suggests installing the Sucuri SiteCheck Scanner plug-in that checks websites for known malware, blacklisting status, website errors, and out-of-date software.

What if you are hacked?

If you find any issues, fix them immediately. Several websites, forums and online security firms can help guide you in identifying and fixing a malware infestation.

If you have a clean backup of your site’s contents, re-upload all of the site’s files to replace the malicious content.

Keep backups and periodically check the state of your WordPress installation. Having a plan to back up and recover your installation in case of catastrophe can help you get back online faster.

Trusted sources

Obtain themes from trusted sources, either through WordPress.org or well-known companies.

If you think you have found a security flaw, report it to WordPress.org. Also report any bugs you find to WordPress.org. You might have uncovered a vulnerability, or a bug that could lead to a security problem.

Don’t use a client network that you can’t trust. That includes Internet cafes or other public access sites like hotels or cruise ships where you are sending passwords over an unencrypted connection, wireless or otherwise.

Hackers target WordPress sites by scanning the web for the “wp” in URLs. By removing the common directory naming convention, you can avoid being a hacking victim. That’s a more technical change if you’re not a developer, but it could be worth it.

Bottom Line: Security vulnerability is a major disadvantage of WordPress. Taking relatively simple measures can improve its security – and prevent major problems within your website.

Final word: Back up all contents of your blog and your website onto a separate hard drive or a cloud storage service so that you can readily reinstall all files in the event of a hacker attack.