Securing anything in the digital world is an annoying task. Websites being defaced and servers being rooted (root is the most privileged account in an OS based on a Linux kernel) no one can promise anything being completely secure. Though we can’t completely secure anything, we sure can minimize the possibility of an intruder breaking in. And here we are with an agenda of making your WordPress blogs and websites more secure.
Securing WordPress ? Why?
WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL. It’s the most popular blogging tool over the internet and is preferred by many users for content management of their websites as well. This clearly attracts many black hat and grey hat hackers. Now that we know why we need to secure our WordPress blogs let’s move to how do we secure it.
How do I go about it?
We are all well aware that strong passwords(.i.e combination of special characters and alphanumeric characters) help us keeping intruders away. And we also how much we actually use them. In this article we won’t explain what kinda strong passwords to use, rather why to use them. Hackers usually try brute forcing their way into systems and websites. Brute forcing is a password cracking method that tries each keyboard combination possible against the username and password.To avoid these attacks you can try limiting the number of login attempts. After doing this you might say that you are secure enough but you are not. This is because it’s not just you who can get hacked, it can be the websites servers as well. In which case a strong password comes in the play.Usernames and Passwords are stored in form of hashes on servers, using a one way encryption.Hence hackers need to brute force these hashes to acquire the actually credentials. Practically using a brute force attack requires a lot of processing and time as well. So hackers download or make their own password lists that are used. Now the only way you can dodge these attacks is by having a very strong password
The screenshot above is the sign-up page for WordPress. One of the most common mistakes which normal users do is keeping the same username as the name of their blog or their email or having something common as admin, which is a bad practice. Always choose a username which is unknown to others. Also generating a strong password is a good habit provided you remember the password and don’t write it down somewhere.
A lot of hackers lurk around the files with a motive of gaining sensitive information. Also to find directories that might not be write protected, in which case a malicious script might be uploaded to your blog or website. Hence important directories must be writeable only by the user such as the root directory, /wp-includes/, /wp-content/ and /wp-includes/ .
Update ! Update ! Update !
This is one of the most important aspects in terms of digital security. Most users are impatient and find updating tedious. However most updates are security patches that ensure the integrity of your applications and systems. From version 2.7+ automatic update feature has been added, which decreases loads of efforts for users. For more info on Automatic updates you can check the link below:
It’s not just about WordPress, you also need to update your themes and Plugins.Older versions of plugins and themes are major a reason of websites being compromised. So make it a habit to update all of them. It would be even better if you delete the plugins you don’t use.
A regular Backup is a handy way to ensure availability of your blogs and websites. Regular Backup is not only important when your websites or blogs gets compromised but also helps you when an update or stupid little mistake has messed up everything. The most important aspect of a back up is its regularity.Having a back up that was taken ages ago is as good as not having it. Remember, by back up we mean back up each and everything including your database.
Securing your database
A database holds sensitive data that should not be accessed by others. But that doesn’t stop intruders from doing so. Some good practises are having uncommon names for tables. Also make sure you disable all the unneeded features like accepting remote TCP connections. Using uncommon usernames and passwords add one more layer of protection.
A lot of plugins provide security to your WordPress powered blogs and websites. Some to save you from popular attacks, some scan for security bugs,some monitor blog security and some that act as a firewall. We have listed them below with a little description to help you out.
1. Better WP Security (Link: http://wordpress.org/extend/plugins/better-wp-security/)
Better WP Security is monitoring plugin which is easy and effective. A one click way to secure WordPress
2. BulletProof Security(Link: http://wordpress.org/extend/plugins/bulletproof-security)
BulletProof Security protects your sites and blogs from the most popular attacks such SQL injection,code injection,XSS and several others.It also secures your database from bugs.
3. Total Security(Link: http://wordpress.org/extend/plugins/total-security)
Total Security is a highly effective security plugin. It provides you the detailed reporting on discovered vulnerabilities if they are found and tells you exactly on how to fix them.
4. WP Security Scan(Link: http://wordpress.org/extend/plugins/wp-security-scan)
WP Security Scan as the name suggests scans and tell you the vulnerabilities in your blogs and websites. It’s effective and easy to use.
5. WordPress Firewall (Link: http://www.seoegghead.com/software/wordpress-firewall.seo)
WordPress Firewall uses some WordPress-tuned pre-configured rules along with a white list to screen out attacks.
People often neglect security for better usability and functionality. They prefer systems to be without software firewalls and antivirus and anti-malware. These things put the user to a great risk. Not having an Updated Anti-Virus is as good as telling hackers all your usernames and passwords. If you do not implement basic security need for your system then securing your blogs and websites may serve no purpose. Most users are affected due to use of older versions of applications or rather the new ones which are downloaded illegally. The cracks for this kind of software are clearly detected as Trojans and Viruses but users use them anyway. These might not only compromise your WordPress powered blogs and websites but also your bank accounts and email accounts. Using an antivirus, anti- malware and a firewall is a must in the digital world.
An avid tech enthusiast and a someone really into hacking, he’s the newest flavour in our team! You could follow him on Twitter at @dhiraj_08
Any more questions on hacking/ securing and everything in between, drop us a comment right in this section below! :D