About WordPress Security

Today I woke up ready to talk a little bit about WordPress security. Let’s say you just got a beautiful website designed for you by a very skilled freelancer, and you instructed your freelancer to set up a WooCommerce store so you can sell your products or services to your customers. This implies collecting customer data: names, emails, shipping addresses, etc., and everything is stored in one place: your website server.

See how this might go wrong? Everything is stored on the same website your clients use to access your store, and the only gate to your kingdom is your admin password. Somebody who knows you personally and wants to do you harm might try to steal your password. OK, you might say, I will just be very secretive and careful with my passwords! Fair enough, that might work: locally. But what about your typical offshore hacker who is running a bot to brute-force passwords and tries just about any website that runs on WordPress? Are you protected from those? What if I told you that every single minute there are multiple attempts at most WordPress sites to access the default wp-admin and log in as the default admin user? No person is doing the hacking; the hacking is done automatically by bots that jump from website to website hoping to find the easiest target.

Figure 1. Monthly summary of the attacks one of the low-traffic websites (ingenieriamw.com) I’m currently maintaining is getting.

So you might ask: damn! How do I protect myself from those? Well, the simple answer is that everything is hackable, but if you protect yourself to a certain level, the attacker will just give up and move on to an easier target.
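The bot traffic described above leaves a very recognisable trace in the web server access log: many POST requests to wp-login.php from one IP address in a short time. The following script is an added example, not code from the original post, that flags such bursts in combined-format log lines. The log lines are constructed for the example (documentation-range addresses), and the threshold and window are assumed values you would tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3124
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.22 - - [10/Mar/2024:02:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [10/Mar/2024:02:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3124
203.0.113.7 - - [10/Mar/2024:02:14:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3124
198.51.100.22 - - [10/Mar/2024:02:14:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:02:14:21 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3124
203.0.113.7 - - [10/Mar/2024:02:14:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3124
192.0.2.5 - - [10/Mar/2024:02:15:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
198.51.100.22 - - [10/Mar/2024:02:19:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3124
"""


def failed_logins(lines):
    """Yield (ip, timestamp) for every failed POST to wp-login.php.

    WordPress answers a failed login by re-rendering the form with 200;
    a successful login redirects (302), so those are not counted.
    """
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        path = match.group("path").split("?", 1)[0]  # drop the query string
        if (match.group("method") == "POST"
                and path.endswith("/wp-login.php")
                and match.group("status") == "200"):
            yield match.group("ip"), datetime.strptime(match.group("ts"), TIME_FORMAT)


def flag_login_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failed attempts in any window} for IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the window fits, track its size.
        for end, current in enumerate(times):
            while (current - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within 60s")
```

One caveat if you put the site behind a proxy such as Cloudflare: the first field of the log will then be the proxy's address, not the visitor's, so the web server must be configured to log the originating client address (Cloudflare passes it in the CF-Connecting-IP header) or every visitor will be counted as one IP.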

The goal when protecting your WordPress site is to put up barriers: many layers of security that prevent the system from being compromised.

Just like my other project with the natural barriers, where many layers of protection are used to counter the causes of erosion, in this case we have to cover up security vulnerabilities with layers. In this post, I will mention the common measures you should always use to make your site a little bit more secure when your budget is limited:

So let’s start. The first one is: please use a secure password, and by secure I mean a minimum of 8 characters in length, including symbols, and never use common words or words associated with your business or persona.
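The policy in that sentence can be turned into a check that runs before an admin password is accepted. The function below is an added example, not code from the original post: it enforces the 8-character minimum, requires a symbol, and rejects common words as well as business or persona terms you pass in. The short word list and the leetspeak folding (so that "P@ssw0rd" is still caught) are constructed for the example; a real deployment would use a much larger wordlist.

```python
import re

# Constructed short list of common words; a real deployment would use a large wordlist.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin", "wordpress", "1234")

# Heuristic leetspeak folding so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@0$31!", "aoseli")


def password_problems(password, business_terms=()):
    """Return a list of reasons the password violates the policy (empty list = OK).

    business_terms: words tied to the site or its owner (company name, product,
    domain label) that must not appear in the password.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("contains no symbol")

    # Compare case-insensitively and after folding common letter substitutions.
    folded = password.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in folded:
            problems.append(f"contains common word '{word}'")
    for term in business_terms:
        term = term.lower()
        if len(term) >= 3 and term in folded:
            problems.append(f"contains business term '{term}'")
    return problems


def is_acceptable(password, business_terms=()):
    """True when the password passes every check in password_problems()."""
    return not password_problems(password, business_terms)


if __name__ == "__main__":
    for candidate in ("Sunny1!", "P@ssw0rd!", "Acme-Store-2024!", "Tr0ub4dor&3"):
        issues = password_problems(candidate, business_terms=("acme", "store"))
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```

The folding step matters more than it looks: most of the automated guessing the post describes works from wordlists with exactly these substitutions applied, so a password that only differs from a dictionary word by swapping "a" for "@" offers little extra protection.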

The next thing you want to do is use Cloudflare. Cloudflare is free and offers you many extra layers of protection against DoS attacks, and it hides your server’s true IP.

Hide the default wp-admin login URL.

Install a security/firewall plugin and employ their recommended best security practices.

This is just a quick, dirty, very brief introduction to the world of WordPress security. If you want to make sure your site is secure: “try to hack it” and see how you can improve the security of everything you find, whether a backdoor or an exploit that one of your plugins might have.