WordPress is popular and so it’s beloved by hackers and business owners alike. That’s why every day, businesses of all shapes and sizes wake up to discover that their carefully designed, carefully marketed website is offline, or riddled with dodgy code, or has been suspended from their hosting company or Google search results.
Today, we thought it might be fun to check your WordPress security in a quiz form! So here we go…
Give yourself one point each time you answer “Yes”.
1) Is your website using most recently released, secure version of WordPress?
From time to time, WordPress releases updates – at the time of writing, we’re on WordPress 4.8.2. Sometimes, these updates contain new features – a smarter editor, some fancy widgets, a new shortcode or two. WordPress is pretty stable, though, and that means that the majority of updates that are released exist to fix bugs and security issues. If you haven’t updated your WordPress core software in a while, you may be laying out the welcome mat for hackers!
2) Are you using trusted third-party plugins and themes?
There are thousands of WordPress themes available to make your website look good.
And there are even more plugins out there that exist to extend the functionality of your WordPress website.
The question is this: how safe are the plugins and themes that you are using? Many developers code and share plugins for free, but they may be new to coding and unintentionally leave loopholes that will allow hackers into your site. Some developers create a wonderful plugin or theme, and then go onto another project, never updating their plugin again, which means that they may be vulnerable to attacks that WordPress later discovers.
It never hurts to check your plugins and theme from time to time. Make sure that you’re using the latest versions, and check to make sure that the plugins and theme are updated regularly by the theme developers.
3) Have you changed the default settings in WordPress?
Sticking with the default WordPress settings is easy – you press a button and your website is up! Default settings in WordPress might include:
- the login url, for example
- Or the login user, admin.
- Or the MYSQL table prefix of wp_
- which files are visible to the world
- which files are writable by people other than you – like hackers!
There are many more. Default settings can create vulnerabilities, which you want to avoid. The fewer default settings you use, the more difficult it is for hackers to “break in”.
4) Are there users who have access to your site who shouldn’t?
Let’s pretend that you hire a contractor to help you with something in your WordPress website. You give them your admin login details for your website. You also give them your hosting and database login details. After the project, you pay them, never speak to them again and then… you forget to change your passwords or don’t bother to remove them as a user from your WordPress user list… It might not even be a contractor – it could be a former employee, too!
This leaves you vulnerable. The more people who have access to all your confidential information that sits behind your website, the more at-risk you are.
5) Does your website URL start with HTTPS?
If your website URL starts with HTTPS, it means that website data moving between users and your Web server is encrypted or secure. This protects login information to your server from a person’s browser from being intercepted in “man in the middle” cyberattacks. Google loves secure websites and apparently prioritises them in search results, and the HTTPS protocol, (i.e. a “secure socket layer” or SSL Certificate) is on its way to becoming the standard for all websites, not just for ecommerce sites. It helps with security and SEO – what’s not to love?
6) Are you using a WAF (Web application firewall)?
A Web application firewall works between your website and malicious visitors to protect against cyberattacks such as intrusion attempts, SQL injection, and cross site scripting. In some cases, it can mitigate DDOS attacks. WAF brands include Cloudflare, MaxCDN, and Encapsula. Or your hosting or cloud services provider may have a WAF offering. Features vary, so check exactly what each provides.
7) Do you monitor your server for malware?
You may only discover your website has malware on it when your best customer tells you he sees a big red warning in his browser that your site is unsafe. This is where a monitoring service such as Sucuri, Sitelock, McAfee Secure, or Acunetix adds value. Tools like these can give you advance warnings of problems and some services even clean up hacked websites. Of course, if you’re with a good hosting company like A2 Hosting, they monitor their servers and warn you of possible risks well in advance.
8) Do you use SFTP instead of FTP to upload files to your website?
FTP stands for “file transfer protocol” and is a common method used to upload files from a desktop computer to a Web server. Always use a secure version of FTP, such as SFTP. It encrypts and protects your login credentials during the upload process. The 3-minute video in this blog post explains more.
9) Do you take regular backups of your website?
You might assume that if something goes wrong, your host will have a backup. That’s the wrong assumption. Sure, some do, but others charge for this service, or expect you to set it up yourself. It’s wise to take regular backups of your website and store them somewhere safe in case you need to use the backup to recover your site. If you work on your site daily, consider daily backups, Otherwise, weekly or monthly backups might be fine.
10) Do you use a different, difficult password for all your logins?
Are you one of those people who has a complex and unique password for every login profile that you use online? If not, you’re not alone. It’s tough to remember a million passwords. However, if you use the same password for everything – child’s name + year of birth + !, for example, you’re leaving yourself open to being hacked. And that means you personally, as well as your WordPress website! Make it harder for hackers to get into your site and into your personal inforamtion. Passwords should all have a mix of numbers, letters, upper- and lowercase, and special characters, and should only be used for one login.
Give yourself one point for each “yes” answer. If you got a perfect 10, congratulations! But if you answered “no” or aren’t sure anywhere, you’ve got some work to do. Either start investigating solutions, or get in touch with us for a chat about how to make your WordPress website more secure.