As hacks and security breaches become more of a concern for anyone running a WordPress website, it’s important to know you can drastically improve your security by using a few WordPress security best practices.
WordPress Security Best Practices
- 1. Use a strong password with the help of a password manager.
- 2. Two-Factor ALL THE THINGS.
- 3. Regularly change your WordPress salts.
- 4. Use secure file permissions.
- 5. Use sFTP whenever possible.
- 6. Use SSL on all of your WordPress sites.
- 7. Keep your WordPress site and everything on it up to date.
Understanding the Threat: What is a Hacker?
Unfortunately, there are people and systems actively working to hack websites. The word “hacker” may bring a few ideas to mind, including:
- The ever-elusive hooded teenager working in a dark basement
- Government agents infiltrating criminals or foreign governments
- Underground networks fighting for freedom, equality or to expose corruption
While all of these “hacker” scenarios do exist, they’re unlikely to target your personal WordPress website. You may be tempted to personify attacks, but the reality is, a “hacker” is more like a mindless robot.
By robots, we mean “bots,” or automated code that has a connection to the internet. Just like a robotic arm at a manufacturing plant is programmed to do specific tasks, these bots work every second of every day to perform their programmed tasks as often as they can, on as many sites as they can.
The logic of hacking bots can often be summarized as “find a site and launch this specific attack.” The goal of attacks is often to make the attacked site into yet another bot that can be given tasks. The tasks can range from attacking other sites to sending spam or phishing emails. In other words, these bots don’t know what your site is about nor do they care. To the creator of the bot, each compromised site gives them access to more resources to create a revenue stream in one way or another.
Why Would Someone Want to Hack My Website?
There are currently tens of millions of websites on the web. WordPress powers about 26% of them. Unfortunately, the sheer number of WordPress sites makes it a target.
Recently, Sucuri released a Hacked WordPress Report, with roughly 94% of the sites they worked on in the third quarter of 2019 were WordPress sites.
Charts like this can make users will worry that WordPress isn’t secure — it is. In the chart above, Sucuri found that in most instances, compromises had little or nothing to do with WordPress core. Instead, WordPress compromises had to do with improper deployment,
This article was written by Michael Moore and originally published on WordPress News and Updates from iThemes – iThemes.