18. November 2016
Do you run a WordPress site? If you do, you have cause for concern about the security of your website. WordPress is the most popular content management system in the world, currently deployed on over 60 million websites. Due to its ease of use, the learning curve to administer a WordPress site is smooth. As a result, there are millions of site administrators who don't know much about web security. This has led to a situation where WordPress has attracted the unwanted attention of cyber criminals who take advantage of this gap in web security skills to hack sites and steal information.
As of March 2016, Google had flagged 50 million sites for phishing or trying to install malicious software. This was massive growth over 2015, when the number of sites was 17 million. These are all sites that have been hacked without the knowledge of the owners, and the problem is clearly getting worse. Google is currently blacklisting 20,000 websites weekly for malware and another 50,000 for phishing.
So, how do you keep your WordPress site secure from a malicious attacker? The following are four essential tips to WordPress security.
The first thing is to secure your site. There are a number of basic things that can be done immediately to make an attack more difficult. They include:
The second tip is to monitor the site to watch for any suspicious behavior. There are a number of security plugins that can "keep an eye" on a site and log all activity. Reviewing such a log can help identify suspicious behavior and is also useful for forensic purposes. In the event an attacker gains access, an analysis of the log can reveal the weak link. Other logs that should be examined regularly include database server logs, PHP error logs, and web server logs. These files contain useful information that can be used to troubleshoot both security and non-security issues.
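As an added illustration (not part of the original article), the sketch below reviews web server access log lines for repeated login attempts against the WordPress login endpoints and marks a client whose run of failures ends in a successful login. It assumes the Apache/nginx combined log format; the function name, the threshold of 5 and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress endpoints that accept credentials.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

def review_access_log(lines, threshold=5):
    """Return {ip: summary} for clients with >= threshold login POSTs."""
    stats = defaultdict(lambda: {"posts": 0, "failed": 0, "success_after_failures": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path not in AUTH_PATHS:
            continue
        s = stats[m["ip"]]
        s["posts"] += 1
        if path == "/wp-login.php":
            # Heuristic: WordPress re-renders the form (200) on a failed login
            # and redirects (302) on a successful one.
            if m["status"] == "200":
                s["failed"] += 1
            elif m["status"] == "302" and s["failed"] >= threshold:
                s["success_after_failures"] = True
    return {ip: dict(s) for ip, s in stats.items() if s["posts"] >= threshold}

# Constructed sample lines (documentation address ranges), not real traffic.
FMT = '%s - - [18/Nov/2016:10:00:%02d +0000] "%s %s HTTP/1.1" %s 3120 "-" "-"'
SAMPLE = (
    [FMT % ("203.0.113.7", i, "POST", "/wp-login.php", 200) for i in range(6)]
    + [FMT % ("203.0.113.7", 6, "POST", "/wp-login.php", 302)]
    + [FMT % ("198.51.100.4", 7, "GET", "/", 200),
       FMT % ("198.51.100.4", 8, "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, summary in review_access_log(SAMPLE).items():
        print(ip, summary)
```

A client flagged with `success_after_failures` is the one to investigate first: rotate that account's password and check what the session did afterwards.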
Once you have beefed up your defenses and have monitoring tools in place, it's time to perform some penetration testing. For this, you need a penetration testing professional. Don't do the test yourself because you may not have the perspective of an attacker. A penetration tester will use the same tools hackers use to test your site for vulnerabilities.
If the site fails the penetration test, implement any recommendations from the security professional. Also, new exploits come up every day, so you must stay apprised of security developments. You can do this by following the RSS feeds of WordPress security bloggers and experts. Keep your WordPress core, themes and plugins up to date. Your computer should also be secured because it can be a weak point through which an attacker can gain access to your site.
Finally, some of the tips in this article require some level of technical expertise. If you feel that this isn't your cup of tea, ring up a professional to help you improve the security of your WordPress site.