When it comes to WordPress, security is no joke.
Like any web software, WordPress can be vulnerable to many attacks. To help keep your site secure, you’ve probably instituted best practices, probably with the help of a plugin like iThemes Security.
However, when it comes to website security, the biggest weakness is really us—the users.
Just take a look at this story from Wired. Mat Honan, the article’s author, was hacked not through any technically sophisticated software. Instead, the hacker simply called up tech support numbers and was able to extract information about Mat from the support agent. The hacker then used this information to gain access to all of Mat’s accounts and wreak havoc.
Your website can sit on the most secure server and follow every best practice, but if someone gets your password, they have access to your site.
This year at WordCamp Miami, Chris Wiegman, creator of Better WP Security (which became iThemes Security), discussed ways in which many users are exposing themselves to security flaws that they aren’t even aware of.
Here are five important ways you should keep yourself secure.
1. Use A VPN When On Open Networks
Have you ever worked from a Starbucks or hotel Wi-Fi? You’re not the only user on that network. Others on it are able to listen in on your activity.
If you log in to your WordPress site, it’s possible that someone listening can actually pick up your password.
To prevent this, you should be using a VPN (Virtual Private Network).
I like Chris’s explanation of a VPN best. It’s like wrapping your connection to the web in a tunnel. So if anyone is listening in, they won’t be able to intercept your data.
You can purchase a VPN for quite cheap. One that Chris recommended is Cloak. I use VPN Shield, which is only about $4 a month.
2. Add An SSL Certificate To Your Site
So a VPN keeps your data secure when connecting to a website. However, if the website itself has an SSL certificate, the connection to it is already encrypted.
SSL stands for Secure Sockets Layer (read What Is SSL (Secure Sockets Layer) and What Are SSL Certificates? for a more in-depth discussion of SSL).
SSL is a protocol that is used to encrypt all data that goes between your browser and a website. Even if you haven’t heard of SSL, you’ve probably used it on a website before. If you’ve made an online transaction, you may have noticed the lock symbol appear in your browser, which means a secure connection has been established.
You can purchase an SSL certificate directly from most hosting companies. They start at around $9 a year and go up from there.
You can use a WordPress plugin like WP Force SSL to require all traffic to your site to be served over HTTPS (i.e., https://www.yoursite.com).
To keep your passwords secure, be sure to log in to your WordPress site over HTTPS.
3. Use Unique Passwords
We live in a world where every site we visit on the web requires a password. It can be hard to remember all of them.
Many people use the same password on all of the sites they visit.
So if a hacker gets the password for one of those sites, they can get into all of them. Instead, you’ll want to use a unique password for each of your sites.
How do you remember all of them, though? There is an app for that!
You can use software like 1Password to keep track of all your passwords securely.
4. Use Strong Passwords
Besides reusing passwords, people choose weak passwords so that they are easy to remember. But the easier a password is to remember, the easier it is for a hacker to guess.
Webroot.com has a great article called “How Do I Create Strong Passwords?” As the article says, many people use a password that combines a name and some numbers, such as Marshall1968.
Most hackers use software that tries millions of password combinations against your site, and a password like that turns up quickly.
But a password like Wt4e-79P-B13^qS is much more difficult for software to guess.
I like using password generators, such as Secure Password Generator, to create as random and secure a password as possible. I can then use 1Password to help remember that password.
And on WordPress, you can use a plugin like Force Strong Passwords to ensure all users are using strong passwords.
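To make the difference between Marshall1968 and Wt4e-79P-B13^qS concrete, here is an added example (not code from the post or from any plugin it mentions) that estimates the brute-force search space of a password, flags the name-plus-digits shape the Webroot article describes, and generates a random password the way a generator would; the COMMON_WORDS list and the weak/strong thresholds are constructed assumptions for the demo.

```python
import math
import re
import secrets
import string

# Character classes a brute-force tool has to cover; the alphabet size
# only estimates the search space, it says nothing about guessable shapes.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),
]

# Constructed stand-in for the dictionary a cracking tool would carry.
COMMON_WORDS = {"marshall", "password", "wordpress", "admin"}


def search_space_bits(password):
    """Bits of a naive brute-force search: length * log2(alphabet size)."""
    alphabet = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def looks_like_name_plus_digits(password):
    """True for the 'Marshall1968' shape: a dictionary word followed by digits."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{1,4})", password)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def assess(password):
    """Return ('weak'|'strong', estimated bits). Pattern checks come first,
    because a word plus a year is one of a few million guesses, not 2**bits."""
    bits = search_space_bits(password)
    if looks_like_name_plus_digits(password) or len(password) < 12 or bits < 60:
        return "weak", bits
    return "strong", bits


def generate(length=16):
    """Random password from all four classes using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Marshall1968", "Wt4e-79P-B13^qS", generate()):
        print(pw, assess(pw))
```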
5. Use SFTP Rather Than FTP
The final tip: use SFTP instead of FTP when possible.
SFTP is similar to FTP, except that it establishes an encrypted connection between you and the server.
With FTP, passwords and other information are sent unencrypted. Many hosts, including WP Engine, will only let you use SFTP. Other hosts allow you to use either SFTP or FTP.
When you can, use SFTP to transfer files. Just ask your host how to use SFTP instead of FTP.
Indiana University has a great article that goes more in depth on SFTP called What is SFTP, and how do I use an SFTP client to transfer files?
Is Your Site Secure?
Are you implementing any of these tips? Do you have any more WordPress security tips?
Please share them in the comments below.