For a minimum level of basic website security, I would suggest having a password manager. To manage your passwords I would strongly suggest using Master Password but another password manager will work well. Master password is an excellent password manager that randomly generate usernames and passwords when you enter a combination of details using cryptography. We have created a guide to Master Password as it is one of our favourite tools, I would highly recommend that you use it to improve your security. The average website is under continuous attacks from hackers and bots who are attempting to gain access to your website. They will try usernames and password combinations over and over again until they find one that works. Using a strong password of around 20 characters is recommended and also not matching your login username to your display name greatly reduces the chance of them gaining access.
Further security measures can be undertaken and are also highly recommended. If you purchase one of our website maintenance packages your website security is upgraded for free.
WordPress as a platform is generally quite secure, it is one of the most popular website content management systems on the internet, owning about 54% of the websites using a content management system. Due to it being so popular websites built using this platform will often come under repeated hacking attempts from groups and bots. The attempts to gain access are often directed at the /wp-admin login page due to the predictable location of the page.
Whilst WordPress is a secure platform there is always more to be done to prevent a more determined and dedicated hacking attempt.
In order to increase the security of your website you should make sure the following are followed and secured:
- Ensure all users who have backend access to the site have strong passwords
- Enable two-factor authentication
- Change the URL of the login page
- Block users, IPs and hosts who repeatedly enter incorrect details
- Instantly block any login attempts using the username “admin”
- Block users scanning for Error 404 pages as they are often looking for pages to exploit
- Set an away mode option so that the login page can only be accessed at certain times of the day – during office opening hours for example
- Regular backups of the site and database
- Enable file change detection
- Secure all the necessary file permissions to stop unauthorised changes
- Limit the length of URLs that can be used on the site
- Disable PHP execution in Themes, Plugins and Uploads
- Refresh and update the Salts of the WordPress passwords on your site
- Disable file editing, spam comments and XML-RPC
- Ensure logins are using reCaptcha from Google
- Keep track of login attempts and blocked IPs through a dashboard widget
- Disable Author lookups to stop people harvesting the usernames for login attempts
This is not an exhaustive list but if you are serious about your website security these should be followed and enabled.
Whilst maintaining good password disipline is important it may not be enough to stop a dedicated attacker. The steps above will help to slow progress and close extra holes and weaknesses but a website can never be completely secure as long as humans are involved in the process.