Launched in 2003, WordPress had a humble start as a small bit of code meant to improve typography. Since then, it has grown into a robust, easy to use blogging system with the flexibility to be crafted into nearly any type of personal or professional site.
But since WordPress is so popular and so widely used, wouldn’t that make it an obvious target for hackers? While WordPress is open-source, meaning everyone can see what’s going on under the hood. By the time you read about the latest WordPress vulnerability in the news, there’s already a security patch for it – released and, since WordPress updates itself automatically, already on your site.
WordPress is as secure as it can be when you start with a fresh install. But hackers are not the only network threat you must consider, particularly if yours is a business website. Breaks-ins and data loss are also issues that need to be addressed when it comes to small business cybersecurity.
Update WordPress, Plugins, and Themes
While this is the easiest thing you can do to keep your WordPress site safe, it’s often overlooked. Or worse, these updates are deliberately ignored because the user believes the updates will break their site.
When updates are received for WordPress itself or for the themes and plugins used, they should be executed right away. You should always be running the latest version of WordPress and any themes and plugins. Any plugins not activated and in use should be deleted.
While you’re in your dashboard, you may see a bright number next to updates in the menu to your left. You’ll also see a bright number next to plugin and/or themes depending on what updates are required. Always update these by clicking on those pages as prompted.
Some are reluctant to update plugins and themes because, on rare occasion, they do break your site. Realize that this isn’t WordPress itself and likely some bad code within the plugin or theme you just updated. The easy fix is to deactivate and delete the offending plugin or theme. If you can’t access the dashboard, this can still be done from the file manager in the hosting account or via FTP.
Admin User and Passwords
During the installation of WordPress on your site, you were prompted to create a username for yourself as administrator and it’s set to ‘admin’ by default. Since that’s the default username, it’s the first thing hackers will try when attempting to break in your site. If you left your administration username set to admin, change it immediately.
Content Delivery Networks (CDN)
A content delivery network (CDN) is a geographically distributed group of servers, working together to send out internet content quickly. Cloudflare is one such caching service or CDN. It caches your site and places it between the site and traffic, meaning users aren’t getting content from your server, but from Cloudflare’s. That takes some of the load off your website during heavy traffic.
On top of that, Cloudflare offers a free option and is easy to set up. That it also block malicious attacks is a bonus because if a certain computer or block of computers comes at your site, Cloudflare can shift that traffic away. It helps prevent your site from being taken down during the attack.
Backing up your site on a regular basis, or having a service that does this for you, is a crucial component of small business cybersecurity. If your web host’s server goes down, your content could be lost. Many users claim to keep backups of your site. But often those backups can be two weeks old or more.
There are plugins like WordPress Backup to Dropbox you can use to handle backups yourself, and many are free. If your site is large, you may have to pay to store the files on Dropbox. But you do have the option of scheduling backups and having the content downloaded to your own computer or to another repository.
VaultPress, like WordPress, is owned by Automatic and is a wonderful service that not only backs up your site on a regular basis but offers an entire suite of protection features. It’s not free, but when you factor in the cost of a lost website, the price is reasonable.
VaultPress recently formed a partnership with Jetpack to offer services at very affordable rates.
It’s important to protect your site against brute force attacks. This is where someone uses old-fashioned trial and error to get user information or passwords to access your site. There are plugins like Limit Login Attempts that can limit how many attempts are given to access your site.
There is also a plugin called Jetpack which not only does this but offers a variety of other features like blacklisting IPs. In its free version, it keeps track of your site’s downtime, monitors your plugins, and keeps track of suspicious activity.