or those of us who work and wander in the online business world, the value of maintaining a privately owned website cannot be overstated. Our websites are our offices, shopfronts, even second homes. In the bustling metropolis that is the world wide web, we carve out a presence and identity. Our websites provide the foundation for professional credibility, branding and transaction.
The criminal element of the online community applies itself relentlessly to the task of finding and exploiting vulnerabilities in online property. Invaders dig for private data, plant malicious code and hijack sites for their own purposes. Make no mistake: your digital assets are as much a target as the vehicle in your driveway!
We lock our vehicles for good reason. No one expects to have their car stolen, but neither is anyone immune to the possibility. Countless websites have been stolen or otherwise compromised even in the past year; in April alone, a large-scale assault on WordPress sites resulted in hundreds of successful invasions – maybe more. Most of these losses could have been prevented entirely.
All you really need to do is lock the doors.
Of course, when it comes to website security, the locks we use can be a little more complicated. Some of these measures are within reach for anyone, with some patience, and we will be exploring them in this series of articles. Today, we’ll take a look at five essential actions you can take to secure your web property.
(1) Stay current.
Although it’s great to keep up to speed on the latest security trends, we’re talking about something much simpler – and easier to overlook! Maintaining an up-to-date build of WordPress, and the plugins you use with it, may well be the most proportionally effective habit you can form. Exploits of the system are being developed on an ongoing basis, but they’re typically identified quite quickly. Your WordPress installation, and any plugins worth their salt, include the latest security measures with their regular updates. WordPress is capable of managing a lot of this for you, but you’ll still need to confirm the updates yourself.
(2) Rename your administrative account.
In the situation linked to above, the vast majority of compromised sites were being operated by administrators with the default username of “admin”. Because that word is the initial setting on a WordPress account, it may not be immediately apparent that it needs to be changed. You didn’t choose it in the first place, after all. With some FTP juggling, or by means of a plugin you trust, this simple oversight can be set right.
(3) Re-think your password.
Believe it or not, the most commonly used passwords today are still topped by “password” – and it doesn’t get any better from there. We’re talking gems such as “123456″ and “abc123″, as well as the more colorful “monkey” and “letmein”. There are a few different approaches to crafting strong passwords, and our own policy reaches for a balance between them. You’ll need something that you can remember, but ideally, it should also be very difficult for someone else to guess. A combination of letters, numbers, cases and symbols can come in handy here.
(4) Back it up.
The virtual world is no more immune to disaster than the world we walk in. In spite of your best efforts, you may well experience the upset of being hacked. Servers are fallible; sometimes, breakdowns in the system take place. The most reliable safeguard you can put in place with recovery in mind lies simply in maintaining a backup copy of your website. Plugins exist that will back up your site within its existing server, but that won’t help you in the case of a widespread compromise. Keeping a copy offline, stored locally on your system, may be the best measure you can take; cloud storage is also worthy of consideration.
(5) Be street smart.
You never know who you’ll meet out on the information highway. Many of your online peers will be pleasant folks, cruising the web for the same reasons you are. Some, of course, are driven by less praiseworthy motives. Some of the most common violations of online security occur as the result of human deception; today, we call it phishing. In a nutshell, it’s nothing more than the effort of a potential invader to trick you into handing over sensitive data. A basic rule, and a good one, could save you much grief: don’t ever share your passwords or other secure data without total confidence in the integrity of the recipient. Better still, don’t share them at all!
There’s a lot to the process of building WordPress security. It takes attention to detail and ongoing alertness, but it’s well worth the gain in peace of mind. Somewhere between awareness of real threats and a willingness to learn from error, online security is achievable for every WordPress user.
We at Loebig Ink and The Parrington Review recognise, however, that not everyone has the leisure to turn themselves into a security professional. Each of us has our own goals and priorities, after all. With that in mind, we’ve developed a comprehensive security service for WordPress; flexibility is key, and we’ve been dreaming up a variety of tailored solutions for every need. If you think this service could be valuable for you, we’re always ready to talk.