Here at RDHQ we’re big fans of WordPress. In fact this website is created with it. For a start, it’s free, and a great deal of the basic plugins and themes that you can combine to create exciting and attractive websites are free too.
However, here’s the issue with free software – you’re responsible for your own security. While most theme and plugin developers are careful and responsible, they are also often writing software for nothing, and don’t have the time or resources to keep everything absolutely up to date. That combines with a a certain carelessness about creating really strong passwords recently led to our site being hacked. No idea who they were, or why they hacked our site (possibly just for fun), but the first thing we’ve done on the relaunched site is beef up the security.
With that in mind, here are a couple of tips on how to avoid the pain!
1: Strong passwords – yes, it’s a pain to remember passwords full of punctucation and that aren’t memorable. Yes, it’s easier to use your wife’s name, or your football team. Or ‘Passw0rd’, as a Firefox Security Engineer was memorably discovered to be using in 2015. A memorable password is usually a simple and/or logical password, and a simple/logical password is one that automated or brute force password guessing can and will work out. If your password is strong (and therefore complicated) even the most sophisticated software can take years to hack it.
2: Backup – with a bit of practice it’s remarkably easy to backup and restore a WordPress website. You need an ftp client (we use Filezilla, it’s free and works brilliantly) to backup the files, and access to your database. Normally you can access this via your hosting provider, we use phpMyAdmin to get to ours, and from there it’s a simple matter of exporting a copy of your database, downloading it and keeping it safe. That way after a hack you can be back up and running in hours rather than days – we learned this the hard way!
3: Harden your website – Sucuri is a great plugin for this, it can protect your various directories from various uploads and also notifies you of unauthorised attempts to log in to your site. If you’re getting a lot (50 an hour or more) you’re being subjected to a brute force password guessing attack, but that’s fine because you’ve read (1) and set a strong password. Haven’t you?
4: If the worst happens, ask the WordPress community for help. The best thing about open source software (even better than it being free) is the wide range of free support – this was our starting point, and as a result we’re back better than ever!