If you or your company have WordPress sites, there are two things to consider. First is to avoid having your own site hijacked, and second is to avoid becoming part of a larger problem.
Hackers are not gaining entry to up-to-date WordPress sites because of software exploits, but instead by attacking easily defensible weaknesses! Fortunately, there are simple recommendations that can lower the likelihood of catastrophe to almost zero!
- Please take a few minutes to check out the security requirements recommended by WordPress. Computers are getting faster all the time, and a password that feels strong is not necessarily strong. Hackers go after users who do not take the time to switch from default (weak) login information, because they are easy targets.
A secure password is at least 12 characters (a number that will only increase as computing power grows), and makes use of upper and lowercase letters, numbers, and special characters (^%$#@*?!). Consider using a lengthy passphrase, or better yet, download a password manager to enable you to keep long and secure passwords for all digital logins.
Important: a 25+ character passphrase with only lowercase letters and spaces is far more secure than a 12-character password that uses many different character types, because the computation time needed to guess it increases exponentially with each added character. Additionally, the 25+ character passphrase will likely be far easier to remember!
Example: "j!bBeR!$h?!@" (12 characters), or "pigeons swiftly exceed housecat landspeed" (41 characters)? The password with 41 characters is safer, and easier to remember! Switch to passphrases today!
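The comparison above can be worked through in numbers. The following Python sketch is an added example, not code from WordPress or from this article's author. It estimates the search space for the two secrets under the character-by-character brute-force model the paragraph describes. The guessing rate and the function names are assumptions chosen for illustration.

```python
import math
import string

# Assumed offline guessing rate (guesses/second); illustrative, not from the article.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an exhaustive search would have to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation, " ")


def pool_size(secret: str) -> int:
    """Candidate symbols per position, from the classes the secret uses."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in secret))
    # Characters outside the classes above (e.g. non-ASCII) count individually.
    known = "".join(CLASSES)
    pool += len({ch for ch in secret if ch not in known})
    return pool


def brute_force_bits(secret: str) -> float:
    """log2 of the search space for character-by-character exhaustive search.

    Models exhaustive search only; dictionary or word-level guessing
    is not modelled here.
    """
    if not secret:
        return 0.0
    return len(secret) * math.log2(pool_size(secret))


def years_to_exhaust(secret: str,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to try every candidate of this length and pool at the given rate."""
    return 2 ** brute_force_bits(secret) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The two examples quoted in the article.
    for s in ("j!bBeR!$h?!@", "pigeons swiftly exceed housecat landspeed"):
        print(f"{len(s):2d} chars, pool {pool_size(s):2d}: "
              f"{brute_force_bits(s):6.1f} bits, "
              f"{years_to_exhaust(s):.2e} years")
```

Each added character multiplies the search space by the pool size, so the 41-character passphrase has a far larger search space than the 12-character password even though its pool is less than a third of the size.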
- If you have a WordPress.com account, take advantage of two-factor authentication (2FA), which ensures that you are an authorized human logging in, not a bot. With 2FA, an individual in possession of your username and password will not be able to gain entry without your authenticator.
- Many hackers exploit outdated versions of WordPress and WP plugins. Keep your installations up to date, and you have good odds of avoiding trouble. However, outdated software is a less immediate threat than exceedingly weak login credentials.
WordPress founder Matt Mullenweg advises that if you do these first four steps, then you will be ahead of 99% of sites out there and will probably never have an issue.
- Consider WordPress Security Plugins: WordPress does a decent job of handling most threats against its platform, but it is never a bad idea to take some extra steps to ensure that you are extra secure in a way that does not interfere with usability. Check out these WP security plugin suggestions, posted by Pavitra Shankdhar of infosecinstitute.com in February 2018, to decide if you have needs that can be met by any of these services.