A survey conducted by Wordfence asked the question:
If you know how your site was compromised please describe how the attackers gained access.
Over 60% of site owners did not know. For the site owners that did work out how access was gained this is what the breakdown looks like:
The survey results above clearly show that Plugins are the biggest risk. However Plugins play a big part in making WordPress popular and there are over 40,000 plugins available.
So here are some tips on how to secure your site to ensure your information remains safe:
Keep your WordPress site up to date WordPress is updated regularly, and updates address any vulnerabilities discovered. This makes older versions easier to attack so make sure you always click on new updates.
Keep plugins up to date and delete any you’re not using As above always click on any new updates, and delete any plugins that are no longer in use.
Use strong usernames and passwords (and change your password regularly) Many potential vulnerabilities can be avoided with good security habits. A strong username and password (never use ‘admin’) are an important aspect of this, as is regularly updating your password.
Add two step authentication Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. This adds an extra layer of security to your log in.
Store passwords securely Do not store them in plaintext in a document online that may be compromised. You can use a product like LastPass which provides an encrypted ‘vault’ to store your passwords in. The benefits of LastPass are enormous, look out for a blog post specific to this coming soon.
Only download from reputable sites If you are going to download plugins somewhere other than the official WordPress repository, make sure the website is reputable
Limit the number of logins Lock out users after a defined number of log in attempts. This means an attempt to repeatedly hit your server with multiple username and password combinations will not work.
Backup your site regularly A sound back up strategy could include keeping a set of regularly timed snapshots of your entire WordPress installation in a trusted location.
Note that Showcase limit login attempts, never use ‘admin’ as a username and adhere to all the suggestions we outline in this post. Contact us if you want to know more about how Showcase Web Development can help improve your website security.