
How Vulnerable is your WordPress Website?

Doc Sheldon • October 3, 2023

Much of the security of any website is contingent upon the hosting service selected. Shared hosting vs. dedicated, the security measures implemented at the server level, and the strength of various aspects of server access all come into play. As such, they need to be considered when choosing a host for your website. 


Even if everything at the server level is well protected, however, there are still a great many things that can be addressed by the site’s webmaster to make a breach more difficult. 


Because of its massive popularity, WordPress is a favorite platform for hackers to target. Sometimes they hope to steal sensitive information, sometimes they simply want to use the site to reroute traffic or implant malware. Regardless of their end-goal, keeping them out is always to your advantage. 


There are many small steps that can make their task of breaching your site more difficult. And in reality, making it difficult is the best approach. No website can be made totally impenetrable, so the goal is to make it not worth their effort.


We have published a free 39-point WordPress security guide, which can help you achieve that goal. It’s broken down into 3 categories of measures – Basic, Intermediate, and Advanced, with clear instructions, allowing even site owners with limited technical expertise to enhance their website’s security.


Web Narwhal can also assess your website’s current vulnerability and make specific recommendations to mitigate existing risks. At that point, you can either implement the fixes yourself or ask us to do it for you. Depending upon the hosting service you’re using, you may even be able to have them make the necessary changes. But what you should not do is simply assume that since you’ve never been breached before, it will probably never happen to you. 


Some bare minimum steps you should take, this minute:


SSL/TLS


You’re probably already aware that HTTP addresses should be abandoned in favor of HTTPS. This allows for encryption of all data sent between the server and a user’s browser. In the past, SSL (Secure Sockets Layer) was employed to accomplish this, but today TLS (Transport Layer Security) is used instead, not only for websites but also for such things as email, VoIP (Voice over Internet Protocol), and instant messaging. If you haven’t already upgraded your hosting to SSL/TLS, do so today.


Most hosting companies offer Let’s Encrypt certificates for free, right from their cPanel; it is a one-click installation process and provides you with secure TLS encryption.


Strong Passwords


We’ve all seen prompts to create a password using upper and lower case letters, numbers, and special characters. At one time, such a password with 6 total characters was relatively safe. But today, that same password can be cracked instantly. Eight characters takes about 5 minutes, and 11 characters would take 3 years. Add one more character, and that 12-character password would take 226 years! As the use of AI increases, passwords will be cracked increasingly rapidly, so we suggest 14 or 16 characters (1 million years or 5 billion years at present). Personally, I use 18-character complex passwords, which by 2023 standards would take 26 trillion years to crack.


It goes without saying that you should never use the same password twice. I use RoboForm to manage my passwords; it has an automatic password generator, stores the login URL, username, and password in encrypted format, and synchronizes to both my desktop and phone, with a 12-character random master password to access my RoboForm files. One double-click on the account I want to open and I’m there. There are others as well, such as Bitwarden, Dashlane, and LastPass.


Finally, if others have access to your WordPress site, require strong passwords for everyone. It’s also a good idea to change passwords periodically – we recommend every 2-3 months.
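The two things this section asks for, a minimum-length-and-complexity policy for every account on the site and a feel for how fast length outgrows complexity, can be checked in code. The following is an added example, not code from the original post or from any of the products it mentions: a small password-policy checker plus a search-space estimator. The guess rate of 10 billion guesses per second and the short list of common passwords are constructed assumptions for illustration, not figures from the post.

```python
import string

# Character classes a typical "complex password" prompt asks for.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Constructed sample of passwords that should always be rejected (assumption;
# a real deployment would use a large breached-password list instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "wordpress", "letmein"}

# Assumed attacker speed for the estimate below; tune to your threat model.
ASSUMED_GUESSES_PER_SECOND = 1e10


def classes_used(pw: str) -> set:
    """Return the names of the character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def search_space(pw: str) -> int:
    """Number of candidates an exhaustive attacker must try for a random
    password of this length drawn from the classes pw actually uses.
    This treats the password as random; a dictionary word with a few
    substitutions is far weaker than this number suggests."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def estimated_crack_seconds(pw: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the search space at the assumed rate
    (an attacker succeeds after about half of it on average)."""
    return search_space(pw) / guesses_per_second


def check_password(pw: str, min_length: int = 14, min_classes: int = 3) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"too short: {len(pw)} characters, need at least {min_length}")
    used = classes_used(pw)
    if len(used) < min_classes:
        problems.append(f"only {len(used)} character class(es), need at least {min_classes}")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("Password", "Tr0ub4dor&3", "correct-horse-battery-staple-42"):
        verdict = check_password(candidate) or ["ok"]
        years = estimated_crack_seconds(candidate) / (365 * 24 * 3600)
        print(f"{candidate!r}: {verdict}; ~{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Running the script shows the point the post makes with its own numbers: adding characters multiplies the search space by the alphabet size every time, so a long passphrase of three classes beats a short one that uses all four. The estimator only applies to randomly generated passwords, which is one more reason to let a manager generate them.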


2FA/MFA


Another thing you can do to keep invaders out of your site is require 2FA (two-factor authentication) or MFA (multi-factor authentication). That means that after submitting one’s username and password into the login block, the system will require one (or two) more authentication steps. That may be an authentication code sent by email or SMS, a phone call, a hardware-based key generator like YubiKey or SolidPass, or even a QR code. Such functions are easily added to your WordPress site with a plugin.


I use iThemes Security Pro, but Wordfence Security or miniOrange’s Google Authenticator have a good reputation, as well.


You’ve only just begun! 


The three foregoing items are barely scratching the surface, so download our 39-point WordPress Security Checklist (it’s in the right-hand sidebar) and leave those would-be hackers grumbling and looking for an easier target!


Download the 2023 WordPress Security Checklist.