WordPress is arguably the most well-known and popular CMS on the internet, powering an astounding 26 percent of all known websites. According to data from WordPress, roughly 65 million new posts are generated by WordPress users each month, on WordPress.com. That translates into almost 23 billion pages of monthly content.
Because of its popularity and open source origins, however, WordPress sites are susceptible to hackers and security breaches. According to a report by a WordPress tutorials website, most sites get hacked through gaps in their hosting platform. Other points of entry include vulnerable plugins, insecure themes and weak passwords.
Recently I presented a webinar with Imperva Incapsula. We talked about security issues and how WooCommerce, the leading e-commerce plugin for WordPress, can be secured against vulnerabilities.
Securing your WordPress instance
Since WordPress is immensely popular with users, it is crucial that ops teams are vigilant when it comes to security issues. Security is a mindset and everything you do on the web should revolve around security. After all, having no security breaches is better than having to fix even one.
Here are my top security tips that will keep your WordPress site secure:
- Make sure your default username is anything other than the word “admin.” Instead, pick a username you use online, or a word or phrase to identify yourself.
- Have your WordPress admin directory accessible within a specific IP address range. Or, alternatively, move it entirely into a private directory on your server.
- By default, WordPress uses “wp_” as its database table prefix. It is highly recommended that you change this to something unique.
- Adjust the keys and salts in “wp-config.php” to be unique and lengthy. For further assistance, WordPress offers a secret-key service for generating these strings. If you’re setting up your own WordPress site for the first time, it is really important to make sure all your settings are 100 percent correct.
- Make it a point to regularly review your plugins list. You’ll want to delete anything that you’re not using or isn’t relevant any longer, and ensure what you are using is fully up to date.
- Don’t discount the advantage of having a long and strong password. If you need to confirm the durability of your password, WordPress provides a handy built-in password strength checker.
- It’s always a good idea to limit login attempts. I recommend using the Jetpack plugin to prevent brute force login attempts.
7 WooCommerce security tips
Many online vendors using WordPress depend on WooCommerce to sell products and services. Specifically built to integrate with WordPress, WooCommerce has been around since 2011 and is a free open source plugin that helps customize your e-commerce application interface.
WooCommerce is a flexible e-commerce platform and powers nearly 39 percent of all online stores.
Here are a few additional e-commerce security tips that’ll harden your website security if you are using WooCommerce.
- First, pick a trusted web host. WordPress is a great choice but there are others available, such as Bluehost and Pressable.
- When selecting WooCommerce extensions, be sure to use the ones offered on the WooCommerce website, as they are from a trusted source, and are coded using the best possible WordPress and WooCommerce coding and security standards.
- If you do decide to use extensions from another source, make sure you thoroughly research it. Things to look for include number of installations, the star rating and when the extension was last updated.
- Invest in an SSL certificate. These certificates are used to create secure server connections on the internet. Your host site should offer SSL, but if not you can purchase one at Namecheap.
- Always remember that there is a high risk in storing a user’s private information, such as credit card details, or a credit card authorization token. A good way to do this is by using an off-site payment gateway.
- If you decide to share information with an external service, be sure to double-check the permissions this service requires. And don’t be shy about reaching out to them if you feel the service is requesting too many permissions.
- Test your checkout process regularly. There’s always a risk that the checkout flow is compromised so you need to stay on top of it.
Note: be sure to open your web browser’s “Network” tab when doing these tests. This will ensure no intel is being leaked.
For more details about WordPress, WooCommerce, and how to protect your company’s website, check out the webinar video “WordPress & WooCommerce: Security Best Practices.”