
Security And WordPress, Part I: What To Watch Out For


LD Staff Writer

WordPress, at its core, is a base of code that makes running a multi-page website infinitely easier than writing the code out yourself. Whether you want to get deep into the CSS and HTML, or you just want to post and write and never touch the code, WordPress is an incredible tool. Estimates point to WordPress being the base for over a quarter of websites on the internet.  

WordPress doesn’t include everything, though. It’s made to accept all sorts of plugins – things that can change anything from your comments section, social media interaction, advertisements, contact forms, shopping sections, logins for paid or protected content and so much more. You can build an incredible website with shopping and commenting and every bell and whistle you can find but it’s no good if someone can break through the front door and steal all your info or wreak havoc with your customers.

This post is going to break down some of the security points to start with.  

What does security for your website mean in real life?  Let’s talk about some things before we delve into plugins. (These may be a great starting point but things change quickly. Always check the most current reviews you can find before changing your security setup.)

http:// vs. https://

Modern web browsers mostly hide the https://www part of the address now. What they do show is whether they consider the traffic back and forth between you and the site to be encrypted: a padlock next to the address, or a "Not secure" label if it isn't.

Think of this part like a conversation: imagine two people having a conversation in front of you. If there’s no encryption, it’s like they’re speaking out loud – you can hear everything they say. It may be a boring chat about dinner recipes, or they may be exchanging banking information, passwords, etc. Unencrypted traffic can be seen forward and backward – you have no secrets.

Partly secured would be like watching this conversation but only catching fragments of it. You might work out what they're talking about, you might see them exchange money, but you can't get the whole conversation, and the details that could cause them trouble aren't for your ears. In browser terms this is a "mixed content" page: the page itself loads over https://, but some of its images, scripts or stylesheets are still fetched over plain http://, so the browser refuses to call it fully secure.

Fully secured means you don't have any clue what's going on. You can't read their lips, you can't hear them, you can't see them. Encrypted traffic can still be intercepted, and the protection is only as strong as the encryption (and the certificate) the site is using, but it's one of the first places to start. Also, Chrome, Edge, Firefox and Safari all flag a plain http:// site as "Not secure" right in the address bar, which isn't a good way to greet your visitors.
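The practical side of the above is making sure every request ends up on https://. The following is an added example written for this post, not code from the original article or from WordPress itself; the file name and the one-year HSTS lifetime are assumptions. It is a "must-use" plugin that redirects any plain-HTTP request to the same address over HTTPS and tells browsers to stick to HTTPS afterwards.

```php
<?php
/*
 * Plugin Name: Force HTTPS (added example)
 * Description: Redirect every plain-HTTP request to HTTPS and send an HSTS header.
 * Install: save as wp-content/mu-plugins/force-https.php (file name is an assumption).
 * Must-use plugins load automatically and cannot be switched off from the dashboard.
 */

// Send any request that arrived over plain HTTP to the same URL over HTTPS.
// Hooked early on template_redirect so no page content is rendered first.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // wp_safe_redirect() only follows hosts WordPress already trusts (the site's own
    // host by default), so a spoofed Host header cannot turn this into an open redirect.
    wp_safe_redirect( $target, 301 );
    exit;
}, 1 );

// HSTS: once a browser has seen this header over HTTPS it will not try plain HTTP
// to this site for a year (31536000 seconds), even when someone types the address
// without the scheme. Only send it over HTTPS, and only once the whole site
// (including any subdomains) actually works over HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Two companion settings belong in wp-config.php: `define( 'FORCE_SSL_ADMIN', true );` makes WordPress itself refuse to serve the login page and dashboard over plain HTTP (template_redirect does not run for those pages), and setting `WP_HOME` and `WP_SITEURL` to the https:// address makes WordPress generate every internal link with https://, which is the usual cure for the "mixed content" state described above. One failure mode to watch for: if a load balancer or CDN terminates TLS in front of the server, `is_ssl()` sees plain HTTP and this redirect loops forever. The standard fix is to set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when `$_SERVER['HTTP_X_FORWARDED_PROTO']` is `https`, but only when the proxy is the only way to reach the server, because otherwise that header can be faked.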

Secure Login

If you look at a house or a building, it’s pretty obvious where the doors and windows are. What if you walked up to a building, and there were no doors and no windows – how would you get in? Even better for the owner, how would you break in if everything looked like a brick wall?

By default, WordPress shows off its “Login” section. Hey! Look at our building, all brick walls except for this huge door. Here is where you get in.

This is the website for an author. A good author. He’s written over 40 novels, a few of them New York Times bestsellers. Can you see where the door to get in is?

Even if you have contributors to your site, that isn't a good reason to point out your login page. At the very least, don't link to your login page from the site, and make it only accessible if you know the link. If you want to take it another step, you can move it off the default address. Out of the box, every WordPress site logs in at www.yourwebsite.com/wp-login.php (www.yourwebsite.com/wp-admin simply redirects there when you're logged out), which is the first address any automated scanner tries; a plugin can move it to something no one is going to look for, like www.yoursite.com/myfavoritesportsteam/isbetterthan/yours/login. Keep in mind that hiding the door cuts down on automated noise but isn't a lock: strong passwords and a limit on failed login attempts matter more, and the hidden address leaks as soon as it's shared or linked anywhere.

Next, how secure is your door? If you’ve got a single screen door, it’s not too tough to break through it. If you’ve got a giant metal door with chains and deadbolts and a security scanner directly behind it… well, you get the idea.

Login pages like these can be susceptible to "brute-force" attacks (a.k.a. try username and password combinations repeatedly until one works, usually from an automated script hitting thousands of sites at once). WordPress core has no built-in limit on failed login attempts, so we turn to plugins. Stay tuned for some great ways to build this up.
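To show what the plugins in question actually do under the hood, here is a minimal attempt limiter written as an added example for this post; it is not code from the original article, from WordPress, or from any particular plugin, and the file name, the limit of 5 failures and the 15-minute lock are assumptions. It counts failed logins per client address and refuses to check a password at all while the address is locked out.

```php
<?php
/*
 * Plugin Name: Login Throttle (added example)
 * Description: Lock out a client address after too many failed logins.
 * Install: save as wp-content/mu-plugins/login-throttle.php (file name is an assumption).
 */

// Tunables (assumed values for this example).
const LT_MAX_FAILURES = 5;
const LT_LOCK_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key for the calling address. Behind a proxy or CDN replace REMOTE_ADDR
// with the proxy-supplied client IP, otherwise every visitor shares one counter.
function lt_client_key() {
    return 'lt_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// How many failures the calling address has accumulated in the current window.
function lt_failure_count() {
    return (int) get_transient( lt_client_key() );
}

// Count a failed login. The transient expires on its own after the lock window,
// and each further failure restarts that window.
add_action( 'wp_login_failed', function ( $username ) {
    $count = lt_failure_count() + 1;
    set_transient( lt_client_key(), $count, LT_LOCK_SECONDS );
    // Leave a trail for the site operator. sanitize_user() in strict mode strips
    // anything but plain characters, so a crafted username cannot forge log lines.
    error_log( sprintf(
        'WordPress login failed for "%s" from %s (%d/%d)',
        sanitize_user( $username, true ),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $count,
        LT_MAX_FAILURES
    ) );
} );

// Override the outcome of authentication while the address is locked. Hooked late
// (priority 100) so it runs after WordPress's own password check and wins even when
// the attacker finally guesses the right password during the lock.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lt_failure_count() >= LT_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lt_client_key() );
} );
```

Because this hooks the authentication pipeline rather than the wp-login.php address, it also covers login attempts sent through xmlrpc.php, which brute-force scripts like to use because it accepts credentials without a login form. Its limits are worth knowing too: it is a per-address counter, so an attacker spreading guesses across many addresses slips under it, and it does nothing about weak passwords themselves. That is why the full-featured plugins in Part 2 pair attempt limits with password rules and two-factor login.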

Bots / Crawlers / DDoS / DNS Spoofing / More

Once the major things are out of the way and secured, there are all sorts of other ways to break websites, but they get a lot more convoluted and a lot more difficult. Jim's Pizza Blog isn't likely to be singled out by a determined attacker (although automated bots probe every WordPress site they can find for known plugin flaws and weak passwords, famous or not), but once you start looking into shopping sites and customer information, people are going to try some crazy ways to break in. We won't dig too far into those here, but a few of the plugins we'll talk about in Part 2 will cover some advanced ground.
