Keeping Your WordPress Website Secure

Historically WordPress websites gained some bad press for being insecure as they attracted hackers and spammers whose actions often rendered WP websites unusable.

Here are three simple steps you can take to help stop the actions of hackers and spammers having an impact on your website.

Database Security

One of the reasons hackers have enjoyed success in hacking WordPress databases is the naming convention of WP tables. The WP database is made up of around 20 tables each with a default prefix of wp_

Eg there is:

Hackers use this knowledge to gain access to the tables to insert malicious code.

When you install WP you will see the Table Prefix field defaults to wp_ but you can edit this and make it 8 or 10 characters prefixed with a mixture of upper and lower case letters and numbers eg Yh83Hx3g2_

Therefore any hacker trying to access your tables will have no idea what the table prefix is.

Google Recaptcha

This is the big tick box you may well have seen when logging into a website. It is used to prevent what is called brute force hacking. This is where a hacker uses code to repeatedly input usernames and passwords into a logon box which requires a username and password.

When you click the box next to “I’m not a Robot” a wheel spins for a few seconds. If you click the Submit button before a green tick appears, then you are a “robot”. The idea is anyone using robot software to try to hack your website can’t see the box and has no idea when the tick appears.

The Google Recaptcha can be also deployed on any or all of the following:

Registration form
Registration form
Login form
Reset password form
Comments form
Contact Form

SSL Certificate

SSL stands for Secure Socket layer and is a means of encrypting data between a user’s browser and the web server on which the website is hosted.

If an SSL certificate is applied to a website then the websites’ name is prefixed with https:// as opposed to simply http://. The “s” stands for secure.

So once SSL is applied, data being transferred across the internet to and from the website cannot be intercepted and read. Pretty much since the inception of the internet websites enabling financial transactions have been https eg banks or payment gateways such as PayPal.

Back in 2017 Google adopted a policy of favouring websites which are https. This can be seen in two very obvious ways. Most browsers now flag a website as being insecure if it is not https, Chrome in particular (which of course is owned by Google). Also Google now use https as a search engine ranking factor, albeit one small factor of many.

So installing an SSL certificate on your website will not only improve security it will also help with your SEO ranking too.

So to summaries:

  1. Secure your database
  2. Use Google Recaptcha on login and submission pages
  3. Install an SSL Certificate on your website

The cost in time alone of putting right the damage done by a hacker can be huge compared with the time to take these simple actions.

Please note – No website can be made 100% hack-proof. In the past determined hackers have breached servers at the Pentagon in the USA for instance, however you can make it far more difficult for hackers to ply their “trade”.

Share this Blog post