Although TALK TALK probably don't use WordPress, if they did, one can safely say that it probably wouldn't be the most secure WordPress installation in the world!
WordPress core in itself (in the year 2016) has a good security record when kept up to date. It is the plugins and themes that introduce most of the security flaws, laying down the red carpet for opportunistic attackers. That is why specialised WordPress hosting companies like WP Engine don't allow the use of all plugins.
So why does WordPress get hacked a lot? Well, let's get this straight: the WordPress platform is a lot more secure than it used to be back in 2009, when it took a few dents from vulnerabilities that were widely exploited. I spent a lot of time then fixing and restoring WordPress sites back to normal operation. Since then, the core WordPress code base has been well nurtured with regular security patches, and is about as secure as Julian Assange in the Ecuadorian embassy.
So what is the problem with WordPress? Well, nothing much: the vulnerabilities come, in the main, from customers and WordPress webmasters not keeping the core files, plugins and themes up to date. Weak passwords for WordPress and database users are the other big problem. A strong, unique password makes guessing impractical, and a login lockout or rate limit stops the brute-force attempts themselves; together they take password attacks on your website off the table.
How to Make WordPress as Secure as Fort Knox?
- Nowadays WordPress applies minor (security) core updates automatically unless you turn that off in wp-config.php (AUTOMATIC_UPDATER_DISABLED, or WP_AUTO_UPDATE_CORE set to false). Major releases still have to be applied by hand unless WP_AUTO_UPDATE_CORE is set to true. Make sure WordPress core is updated promptly.
- Update your plugins as soon as updates are released, or better, set them to update automatically.
- Keep your themes up to date. If you are concerned about losing some of your WordPress settings and styling, take a backup first and use a child theme to hold custom CSS and modified page templates, so that updating the parent theme does not overwrite your changes. Ask your web developer, or get qualified advice from a WordPress professional.
- Remove unused themes; a deactivated theme is still on disk and its PHP files are still reachable.
- Remove unused plugins, for the same reason: deactivating a plugin does not remove its code.
- Add a firewall to your server (a host firewall that exposes only the ports you need, plus a web application firewall in front of WordPress if you can).
- Rename the 'admin' username. Most automated brute-force software targets the admin username first, so removing it makes the attacker guess the username as well as the password. Treat this as a speed bump only: WordPress reveals usernames through the author archive (www.mysite.com/?author=1 redirects to the author's slug) and, from WordPress 4.7, through the REST API users endpoint, so pair it with login lockout and two-step verification.
- Verify that automatic updates are actually running: check Dashboard > Updates and the update e-mails. Auto updates fail silently on hosts where the web server user cannot write to the WordPress files.
- Disable PHP error reporting on the live site (display_errors = Off in php.ini, and WP_DEBUG / WP_DEBUG_DISPLAY set to false in wp-config.php) so that file paths and database details are never shown to visitors; log errors to a file instead.
- Protect your .htaccess file. Apache denies access to .ht* files by default; keep that rule and make the file writable only by its owner, since a writable .htaccess lets an attacker redirect your whole site.
- Remove the WordPress version from the generated HTML, feeds and script URLs. This only slows down fingerprinting (the version can still be inferred from readme.html and bundled file hashes), so delete readme.html as well.
- Delete sensitive files: readme.html, license.txt, wp-config-sample.php, and any leftover install, backup or .sql files in the web root.
- Set unique secret keys and salts in wp-config.php (AUTH_KEY through NONCE_SALT). Generate them from https://api.wordpress.org/secret-key/1.1/salt/ and regenerate them after a compromise; changing them invalidates every logged-in session.
- Change the WordPress login/admin URL, say to www.mysite.com/dash/. This hides wp-login.php from dumb bots only and is no substitute for lockout and two-step verification.
- Enable strong password enforcement for all users, and use a strong, unique password for the database user too.
- Protect common WordPress files (wp-config.php, install.php, the wp-includes directory) with web server rules so they cannot be requested directly.
- Disable directory browsing (Options -Indexes in Apache) so that wp-content/uploads and plugin directories cannot be listed.
- Filter request methods: WordPress needs GET, POST and HEAD. TRACE and TRACK can be blocked outright; if you also block PUT and DELETE, check that the REST API and any apps you use still work.
- Filter suspicious query strings in the URL (the usual SQL injection and script-tag patterns).
- Filter non-English characters in the URL. Do not enable this on a site that publishes in other languages, as it will break legitimate URLs.
- Filter very long URL strings, which are a common sign of an injection attempt.
- Disable PHP execution in wp-content/uploads, so that a file uploaded through a vulnerable plugin or a compromised account cannot be executed.
- Disable XML-RPC (xmlrpc.php) unless you rely on Jetpack or the WordPress mobile apps. It is used for password brute forcing (system.multicall packs many guesses into one request) and for pingback-based DDoS.
- Replace jQuery with a safe version (an iThemes Security option that swaps out a known-vulnerable jQuery that some themes load).
- Enable Ban Users: lock out or ban IP addresses after repeated failed logins, and block known-bad hosts.
- Ensure WordPress file permissions are correct and not open to all: directories 755, files 644, wp-config.php 600 (or 640 with the web server's group if PHP runs as a different user), and never 777.
- Enable a two-step verification login process. There are a number of plugins available, like miniOrange, that add mobile phone or e-mail authentication.
- Add an SSL/TLS certificate and serve the whole site over HTTPS, so that logins and session cookies are never sent in clear text; there are SEO benefits in securing all of your website's pages too.
- Finally, always monitor activity (logins, file changes, new admin users) and review your security settings on a regular basis.
Many of the above changes can be implemented using the iThemes Security plugin. If you want your WordPress installation to be even more secure, there are further measures in the database environment (a dedicated database user with privileges on that one database only, a non-default table prefix) and in your Apache web server (keeping it patched, and a web application firewall module).
Get in touch if you need any assistance or are worried about how secure your WordPress site is.
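The script below is an added example, not code from the original post or from the iThemes plugin. It applies the checklist items that can be done from the shell on an Apache host: file permissions, protection of sensitive files, directory listing, request methods, XML-RPC, PHP in uploads, and a check of wp-config.php for the secret keys, DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN and error display. It assumes Apache 2.4 with mod_authz_core and AllowOverride All for the document root, and that PHP runs as the owner of the files (otherwise use 640 and the web server's group for wp-config.php). The path, the script name harden-wp.sh and the function names are the example's own.

```shell
#!/usr/bin/env bash
# harden-wp.sh: apply several items from the checklist to a WordPress install.
# Added example, not from the original post or iThemes. Assumptions:
#  - Apache 2.4 (Require syntax) with AllowOverride All for the docroot
#  - PHP runs as the owner of the files, so 600 on wp-config.php is readable;
#    use 640 plus the web server's group if Apache runs as a different user
set -eu

# Directories 755, files 644, wp-config.php readable by its owner only.
fix_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 600 "$root/wp-config.php"
}

# Root .htaccess: no directory listings, deny the sensitive files, allow only
# the request methods WordPress needs, and block xmlrpc.php (caveat below).
write_root_htaccess() {
  root="$1"
  cat > "$root/.htaccess" <<'EOF'
# --- hardening rules (added example) ---
Options -Indexes
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt|wp-config-sample\.php|xmlrpc\.php)$">
  Require all denied
</FilesMatch>
<LimitExcept GET POST HEAD>
  Require all denied
</LimitExcept>
EOF
}

# Uploads: whatever a plugin lets an attacker upload must not execute as PHP.
write_uploads_htaccess() {
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# Report wp-config.php settings the checklist calls for.
# Returns the number of problems found (0 means nothing to fix).
check_wp_config() {
  cfg="$1/wp-config.php"; problems=0
  for c in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT \
           DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
    if ! grep -Eq "define\([[:space:]]*'$c'" "$cfg"; then
      echo "wp-config.php: $c is not defined"
      problems=$((problems + 1))
    fi
  done
  # Errors must never be displayed to visitors on a live site.
  if grep -Eq "define\([[:space:]]*'WP_DEBUG_DISPLAY'[[:space:]]*,[[:space:]]*true" "$cfg"; then
    echo "wp-config.php: WP_DEBUG_DISPLAY is true"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Write the rules first, then fix permissions so the new files get 644 too.
harden_wordpress() {
  root="$1"
  [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
  write_root_htaccess "$root"
  write_uploads_htaccess "$root"
  fix_permissions "$root"
  check_wp_config "$root" || echo "review wp-config.php: $? item(s) flagged"
}

# Usage: ./harden-wp.sh /var/www/html   (run as the file owner, then reload Apache)
if [ -n "${1-}" ]; then
  harden_wordpress "$1"
fi
```

Two caveats. Blocking xmlrpc.php outright breaks Jetpack and the WordPress mobile apps; drop it from the FilesMatch list if you use them. Removing the version string from the HTML is not a file-system change: it needs `remove_action('wp_head', 'wp_generator');` in the child theme's functions.php or a small plugin, and the query-string and long-URL filters from the list are left to the security plugin, since hand-written rewrite rules for those are easy to get wrong.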