Web Site Security, How Safe is your Web Site?
Web site security is an issue that some web site owners do not think about or take seriously enough. There are many ways in which you can leave your web site open to attack, and you may not realise that you are doing some of them. Your website is an asset and you do not want it broken into, do you? The more security measures that you have in place, the less vulnerable your site will be.
Just letting everybody who visits your site know that it is a WordPress web site is one security risk. Because of the popularity of WordPress, a would-be hacker would probably be able to work out what the live link to your admin area is: all he would need to know is your domain name, and then type the words ‘admin’ or ‘login’ on to the end of it in his browser's address bar, and he would have found the door to your office. He would then be able to try to guess your user name and passkey; this is known as a brute force attack.
Not changing the admin name from the default when you set up WordPress is another security risk, because any would-be hacker would know what it is. Since he has just found your live login link he is halfway to breaking into your site, as he would already know that the default login for WordPress, and indeed many other websites, is ‘admin’. All that he has to do then is to try to guess your passkey, and he would do this with software that tries popular passkeys to gain entry to your site.
The top ten most used passwords are as follows;
If you are using or have used any of the above passwords, or similar, on any website that you own or anywhere else on the internet, then you are leaving yourself wide open to attack: you are exposing your sensitive data to cybercriminals, and your WordPress site may be broken into.
Create Strong User Names.
So you should create a strong user name for your WordPress site when you are setting up WordPress, as user names cannot be changed, or so it says on the user profile page in the back office; anyone who has used WordPress for a while and has had time to get to know the technical side of it would know differently. You should also create a secure passkey and only use it on one site (read my post on passkeys), and make a note of it or invest in a password manager.
The live login links that are installed by default in the footer of WordPress and in the meta widget on a newly installed site are other ways that a hacker could find your login link, so these should be removed from your site. It is much better to bookmark the login to your site so you don’t forget it.
Even if you have changed your user name there is still a way for anyone to find out this information. This can be done by visiting one of your articles or posts and hovering the mouse cursor over the author's name at the top of the article, which will reveal a link in the bottom left-hand corner of the browser window showing your username. Even if you have selected a different name as your display name, your user name will show (see screenshot below).
If you have access to your ‘MyPHP’ admin you can change this by
Create a Custom WP-Admin URL.
To make your site more secure you might want to change the admin URL to something that only you know, and you can do this in two ways. One is to change the core files within WordPress; I have read that this is extremely difficult and, unless you know what you are doing, I would advise against it. The other way is with one of the many plugins that are available; one that I have come across is a free plugin known as WP Hide Login.
As well as carrying out all of the above, other measures that you can take are keeping your WP installation and all of the plugins that you have within it up to date. Removing any deactivated plugins and ones that you do not use any more is good practice in keeping your web site secure.
I read only recently that the owner of a plugin that I was using had sold it and the new owner had injected it with malicious code that would have attacked all the sites that it was installed on and harmed any computers that were logged in to the servers. You can read more about this by clicking here.
If you were to follow all of the things that I have written about here, that is, remove all the login links from your front page, customise your login URL so that it can be found only by you and other users of your site, create strong user names and passwords, change your user friendly name within your database, and keep updating your site, you will be able to sleep at night knowing that your piece of virtual real estate will still be here in the morning.
That is all for now. If you have any questions or would like to leave a comment, please do so in the box below.