Three Little Pigs and WordPress Security

Once upon a time there were three little pigs and the time came for them to leave home and seek their fortunes.

Before they left, their mother told them “Whatever you do, do it the best that you can because that’s the way to get along in the world.” 

The first little pig built his house out of straw because it was the easiest thing to do.

The second little pig built his house out of sticks. This was a little bit stronger than a straw house.

The third little pig built his house out of bricks.

House of Straw

One night the big bad wolf, who dearly loved to eat fat little piggies, came along and saw the first little pig in his house of straw. He said “Let me in, Let me in, little pig or I’ll huff and I’ll puff and I’ll blow your house in!”

“Not by the hair of my chinny chin chin”, said the little pig.

And the big bad wolf huffed and puffed and blew down the straw house and ate the first little pig.

A freshly installed WordPress site has only very basic security.  Attackers rarely pick sites by hand: they run programs or bots that scan the web for known weaknesses (out-of-date versions, default accounts, weak passwords), and once a weakness is detected they exploit it to gain access they were never meant to have.

House of Sticks

Next, the big bad wolf proceeded to the second little pig in his house of sticks. He said “Let me in, Let me in, little pig or I’ll huff and I’ll puff and I’ll blow your house in!”

“Not by the hair of my chinny chin chin”, said the little pig.

The big bad wolf needed a little more effort, but with one final big huff and puff he blew down the stick house and ate the second little pig.

So, how can we improve WordPress security then?

Well, you can adopt the following measures:

  1. Keep WordPress core, themes and plugins up to date
    1. Updates deliver enhancements, bug fixes and/or patches for security holes, and the bots that scan the web look precisely for the versions those patches fix.  So, whenever an update notification arrives, log in to the WordPress site and apply it.  Deactivating a plugin is not the same as removing it: delete themes and plugins you no longer use, because their files still sit on the server and can still be reached.
  2. Use strong passwords
    1. Weak passwords make life easy for us, as there are already tons of passwords we need to remember.  But they also make the job of a potential hacker relatively comfy.  With a bot trying common passwords, it won’t be long before the hacker knows yours.
    2. A strong password is, above all, long (a dozen or more characters) and unique to the site; mixing letters, numbers and symbols helps, but a short password with symbols is still guessed quickly.  Never reuse the WordPress password anywhere else.
    3. To reduce the burden of remembering all these passwords, consider a password manager, which generates and stores a different random password for every site – for example, LastPass (www.lastpass.com), 1Password (https://agilebits.com/onepassword) or similar tools.
  3. Delete the default ‘admin’ account
    1. The default username for the WordPress administrator account used to be ‘admin’, and bots try it first.  If we don’t change it, half the battle is lost, since a potential hacker only needs to guess the password.  And if the password is weak, life is a bed of roses for the potential hacker.
    2. However, before you happily and hastily delete the ‘admin’ user, you must first create another user with the Administrator role.  Then log out of WordPress and log in again with the new username to confirm it works.
    3. Now you can delete ‘admin’.  When WordPress asks what to do with its content, choose to attribute all existing posts to the new user; otherwise they are deleted along with the account.
    4. Make sure the new username is not also the author name shown on posts: set a different ‘Display name publicly as’ in the user’s profile.  Even so, treat the username as only lightly hidden.  Requesting /?author=1 redirects to a URL containing the author slug, which by default is the username, and the REST API lists authors of published posts, so the password still has to carry the real weight.
  4. Ensure your laptops / desktops are virus and malware free
    1. Make sure the anti-virus programs on your laptops / desktops are up to date and that regular scans are scheduled.  A hacker who gets malware onto your laptop / desktop can log your keystrokes, including your WordPress login credentials, and no server-side measure protects against that.

House of Bricks

[Illustration: the third little pig builds a house of bricks (Project Gutenberg eText 15661)]

Next, the big bad wolf proceeded to the last little pig in his house of bricks. He said “Let me in, Let me in, little pig or I’ll huff and I’ll puff and I’ll blow your house in!”

“Not by the hair of my chinny chin chin”, said the little pig.

The big bad wolf made many big huffs and puffs but still could not blow the brick house down, so he climbed up and made his way down the chimney, not realising that a big pot of boiling water was waiting for him...

Let’s be realistic: our WordPress sites, or for that matter sites on any other platform, will never be 100% foolproof against hacking.  So, after adopting the above measures, how can we further improve the security of our WordPress site?

Well, you can adopt the following for better WordPress security:

  1. Backups
    1. Ensure that you are making and keeping backups of your WordPress site, both the database and the files (themes, plugins and uploads under wp-content).  They will come in handy should your site become the victim of a hack: the latest clean backup can be used to restore the content and configuration of the site.  Keep several generations, because a backup taken after the break-in may already contain the attacker’s changes, and store copies somewhere other than the web server itself.
    2. A backup is also very useful when you accidentally make a mess of your site (e.g. hitting the wrong buttons).  Test a restore once in a while; a backup that has never been restored is a hope, not a backup.
  2. Security Plugins
    1. We can install security plugins on our WordPress site.  These plugins generally provide protection against brute force attacks, scan the site for vulnerabilities and known malware, etc.
    2. Two plugins that are notable in this area are Wordfence Security and Better WP Security (later renamed iThemes Security).  Both are free, but of course they also have premium or paid versions which offer more features.  Remember that a plugin is PHP running inside the same site it protects, so it complements the updates above rather than replacing them.
    3. Sucuri Security offers malware detection, alerting and clean-up as a paid service.
  3. Change the database table prefix
    1. By default every WordPress table name begins with wp_ (wp_users, wp_options, wp_posts and so on).  If the prefix is left as is, an attacker who finds an SQL injection hole already knows exactly which tables to attack; a custom prefix takes away that shortcut, although it is only a speed bump, since table names can often be discovered anyway.
    2. A word of caution though!  Changing the prefix is not for the faint hearted, as any error will make a mess of your website.  It means setting $table_prefix in wp-config.php, renaming every table, and also updating the rows in the options and usermeta tables whose keys embed the prefix (wp_user_roles, wp_capabilities, wp_user_level); miss those and every user, you included, is locked out of wp-admin.  If you do the change at the start of an installation, the risk is low.  But if you already have lots of content, any wrong change will have a big impact and might bring down the site, so take a backup first.
  4. Two factor authentication
    1. We can put an extra layer in front of the WordPress login.  Through cPanel’s directory password-protection feature we choose the wp-admin directory and create a username and password for it.  After this, for subsequent logins, the browser first asks for the directory username and password and only then shows the normal wp-admin login.  Strictly speaking this is a second password rather than a second factor, but it does keep bots away from the login form.  One caveat: wp-admin/admin-ajax.php is inside that directory and some themes and plugins call it from public pages, so if parts of the site stop working, exempt that one file.
    2. Alternatively, install a Google Authenticator plugin on the site.  After setup, each login also requires the six-digit code shown by the authenticator app on your phone.  Nothing is sent to the phone: the app and the site share a secret, and both compute the code from it and the current time, with a new code every 30 seconds.  This greatly enhances login security, but do store any backup codes the plugin gives you, or a lost phone locks you out too.
  5. Limit login attempts
    1. We can install a limit login attempts plugin on our WordPress site.  Its purpose is to prevent unlimited tries at guessing the username and password.
    2. If we set the limit to 5 tries and the lockout period to 12 hours, a potential hacker can make only 5 attempts from one address, and after the 5th failure that address is locked out for 12 hours.  So in one day, the potential hacker could make only 10 tries from that address.  Two caveats: attackers spread guesses over many addresses (each staying under the limit), and xmlrpc.php can test many passwords inside a single request via system.multicall, so disable XML-RPC if nothing uses it.  And if the site sits behind a CDN or reverse proxy, make sure the plugin sees the real client address, or it will count, and lock out, the proxy instead.
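
As an added example for the table prefix change above (this is not code from the original post or from WordPress itself), here is a small Python script that generates the statements for moving from one prefix to another and rehearses them on an in-memory SQLite copy of the tables that bite.  The prefix `s3cure_`, the table contents and the `unrelated_app` table are made up; the option and usermeta keys listed are the ones WordPress core stores with the prefix embedded.

```python
"""Generate a WordPress table-prefix change and rehearse it on a throwaway SQLite copy."""
import sqlite3

# Keys whose *names* embed the table prefix. Renaming the tables alone leaves these
# behind, after which WordPress finds no roles or capabilities and every account is
# locked out of wp-admin. Plugins may add their own; grep a database dump for the old
# prefix before migrating.
PREFIXED_OPTIONS = ("user_roles",)
PREFIXED_USERMETA = ("capabilities", "user_level", "user-settings", "user-settings-time")


def prefix_change_sql(tables, old, new, dialect="mysql"):
    """Ordered statements moving the WordPress tables in `tables` from prefix `old` to `new`.

    Only tables that start with `old` are touched (other applications may share the DB).
    The new prefix is restricted to [A-Za-z0-9_] so it can be interpolated safely.
    """
    if not new or new == old or not new.replace("_", "").isalnum():
        raise ValueError("new prefix must be alphanumeric/underscore and differ from the old one")
    stmts = []
    for table in tables:
        if not table.startswith(old):
            continue
        target = new + table[len(old):]
        if dialect == "mysql":
            stmts.append(f"RENAME TABLE `{table}` TO `{target}`;")
        else:  # sqlite, for the dry run below
            stmts.append(f'ALTER TABLE "{table}" RENAME TO "{target}";')
    # Rows that embed the prefix, updated after the renames using the new table names.
    for name in PREFIXED_OPTIONS:
        stmts.append(f"UPDATE {new}options SET option_name = '{new}{name}' "
                     f"WHERE option_name = '{old}{name}';")
    for key in PREFIXED_USERMETA:
        stmts.append(f"UPDATE {new}usermeta SET meta_key = '{new}{key}' "
                     f"WHERE meta_key = '{old}{key}';")
    return stmts


def rehearse_on_sqlite(old="wp_", new="s3cure_"):
    """Apply the change to a constructed in-memory copy (three WordPress tables plus one
    unrelated table) and return the resulting (table names, option names, meta keys)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {old}options (option_name TEXT, option_value TEXT);
        CREATE TABLE {old}usermeta (user_id INT, meta_key TEXT, meta_value TEXT);
        CREATE TABLE {old}posts (ID INT, post_title TEXT);
        CREATE TABLE unrelated_app (id INT);
        INSERT INTO {old}options VALUES ('{old}user_roles', 'a:5:{{...}}');
        INSERT INTO {old}options VALUES ('siteurl', 'https://example.com');
        INSERT INTO {old}usermeta VALUES (1, '{old}capabilities', 'a:1:{{s:13:"administrator";b:1;}}');
        INSERT INTO {old}usermeta VALUES (1, '{old}user_level', '10');
    """)
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for stmt in prefix_change_sql(tables, old, new, dialect="sqlite"):
        db.execute(stmt)
    tables_after = sorted(r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))
    options = sorted(r[0] for r in db.execute(f"SELECT option_name FROM {new}options"))
    meta = sorted(r[0] for r in db.execute(f"SELECT meta_key FROM {new}usermeta"))
    return tables_after, options, meta


if __name__ == "__main__":
    for stmt in prefix_change_sql(["wp_posts", "wp_options", "wp_usermeta"], "wp_", "s3cure_"):
        print(stmt)
    print(rehearse_on_sqlite())
```

The generated MySQL statements are run against a backup first; only after the rehearsal succeeds do you run them on the live database and change `$table_prefix` in wp-config.php to the same value, in that order, since WordPress will error out on the first page load if wp-config.php and the tables disagree.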
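
As an added example for the limit login attempts item (not code from the original post or from any plugin), here is a small Python replay of the policy described above, 5 failures then a 12-hour lockout counted per IP address, run over constructed login records.  It confirms the 10-per-day figure for a single address and shows that the same number of guesses spread over 300 addresses is not slowed at all.  The log format, timestamps and addresses are all made up.

```python
"""Replay login attempts through a 'limit login attempts' style policy (N failures
per IP, then a lockout) to see how much brute force it actually stops."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                  # failures allowed before lockout (the text's setting)
LOCKOUT = timedelta(hours=12)     # lockout period (the text's setting)

# Constructed sample log, one attempt per line: "timestamp ip username result".
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.7 admin FAIL
2024-03-01T09:00:05 203.0.113.7 admin FAIL
2024-03-01T09:00:09 203.0.113.7 admin FAIL
2024-03-01T09:00:14 203.0.113.7 admin FAIL
2024-03-01T09:00:20 203.0.113.7 admin FAIL
2024-03-01T09:00:25 203.0.113.7 admin FAIL
2024-03-01T09:30:00 192.0.2.10 editor OK
"""


def parse_log(text):
    """Yield (when, ip, user, success) tuples from the sample format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def brute_force(ips, count, start=datetime(2024, 3, 1), user="admin"):
    """Constructed attack traffic: `count` wrong guesses, one per minute, rotated over `ips`."""
    for i in range(count):
        yield start + timedelta(minutes=i), ips[i % len(ips)], user, False


def simulate(attempts, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
    """Return (checked, blocked): guesses that reached the password check versus
    guesses rejected because their address was locked out at the time."""
    failures = defaultdict(int)   # consecutive failures per IP since last lockout/success
    locked_until = {}             # IP -> time the lockout expires
    checked = blocked = 0
    for when, ip, user, success in attempts:
        if ip in locked_until and when < locked_until[ip]:
            blocked += 1          # rejected before the password is even compared
            continue
        checked += 1              # this guess reaches the password check
        if success:
            failures[ip] = 0
        else:
            failures[ip] += 1
            if failures[ip] >= max_attempts:
                locked_until[ip] = when + lockout
                failures[ip] = 0
    return checked, blocked


if __name__ == "__main__":
    print("sample log:", simulate(parse_log(SAMPLE_LOG)))
    print("one IP, 1440 guesses in 24h:", simulate(brute_force(["203.0.113.7"], 1440)))
    botnet = [f"198.51.100.{i}" for i in range(1, 255)] + [f"192.0.2.{i}" for i in range(1, 47)]
    print("300 IPs, 1440 guesses in 24h:", simulate(brute_force(botnet, 1440)))
```

The single-address run yields exactly 10 checked guesses a day, as the text says; the 300-address run yields 1440, because no address ever reaches its fifth failure.  That is why the plugin is worth having against lazy bots but is no replacement for a strong password and a second factor, and why the same counter should also cover xmlrpc.php.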

The above are some measures we can take to make our WordPress site a little less vulnerable.  When we have a website, we have the responsibility and accountability to our users and the web community.  Balancing between costs and usability, we can never have 100% protection against potential hacking.  What we can do is not to be complacent, not to take things for granted and employ some measures to make our WordPress site a little safer.

So, how do you have better WordPress security?

If you need any assistance, please feel free to contact us.