Cybersecurity Insight

Protect Your WordPress Website From DDoS Attacks

30 Oct

WordPress is one of the most widely used content management systems available today and accounts for almost a quarter of all websites. The open source platform is used for blogging, websites of all sizes, and even application development. WordPress makes it easy for almost anyone to create a great-looking website or blog without a lot of coding or technical knowledge, but it’s also an extremely powerful tool if you do have skills. Regardless of your skill set, WordPress can leave a few holes when it comes to security if you’re not careful.

Because WordPress is fairly easy to provision and use, those who aren’t savvy run a high risk of being hacked or threatened with a DDoS attack. Fortunately, it doesn’t take rocket science to put up a few safeguards. Here are several ways you can keep your WordPress website safe from DDoS attacks.

Using Strong Passwords

This is the easiest and least technical way to protect yourself against a DDoS attack. Unfortunately, too many folks create simple, easy-to-remember passwords that leave them vulnerable. Because of how WordPress is installed and set up, it can be fairly easy to find the login page and the username of a user for any WordPress website unless additional measures are taken. If you make a hacker’s job easier, they will find a way to exploit it. Creating a strong password can make a hacker’s job a little bit harder.

Luckily, newer versions of WordPress require a certain strength of password and don’t allow you to create your own, but if you use an older version or have not changed your password for some time, it is a good idea to change it.

Change Your Login URL and Username

The primary username for a WordPress website is “admin”. This is true when you first install WordPress. However, you don’t have to keep it that way. At any time you can essentially ‘delete’ the admin username and create a new one that has all the same privileges. It is also recommended that you change the display name for your username, so a person browsing your website can’t easily detect it.

Another way to help deter attacks is by altering the login URL. For most WordPress websites you simply need the website URL followed by “/wp-admin”. This makes it easy to find the login page for users, but also for attackers. By changing the login URL, either via the .htaccess file or using a plugin, you make things a little bit more difficult for a potential attacker.

Two Factor Authentication

This is one of the stronger and more technical ways to protect your website. If you set up two-factor or dual authentication, you will require another username and encrypted password to even get to the login page. This will make it virtually impossible for anyone to get to your login page without the first username and password being authenticated.

Whitelisting IP Addresses

A tried and true method to deter DDoS attacks is IP whitelisting. This means only allowing certain IP addresses to access your WordPress login page. This could be an IP address at your office, or only a few IP addresses of telecommuters, etc.
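
One way to apply the IP whitelist described here together with the extra username and password gate from the previous section, using an Apache 2.4 .htaccess file in the WordPress root. This is an added example, not from the original article; the IP addresses, realm name and password-file path are placeholders, and it assumes the host allows authentication overrides in .htaccess.

```apache
# Added example: restrict the WordPress login script on Apache 2.4.
# Assumes AllowOverride AuthConfig (or All) is enabled for this directory.
# All addresses and paths below are constructed placeholders.

<Files "wp-login.php">
    # First gate: a separate username/password checked by the web server
    # before WordPress itself is reached.
    AuthType Basic
    AuthName "Restricted login"
    # Placeholder path. Keep this file outside the web root; it is
    # created and maintained with Apache's htpasswd utility.
    AuthUserFile /path/outside/webroot/.htpasswd

    # A request must pass BOTH checks: a known IP and valid credentials.
    <RequireAll>
        <RequireAny>
            # Office address (placeholder from a documentation range)
            Require ip 203.0.113.10
            # Telecommuter range (placeholder from a documentation range)
            Require ip 198.51.100.0/24
        </RequireAny>
        Require valid-user
    </RequireAll>
</Files>

# Caveat: if the site sits behind a reverse proxy or CDN, Apache sees the
# proxy's address, not the visitor's, so "Require ip" matches the wrong
# value unless mod_remoteip is configured to restore the client address.
```

Requests for wp-login.php from any other address are refused with a 403 before a password prompt is shown, and Basic authentication should only be used over HTTPS because the credentials are sent with every request.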

Update Plugins

WordPress can use a number of plugins to expand functionality quickly and easily. However, many of these plugins have security vulnerabilities. First, you should research any plugins you wish to install, then make sure you keep them up to date when new versions come out. Furthermore, you should completely delete any plugins you don’t have activated or don’t wish to use in the near future.

Use A Security Plugin

If you’re not technically savvy or don’t have the technical knowledge to implement some of the above techniques, there are many security plugins out there that will do the job for you. Some are free and some are paid. There are several free plugins, such as All In One WP Security, that do a great job; however, if you really want to secure your site to the fullest, it’s recommended you seek out a paid solution.

At the end of the day, WordPress does do a lot to help keep itself secure, but it can’t be the protector for all. The user, meaning you, must do your part to help keep your website secure and free of DDoS attacks as much as possible. You don’t want to lose the work you’ve put in or risk any of your users’, customers’, or subscribers’ information getting stolen. Using some or all of these techniques will put you on a path to security success.