2013 was a busy year for WordPress. The whole year was filled with activity of both positive and negative kinds. On the core upgrade side, we are now seeing WordPress getting frequent updates automatically. However, on the security front, it saw a tumultuous time as WordPress sites were regularly hacked.
Honestly speaking, the blame does not lie entirely with the WordPress development team for such shortfalls. Many a time, it was noticed that bad security practices led to breaches and data losses.
Bad WordPress Security Practices
Before I move on to the security features that WordPress should introduce this year, let us look at the general bad practices that are prevalent in the industry.
Using an old version of WordPress
The general rule is: Newer versions are more secure. Nowadays, delaying an update is like asking for trouble. Many websites are compromised because their owners tend to be lazy when it comes to updating. Hackers only require an exploit to begin their activities and they prefer known exploits first. When people do not update, hackers make use of this opportunity.
Solution: First, upgrade to the latest version. WordPress has also provided a solution by giving the option to auto-update. Use this feature to stay updated.
Being careless with plugins
The problem with plugins is that they usually lie in third-party territory, and keeping them in good shape all the time is a difficult thing to attain. Recently, a website was being used for pharmacy scams because of a bad plugin. Last year, it was found that seven out of ten popular e-commerce plugins had security vulnerabilities in them.
Solution: Well, there is a solution for the problem discussed above. Sucuri has been fighting malware since 2008 and its Sucuri WordPress plugin helps you in keeping your site safe. Also, you may want to get your website tested. Cloudways provides one such facility where you can get your website analyzed for security loopholes. Check out our Full Security Analysis add-on for more details.
Using easy usernames and passwords
Everyone likes simple things, even hackers. These days, hackers are known to break into websites using automated scripts. One such case was discovered last year in April when WordPress websites using the username “admin” were hacked in huge numbers.
Solution: Complexity helps. You can use a random password generator for such purposes.
WordPress Security Features We Need In 2014
There are steps that WordPress can take to prevent such tragedies if its developers introduce certain features which are already available as plugins. These can help in combating brute force attacks.
Limited login attempts
Brute-force attacks are only successful when there are unlimited login trials. Hackers use automated scripts in order to find usernames and passwords. Given the fact that the number of login attempts is limitless in WordPress, they have a good chance of breaking in. This can be discouraged by limiting the number of tries to access a website’s back-end.
Solution: There is a plugin which can help you to limit the number of login attempts on your WordPress site. Limit Login Attempts plugin provides you with a highly customizable mechanism under which you can set the specific number of login attempts and a lock-out time.
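As an added illustration (not the Limit Login Attempts plugin's own code), the logic such a plugin implements: failed logins are counted per username/IP pair within a sliding window, and once the count reaches a threshold the pair is locked out for a fixed time. The thresholds, the in-memory store and the injectable clock are assumptions for this example.

```python
import time
from collections import defaultdict

# Assumed thresholds (illustrative, not the plugin's defaults).
MAX_ATTEMPTS = 5          # failed tries allowed before lock-out
WINDOW_SECONDS = 600      # failures older than this are forgotten
LOCKOUT_SECONDS = 1200    # how long the username/IP pair stays locked


class LoginLimiter:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(list)    # key -> timestamps of failures
        self.locked_until = {}               # key -> time the lock expires

    def _key(self, username, ip):
        # Lock on the (username, IP) pair: an attacker's failures from one IP
        # do not lock the real user out from everywhere else.
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.now() >= until:
            del self.locked_until[key]       # lock-out expired, reset counters
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, ip):
        """Register a failed login; returns True if this failure triggers a lock."""
        key = self._key(username, ip)
        now = self.now()
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username, ip):
        # A successful login clears the failure history for the pair.
        self.failures.pop(self._key(username, ip), None)
```

Call `is_locked` before checking the password and `record_failure`/`record_success` after it; a locked pair should receive the same generic error as a wrong password so the lock-out itself reveals nothing about the account.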
Implement a human-input-based verification process
Another way to tackle brute-force attacks is by using a verification procedure where human input is required. For example, ask the user to type the code visible on the screen. As programs do not act like humans, any script run by a hacker comes to a halt.
Solution: It’s a good thing that WordPress has many plugins for this purpose. The Captcha plugin allows you to put a human verification process on all pages (e.g. the login page, comments section, etc.) where human input is required. The Are You A Human? plugin uses a unique game-based approach for the same task.
Apply two-factor authentication
Two-factor authentication is a magnificent solution that has seen great success in stopping hacking attempts. This kind of authentication process depends on two passwords rather than one. The second password is usually a variable one and it is delivered to the specified user’s email or phone (via SMS). Sometimes, instead of a second variable password, a unique identity is given to a machine (or machines) and only these machines are then allowed access to the WordPress administration area.
Solution: Rublon is an excellent two-factor authentication plugin. It allows you to set trusted machines, and only those machines are allowed to access the WordPress administration area. Duo Two-Factor Authentication is also worth considering for this purpose.
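As an added example (not the Rublon or Duo plugin's code), the two mechanisms described above: a short-lived, single-use second password that the site would deliver out of band, and a "trusted machine" token that lets a remembered device skip the code. The lifetimes and the in-memory storage are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300             # assumed: seconds a one-time code stays valid
TRUST_TTL = 30 * 86400     # assumed: seconds a trusted-machine token stays valid


class SecondFactor:
    def __init__(self, now=time.time):
        self.now = now         # injectable clock for testing
        self.pending = {}      # username -> (code, expiry)
        self.trusted = {}      # sha256(token) -> (username, expiry)

    def issue_code(self, username):
        """Create the variable second password; the caller sends it by SMS/email."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self.pending[username] = (code, self.now() + CODE_TTL)
        return code

    def verify_code(self, username, submitted):
        # Single use: any attempt, right or wrong, consumes the pending code,
        # so a code cannot be brute-forced by repeated submissions.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        code, expiry = entry
        if self.now() > expiry:
            return False
        # Constant-time comparison so timing does not leak matching digits.
        return hmac.compare_digest(code, submitted)

    def trust_machine(self, username):
        """Return a token for the browser cookie; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.trusted[digest] = (username, self.now() + TRUST_TTL)
        return token

    def is_trusted(self, username, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.trusted.get(digest)
        if entry is None:
            return False
        owner, expiry = entry
        if self.now() > expiry:
            del self.trusted[digest]         # expired trust is forgotten
            return False
        return owner == username
```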
Is Two-Factor Authentication On WordPress A Great Fix?
Well, many think WordPress should make two-factor authentication a default option, but there are some who share a different view. In one of our discussions, Joost Schuur, a moderator of Web Developers, Web Designers, Web Coding community on Google+, shared this view:
“Requiring [two-factor authentication] would scare off a large part of their user base. I use it, and perhaps, it could be better promoted for self-hosted blogs, but for less tech savvy users, the initial experience is one of slowing them down.”
We also believe that WordPress should provide choices in login access protection. For some, two-factor authentication would be perfect, while others may prefer human-input-based verification or limited login attempts. Perhaps some would like to have two of these features.
Security Is A Priority At Cloudways
There is no doubt that using a Managed WordPress hosting service is the best way to host your website. At Cloudways, our security regime is based on analysis, prevention, and backup strategies. Click the button below to learn more about our Managed WordPress services.