Here at 3B Data Security, a portion of what we do is Payment Card Industry Forensic Investigations (PFI) for eCommerce websites that have potentially been breached and we are seeing a high number of WordPress site recently.  It is common practice for the owners of these websites to outsource to a third-party website development company. A stance these owners regularly have is that they are unaware of the security of the website and how it works. Trying to blame the developer. As an owner of a company, the ultimate responsibility for your website and the data of your customers resides with you and it is important to ensure your developer is taking the security of your site as seriously as you do. Here are four simple ways to check up on your developer and your website’s security:

  • Change the admin portal’s default location – The default location for the admin portal on WordPress sites is located at ‘yoursite.com/wp-admin’. This is a prime target for brute-force attacks where an attacker tries to get the correct combination of username and password to access the site. To add a layer of security, the location of this page should be changed from its default address. An attacker cannot brute force what they can’t find! If this is not currently the case, ask your developer to change it. There is no reason why this page should be displayed from the default location.
  • Does your site have two-factor authentication enabled? – This is the requirement to have a further authentication method enabled such as a code sent to your phone as well as your password. If this has not been implemented, don’t be afraid to ask your developer to add this feature. It’s a good way to prevent unauthorised access to your website. Set it as a minimum requirement for them to access your website if you do not have access.
  • Limit Login Attempts – If multiple attempts to login fail then the account locks out until an administrator unlocks the account. This is a great method to combat against brute-force attacks and is easy to implement. Test your website and see if it has been implemented.
  • Scan your website with a security scanner – Out of date software makes your website a prime target for attackers. Exploits can easily be found online and using them does not require specialist knowledge.  Use a free WordPress security scanner like WPSec to check your website’s security status and make sure your website’s software is kept up to date. Ask your developer for a software update schedule and plan. Hold them to account to these.

These are just a few of many security measures you could implement to keep your website and customers data secure. For specialist advice, contact us at 3B Data Security.