
How Secure is Your WordPress Website?

How many individual online accounts do you have? 10, 20, 100? The large majority of your online accounts are secured with a combination of two pieces of information: a username, email, or account number alongside a password. Pretty secure, right? After all, only you know them.

Unfortunately, hackers are getting better and better at breaking into accounts, and with WordPress powering the majority of the World Wide Web, WordPress sites are naturally a target. As technology evolves, hackers find new ways to get to your details and unlock what’s behind them. Not-so-fun fact: around 30,000 websites are hacked every day. It’s scary, but it’s the reality we live in.

But hey, don’t panic! 

There are simple, pain-free steps you can take to prevent the bad guys from getting hold of your personal info and into your website. To protect yourself against a cyber attack, one of the most important things is to ensure your password is rock solid. Let’s chat about how hackers do what they do and what a genuinely strong password looks like.

How can my WordPress site be hacked if only I know the login credentials?

By default, without added protections, a WordPress site (and others like it) could be described as an unlocked door. Malicious bots find it fairly easy to probe your site and discover your username, which leaves 50% of a hacker’s job already complete. Yikes. Some hackers won’t even need those bots. Why? Because too many WordPress users stick to the default username of ‘admin’. First easy step: never keep the default!

If your password is bog standard, then the remaining 50% of the hacker’s job is much easier and faster to get done. Many users have weak passwords created while gazing at desk items or out of the window – lamp123 isn’t fooling anyone, John.

However random the word you quickly chose may seem to you, that word can be found in the dictionary. Any dictionary word is incredibly easy for hackers to uncover via a brute-force attack. Using basic tools that are, alarmingly, legally available online, it is possible to crack a dictionary password in minutes, some even taking just seconds to reveal. 

How else can hackers get into my site?

Old, out-of-date website code can break. Think of website code as the bricks of a building – the older they get, the more likely they are to crumble if they’re not getting any maintenance. Bricks that are already falling apart are easy to knock down, letting anyone gain access to the building. Hackers will kick through that outdated or broken code like old bricks if given half the chance. This is why regular site health checks are so important (which we do as part of our maintenance package… just sayin’).

Hackers also prey on weak, out-of-date, overstuffed servers. Servers are virtual (and physical) spaces where your websites live – think of the server as a neighbourhood and your website as a building within it. Buildings in dangerous neighbourhoods are more prone to break-ins, and it’s the same with servers. If the server your site sits on is ill-protected or crammed so full of websites that who knows what else is in there, your site is automatically more vulnerable. With Nu Image hosting, you don’t need to worry about that – we’ll explain later.

Brute force attacks

Though there are other methods of snatching your passwords, brute force attacks are the kind that prevail against weak passwords. A brute force attack is when the hacker tries one sequence of characters after another (usually with a bit of kit). There are several types of brute force attacks:

  • Standard brute force – The hacker tries the most basic passwords, like Password0000.
  • Dictionary brute force – The hacker tries words found in the dictionary, including replacing some letters with numbers, e.g. hou$e.
  • Reverse brute force – The hacker tries the same password with lots of usernames. This is what typically happens when a whole list of emails or usernames gets leaked.

Though it might sound like these methods would take a bloody age, the truth is it can be done in an instant, and that was true even before AI was on the scene. Those tools we mentioned that hackers can purchase online? They’re capable of trying thousands of password variations in minutes. So, if your password is a dictionary word, even if you’ve replaced a letter or two with a number or symbol, these tools can get it faster than you can type it.
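The three attack types above leave different fingerprints in a login log: many failures against one username from one address (standard or dictionary brute force) versus many different usernames from one address (reverse brute force). The following detector is an added example, not code from the original post; the log format and the IP addresses are constructed for illustration, and the five-failures-per-minute threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simple login-audit format (assumption: one line per attempt,
# as a login-logging plugin might write; this is not any real plugin's format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:02 FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:03 FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:04 FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:05 FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:10 FAILED user=john ip=198.51.100.7
2024-05-01T10:00:11 FAILED user=sarah ip=198.51.100.7
2024-05-01T10:00:12 FAILED user=editor ip=198.51.100.7
2024-05-01T10:00:13 FAILED user=webmaster ip=198.51.100.7
2024-05-01T10:00:14 FAILED user=info ip=198.51.100.7
2024-05-01T10:05:00 FAILED user=jane ip=192.0.2.9
2024-05-01T10:05:20 SUCCESS user=jane ip=192.0.2.9
"""

def parse(log_text):
    """Yield (timestamp, outcome, username, ip) for each audit line."""
    for line in log_text.splitlines():
        ts, outcome, user, ip = line.split()
        yield datetime.fromisoformat(ts), outcome, user[len("user="):], ip[len("ip="):]

def classify(log_text, window_seconds=60, threshold=5):
    """Return {ip: label} for every IP with at least `threshold` failed logins inside one window."""
    failures = defaultdict(list)
    for ts, outcome, user, ip in parse(log_text):
        if outcome == "FAILED":
            failures[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):            # sliding window over the sorted failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            window = fails[start:end + 1]
            if len(window) >= threshold:
                users = {u for _, u in window}
                findings[ip] = ("reverse brute force: one password tried against many usernames"
                                if len(users) > 1 else
                                "brute force: many passwords tried against one account")
                break                            # one finding per IP is enough
    return findings

if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

A single failed login followed by a success (jane, above) is normal behaviour and is not flagged; in practice the findings would feed a lockout or rate-limiting rule rather than just a printout.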

How would your password hold up under attack?

Ever wondered how quickly a hacker could crack your password with the right equipment?

Passwords only containing 0-9
  • 4-11 characters = instant
  • 12 characters = 1 second
  • 15 characters = 9 minutes
  • 18 characters = 6 days

Passwords only containing a-z
  • 4-8 characters = instant
  • 10 characters = 1 minute
  • 12 characters = 14 hours
  • 15 characters = 27 years
  • 18 characters = 481k years

Passwords containing a-z and A-Z
  • 4-6 characters = instant
  • 8 characters = 28 seconds
  • 12 characters = 6 years
  • 15 characters = 898k years
  • 18 characters = 126bn years

Passwords containing a-z, A-Z and 0-9
  • 4-6 characters = instant
  • 8 characters = 2 minutes
  • 12 characters = 53 years
  • 15 characters = 12m years
  • 18 characters = 2tn years

Passwords containing a-z, A-Z, 0-9 and £%&
  • 4-6 characters = instant
  • 8 characters = 5 minutes
  • 12 characters = 226 years
  • 15 characters = 77m years
  • 18 characters = 26tn years

As you can see from this list, the longer and/or more complex, the better!

How can you secure your password?

To create a truly secure password, follow these rules:

  1. Use a word that can’t be found in any dictionary (this includes words in languages you do not speak), such as a phrase without spaces or a random string of characters. E.g. il0v3MYd*gAr1o! – this would take 77 million years to crack.
  2. Use a mixture of uppercase letters, lowercase letters, numbers and special characters.
  3. Ensure the password is long – for passwords using a mix of characters and cases, stick to at least 12 characters.
  4. Use a different password for every account.

That last point is crucial. Hackers use a technique called ‘credential stuffing’: they take a username and password combination they’ve already cracked and try it on multiple other popular websites. If your password is the same across multiple accounts and they crack your email account, the next thing you know, they’ll be in your social media accounts, bank accounts, and your website’s admin account.

What we can learn from the data above is that if you use a mix of character types and cases at a length of 14-18 characters, no hacker is getting into your WordPress account by cracking your password.
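To make the four rules and the timing list above concrete, here is an added example (not code from the original post) that checks a candidate password against each rule and works out the size of the search an exhaustive brute force would face. The tiny word list and the guess rate of 10^12 attempts per second are assumptions; the list above does not state the rate behind its figures.

```python
import re

# Constructed stand-in for a real cracking wordlist (assumption; real lists hold millions of entries).
DICTIONARY = {"password", "house", "lamp", "admin", "welcome", "letmein"}

# Substitutions a dictionary attack undoes before comparing (the hou$e trick above).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "7": "t"})

CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "symbol": r"[^a-zA-Z0-9]"}
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 33 printable ASCII symbols

def present_classes(pw):
    return {name for name, pattern in CLASSES.items() if re.search(pattern, pw)}

def keyspace(pw):
    """Number of candidates an exhaustive search must try for a password of this shape."""
    return sum(CLASS_SIZE[c] for c in present_classes(pw)) ** len(pw)

def crack_years(pw, guesses_per_second=1e12):
    """Worst-case exhaustive search time in years at an assumed guess rate."""
    return keyspace(pw) / guesses_per_second / (365 * 24 * 3600)

def dictionary_hit(pw):
    """True if the password is a dictionary word, with or without leet swaps or trailing digits."""
    base = pw.lower()
    candidates = {base, re.sub(r"\d+$", "", base)}          # lamp123 -> lamp
    return any(c in DICTIONARY or c.translate(LEET) in DICTIONARY for c in candidates)

def check(pw, used_elsewhere=frozenset()):
    """Apply the four rules above; returns the violated rules (empty list means acceptable)."""
    problems = []
    if dictionary_hit(pw):
        problems.append("rule 1: dictionary word (digit/symbol swaps do not help)")
    if len(present_classes(pw)) < 4:
        problems.append("rule 2: needs upper, lower, digits and symbols")
    if len(pw) < 12:
        problems.append("rule 3: shorter than 12 characters")
    if pw in used_elsewhere:
        problems.append("rule 4: reused on another account (credential stuffing)")
    return problems

if __name__ == "__main__":
    for candidate in ("lamp123", "hou$e", "il0v3MYd*gAr1o!"):
        print(candidate, check(candidate) or "OK", f"{crack_years(candidate):.3g} years")
```

The keyspace grows by a factor of the alphabet size for every extra character, which is why each step down the list above adds so much more time than widening the character set does.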

How does Nu Image protect your WordPress site?

So, what do we do to help prevent hackers from getting through the door to your website? 

When we build your website, you get the following as standard:

  • We use impossible-to-crack passwords – we’re not just writing this blog post for the fun of it! We take those stats above very seriously, so the passwords we use for your WordPress websites are the most complex possible. It’ll take 26 trillion years for a hacker to get into your site through the password, and we reckon they’ll probably have kicked the bucket by that point.
  • During the creation of your site, it’ll be hosted on our Virtual Private Servers (VPS). You might think of a server as a big old machine, which is true, but that’s the physical server. We don’t have those here (think of the storage space!) so we have specially designated virtual server space assigned for Nu Image clients only, locked to our studio’s IP address. These servers never hold more than 8 Nu Image sites for safety and security. Some servers out there host 100,000s of websites, making every single one of them incredibly vulnerable. 
  • As we build your site, we’ll also create a dummy site, also known as a staging site. This means that we can make all of our developments and changes on the dummy site, letting you see exactly what’s going to happen and agree to it before we actually do it.

If you choose to host with us, your security gets elevated further:

  • As mentioned above, hosting with us means a super secure server space for your site. If you choose our Managed Hosting Package, we’re able to ensure your website sits somewhere safe, uncrowded and private. 
  • By trusting us to host your website, you’ll also get TLS encryption (a security protocol you can learn more about in our TLS post), daily automated site backups, and pings that notify us immediately if your site experiences any downtime, letting us get fixing quickly.

If you’re on our WordPress and Plugin Maintenance Package, we go even further:

  • We keep WordPress up to date – this includes the WordPress core, the plugins, and the themes. By doing so, we ensure that there are no hairline fractures in the code for hackers to turn into gaping cracks and slip through. Fully updated code, plugins and themes create a super strong wall that hackers will have a very hard time exploiting.
  • We perform quarterly in-depth maintenance checks – nothing gets missed. If we spot anything that doesn’t look right, we fix it straight away, or reach out to someone who can, like the plugin creator. Thorough and regular checks mean we’re always one step ahead.
  • We perform any critical security updates as and when required, without fail. 

Trust us to keep your site safe

We’ll keep your WordPress site safe from hackers through complex passwords and secure hosting, but for the full knight in shining armour deal, you need to consider our Hosting Management and WordPress Maintenance Packages. As mentioned before, these include safe and private hosting, routine maintenance in the form of extensive checks, and ensuring every element of your website is up to date, including plugins. With these packages, we can do the absolute most to protect your site from the bad guys. Kapow!

Call us on 01603 859007 for a chat about WordPress websites and our maintenance package. We’ll even manage WordPress websites that we didn’t build! Get in touch and let’s talk security.
