The short, brutal answer is no, but let me qualify that statement. NO website is perfectly safe from being hacked. The unfortunate truth about internet security is that the security companies are always trying to play catch-up with the hacker community.
The game, then, is not to make your website invulnerable, but to make it as difficult as possible to hack. The more roadblocks you can throw up in front of potential hackers, the less likely they are to get through them all.
Any web designer worth their salt will set up security for your site. Many of these measures are technical, like blocking suspicious queries and non-English characters, 404 detection, and banning IP addresses with multiple login failures.
However, there are some easy things you can do that will help shore up your defenses.
1. Use a unique username. The default username after installing WordPress is “admin”. Change your username to something that is not obvious to would-be hackers. Ideally your web designer should set your security to automatically ban anyone trying to log in with the username “admin”.
2. Use a strong password. 123456 is the most common password used, followed by “password”, and they’re the first ones that hackers try. Your password should be as long as possible, and it’s best if it includes both upper and lower case letters, numbers, and special characters. I know, I know. You already have too many things to remember as it is. The best way to have strong passwords but not have to worry about forgetting them is to use a password manager. Dashlane, 1Password, or LastPass (what we use) are just a few examples. With a password manager all your passwords are stored securely, and many of them allow you to retrieve your passwords on any device. You only need to remember one master password to log into the app.
3. Use 2-factor authentication. With 2-factor authentication an extra step is added before anyone can log into your site. For example, once you enter your username and password, it might send you a text with a code you need to enter on the login page before you’re allowed in. That means that unless someone physically has your phone, they won’t get the text with the necessary code. There are numerous options available to choose from. Our favorite is Clef, which has added a unique spin on 2-factor authentication. (Update: we are extremely sorry to say Clef was bought by another company and closed down.)
4. Use a reputable host. Unfortunately, some hosting companies fall short when it comes to security. You might have the strongest security possible on your website, but if your hosting company’s security measures aren’t up to snuff, it leaves you open to attack. Hopefully your web designer can recommend a host who they trust and have worked with before. (I recommend you NOT use any company owned by EIG. You can read about why here, and see an updated list here).
5. Keep your website updated. I can’t possibly stress this enough! According to Sucuri, the vast majority of successful hacks are due to websites running outdated software. If a hacker sees that your website is out of date, they will know what the vulnerabilities are for your older version. From there it’s a snap for them to bypass your security because you’ve left a gaping hole for them to walk right through. A good maintenance program will keep your website updated, make regular backups, and scan your site for possible infections.
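Two of the lockout rules mentioned above, banning IP addresses with multiple login failures and banning anyone who tries the username “admin”, can be written as a short check over login events. This is an added example, not code from the original post or from any WordPress plugin; the event format, the threshold of 3 failures, the 5-minute window and the sample events are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the original post).
MAX_FAILURES = 3                      # failed logins allowed per window
WINDOW = timedelta(minutes=5)         # sliding window for counting failures
BANNED_USERNAMES = {"admin"}          # default name nobody should be using

# Constructed sample events: (timestamp, source IP, username, success).
# The IPs come from the documentation ranges in RFC 5737.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.5", "editor", False),
    ("2024-01-01T10:01:00", "203.0.113.5", "editor", False),
    ("2024-01-01T10:02:00", "198.51.100.7", "admin", False),
    ("2024-01-01T10:03:00", "203.0.113.5", "editor", False),
    ("2024-01-01T10:04:00", "192.0.2.10", "jane", False),
    ("2024-01-01T10:20:00", "192.0.2.10", "jane", False),
    ("2024-01-01T10:21:00", "192.0.2.10", "jane", True),
    ("2024-01-01T10:22:00", "198.51.100.7", "editor", True),
]


def evaluate(events):
    """Return {ip: reason} for every IP the policy would ban."""
    banned = {}
    failures = defaultdict(deque)     # ip -> timestamps of recent failures
    for ts, ip, user, ok in sorted(events):
        if ip in banned:
            continue                  # already banned: request is dropped
        when = datetime.fromisoformat(ts)
        if user.lower() in BANNED_USERNAMES:
            banned[ip] = "banned username"
            continue
        if ok:
            failures.pop(ip, None)    # successful login resets the counter
            continue
        recent = failures[ip]
        recent.append(when)
        while when - recent[0] > WINDOW:
            recent.popleft()          # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            banned[ip] = "too many failed logins"
    return banned


if __name__ == "__main__":
    for ip, reason in evaluate(SAMPLE_EVENTS).items():
        print(ip, reason)
```

The visitor at 192.0.2.10 is not banned: the two mistyped passwords are more than five minutes apart, so a legitimate user who fumbles a login is not locked out.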
If you have a WordPress website and you’re unsure whether you have adequate security set up and/or whether it’s properly up to date, we’d love to talk with you.