Today, I’m here to discuss one of the most important—and commonly overlooked aspects of your WordPress website… Security.
Whether you already have a website or are just starting out and ready to stand one up—your website will be a fundamental and critical part of your business. It provides the first line of communication to your customers and audience. It’s “always-on” working for you 24/7/365 (except for any downtime or maintenance). Basically, it’s your hardest working and consistent employee. It’s also a major investment of your time and resources—at least at first. It hosts important business or project information, provides your customers with a way of contacting you, and catalogues your products, services, and/or descriptions of what you’re passionate about.
Ensuring that your website is secure is too often overlooked or neglected. Security is also often one of the last things that is accomplished on websites. In many cases, security only becomes a concern once a company website is infected or taken offline. By that time it’s too late. But website security doesn’t have to be prohibitively expensive or time consuming.
In this blog, we’ll equip you with some of the most effective ways to protect your website from hackers, malware, and automated bots that work around the clock to compromise sites en masse. Don’t fret, most of these steps can be accomplished without major development and in minutes. I recommend the All In One WP Security & Firewall Plugin which can accomplish most of the below recommended security steps.
You can download the AIOWPS Plugin here: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Before diving into these security best practices—it would be prudent to remind you that before you make any major changes to your WordPress instance, you should make sure to have a safe and healthy backup of your website.
Alright. Let’s get started.
Protect Your WordPress Website Against Login Attacks and Brute Force Attacks
Login attacks and brute force attacks are happening online continuously. It costs very little for hackers to deploy bots and automated processes to check unprotected websites for misconfigurations and weak username/password combinations. Here are the steps you should take to protect yourself:
1. Change (rename) the URL “slug” for your WordPress login page
By default, WordPress authenticates at /wp-login.php and then sends you into wp-admin. Anyone who wants to brute-force a site therefore already knows the exact URL to hit, and can point bots at it to try known username/password combinations. (Hopefully your site does not use commonly used poor passwords like admin, password, 123456 and so on.)
By changing the login page slug, only someone who knows the new URL can reach the login form. AIOWPS has a built-in feature for this. Two caveats. First, if it is not handled carefully the feature can lock you out of your own website, and you may need to contact your hosting provider to make sure the new login page is not cached. Second, this is obscurity, not authentication: it cuts down the automated noise against wp-login.php, but bots can still hammer xmlrpc.php and the REST API, and anyone who learns the new URL is back where they started. Treat it as a complement to lockouts, strong passwords and two-factor authentication, not a substitute.
2. Implement a website lockdown feature to ban users and IPs
Another strong method for limiting brute force attacks is a lockdown feature to ban unknown usernames and/or IPs automatically when incorrect login credentials are provided. The number of attempts and duration of the lockout can be set to your preferences. You can also make sure that you’re notified whenever an event occurs—so that you can recognize habits, trends, or potential dangers.
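To make the mechanism concrete, here is a minimal lockout written as a must-use plugin (a file dropped into wp-content/mu-plugins/). It is an added example for this post, not code from the original article or from AIOWPS; the sll_ function names and the threshold, window and lockout lengths are choices made for the illustration. It counts failed logins per client address using WordPress transients, refuses logins from that address once the threshold is reached, and writes a line to the PHP error log so you can be notified.

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 *
 * Save as wp-content/mu-plugins/login-lockout.php. Must-use plugins load on
 * every request and cannot be deactivated from the dashboard.
 * The constants below are assumed values; tune them for your site.
 */

const SLL_MAX_FAILURES    = 5;       // failed logins allowed per window
const SLL_WINDOW_SECONDS  = 15 * 60; // window in which failures are counted
const SLL_LOCKOUT_SECONDS = 60 * 60; // how long logins are refused afterwards

/**
 * Client address used as the lockout key. REMOTE_ADDR is the one value the
 * client cannot forge. Behind a CDN or reverse proxy it is the proxy's address
 * instead, so every visitor would share one bucket; in that setup read the
 * proxy's header (X-Forwarded-For or similar) only after confirming that
 * REMOTE_ADDR really is your proxy.
 */
function sll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient names are capped at 172 characters, so key on a hash of the IP. */
function sll_key( $what ) {
    return 'sll_' . $what . '_' . md5( sll_client_ip() );
}

/** Called by WordPress after any failed login: count it, lock out on threshold. */
function sll_record_failure( $username ) {
    if ( get_transient( sll_key( 'locked' ) ) ) {
        return; // already locked; nothing more to count
    }
    $failures = (int) get_transient( sll_key( 'failures' ) ) + 1;
    set_transient( sll_key( 'failures' ), $failures, SLL_WINDOW_SECONDS );

    if ( $failures >= SLL_MAX_FAILURES ) {
        set_transient( sll_key( 'locked' ), time(), SLL_LOCKOUT_SECONDS );
        delete_transient( sll_key( 'failures' ) );
        // The post recommends being notified of lockouts; hook an email or
        // alerting call in here. The error log is the minimal option.
        error_log( sprintf( 'WordPress login lockout: %s after %d failures (last username tried: %s)',
            sll_client_ip(), $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'sll_record_failure' );

/**
 * Runs on the authenticate filter at priority 100, after WordPress's own
 * username/password and email/password checks at priority 20. Returning a
 * WP_Error here overrides any WP_User those checks produced, so a locked
 * address cannot log in even with the correct password. The late priority
 * matters: an error returned before priority 20 is discarded by
 * wp_authenticate_username_password() when both fields are filled in.
 */
function sll_refuse_if_locked( $user, $username, $password ) {
    if ( get_transient( sll_key( 'locked' ) ) ) {
        return new WP_Error( 'sll_locked', 'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_refuse_if_locked', 100, 3 );

/** Reset the counter once a login succeeds. */
function sll_clear_failures( $user_login, $user ) {
    delete_transient( sll_key( 'failures' ) );
}
add_action( 'wp_login', 'sll_clear_failures', 10, 2 );
```

Two limits worth knowing before relying on this or on any plugin's equivalent. A lockout keyed on IP address does nothing against a botnet that spreads its guesses across thousands of addresses, which is exactly what large credential-stuffing campaigns do; that is why item 3 (a second factor) matters more than item 2. And a site behind Cloudflare or another proxy will lock out the proxy's address unless the plugin is told which header carries the real client IP.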
3. Require Two-Factor or MultiFactor Authentication
Requiring a second factor significantly improves your security posture: a stolen or guessed password alone is no longer enough to log in. Avoid "secret questions" as the second factor; their answers are guessable or findable. Use a time-based one-time password (TOTP) app such as Google Authenticator together with a WordPress two-factor plugin. At login the user enters a six-digit code that the app computes from a secret shared with the site during enrollment and the current time, so each code is valid only for a short window. If the plugin offers backup codes, store them somewhere safe, because losing the phone otherwise locks you out.
4. Require email to login (not usernames)
WordPress usernames are effectively public: author archive links, the ?author=1 redirect and the REST API's /wp-json/wp/v2/users endpoint all reveal them, so an attacker usually gets half of the credential pair for free. Requiring the email address as the login identifier removes that shortcut. Be realistic about what it buys you, though: an email address is not a secret either, so a targeted attacker is barely slowed down, and it is the password and second factor that actually protect the account. A number of WordPress security plugins allow you to require login with email only.
5. Require strong passwords. Use a password manager.
Longer is stronger. A password that is unintelligible, made up of random upper- and lower-case letters, digits and special characters, and unique to this site will keep you safer. To use passwords like that you need a password manager. Our clients are often worried that retraining themselves will be hard, but password managers are easy to live with, especially now that phones and laptops unlock them with face or fingerprint recognition.
A password manager requires you to remember one strong master password. Every other password is stored in a vault encrypted with a key derived from that master password. Biometric unlock (face or fingerprint) can be layered on top so that day to day you rarely type the master password, but it is still the master password that protects the vault. The vault syncs across all of your devices under the same login: laptop, second laptop, desktop tower, phone, tablet.
I recommend LastPass. The last password you’ll ever need. https://www.lastpass.com/
6. Automatically log idle users out of your site
Any admin user who stays logged into your website poses a security risk. Anyone with access to their computer or browser can use that session to reach your website and its sensitive information. It may take months or longer before you even learn you have been compromised, and by then the cleanup is a much bigger job.
The best way to tackle this is to automatically log out idle users after a set period. The shorter the period the safer you are, but 60 to 180 minutes of idle time is usually enough to protect you without getting in the way of people working on the website. Each user can also end their other sessions from their profile page ("Log Out Everywhere Else"), which is worth doing after using a shared or unfamiliar computer. Combined with security-minded habits in the real world (keep computers in safe places, lock or shut them down when not in use, and so on) this significantly improves your security posture.
Protect Your WordPress Dashboard and Admin/User Accounts
For hackers and bad actors, one of the most enticing targets on your website is the admin dashboard. It gives easy access to everything on the site and, if compromised, can cause you serious headaches.
7. Protect your wp-admin directory
A good way to add protection to the wp-admin area is a second, independent password prompt at the web server level (HTTP basic authentication on the /wp-admin directory). An attacker who phishes or guesses a WordPress password still cannot reach the dashboard without the second one. One caveat: wp-admin/admin-ajax.php is called by many themes and plugins on behalf of visitors who are not logged in, so exclude that file from the protection or those features will break.
To add a password to your wp-admin directory, use cPanel's "Password Protect Directories" (called "Directory Privacy" in newer versions) on the wp-admin folder. For more information, check out this blog: https://themeisle.com/blog/tighten-wordpress-security/?amp#wp-admin
8. Install an SSL certificate to encrypt data
Installing a TLS certificate (still commonly called an SSL certificate, after the protocol that TLS replaced) lets your site serve HTTPS, which encrypts the traffic between your visitors' browsers and the server and lets the browser verify it is talking to your server and not an impostor. Credit card details, login credentials and comments can then not be read or altered in transit. To get the full benefit the whole site must actually use it: redirect every HTTP request to HTTPS, set the WordPress site and home URLs to https://, and consider enabling HSTS so browsers stop trying plain HTTP at all. As a side benefit, Google and Bing treat HTTPS as a positive ranking signal. Certificates require some configuration but cost nothing thanks to public efforts like Let's Encrypt.
NOTE: If you host with a managed WordPress provider like WPEngine, they will not only provide the certificate at no cost rather than upselling you, they will also set it up and configure it for you. The extra cost every month buys benefits beyond saved time and peace of mind.
9. Restrict access and permissions to your admin dashboard
Be very careful when creating accounts and granting access to your website. Best practice is least privilege: give each account the minimum role its job needs. Editors and authors need to publish and a moderator needs to handle comments, but someone who only reads content or buys products should be a Subscriber (or a Customer, the WooCommerce default), never an Administrator. Audit the user list at least once a year: remove accounts that are no longer used and confirm that every remaining user still has the right role.
10. Change the admin user name
This goes along with using strong passwords. Strong username/password combinations, lockouts and a renamed login URL together make brute force attacks impractical. However, one account that is often left as is after a WordPress website's initial setup is the "admin" user, which every brute-force wordlist tries first. WordPress will not let you rename a user from the profile screen, so create a new administrator account with a non-obvious name, log in as it, and delete the "admin" account, attributing its posts and pages to the new user when WordPress asks. That way an attacker does not start with half of the credential pair already known.
Protect Your WordPress Database & System
Your WordPress database and core codebase are also prime targets for bad actors online.
11. Change your WordPress database tables prefix
If you have ever set up WordPress from scratch, you know the standard wp_ table prefix the database uses. Changing it is often recommended as protection against SQL injection, but it needs saying plainly that it is not one: an injection flaw lets an attacker run arbitrary SQL, and a single query against information_schema.tables reveals whatever prefix you chose. The only real fix for SQL injection is code that never interpolates untrusted input into a query (prepared statements, which in WordPress means $wpdb->prepare()), plus keeping plugins updated so known injection bugs are patched. A custom prefix does still defeat lazy, mass-produced attack scripts that hard-code wp_users and wp_options, so it is worth doing on a fresh install. AIOWPS offers a feature that will change the prefix for you; be careful, because if it goes wrong you can break the database connection. Make sure you have a backup or site snapshot before you attempt it so that you can revert.
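Here is the distinction in code, as an added example that is not from the original post: the same lookup written the way injection happens and the way $wpdb is meant to be used. The example_ function names and the post_id parameter are assumptions for the illustration.

```php
<?php
/**
 * Added example: why the table prefix is not an injection defence.
 * Both lookups take a post ID from the query string, e.g. /?post_id=42.
 */

/** VULNERABLE: the request value is pasted straight into the SQL text. */
function example_get_post_unsafe( $request_id ) {
    global $wpdb;
    // ?post_id=0 UNION SELECT user_login, user_pass FROM wp_users reads the
    // users table. If the prefix was changed to x9k_, the attacker first sends
    // ?post_id=0 UNION SELECT table_name, 1 FROM information_schema.tables
    // and learns the new prefix; the renamed table bought nothing.
    return $wpdb->get_row( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = $request_id" );
}

/** FIXED: the value is bound as a parameter and never becomes SQL text. */
function example_get_post_safe( $request_id ) {
    global $wpdb;
    // %d forces an integer. The table name comes from $wpdb->posts, which
    // already carries whatever prefix the site uses, so the query needs no
    // knowledge of it and the prefix needs no secrecy.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d", $request_id )
    );
}

/** The same idea for a string value: a search term in a LIKE clause. */
function example_search_titles_safe( $term ) {
    global $wpdb;
    // esc_like() neutralises % and _ inside the term; prepare() with %s
    // quotes and escapes the whole value.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish'",
            $like
        )
    );
}

// Usage inside a plugin or theme: cast at the edge, bind in the query, and
// never pass $_GET straight into SQL.
if ( isset( $_GET['post_id'] ) ) {
    $post = example_get_post_safe( (int) $_GET['post_id'] );
}
```

When reviewing a plugin before installing it, searching its code for $wpdb->query, get_results, get_row and get_var calls whose SQL string contains a variable but no prepare() is a quick, reliable way to find this class of bug.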
12. Set strong passwords for your database
Give the database user a strong, unguessable password that is not reused anywhere else (see item #5 on strong passwords). Just as important: the MySQL user WordPress connects as should have rights to the WordPress database only, not to the whole server, and should be allowed to connect only from the web server's own address. That way a leaked wp-config.php, which stores these credentials in plain text, does not hand over every database on the host.
13. Disallow file editing
Administrators can edit any file in the WordPress installation from the dashboard, including plugin and theme files, which means one compromised admin account or stolen session cookie is all an attacker needs to drop a PHP backdoor. You can disable the built-in file editor entirely. That also blocks you when you want to tweak a file, but our recommendation is to leave editing disabled as a matter of course and turn it on briefly only while you make a change (better still, edit over SFTP or from version control and never re-enable it).
To disallow file editing, add the following line to wp-config.php above the line that reads /* That's all, stop editing! */. It must come before wp-settings.php is loaded, so the very end of the file is too late:
define( 'DISALLOW_FILE_EDIT', true );
If plugin and theme installs and updates are handled outside the dashboard as well (for example by a deployment pipeline), set DISALLOW_FILE_MODS to true instead; it implies DISALLOW_FILE_EDIT and also removes the install and update buttons.
14. Set directory permissions
This sets the read/write permissions on critical WordPress directories so that other processes cannot change them. The usual targets are 755 on directories, 644 on files and 600 (or 640) on wp-config.php; never 777. This matters most on shared hosting, which most sites use, because it is what stops other customers' accounts on the same server from reading or writing your files. Note what it does not do: PHP code running as your own account, including a compromised plugin, has the same rights you do, so permissions are no substitute for keeping plugins updated.
AIOWPS offers a one-click setting per directory to lock down and protect key directories, and flags directories that are world-writable.
15. Protect your website traffic against DDoS
DDoS, or Distributed Denial of Service, floods a site with traffic from many machines until it can no longer serve real visitors. The bad news is that it is cheaper than ever to rent such an attack, enough to all but shut down a small business. The good news is that routing your DNS and web traffic through a provider like Cloudflare puts a much larger front door in front of your server and significantly improves your protection. One caveat: the protection only works if attackers cannot go around it, so once you are behind Cloudflare, restrict the origin server to accept web traffic only from Cloudflare's published IP ranges, and do not leave the server's real address sitting in old DNS records.
16. Disable WordPress Core Version
If an attacker knows the exact WordPress core version your site runs, they can pick exploits known to work against it. By default WordPress publishes that version in several places: the generator meta tag in every page's head, the RSS feeds and the ?ver= parameter on its own scripts and stylesheets. The plugin lets you turn the generator tag off.
Once AIOWPS is installed, go to Settings > WP Version Info and select the checkbox to "Remove WP Generator Meta Info". Keep in mind this only removes the easy clue: readme.html in the web root still states the version unless you delete it, and scanners can fingerprint a version from the hashes of core files anyway. The real protection is running the current version; hiding the number just stops you advertising that you are not.
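For readers who would rather not depend on a plugin for this, here is the same change as a must-use plugin. It is an added example, not code from the original post or from AIOWPS; it shows what the checkbox does and goes one step further by stripping the ?ver= query string from core's own scripts and styles. The example_ function name is an assumption.

```php
<?php
/**
 * Hide the WordPress core version (added example).
 * Save as wp-content/mu-plugins/hide-wp-version.php.
 */

// 1. <meta name="generator" content="WordPress x.y"> in every page head.
remove_action( 'wp_head', 'wp_generator' );

// 2. The generator element in RSS/Atom feeds and anything else using the_generator().
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y query string on core's own scripts and stylesheets.
//    Only strip it when it equals the core version; plugin and theme assets
//    keep their own version numbers so browser cache busting still works.
function example_strip_core_version( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );
```

Delete readme.html and license.txt from the web root as well, or have the web server deny them; those two files state the version in plain text and neither is needed for the site to run.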
17. Monitor your audit logs
Periodically review your audit logs (review, never edit; a log you can change is worthless as evidence after an incident) to spot trends or signs of compromise. WordPress itself keeps no audit log, so you are relying on what the security plugin records (logins, lockouts, file changes) and on the web server's access log. In most cases you will find minor errors or mistyped passwords from your authors, but it is a good practice for catching problems early: a burst of POST requests to wp-login.php from one address, or a successful login at 3 a.m. from a country where none of your users are.
Other Habits & Best Practices to Protect Your Website
It’s not ALL about plugins and configurations—though that’s a large part of security. It’s also about the habits you form. And for good measure…
18. Change passwords on a regular basis
Strong passwords and multi-factor authentication are the foundation and make it much harder for your website accounts to be "hacked into". Rotating passwords after a set time is a traditional extra. Current guidance (NIST's digital identity guidelines, for instance) no longer recommends forced periodic changes, because they push people toward predictable variations of the old password; what matters is changing a password promptly whenever you suspect it has leaked, and never reusing one across sites. If your own policy calls for it, swapping passwords once or twice a year, combined with strong unique passwords, a password manager and multi-factor authentication, puts you well ahead of the curve. Hint: use the password manager to generate long, hard-to-guess, unintelligible passwords (for example X7%ylj2!YR4_).
19. Select A Managed WordPress Host
If you are not a web developer or designer and want to spend your time on your specialty or on building your business, paying a little more each month for a managed WordPress hosting provider is a no-brainer. Providers like WPEngine have dedicated support and engineering teams that handle server maintenance and planned core updates, and answer your questions whenever you have a problem. The added peace of mind is that they continuously monitor their hosting environment and, in most cases, close security gaps as they arise without you ever hearing about it. If something specific needs your attention, you will be notified.
20. Keep regular backups
This was mentioned at the very beginning of this post, but it is so important that it bears repeating. Regular, healthy backups kept somewhere safe (not on the website itself, and not anywhere the site or your workstation can write to, so that ransomware or an attacker with access cannot delete them too) mean a catastrophic event does not wipe out your site. A WordPress backup has two halves, the database and the files, above all wp-content/uploads and wp-config.php; a backup that has only one of them is not a backup. Test a restore now and then, because a backup you have never restored is a hope rather than a plan.
I strongly recommend spending the extra money on a managed WordPress provider who takes regular snapshots and lets you back up on demand. You then also have a team of WordPress experts to help if there is a major flaw, compromise or problem in their hosting environment. Alternatively, you can keep copies on physical drives or, better yet, in offsite cloud storage such as Wasabi.com. You should also back up your workstation regularly, but I will not get into that in this blog.
21. Keep plugins and themes up to date
Most compromises happen after a vulnerability is published for a specific version of a plugin, theme or WordPress core and then weaponized against every site still running that version. Plugin developers work to keep their codebase current and close security holes as the security community reports them, but those fixes only help you once you install them. Prefer plugins that are actively maintained, and remove (not merely deactivate) any you no longer use: an abandoned plugin never gets a fix, and a deactivated one's files can often still be reached directly.
Keeping themes and plugins up to date generally takes a little time every week or month and is a MUST to keep your site and your investment protected and running. Every so often a plugin conflict or PHP upgrade needs a higher level of technical knowledge and may require a developer, but most of the time you can manage month to month. If you would rather have it taken care of for you, contact us! Cinder provides a reasonable low-cost WordPress Care & Maintenance service and we will handle the regular updates so you can focus on your business and customers.
22. Disable XML-RPC (Unless you use Jetpack or WP iOS)
xmlrpc.php is a second, older API into your site. Brute-force bots love it because its system.multicall method lets a single request test hundreds of username/password pairs, sidestepping lockouts that count requests to wp-login.php, and its pingback.ping method makes your server fetch any URL the caller names, which has been abused for reflection DDoS and for reaching hosts inside your network. If you do not use Jetpack or the WordPress iOS app, both of which talk to the site over XML-RPC, disabling it removes that attack surface at no cost. AIOWPS and most security plugins can do it, or the web server can simply deny access to the file.
23. Invest in spam prevention
If your website is popular and allows comments on blog posts, news, products or other content types, you will probably receive a lot of spam. Much of it comes from bots that submit comments containing links out to other websites. Usually the goal is to game search rankings and drive traffic for advertising revenue by exploiting misconfigured WordPress sites, but the same links can lead your readers to malware or phishing pages, and a comment form that accepts anything is also a convenient place for attackers to probe for injection bugs. An anti-spam service like Akismet is an affordable and easy solution that catches the vast majority of it.
24. Block trackbacks and pingbacks
This is less common today, but in the old days (even a few years ago) WordPress sites and blogs used trackbacks and pingbacks to notify a blog owner when another site linked to one of their pages. The mechanism itself is the problem: a pingback is a request that tells your server "go and fetch this URL and check that it links to you", so anyone can make your site issue web requests to a target of their choosing. That was abused to turn thousands of WordPress sites into a reflection DDoS cannon and to reach hosts inside the server's own network. Pingbacks also cost a little performance and attract spam. Turning them off is easy with AIOWPS and improves your security.
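Items 22 and 24 (disabling XML-RPC and blocking pingbacks) are what this must-use plugin does, as an added example that is not code from the original post or from AIOWPS. It shows the gotcha a practitioner runs into when doing this by hand: the xmlrpc_enabled filter only refuses methods that require a login, so pingback.ping keeps working unless it is removed separately. The example_ function names are assumptions.

```php
<?php
/**
 * Disable XML-RPC logins and pingbacks (added example).
 * Save as wp-content/mu-plugins/disable-xmlrpc.php.
 * Do not install this if you rely on Jetpack or the WordPress mobile app.
 */

// Refuse every XML-RPC method that needs a login, which is what brute-force
// bots use (including system.multicall, whose inner calls all fail too).
// Unauthenticated methods such as pingback.ping are NOT covered by this filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods themselves. pingback.ping makes your server
// fetch an attacker-chosen URL, which has been used for reflection DDoS and
// for reaching internal hosts (SSRF).
function example_drop_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_drop_pingback_methods' );

// Stop advertising the endpoint: the X-Pingback response header and the RSD
// <link> tag in the page head both tell scanners where xmlrpc.php lives.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );

// Incoming trackbacks (wp-trackback.php) and outgoing pingbacks are governed
// by the discussion settings; force both off for newly created content.
add_filter( 'pre_option_default_ping_status', function () { return 'closed'; } );
add_filter( 'pre_option_default_pingback_flag', function () { return 0; } );
```

Existing posts keep whatever ping setting they were published with, so after installing this also run a bulk edit in the dashboard to close pings on old content. If you do not need xmlrpc.php at all, denying it at the web server is stronger still, because the request never reaches PHP.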
25. Prevent Hotlinking
Hotlinking is the practice of other websites linking directly to images or assets that are hosted on your website. They may copy the link address of your logo or a picture—and rather than having to serve that image from their own paid site—they can steal your bandwidth. By preventing hotlinking, you can save yourself bandwidth and improve the overall performance of your own website.
In AIOWPS, go to Firewall > Prevent Hotlinks Tab > select the “Prevent Image Hotlinking” checkbox and click Save.
Final Words on Security Plugins and Settings to Protect Your WordPress Website.
That is probably more information than you can digest in a single session. Take your time, but these steps are critically important to provide reasonable protection against threats online.
You should also know that even if you implement all of these recommendations, you will never be 100% protected. The threat landscape changes continuously and new threats are identified every day, even every hour. As mentioned above, keeping WordPress core, your theme and your plugins up to date is one of the best ways to keep your website as protected as possible. Using strong, unique passwords with the help of a password manager like LastPass (https://www.lastpass.com/), turning on multi-factor authentication, and carefully restricting who has access to your site will all help you maintain a high level of security.
I hope this information has been helpful in your quest to protect your investment, your business and your customer data (in other words, your WordPress website). If you have questions or recommendations regarding implementation, please don't hesitate to contact us.