How to Secure your WordPress Website
By Raeleen| 3 February 2022
WordPress is one of the most popular Content Management Systems out there. Its popularity, however, is also the reason why WordPress websites are a common target for cyber attacks.
If you are a WordPress site owner, you should make security your top priority. Here’s the ultimate guide to securing your WordPress website.
Six Reasons Why You Should Prioritise WordPress Security
What are the common WordPress security Issues?
All things considered, the WordPress core software is secure. It is audited regularly by hundreds of developers. That said, just like any CMS, it can be vulnerable to cyber-attacks. Most of these attacks succeed, however, because the basic security best practices for WordPress sites were not followed.
Here are some of the most common security issues that WordPress owners encounter.
Unauthorised Access to your Website
Unauthorised access is one of the most common website security issues. One way of gaining unauthorised access is by brute force, in which hackers try to guess the username and password combination with the help of an automated tool.
Another way of gaining unauthorised access is by tricking website administrators into handing over their credentials through phishing attacks. They may receive an email purportedly from WordPress asking them to enter their login credentials to update their database. Or they could receive an email from a supposedly irate customer asking for a refund, in which the sender has inserted a link that leads to malware that harvests login credentials.
Once someone has access to your website, they can do many things, such as inject malicious code, steal user information, change the content of your website, and more.
Distributed Denial of Service Attacks
This happens when a network of compromised computers floods your website with traffic in a short period, causing your site to go down.
Some DDoS attacks could be politically motivated. For example, some people don’t like the content that you put out on your website, so they take it down to prevent other people from accessing it. Some attacks can also be business-related. For example, a competitor wants to ruin your business by hiring people to launch attacks on your website.
Malware, or malicious software, is code that tries to take control of your website. Many types of malware exist. Here are some of the common ones.
Ransomware is a type of malware that aims to block the owner’s access to their website (or computer) until a ransom is paid. Some ransomware attacks not only lock the owner out of the system but also encrypt all of the data, which is even harder to restore.
Spyware is malware that collects information about a user without their knowledge and consent.
Conditional redirects happen when a visitor to your website is redirected to another website, usually one set up for phishing or other malicious activities.
Trojans masquerade as a legitimate program or code but can inflict harmful actions on your data or network, such as stealing information, downloading more malware and more.
Injection attacks are attacks in which cybercriminals inject malicious code to execute commands that can modify a database, change data on a website, or perform other malicious activity.
Most websites have an input field where users can enter data. It may be a contact form, a search bar, or a comment section. Some websites allow users to upload a photo or document.
If these input fields are not properly validated, hackers may enter malicious code into any of them and trigger unwanted actions such as pop-ups and ads redirecting to another malicious site, installation of keyloggers, deletion of data, and more.
The two most common types of injection attacks are SQL injection and Cross-Site Scripting.
SQL (Structured Query Language) is the standard language for storing, retrieving, and manipulating data in a database. In an SQL injection attack, the hacker enters an SQL statement instead of the expected value in the input field.
A hacker can use SQL injection to look up usernames and passwords in the database or delete its contents.
Cross-Site Scripting (XSS) can be used to hijack an account, steal valuable data, deface the website, and carry out many more malicious activities.
Protect your business from potentially crippling cyber-attacks
You can’t afford to lose customers to a cyber attack. Find out how to protect your site with our Complete Guide to Website Security in 2022.
12 Proven Ways to Secure Your WordPress Site
Update WordPress Core
WordPress updates roll out around every three months. Most updates are released to address critical security issues that the developers have discovered. Keeping the WordPress core up to date protects your website from attacks that exploit known vulnerabilities.
WordPress automatically installs minor updates, but you must update it manually for major releases.
Audit and Update WordPress Themes and Plugins
Plugins and themes are great because they allow you to customise your website. However, some plugins and themes can have vulnerabilities that can be exploited by hackers.
Theme and plugin developers usually release updates to improve functionality and security. For example, if they discover that their plugin has an XSS vulnerability, they will fix it right away.
Once a security patch is released for any plugin or extension, the vulnerability is also announced. That’s how hackers know about vulnerabilities (if they didn’t discover them themselves).
That’s why it is of utmost importance to update the plugins that you use once a security update is available.
Also, some developers may have stopped working on their projects and don’t release updates anymore. Hackers may find vulnerabilities in those plugins too.
If you are using a theme or plugin that hasn’t been updated for a long time, it is time to replace it with a more secure alternative. If there is any plugin that you don’t need anymore, remove it from your website.
Also, get only plugins and themes from trusted sources.
Strengthen your login procedures
Use a strong password
Cybercriminals use sophisticated software that can run thousands of password combinations in a few minutes. The shorter the password, the easier it is to crack. Number-only or letter-only passwords are also easy to crack.
Using a password that is at least 10 characters long and combines numbers, uppercase and lowercase letters, and symbols increases the strength of your password.
Don’t use “admin” as a username
“Admin” will be the first user name that cybercriminals use in their brute force login attempts. Make their lives harder by using a different username.
Enable two-factor authentication
Two-factor authentication is another layer of security for your account, providing another means to prove you are who you say you are.
The first factor is something you know, like your password, PIN, keystroke pattern, or answer to a secret question.
The second factor could be something you have (your smartphone or another device that you have) or something you are (your fingerprint, iris scan, or face).
For WordPress, enabling two-factor authentication means that you will not only be required to enter a password but also a one-time generated code sent to your verified device (your phone) via SMS or through an authenticator app before you will be granted access to your account.
Limit log-in attempts
Limiting the number of times a user can enter wrong credentials is another way to block brute force login attempts.
Enable auto log-out
Auto log out prevents strangers from snooping into your account if you forget to log out.
Define user roles
WordPress allows you to create different user roles such as Administrator, Editor, Author, and Contributor. If using WooCommerce, you’ll have additional roles such as shop manager and customer.
Ensure that not everyone involved in your website is given administrator privileges. Give each user the level of access they need to perform their work.
Defining user roles will help you secure your WordPress Site. No one can make unapproved changes or delete content by accident. It can also limit the damage done by hackers in case one of the user accounts is compromised so long as it is not the admin account.
Use secure WordPress Hosting
A cheap, shared hosting plan is not the best choice, security-wise because your website shares resources with other websites. If one website in the shared hosting is compromised, others can be compromised too.
The best option is to get a managed dedicated hosting service from a reputable hosting provider. A good WordPress hosting provider will take extra steps to secure their servers from common threats. They monitor their network for any suspicious activity and keep all their software and technologies up to date.
Install a WordPress Security Plugin for your Website
WordPress security plugins will do much of the hard work for you, including monitoring failed login attempts, checking blacklists, running security scans, and more.
Examples of security plugins include Sucuri, WordPress Security, WordFence, MalCare, JetPack, and others.
Enable Web Application Firewall
A Web Application Firewall (WAF) keeps malicious activities out of your website. It monitors and filters traffic between a web application and the Internet. It can protect against many types of attacks such as cross-site scripting, SQL injection, among others.
A WAF can operate on an allow list model, allowing only known good application traffic to come through; or a blocklist model, blocking traffic that matches known attacks.
Some WordPress security plugins mentioned above also have a WAF feature. For WordFence, the WAF feature is already included in the free version. For Sucuri and others, you have to get a higher plan to enable the WAF for your WordPress site. Cloudflare also offers WAF among its services.
Backup your Website
Sometimes, no matter what you do, some hackers would still be able to outwit you. When that happens, you should have a backup of all your data so that you can restore your website immediately as soon as you have cleaned your website of malware and performed a thorough security checkup.
Backing up is a must not only because of WordPress security issues. Backups are a lifesaver when you encounter errors during upgrades, or when human errors cause your website to crash.
Most web hosting companies provide free, automatic backups along with their business-grade hosting plans. If you have lower-tier plans, you can pay a little extra to get that additional service.
So if your host already takes care of your backups, you’re good, right? Not quite. Having alternative backups is always a good idea.
Your alternative backup should not be in the same location as your server so they won’t be affected if anything goes wrong.
Blogvault, UpDraft, Sucuri, and Backup Guard are just a few of the companies that are offering backup services for websites.
Get SSL/TLS certificates
Secure Sockets Layer (SSL) encrypts the connection between your website and your visitors’ browsers so that no third party can intercept information exchanged between you and your visitors. Its more recent and better successor is TLS, which stands for Transport Layer Security.
When you hear the word SSL nowadays, it usually refers to TLS. The old name just stuck so it is still the one in use today.
Make sure you get a hosting plan that has bundled free SSL certificates to save you the trouble of getting one separately.
In case you already have a hosting plan but it doesn’t include an SSL certificate, you can get it from other places too such as ZeroSSL and LetsEncrypt.org.
Secure your computers
Whether you’re running your online business from home or an office, you must secure all the computers you are using. Your devices can be a gateway for malware to jump to your website through text editors and FTP clients.
Ensure that you are running the latest version of your operating system. Install reliable antivirus software on your computer. Check all the browser extensions that you have and remove any suspicious extensions. Better yet, remove all the extensions that don’t serve you any purpose.
Get DDoS Protection Service
Change Default Configurations in your CMS and Server
You can beef up your WordPress site’s security further by changing some of the default configurations in your WordPress CMS.
The less hackers know about your website, the better for your security. Changing some of the configurations will obscure information about your website, making it harder for hackers to get in. Also, limiting what can be changed through the WordPress admin dashboard will help minimise the damage hackers can do if they do get in.
That said, the measures mentioned here complement the other security measures described above. Obscurity alone will not stop hackers from doing their thing; it will only make things harder for them. Hopefully, these will help deter them and they’ll move on to the next easy target.
The following will involve a bit of coding. Some plugins can help you do some of the following so that you don’t have to touch the code yourself. If you work with a developer, ask them to do these measures for you, if they haven’t already.
Change the default login URL
The default login URL is nameofyoursite.com/wp-admin. A hacker can go straight to that login page and try to brute-force their way into your website. You can change your login URL to anything you want by using a plugin like WPS Hide Login.
Disable file editing in WordPress dashboard
By default, Administrators can edit the code of theme and plugin files via the built-in code editor. If your admin account is ever compromised, hackers can easily change your files.
You can disable this feature with a small code change. Open the wp-config.php file in a text editor and add the following line to the end of the file:
Secure your wp-config.php file
The wp-config.php file is one of the most important files in your WordPress installation because it contains the configuration parameters of your website, including the database credentials.
You need to protect your wp-config.php file because hackers will try to access it.
To protect your wp-config.php file, open your .htaccess file via cPanel or an FTP client and add the following block, right at the top:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
The Files wrapper is essential: a bare "deny from all" at the top of .htaccess blocks every request to your site, not just requests for wp-config.php. On Apache 2.4 without mod_access_compat, use "Require all denied" in place of the two order/deny lines.
Change your database file prefix
By default, your database table names begin with the prefix “wp_”. Hackers know this, and that’s how they locate your tables. If you change the database prefix, hackers will have a harder time finding your tables.
You can change the prefix to something else when you are having a fresh install of WordPress.
However, if your site is already up, it is still possible to change the prefix name although it requires more steps and is more complicated. If you are not comfortable with changing this setting, you can use a plugin to do it for you.
Be sure to backup your database before making any changes so in case something goes wrong, you will be able to restore your data.
Disable directory indexing and browsing
Directory browsing can be used to look into your files, copy images, learn about your directory structure and more. If this is enabled, hackers can then use the information to find out if there are any files with known vulnerabilities and try to exploit that.
To disable directory browsing you need to connect to your website via Secure File Transfer Protocol or through cPanel.
If using an SFTP client, look for the file named .htaccess in your site’s root directory. Edit the file by downloading it to your computer and opening it using Notepad. Add this line at the very bottom of the file (after the # END WordPress line):
Save the file and reupload it to your website using your FTP client.
If using cPanel, log in to your cPanel interface. Click on Indexes, which you will find in the Advanced category. Click on the directory, choose No Indexing from the options and then hit Save.
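The three file-level changes in this part of the guide (disabling the dashboard file editor, blocking wp-config.php, and disabling directory listings) collected into one idempotent POSIX shell script, as an added example that is not part of the original article or of WordPress itself. It assumes the WordPress root is passed as the first argument and that the host runs Apache with .htaccess enabled and the classic order/deny syntax.

```shell
#!/bin/sh
# Added example, not code from the original article or from WordPress:
# applies the three file-level steps above (disable the dashboard file
# editor, block wp-config.php, disable directory listing) to a WordPress
# root and verifies them. Assumes Apache with .htaccess enabled and the
# classic order/deny syntax (mod_access_compat on Apache 2.4; without it,
# use "Require all denied" in place of the two order/deny lines).

# 1. DISALLOW_FILE_EDIT must be defined before wp-config.php loads
#    wp-settings.php, so insert it ahead of the "stop editing" marker
#    (or the require_once line) rather than at the very end of the file.
disable_file_edit() {
    cfg="$1/wp-config.php"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0    # already set
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        /stop editing|require_once.*wp-settings/ && !done { print line; done = 1 }
        { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 2. Block HTTP access to wp-config.php and 3. turn off directory listings.
#    Appended after the "# END WordPress" block, which WordPress rewrites
#    itself; a <Files> block works anywhere in .htaccess.
harden_htaccess() {
    ht="$1/.htaccess"
    touch "$ht"
    grep -qi '<files wp-config.php>' "$ht" || printf '%s\n' \
        '<Files wp-config.php>' 'order allow,deny' 'deny from all' '</Files>' >> "$ht"
    grep -qi '^Options -Indexes' "$ht" || printf 'Options -Indexes\n' >> "$ht"
}

# Report which of the three settings are missing; returns 0 when all present.
check_hardening() {
    dir="$1"; rc=0
    grep -q "DISALLOW_FILE_EDIT.*true" "$dir/wp-config.php" 2>/dev/null \
        || { echo "dashboard file editing still enabled"; rc=1; }
    grep -qi '<files wp-config.php>' "$dir/.htaccess" 2>/dev/null \
        || { echo "wp-config.php not blocked in .htaccess"; rc=1; }
    grep -qi '^Options -Indexes' "$dir/.htaccess" 2>/dev/null \
        || { echo "directory listing not disabled"; rc=1; }
    return $rc
}

harden_wordpress() {
    disable_file_edit "$1"
    harden_htaccess "$1"
    check_hardening "$1"
}

# Usage: sh harden-wp.sh /path/to/wordpress   (the path is an assumed argument)
if [ "$#" -gt 0 ]; then harden_wordpress "$1"; fi
```

Take a backup of wp-config.php and .htaccess before running it, and run check_hardening again after any plugin or WordPress update that rewrites .htaccess.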
Do a Penetration Test
A penetration test (pen test) is a simulated cyberattack against your security infrastructure to check for exploitable vulnerabilities in your website or network.
The pen testers will try to breach the website or system within the parameters set by the testers and the website owner/company.
The process can be costly and time-consuming but it can help prevent security breaches.
Many cybercriminals are getting more creative in their ways so business owners should also be one step ahead in protecting their websites.
While no Content Management System is 100% secure, WordPress is a secure platform overall. Most attacks on WordPress websites happen when basic security measures are not in place. This should be the responsibility of the website owner and/or webmaster.
Following basic WordPress security best practices, such as always updating the WordPress core and plugins, choosing reliable WordPress hosting, and installing a Web Application Firewall and security plugins, among others, can help thwart cyberattacks and protect your website, business, and customers.
Where to from here?
We love working with like minded business people who like to get stuff done. Let’s get on a call and talk about your business.