Of the 400 million websites that are active today, it’s estimated that 33,000 are hacked every day, taking on average from 1 day and 1 week for site owners to recover them. The costs of cleaning a hacked site vary widely depending on the type of site you’re running and whether you need to help to get it back online but that’s not where the costs end. Google will often impose a SEO ranking penalty on sites that it perceives to be mailicious thereby effecting your bottom line on a sometimes permanent basis. In this article I’ll take a look at some steps to secure your wordpress site and prevent hackers from getting in.
WordPress has improved it’s security since it’s foundation in 2003 in response to hacks of one form or another over the years. This is much like Microsoft or Android and their operating system patches and upgrades after a vulnerability has been identified. WordPress let’s users take control of their security with a bevy of plugins like Wordfence, WP security, ReCaptcha, Simple SSL and others to enhance security. But like any web facing system, it’s only as strong as how the user configures it to be. Inexperienced users will often set a password for the default admin account and never change it or monitor it’s use, a clear recipe for problems ahead.
In this article, I’ll show you a couple of steps for beginners and the more advanced to bring your site security up to a reasonable standard.
So, How do I Secure my WordPress Login?
It’s important not to use default login credentials on WordPress and choose a strong password and ideally enable 2FA (or two factor authentication). This means dont choose ‘admin’ as the default administrator name, select and an alphanumeric password with a special character e.g. [email protected]* and enable 2FA by installing WordFence as a plugin. Wordfence is a bit of a swiss army knife when it comes to security and with login security it comes up trumps. Using two factor authentication has a huge impact on deterring hackers from trying to break into your site by guessing passwords or brute force attempts.
How does 2FA Work?
In security one of the guiding principles in login security is “something you know” and “something you have”. So in this case a password is something you know and a code is something you have. The code can be generated by an app on your phone like Google Authenticator which adds an extra layer of security when you login. This is not too dissimilar from many corporate remote user setups where you might use a keyfob, codecard or soft token on your phone to login to work. Wordfence adds a nice recovery code feature in case you find yourself locked out by providing the option to create 5 recovery codes. If your a security newbie, it’s important to read the instructions carefully or ask for help.
What’s a Web Application Firewall and How do I Enable it?
A Web Application Firewall (WAF) is basically security software that’s good at stopping common hacker attacks on applications such as cross site scripting (XSS), SQL injections, Remote File Inclusion and others. In the case of WordPress, the database it runs on (MySQL) is always in the crosshairs of attackers along with default theme files and common applications that wordpress runs.
It would be easy to go off in a tangent and discuss technical details of this section but suffice to say that it’s a really good idea to enable the web application firewall .
Wordfence recommends enabling “Learning Mode” for 1 week before turning on “Enabled and Protecting” which is essentially automatic mode.
There are a few other interesting options for firewall blocking including country blocking and real time blocking which are premium options running at about $100 per license. These options are commonly seen in enterprise grade firewalls and are a good investment if you’re risk profile warrants it.
What About Patching?
No-one will argue the impotance of patching and fortunately since WordPress relase 5.5 in 2020 t just got alot easier. This is because of the introduction of auto-updates which are user controlled.
Users can select all or some of their plugins and choose a bulk action of clicking enable auto-updates and fuggedaboutit!. Of course there maybe some updates that don’t play nice that may have licensing issues or want you to manually backup your site before an update. In this case you’ll have to always keep an eye on these. On the subject of backups, its really important to have a backup strategy which we’ll discuss in the next section. Under the three tenets of security Confidentiality, Integrity and Availability (CIA), backups fall under availability and are in-scope for this discussion.
WordPress Enable Auto-Updates
What About Backups?
You can never be paranoid enough in my opinion about backups. It may sound obvious to back things up but the reality is over 50% of the time it’s not done right. Common errors include not backing up the database and site data, only backing up locally on the site and only creating one or two backup copies that are a day or two old.
Every time, I would opt for a hosting provider or 3rd party solution. Admittedly, there’s a cost and there’s configuration work such as opening firewall ports, entering database credentials and setting rules but believe me it’s worth it and particularly so if you’re running mutiple sites.
On the backup rules front, I would choose three backup copies, 1 for the previous day, 1 for the previous week and 1 for the previous month. The rationale being, that if your site was hacked and you didn’t notice or you were on holiday for two weeks, you could still recover. It’s also common to run backups after midnight of your target market’s timezone to avoid site slowness.
If you choose not to use the hosting provider package and stick to free plugins, just pay attention to the restore process and space issues with backup storage. When you store locally on your site or to dropbox/Google Drive, space can run out quickly and restoring can cost money when you thought it was free.
How Do I Block Spam?
Spam started life as a Monty Python Flying Circus sketch on the BBC in 1970 as a nod to Spam and it’s questionable salubrious properties.
Monty Pythons Take on SPAM circa 1970
The name stuck and became an early term for unwanted online solicitation in the 80’s. Today it’s the lifeblood of hackers and Spam has morphed into phishing, malware, click fraud and other threats as it often carries dangerous links in the email body.
From a WordPress perspective, your wordpress contact form is ground zero for atackers. My approach here is to turn on Google Recapcha on your forms and enable Akismet anti-spam. Both are quite effective (while not foolproof) at limiting spam.
How Do I Protect my Content?
Protecting your content, particular original images and text is likely important to you. Froma legal standpoint it can be difficult to discover and take action on copyright infringers particularly in different jurisdictions to the point that it might be cost prohibitive to even try.
Protecting Content on Your Site
Technically speaking there are countermeasures which are reasonably effective. WP Content Copy Protection & No Right Click is one plugin that may help you here. This plugin can effectively block content from being copy and pasted and visibly watermark images thereby protecting reuse. You can read more about it’s features by clcking on the link here. There are lots of granular features for roles, alerts and pages which can be included/excluded from protection, hence a good option if copyright is something you worry about.
Another approach is password protection for certain posts and pages using WordPress’s native visibility option when saving which is a bit blunt force as method of controlling access to content. It’s really designed for smaller installations where paid content is not a concern. If your looking for more acces controls with options for paid content access then a membership plugin like memberpress maybe a better option. There are lots of membership plugin options out there but memberpress ranks well.
Are There Other WordPress Security Steps?
Yes! Depending on your level of comfort, it’s a good idea to setup a CDN like Cloudflare which is primarily setup to speed up your site but includes security features such as DDOS / Botnet protection, SSL certificates, GEO Blocking, DNS Security, Site uptime monitoring and others. The advantage of Cloudflare is that many features are free and easy to roll-back on if they create unintended consequences.
SSL Certs are particulary important here, as they are now required for any kind of online purchasing on your site and to avoid “site insecure” messages in the site address bar when visitors land on your site. The choice of what type of SSL cert to get often comes up. If your looking for a green padlock symbol in the address at the purchase stages on you site then a paid Extended Validation (EV) cert is what you need. If you run a blog site or customer trust in your websites authenticity is not that important, then a free certificate from “Really simple SSL” would work.
It’s important to not that free certs generally have a 90 day vailidity period while paid certs are generally valid for 1-2 years, hence less maintenance.
Another area of security that might be of interest to you is domain privacy. This is usually an option at the domain name purchase / renewal stage where you can mask ownership information of your domain. A useful feature if you want to prevent spammers targeting you to get into your site.
Ensure that your Data Privacy and Cookie Compliance notices are published on your site. “GDPR/CCPA Complianz” is a free plugin that may help you here. Security compliance is important from a legal perspective but also from a customer trust level standpoint. If you hold data on EU citizens or California residents your site will be subject data privacy and cookie laws of some description.
Lastly security is an ongoing activity and needs constant supervision, which is why its important to monitor Wordfence on a weekly basis and configure alerts on Cloudflare or (other health monitoring service) for when your server goes down for example or a Denial of Service attack (DDOS) as another. It’s good practice to setup a dedicated email address such as [email protected] to capture the differents types of alerts as they come in so you or the support team can act. Alot of information to digest but prevention is the optimal solution in security, worst case scenario, customer data is compromised on your site and your subject to fines, loss of customer confidence, regulatory supervision and long term reputational damage. Better to act now and limit your risk as much as possible.
Do you need help securing your WordPress? Protect Your Invesment from Hackers, Spammers and Online Piracy
Free Zoom Consultation | Security Packages Starting from $99 / €89 | Managed Services Available
Are you looking for ideas for top privacy & security links to follow in 2021? Here are a few of my suggestions for practioners to stay on top of trends, reports & regulatory alerts based on personal research for articles I wrote in 2020