Secure Your WordPress Website
In today’s website ecosystem, security should be the first thing to consider, not only for your website but also for the benefit of your visitors. Many websites are compromised for many reasons, but one of the main causes is a lack of routine maintenance: server-side software such as PHP or Apache is left without updates, and so are the WordPress core, themes and plugins. Maintenance is not the only thing you need to secure your WordPress website. Below, I emphasize some other key areas to help keep your WordPress website safe and secure.
Start By Securing Your WordPress Login Page
The standard login URLs for WordPress make it easy for bots and people with bad intentions to attempt a brute force style attack against your login page. This allows large networks of malicious bots to easily scan your website for vulnerabilities and use known exploits that could give them access to your website.
We recommend using a plugin like WPS Hide Login to change the login page URL to something that makes more sense for you, avoiding obvious names like admin or login. It is best to choose a login page name that does not reflect anything someone might find on your website, so that the URL is as hard as possible to guess.
To prevent a brute force attack, we also recommend using a plugin called Login Lockdown, which blocks the IP addresses of people who fail to log in correctly. This increases the overall security of the login page by preventing further attempts to log in to your website from the same IP address once previous login attempts have failed.
Enable Two-factor Authentication
Several authentication factors can be combined to protect the login for your website. They fall into a few simple categories:
- Something you know (username, password, pin number, etc.)
- Something you have (mobile device, key generator, etc.)
- Something that you are (biometric information, such as your fingerprint or facial features)
Enabling a two-factor authentication service on your website is another great way to restrict who can log in to your website to the people you have approved. Securing your WordPress website in this way requires not only knowing the username and password, but also confirming them with something you have on you to verify your identity.
Google Authenticator is a good solution for this.
Username Or Email Address
Using an email address to log in instead of a username is better, because the username is often displayed by default as the author of blog articles. An email address that is not used anywhere on the website itself is much better still. For example, do not use the email address you posted on your website as your contact email as your login email.
If you prefer usernames, I would strongly recommend that you avoid terms like admin, administrator, or editor, as these are among the first usernames that attackers will try in order to gain access to your website.
We recommend using a password manager like LastPass or 1Password to generate secure passwords for all websites you use, so that you can keep them safe. You can also use them to fill in these logins when necessary.
Avoiding weak or short passwords protects you against both brute-force style attacks and dictionary attacks. Both of the services above also offer two-factor authentication, not only to protect access to the saved passwords they store on an encrypted server, but also to generate two-factor codes for many other services that you log in to.
As I mentioned earlier, maintenance is an important part of securing your WordPress website. Another way of securing it is by making sure that the plugins you use or install have been updated recently and have a decent number of reviews and installations. This indicates that a plugin is being actively maintained and patched when security problems are found.
- Make sure that you have only installed plugins that you are actively using. Do not leave plugins that you are not using lying around, even temporarily.
- I really cannot stress this enough. Do not use a file manager plugin on your website. These plugins are usually the first plugins targeted by attackers to drop malware onto a website. They provide direct access to your server’s file system and can be used to change important parts of your website’s files.
- Check whether the plugin has an active security advisory by searching the WPScan vulnerability database.
SFTP / FTP Users
Review all users’ access to your website and keep track of the user accounts that can access it, so you don’t have old accounts that are just sitting around. Update these user passwords approximately every three to six months, preferably more often, and never reuse a password. A password manager can generate a random password for you to use when updating them.
Monitor Your WordPress Website
Keep an eye out for odd content changes on your website, as this can be a great indicator that something needs further investigation. Most of the time such changes will be the result of an updated theme or plugin. One of the most common things to stay on top of is keeping your plugins updated. Monitoring WordPress core for security updates and known issues will also help you secure your WordPress website.
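"Odd content changes" are easiest to spot when you have a record of what the files looked like when they were known good. The script below is an added example for this article, not code from the original page or from WPSuperhero: it hashes every file under the site root into a manifest right after a clean install or update, and later compares a fresh manifest against it to list files that were added, removed or modified. The exclusion of wp-content/uploads/ and wp-content/cache/ is an assumed default to keep legitimately busy directories out of the report; `demo()` builds a constructed throwaway site tree so the block runs anywhere.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Relative paths that change legitimately all the time and would only drown the
# report in noise. Assumed defaults for this example, not a WordPress rule.
DEFAULT_EXCLUDES = ("wp-content/uploads/", "wp-content/cache/")


def sha256_file(path):
    """SHA-256 of a file, streamed so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Map every file under `root` (the site root) to its SHA-256, skipping excludes."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(excludes):
            continue
        manifest[rel] = sha256_file(path)
    return manifest


def save_manifest(manifest, out_path):
    Path(out_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(in_path):
    return json.loads(Path(in_path).read_text())


def diff_manifest(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny constructed site tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-settings.php").write_text("<?php // constructed stand-in\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed")
        baseline = build_manifest(root)

        # Tamper: edit one file, delete another, drop a new one, and touch uploads
        # (the last of these must NOT show up, because uploads/ is excluded).
        (root / "index.php").write_text("<?php // modified after baseline\n")
        (root / "wp-settings.php").unlink()
        (root / "wp-content" / "dropped.php").write_text("<?php // unexpected new file\n")
        (root / "wp-content" / "uploads" / "other.jpg").write_bytes(b"noise")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline immediately after a clean install or a deliberate update, and re-baseline after every legitimate update, otherwise the report fills with expected changes. Keep the saved manifest somewhere the web server cannot write to (ideally off the host), since anyone who can alter site files can otherwise alter the manifest to match. Run the comparison from cron and treat any non-empty result as something to look at.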
Most standard WordPress installations use a prefix of wp_ for their database tables, and switching to a unique prefix should be one of the things you address. Many services such as Flywheel and WP Engine generate a random prefix for you when you first set up a new website, but in many other cases this is not done. It is strongly recommended that you avoid the standard prefix wherever possible.
Firewalls protect your website from DDoS (Distributed Denial of Service) attacks and prevent known malicious IP addresses from reaching your website. Services like Cloudflare can be used free of charge and have this functionality built in, as well as a content delivery network (CDN) for your website, which you can use to increase its overall performance.
There are many hosting providers out there, but when it comes to security, we recommend using the best hosting provider you can. Look for one that prevents the modification of core WordPress files, so that attackers cannot add malicious code to them.
Having a fresh daily backup of your website ready will make it easier to recover from the website being hacked, or from accidentally breaking the website through a recent update or the deletion of an important file. Having a daily backup of your website, as well as one taken just before you change theme or plugin files, will help you in several ways. You should keep these backups in a safe place, and we recommend using the 3-2-1 backup method:
- 3 copies of your data (monthly, daily and in case of change)
- 2 copies on different storage media (on the website and on your computer)
- 1 copy externally (Google Drive, Dropbox or another service that is easily accessible)
Relying only on the backup solution provided by your host is not the best idea, as it may be missing files or content that you recently added, or in some cases nothing has been backed up at all. It is recommended to have an alternative backup solution. WPSuperhero can take care of that for you.
How many of these elements have you currently implemented? Use the list below to check them off!
Take the worry out of maintenance and monitoring and join WPSuperhero today. We’ll secure your WordPress website, keep it up to date for you and provide full 24/7 proactive monitoring for any security issues, so you can focus on the rest of your day with a calm mind. If your hosting provider doesn’t offer you the latest version of PHP and you’re looking for a great all-inclusive solution to your security efforts, you should check out our latest promotion and take advantage of our great hosting and maintenance package!