Teiss guest blogger and WordPress specialist Alex Grant from BestVPN shares his expertise on keeping blogs and websites that use WordPress secure.
Did you know that 60% of small and medium-sized businesses are at risk of going out of business as a result of a cyber attack? An average SME or solo blogger may not be able to recover from the financial or reputational damage of a hack.
WordPress powers a large share of small business websites and blogs. If you are reading this, it may well be powering yours. The security of your content management system must not be an afterthought.
Having a rational security strategy, rather than patching things haphazardly when disaster strikes, is essential.
This strategy needs to be comprehensive and should cover everything: from fundamentals such as patching your WordPress installation; through less obvious but important tweaks like restricting the REST API and XML-RPC; to drafting a disaster preparedness and recovery plan.
Here are some of the essentials for keeping your WordPress site safe.
Secure your WordPress back-end
Patch your software
Begin by keeping your WordPress core, plugins and themes up to date. Updates aren't just for new functionality: they carry the patches for flaws found in the code, and public disclosure of a plugin flaw is usually followed within days by mass scanning for sites that still run the old version. WordPress installs minor core releases automatically by default; leave that switched on, and check the dashboard for plugin and theme updates at least weekly.
Delete unnecessary software
Delete, don't just disable, everything you're not using. Avoid accumulating a backlog of unused and outdated plugins and themes. A deactivated plugin's files are still on disk and still reachable by URL, so a flaw in a directly accessible file can still be exploited, and nobody updates a plugin they have forgotten about.
Harden the back-end
Consider the following measures to harden your WordPress back-end:
- Don't use "admin" as your administrator username: it is the first guess of every brute-force script. Go to Users in your dashboard, click Add New, fill in the user details, assign the Administrator role and click Add New User; then log in as the new account and delete the old one, choosing "Attribute all content to" the new user when WordPress asks. Bear in mind that usernames are not secret (author archives such as /?author=1 redirect to the author's slug, and the REST API lists users), so this only removes the obvious guess; strong passwords, rate limiting and two-factor authentication do the real work.
- Add two-factor authentication with a plugin such as Google Authenticator or miniOrange 2FA, and make it mandatory for every account with Editor rights or above, not just your own.
- Add a CAPTCHA to the login, registration and comment forms to slow bots down; Captcha by BestWebSoft is a simple yet effective plugin.
- Install spam protection. Spam is more than an annoyance: comments carrying malicious links can get your blog flagged by Google. The Akismet plugin is free for personal sites and straightforward to set up.
- Hide your WordPress version number: it tells attackers exactly which known vulnerabilities apply to your installation, which matters most if you fall behind on updates. To remove the generator tag from your pages, back up your site; then go to Appearance / Editor, open the Theme Functions file (functions.php) and add: add_filter('the_generator', '__return_empty_string'); then click Update File. Use WordPress's own __return_empty_string helper here; passing an empty string as the callback, as some guides suggest, is not a valid callable and is a fatal error on PHP 8. Two caveats: a theme update overwrites functions.php (a child theme or a must-use plugin survives updates), and the version also leaks through the ?ver= parameter on core scripts and stylesheets and through readme.html, so treat hiding as a nuisance for scanners, not a substitute for patching.
- Restrict the REST API (designed to let developers integrate custom-built programs with WordPress) and XML-RPC (which enables remote access and posting). XML-RPC accepts a username and password on every call, so a 2FA plugin that protects the login form does not protect it, and its system.multicall method lets an attacker pack hundreds of password guesses into a single request. The REST API, by default, lets anonymous visitors list your usernames at /wp-json/wp/v2/users. If you don't post remotely and don't use Jetpack or the WordPress mobile app, disable XML-RPC outright. Don't switch the REST API off wholesale, though: the block editor and many plugins depend on it; limit it to logged-in users instead. The Disable XML-RPC and Disable REST API plugins will do this without touching code (the latter blocks anonymous requests rather than the whole API).
- Lock out repeated sign-in attempts with a plugin such as WP Limit Login, so brute-forcing scripts and bots cannot hammer your login form indefinitely. It caps the number of attempts allowed from one address within a set time, lets you customize the lock-out period and can add a captcha. If your site sits behind a CDN or reverse proxy, make sure the plugin is configured to read the real client address; otherwise every visitor shares the proxy's IP and one attacker can lock everyone out.
- Consider a monitoring plugin like Wordfence or Sucuri Security to take care of file-integrity checks, malware scanning and alerting for you. Both have free and paid plans, so you can cover your basic needs for nothing and add a web application firewall later.
- Restrict user roles: give each user the lowest role that lets them do their job (Contributors and Authors rarely need more) and keep the number of Administrators to a minimum. WordPress shows a password strength meter but does not enforce it: a user can tick "Confirm use of weak password" and carry on. The Force Strong Passwords plugin closes that gap.
- Log out idle users to protect your blog from someone who steals or borrows a contributor's phone or laptop with a session still open. The Idle User Logout plugin does this; shortening the login cookie lifetime (two days by default, fourteen with "Remember Me") limits the exposure as well.
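The version-hiding, REST/XML-RPC and session-length points above can be covered in one small file rather than a plugin each. What follows is an added example, not code from the article or from any of the plugins it names: a must-use plugin dropped into wp-content/mu-plugins/ (the filename, the four-hour session length and the 401 message are my own choices). It goes slightly beyond the list by also stripping the ?ver= version leak from core assets and removing the pingback method, which needs no login and is abused for reflection attacks.

```php
<?php
/**
 * Plugin Name: Hardening tweaks (added example)
 * Description: Save as wp-content/mu-plugins/harden.php. Must-use plugins load
 *              before normal plugins and cannot be deactivated from the dashboard.
 */

defined( 'ABSPATH' ) || exit;  // no direct access

// 1. Drop the <meta name="generator" content="WordPress x.y.z"> tag.
//    Use WordPress's own helper; '' is not a valid callback (TypeError on PHP 8).
add_filter( 'the_generator', '__return_empty_string' );

// 2. The version also leaks as ?ver=x.y.z on every core script and stylesheet.
function harden_strip_ver( $src ) {
    return is_string( $src ) ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'harden_strip_ver', 9999 );
add_filter( 'style_loader_src', 'harden_strip_ver', 9999 );

// 3. XML-RPC: this filter disables only the methods that take a password
//    (where the 2FA bypass and system.multicall brute force live)...
add_filter( 'xmlrpc_enabled', '__return_false' );
//    ...so also remove pingback, which needs no login. Jetpack and the
//    WordPress mobile app need XML-RPC: skip this section if you rely on them.
function harden_drop_pingback( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'harden_drop_pingback' );

// 4. REST API: require a logged-in session instead of switching it off, so the
//    block editor keeps working while /wp-json/wp/v2/users stops listing
//    usernames to anonymous visitors. Same shape as the REST API handbook example.
function harden_rest_require_login( $result ) {
    if ( ! empty( $result ) ) {
        return $result;  // another callback already returned an error or true
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',  // assumption: wording is mine
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'harden_rest_require_login' );

// 5. Shorter sessions. Core defaults are 2 days, or 14 with "Remember Me";
//    4 hours / 7 days are assumptions, tune them to your team.
function harden_session_length( $expiration, $user_id, $remember ) {
    return $remember ? 7 * DAY_IN_SECONDS : 4 * HOUR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'harden_session_length', 10, 3 );
```

Try it on a staging copy first. Blocking anonymous REST requests breaks anything that calls the API from the public side of the site (some contact-form and shop plugins, oEmbed discovery); if something stops working, allow that plugin's route namespace inside harden_rest_require_login rather than removing the filter. Stripping ?ver= also removes cache-busting, so purge caches after updates. Verify from a logged-out browser: the page source should contain no generator tag, /wp-json/wp/v2/users should return a 401, and a login call to /xmlrpc.php should be refused.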
Secure your hosting
The right hosting provider
Securing your hosting begins with choosing the right provider in the first place. Look for one that caters to WordPress specifically, and consider a dedicated or virtual private server rather than shared hosting if the budget allows: on a poorly isolated shared host, a compromised neighbouring account can reach your files. Pay attention to their security features (automatic backups, malware scanning, isolation between accounts) and ask whether a TLS certificate is bundled or sold as a separate product.
SSL and HTTPS
Install a TLS (SSL) certificate and serve the whole site over HTTPS to encrypt the traffic between your readers' browsers and your server. This stops anyone on the network path from reading or tampering with logins and session cookies, and Google treats HTTPS as a ranking signal. Many hosting providers offer certificates, but you can also get one for free from Let's Encrypt or Sucuri, in which case ask your host to help you install it. Once it is in place, change the WordPress Address and Site Address under Settings / General to https:// and add define('FORCE_SSL_ADMIN', true); to wp-config.php so the dashboard is never served in the clear.
Update file permissions
Update file permissions to remove any 777 (world-writable) settings; some hosts and tutorials apply them to "make things work", and they let any other process on the server, including a compromised neighbouring account, rewrite your files. Use SFTP or SSH rather than plain FTP, which sends your password in the clear, and set directories to 755 and files to 644. wp-config.php holds your database credentials and salts, so tighten it further: 600 if PHP runs as the file owner, or 640 if the web server runs as a different user in the same group. Tighter is always fine: you can still edit the files as their owner, but other users on the machine can no longer read or modify them. The one exception is wp-content/uploads, which the web server must be able to write to.
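Rather than chmod-ing blind, audit first. The script below is an added example (not from the article): a command-line PHP script that walks a WordPress tree, flags every entry whose mode grants more than the target for its type, and fixes them if asked. The targets (755/644, 640 for wp-config.php, 775/664 under wp-content/uploads) and the exit codes are my assumptions; adjust them to how your host runs PHP.

```php
<?php
/**
 * audit-perms.php (added example): report, and optionally fix, permissions in
 * a WordPress tree.
 *
 *   php audit-perms.php /var/www/html        # report only; exit 2 if anything is flagged
 *   php audit-perms.php /var/www/html --fix  # also chmod each entry to its target
 *
 * Run it over SSH as the user that owns the files, never through the web server.
 */

if ( PHP_SAPI !== 'cli' ) {
    exit( 'run from the command line' );
}

$root = rtrim( $argv[1] ?? getcwd(), '/' );
$fix  = in_array( '--fix', $argv, true );

if ( ! is_dir( $root . '/wp-includes' ) || ! is_file( $root . '/wp-config.php' ) ) {
    fwrite( STDERR, "$root does not look like a WordPress install\n" );
    exit( 1 );
}

/** Expected mode for one entry (assumed targets, see lead-in). */
function target_mode( SplFileInfo $f, string $root ): int {
    $rel     = substr( $f->getPathname(), strlen( $root ) );
    // The web server must write here; if PHP runs as a different user than the
    // owner, group-write is the least bad option for uploads only.
    $uploads = strpos( $rel, '/wp-content/uploads' ) === 0;
    if ( $f->isDir() ) {
        return $uploads ? 0775 : 0755;
    }
    if ( $rel === '/wp-config.php' ) {
        return 0640;  // owner plus the web server's group; use 0600 if they are the same user
    }
    return $uploads ? 0664 : 0644;
}

$flagged = 0;
$iter    = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::SELF_FIRST
);

foreach ( $iter as $path => $f ) {
    if ( $f->isLink() ) {
        continue;  // chmod follows symlinks; leave whatever they point at alone
    }
    $mode   = $f->getPerms() & 0777;
    $target = target_mode( $f, $root );
    // Flag any bit the target does not grant: 0777 -> group/other write,
    // 0644 on wp-config.php -> world read. Stricter than the target passes.
    if ( $mode & ~$target ) {
        $flagged++;
        printf( "%04o -> %04o  %s\n", $mode, $target, $path );
        if ( $fix && ! @chmod( $path, $target ) ) {
            fwrite( STDERR, "chmod failed (not the owner?): $path\n" );
        }
    }
}

printf( "%d entr%s flagged\n", $flagged, $flagged === 1 ? 'y' : 'ies' );
exit( $flagged > 0 && ! $fix ? 2 : 0 );
```

Run it once without --fix and read the list: a 777 on wp-content/uploads or a 644 on wp-config.php are the usual findings. Run it again after --fix and it should report zero entries; re-run it after any plugin that asks you to "loosen permissions", since that request is exactly how 777 creeps back in.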
Disable PHP Error reporting
Disable the display of PHP errors, because an error message rendered on a public page exposes full server paths and sometimes fragments of code or SQL. The snippet often recommended for wp-config.php, error_reporting(0); @ini_set('display_errors',0); placed right after the opening <?php line, goes too far: zeroing error_reporting also stops errors being logged, so you lose the trail you will need after an incident (and WordPress resets the reporting level later in its own startup anyway). Keep display_errors off, keep WP_DEBUG false on the live site and send errors to a log file outside the web root; turn display back on only on a staging copy when you need to troubleshoot.
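The weak setting beside the corrected one, as an added example for wp-config.php (not the article's own snippet). The log path is an assumption; pick any location the web server does not serve. The two DISALLOW_ constants at the end go a step beyond the paragraph above: they shut the dashboard file editor mentioned earlier, so a hijacked admin session cannot drop PHP into functions.php.

```php
<?php
// Added example: production error handling for wp-config.php. Place it above the
// "/* That's all, stop editing! Happy publishing. */" line.

// Weak: what many tutorials suggest. error_reporting(0) also silences the error
// *log*, so a broken plugin or an intrusion leaves no trace. WordPress's
// wp_debug_mode() later overrides the level anyway when WP_DEBUG is false.
//
//   error_reporting(0);
//   @ini_set('display_errors', 0);

// Corrected: keep errors off the page but keep them in a log.
define( 'WP_DEBUG', false );                    // never true on a live site
@ini_set( 'display_errors', '0' );              // applies even before WordPress's constants are read
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/var/log/php/wordpress-error.log' );  // assumption: outside the web root

// If you ever enable WP_DEBUG_LOG for a debugging session, note that its default
// target is wp-content/debug.log, which is web-accessible; delete it afterwards.

// Related hardening, same file: disable the theme/plugin editor in the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
// Stricter still: block plugin/theme installs and updates from the dashboard too.
// Only do this if you deploy updates another way (WP-CLI, version control).
// define( 'DISALLOW_FILE_MODS', true );
```

Check it from the outside: request a URL that triggers a PHP notice (a plugin you are about to update is a good candidate) and confirm nothing appears in the response body while the line shows up in the log file.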
Have a disaster preparedness plan
Back up the right way. Backups should be automatic, incremental and redundant, and stored in several locations. Don't rely on manual backups. Keep daily, weekly and monthly copies in at least two places, such as in the cloud, with your web host and locally on an external drive, and make sure at least one copy is off-site and not reachable with the credentials your web server uses, so an attacker who wipes the site cannot wipe the backups too. Test a restore periodically: a backup you have never restored is an assumption, not a plan.
Prepare a static holding page that tells your readers the website is down and that you're working on a fix.
Prepare a plan for how you would re-deploy your blog from a clean backup (reinstall core, plugins and themes from fresh copies rather than restoring possibly infected files) and decide where you would redirect your traffic while the blog is down.
Secure endpoint devices and email accounts: each device you use to access your site is part of your WordPress security, and the email account that receives password resets is the master key to it. So use strong passwords or PINs and two-factor authentication on your smartphones, laptops and administrative email. Don't blog over insecure public Wi-Fi unless you're using a trusted VPN.
As you can see, most WordPress security tweaks do not require advanced technical skills (although many users will want help with some of these instructions). If you've got as far as setting up your WordPress blog, you can spare another 30 minutes to make sure it is secure.
At the end of the day, better security keeps you in Google's good books (HTTPS is a ranking signal, and a hacked site gets flagged in search results) and preserves your reputation among your readers. Trust me!