Webmasters and website owners are responsible for the security of their websites. We’re working hard to develop, optimize and put them online, so it makes sense to protect what we’re working at.
If you were not familiar with how to secure a WordPress site in the past, it’s time to fill in the gaps now. The more you know and aware of, the more you can prevent so that your website could stay live 24/7.
At Dizzain, we have been working with WordPress for over 10 years now, and as you can imagine, we’re frequently asked about how to secure a WordPress site from hackers. We have always been happy to answer your questions, so today’s post will also be our response to your request:
In fact, it is impossible to make your website absolutely invulnerable as it is unreal to fully secure your house from any burglar or thief. It doesn’t mean that you cannot protect yourself, it means that you need to pay some attention to the issue. You can make your website tough to crack’n’hack and we’ll help you to do that.
Why websites are being hacked.
1. Most Hacking Attacks Are Automated
If you think someone typed your website address into an address bar and had a good snoop around till they found something, you’re most likely mistaken. This type of approach would be completely uneconomic from a hacker’s point of view.
Instead, just like search engines, hackers use bots to crawl the net. However, instead of indexing content, their bots search for known vulnerabilities. Automated process allows hackers to attack many sites at once and increase their odds of success.
So, if your site gets hacked, it’s probably because it popped up on the radar of an automated script, not because someone decided to target you.
2. Bad Plugins
You don’t need to be a great software developer, you don’t even need to pay any attention to the OWASP top ten web application security risks; anybody with any level of coding expertise and skill can write a plugin. So there are thousands of pre-written plugins to choose from, to give your WordPress powered site the extra functionality or feature that you crave – what could possibly go wrong?
Your new plugin may contain:
- Malicious code
- SQL injection vulnerabilities (giving attackers full access to your database)
- XSS (cross-site scripting) vulnerabilities
- CSRF (cross-site request forgery)
- Inefficient coding that seriously damages website performance or server stability
3. Not Updated Plugins
Hackers and other malicious parties watch the release notes. As soon as they learn of a vulnerability, they start exploiting it. So, you need to update as soon as possible to reduce the time that your site is vulnerable.
4. Insecure Hosting
Some providers use outdated servers and have poor maintenance while others don’t. Hosting security is extremely important. Just think of the following situation: you invest a lot of money into your website, and it goes down when the number of simultaneous guests starts growing. You need a secure hosting package to make sure viruses don’t get into your system. These days, there are plenty of unethical systems and companies eager to use your emails for spamming and your website for their ads.
Dizzain would suggest you to use WPengine hosting company services – they’re updating WordPress core by themselves, their system won’t allow you to install insecure plugins and they also frequently update their servers (none of our clients’ websites hosted at WPengine was hacked).
5. Hackers Want Users’ Passwords
Cybercriminals are always on the hunt for users and corporate credentials (usernames and passwords). If you have someone’s credentials, you can log in to their systems, access valuable data and perform fraudulent transactions on their behalf.
How to improve your website security?
1. Change admin/admin
The first thing you need to do is to change both your password and login to something more complicated than that. If you use “admin” as your username and your password isn’t strong enough, then your site is very vulnerable.
2. Make a Strong Password
The traditional advice on that is simple:
- More than 12 characters. The longer – the better.
- Numbers, Symbols, Lower-cases, Capital letters included.
- Not a word from a dictionary. Make your password unique and hard to hack, not obvious to guess.
- Don’t use the same password everywhere. It’s hard to memorize several passwords, but there are ways to handle the issue. Read this article if you want to dive a little deeper into the details.
3. Lock Down WordPress Admin Access with .htaccess
Utilizing a WordPress brute force plugin for this type of attack is not very efficient, and in some cases can actually lead to your site becoming unavailable due to a large amount of processing power used to attempt to challenge each and every malicious login attempt.
Setup a secondary level password to prevent unauthorized WordPress wp-admin and wp-login.php attempts.
Or you can rely on the information we have on limiting WordPress admin access with .htaccess.
4. Use Security Plugins:
Brute Force Login Protection
If a hacker(bot) is attempting to crack your password with a brute-force attack, it can be useful to limit the number of login attempts from a single IP address.
When you’ve changed your standard login from “admin” to a complicated one and if your password is strong, then with this plugin any brute-force attack against you is pointless.
Two Factor Authentication Plugin
Two-factor authentication, or 2FA as it’s commonly abbreviated, adds an extra step to your basic login procedure. Without 2FA, you enter your username and password, and then you’re done. The second factor makes your account more secure.
Monitor all security-related events within your WordPress site. Keep an eye on the various changes occurring within the environment. Who is logging in? What changes are being made?
WP Antivirus Site Protection
Deep scans of all website files to secure WordPress. Detects backdoors, rootkits, trojan horses, worms, fraud tools, adware, spyware, hidden links, and removes them. The virus database is updated daily.
This plugin connects your site to the VaultPress servers, backs it up and performs security scans, automatically restores a backup to your site through FTP or SSH.
5. Scan Website for Hacks, Check Google Safe Browsing
If your WordPress site had been successfully compromised, a clear indication will usually be found either by a surface security scan of the website, or it will also get reported to Google’s Safe Browsing.
Scan your website with an online malware scanner like sitecheck.sucuri.net/scanner
Check Google’s safe browsing for your domain at google.com/safebrowsing/diagnostic?site=dizzain.com
6. Do Not Use Too Many Plugins
Our advice on that – Simple is Better. Every plugin you use (even trusted and secure one) is a potential backdoor to your website. Use only the ones you really need.
Also be wary of free themes and plugins that are not in the WordPress repository.
7. Get Rid of Unused Themes and Plugins
Delete themes and plugins that are not in use, they’re still accessible from the outside. Clean your website like you clean your kitchen.
8. Protect Yourself From Bad Plugins
Make sure that the plugin you’re going to install comes from a trusted developer, is currently updated and offers good support. In addition, the number of times a specific WordPress plugin has been downloaded also says quite a lot about how functional or good that plugin may be. To keep your site safe from any kind of potential damages due to plugins, you should always ensure that you back it up regularly.
9. Back Up Your Website
Data loss can happen in many ways, the most common causes are dropped coffee mugs, accidental errors, theft or disasters like fire and flood (not only a hacker’s attack)! It is common for data to be stored in multiple places, so have your back covered.
10. Update WordPress, Its Plugins and Themes
Keep an eye on the latest releases, make sure that your site is up-to-date. WordPress team creates patches and fixes security holes on a regular basis. Follow their blog to stay tuned.
11. Update Your OS, Browsers and Antivirus Software
- Keep your system free of malware and viruses. Workstation security is even more essential when you have a website, because all you need is a keylogger to hack even the most defended website. It will read all your usernames and passwords and send them to hackers.
- Also we’d recommend you to harden your browser with Noscrypt Security, HTTPS everywhere or something similar.
12. Guard Your Network
- There’s always someone listening out there on the WWW. Using FTP is like screaming info out of the window, so always connect through SFTP or SSH. If your hosting company doesn’t do that, then get yourself another one.
- Use HTTPS and SSL on your website. You do not need a fancy and expensive certificate from Comodo or Network Solutions if you’re running a small business, just any will do.
- Do not ever email logins and passwords. Encrypt that data anyhow.
We’re pretty much sure that most of your security issues will be solved after you successfully go through the aforementioned steps, move your website to WPengine hosting and install at least Ithemes Security and Sucuri plugins to protect your website. In case you need some additional help – feel free to contact us, we’ll be glad to help!