Securing your WordPress site: The essentials

WordPress is a very user-friendly and easy-to-learn content management system (CMS) for creating websites. Given how easy it is to create a website, you would assume security is just as easily taken care of in the background, which sadly is not the case. Over the years I have seen lots of different malicious activity undertaken against WordPress sites, and in this article we'll go over some of the basics that would prevent a large portion of these attacks.

Again, WordPress is very user friendly and easy to learn, and at the start your vulnerabilities are mostly around your login safety and your choice of hosting provider, but as your website, its content and its complexity grow, so does the number of vulnerabilities you are exposed to. Hackers only need to be successful once, whereas you, protecting your website, have to be successful every time.

Let’s go over some of the things you can do to protect your WordPress site.

1. Set Plugins and WordPress to auto update

This has been the number 1 way I have seen WordPress sites compromised over the past few years. Security flaws are frequently found in even the most popular plugins and are constantly exploited. If you have a plugin with a security vulnerability, it is not a matter of if you will be exploited but when, and by how many people.

Enabling auto updates is as simple as selecting the option on the right-hand side of the plugin on the Plugins page.

To enable auto updates for your WordPress version, click on the Dashboard menu item when logged into your WordPress site; under it you should see an Updates menu option where you can ensure WordPress version updates are enabled.

2. Install a plugin to block excessive login attempts

Install a plugin that limits excessive login attempts so a malicious third party doesn't send 100,000 or so login attempts at your defenceless website.

3. Delete inactive or disabled plugins and themes

Don't leave inactive themes or disabled plugins on your website. Keep your house tidy and delete anything that is not needed. The cleaner your website is, the easier it is to protect.

4. Restrict Logins

If you have access and are able to limit the locations from which people log in to your WordPress site, e.g. from your business, or from your home if you have a static IP address, then edit the .htaccess file in the root folder of your website and add the IP addresses allowed to access the login page.
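As an added example (not from the original article), here is what that .htaccess fragment looks like in Apache 2.4 syntax; the two addresses are placeholders from the documentation ranges and stand in for your office and home IPs:

```apache
# Added example: allow-list the WordPress login page by client IP.
# Place this in the .htaccess file in the site's root folder (Apache 2.4).
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses; replace them
# with the static IPs you actually log in from.
<Files "wp-login.php">
    # With only "Require ip" directives present, every other address is
    # refused with 403 Forbidden; multiple lines are OR'd together.
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</Files>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so configure mod_remoteip to restore the real client IP first, otherwise the rule will either lock everyone out or block no one.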

5. Pick a secure hosting provider

Pick a provider that gives evidence of using the latest versions of software such as PHP, as well as regularly applying security patches to the application and operating system.

Vendors should ideally give evidence of having anti-malware software in place on the server your website will sit on. This won't detect every malicious file on your website, but it gives a higher chance of detecting malicious files if they are uploaded.

Take your time choosing a hosting vendor, and remember that the cheaper hosting providers are usually cheap for a reason. Be wary of online reviews of hosting providers, as many are posted by people with an affiliate deal with specific providers.

6. Install an SSL Certificate

Nowadays it is almost a requirement to have an SSL certificate on your website to encrypt traffic in transit. Some search providers will not index your website if it does not have a certificate, and others will rank it lower if it doesn't. For security, the main reason for an SSL certificate is to ensure no one can intercept your traffic, be it between you and your website or between your users and your website.

This is another thing to be wary of with hosting providers, as some offer a cheap initial hosting service but soon start racking up costs by charging extra for items such as installing an SSL certificate. For something you can do for free, some hosting providers will try to charge you hundreds of dollars.

If you host your own website or have SSH access, you should easily be able to install a Let's Encrypt certificate with a few simple commands, for FREE!

7. Secure your BACKUPS!

Most importantly (I cannot stress how important this is) ensure your backups are:

  • automatically set to run on a regular basis
  • regularly copied to an offsite location (anywhere that is not your website server)
  • tested at least once a year so you know you can restore

Throughout my career, backups have been a very simple process, but restores have been a horrendous, torturous procedure when you suddenly discover all the failings in your backup process at the worst possible time.

No matter how hard you try to protect your website, a determined attacker, a zero-day exploit of a plugin or a lapse of concentration will see your website riddled with backdoors, so ensure your website can be recovered.
