Why Bother Securing Your WordPress Site?
Some people regard WordPress as being prone to hacking because it is built on Open Source code. They argue that it is insecure by its very nature and that you would be better off using another CMS or a technology such as .NET.
They are, however, wrong to say that the built-in security of WordPress is poor. Installed and maintained correctly, WordPress compares well with most other content management systems. The real problem is that there are so many WordPress sites in existence that they attract attackers. It is the same problem Microsoft faces: Windows is targeted far more often than Apple’s macOS, not because it is inherently less secure, but because there are simply more targets.
The figures tend to bear this out. In 2018 around 90 per cent of the hacked CMS-based sites investigated by Sucuri were running WordPress. That is largely a reflection of market share rather than of flaws in WordPress itself: it is used far more than the others.
The fact that WordPress offers more ‘targets’ is borne out by the figures. One report by W3Techs shows that WordPress powers 34% of ALL websites on the Internet and around 60% of all sites that are created and managed using a CMS. This and the fact that WordPress continues to grow in popularity are bound to increase the likelihood of any hacker selecting a WordPress site as their prey.
Why Do Hackers Hack?
One question you may well ask is why hackers attack in the first place. There are, it appears, four main motives:
- Financial Gain
- Personal Challenge (because it is there)
- Hacktivism (the hacker disagrees with the website’s views, whether on religious, nationalist or other grounds)
- Political interference
A common reason for an attack is SEO spam: pages are modified to carry hidden links or keywords pointing back to the attacker’s own online shops, typically ones selling pharmaceutical products.
Hackers may deface a site with a view to extracting money to have the site put back as it was.
In other instances, a compromised website is used as one node in a Distributed Denial of Service (DDoS) attack against some other site.
The most worrying hacks, bearing in mind the possible regulatory penalties, are those involving the theft of personal data. Large companies such as British Airways, recently in the news for exactly this, are profitable targets.
Another type of attack installs malware on the site itself. Visitors are then served malicious code by a site they trust (a ‘drive-by download’), spreading the infection further.
But What Could Be The Results Of A Hacking Attack?
Having your site hacked can hurt in any number of ways: lost sales revenue, lost customer confidence, damaged search rankings, brand damage and, where extortion is involved, the attacker’s ransom demand.
So How Can You Protect Your WordPress Website?
There are two approaches to keeping a website live and secure. The first is to protect the site; the second is to have the means of restoring it if an attack gets through the defences. Bear in mind, though, that if personal data has already been stolen, a restore is ‘locking the stable door after the horse has bolted’: the real damage has already been done, and restoring a backup does nothing on its own to close the hole the attacker came in through.
Protecting Your WordPress Website
This too is broken down into two parts, Security and Maintenance. These two work hand in hand to protect a site, and properly done should stop the vast majority of successful attacks (There is no such thing as 100% security, hence the need for a backup plan).
Part One – Security – Securing Your Website
Yet again this comes in two parts:
1. WordPress Configuration – The configuration aspect concerns things like protecting the login page from brute-force attacks (where the attacker tries large lists of usernames and passwords against your site) and credential stuffing (where those lists come from other sites’ breaches). One commonly suggested measure is to serve the login page from a unique URL, something obscure and hard to guess like www.yoursite.com/orange, rather than the conventional /wp-login.php or /wp-admin. This is obscurity rather than security: it cuts the noise from automated scanners, but the login form is still reachable by anyone who finds the new path, and password guessing through xmlrpc.php is unaffected unless that is locked down too. Treat it as a supplement to rate limiting and two-factor authentication, not a replacement for them.
2. WordPress Plugins – Security plugins provide defence in a number of different ways; limiting the number of login attempts from one address, or requiring users to log in with two-factor authentication (2FA), are two examples.
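Before reaching for a plugin it helps to see what a login-guessing attack looks like in the web server’s own log, because that is the raw material every rate-limiting plugin works from. The script below is an added example, not code from the article or from any of the plugins it describes: a POSIX shell function that reads an Apache/nginx combined-format access log and prints every client address with too many failed login attempts. The log lines are constructed for the demo (RFC 5737 documentation addresses), the threshold is an arbitrary choice, and the classification rule (a POST to wp-login.php answered with 200 is a failed login, a 302 a successful one; any POST to xmlrpc.php counts) is the author’s heuristic.

```shell
#!/bin/sh
# Added example (not from the article): spot password-guessing against the
# WordPress login endpoints in a combined-format web server access log.
# The log lines below are constructed for this demo, not captured from a live site.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 50123 "-" "Mozilla/5.0"
EOF

# Print "<count> <ip>" for each client with at least $2 suspicious login POSTs
# in log $1, busiest first. A POST to wp-login.php answered with 200 means the
# login form was re-rendered, i.e. the password was wrong; a 302 is a successful
# login and is not counted. Every POST to xmlrpc.php is counted, because XML-RPC
# answers 200 to both good and bad credentials and is the usual route for
# brute forcing a site whose wp-login.php has been hidden or rate-limited.
brute_force_ips() {
  awk -v min="$2" '
    $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == 200) || $7 ~ /^\/xmlrpc\.php/) {
      hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' "$1" | sort -rn
}

# Example run: clients with three or more failed attempts in the sample.
brute_force_ips "$SAMPLE_LOG" 3
```

On the sample the function flags 203.0.113.7 (four failed form logins) and 198.51.100.23 (three XML-RPC posts) and ignores 192.0.2.44, whose single POST was a successful login. On a real server the output is what you would feed to fail2ban or to a web server deny list, and you would add a time window, since a legitimate user who mistypes a password a few times over a day is not an attacker.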
Some Other Examples For Protecting Your Site Through Configuration Changes
- Set up logins so that users sign in with their email address rather than a username. Note that WordPress itself accepts either at the login form, and usernames are easy to enumerate through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users), so this only helps if those listings are blocked as well.
- Protect the wp-admin directory. One way is to put a second password in front of it with HTTP Basic authentication at the web server, so the dashboard asks for a password before WordPress is even reached. Exempt wp-admin/admin-ajax.php, or front-end features that post to it will break for logged-out visitors.
- Ensure the site is served over HTTPS (TLS, still often called SSL). This stops anyone on the network path reading or tampering with logins, session cookies and form data in transit.
- If you are operating a site that has many authors, force them to use strong passwords
- Never use ‘admin’ as the username for the main administrator
- Remove any admin accounts that aren’t being used
- Change the WordPress database table prefix from the default wp_. Be clear about what this buys you: it does not stop SQL injection (https://en.wikipedia.org/wiki/SQL_injection), since an injectable query is just as injectable with a different prefix and an attacker can read the real table names from information_schema. At best it trips up unsophisticated automated attacks that hardcode wp_users and wp_options. The actual defence against SQL injection is keeping plugins and themes patched, because that is where injectable queries usually live.
- Disallow file editing (define('DISALLOW_FILE_EDIT', true) in wp-config.php). This removes the theme and plugin editor from the dashboard, so an attacker who gets hold of an administrator login cannot use it to plant PHP code. It does not protect the files from other routes such as FTP or a vulnerable upload form.
- Where possible, get the hosting company to change directory and file permissions to 755 and 644 respectively. See https://wordpress.org/support/article/changing-file-permissions/ for more info.
- Disable directory listings with .htaccess. Any directory without an index file (index.php or index.html) will otherwise let anyone list its contents, which tells the attacker exactly which plugins, themes and uploads are present and at what versions. To stop this, add one line to your .htaccess file: Options -Indexes
- Remove the WordPress version number (this can be done manually, by removing the generator tag from the page head and feeds, or with a plugin). Hiding it makes it slightly harder for an attacker to pick which exploits to try, though it is no substitute for actually being up to date.
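Most of the configuration changes in the list above are one-line edits to three files (.htaccess, wp-config.php and a small PHP file under wp-content/mu-plugins) plus a permissions sweep, so they can be applied by a script and re-applied safely after every deployment. The script below is an added example, not code from the article or from WordPress itself. It assumes Apache 2.4 with AllowOverride enabled for .htaccess, a stock wp-config.php that still contains the ‘stop editing’ marker comment, the must-use plugins directory (which WordPress loads automatically and which cannot be deactivated from the dashboard), and an htpasswd file created separately with htpasswd -c outside the web root; the file names hide-version.php and harden.sh are choices made here.

```shell
#!/bin/sh
# Added example (not from the article): apply the configuration hardening steps
# listed above to a WordPress document root, idempotently, so it can be re-run.
# Assumptions (not stated on the page): Apache 2.4 honouring .htaccess, a stock
# wp-config.php containing the "stop editing" marker, and mu-plugins enabled.
set -eu

# Append $2 to file $1 unless that exact line is already present.
ensure_line() {
  [ -f "$1" ] || : > "$1"
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# 755 for directories, 644 for files, as the article recommends.
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Stop Apache listing directories that have no index file.
disable_directory_listing() {
  ensure_line "$1/.htaccess" "Options -Indexes"
}

# Turn off the dashboard theme/plugin editor. The constant must be defined
# before wp-settings.php is loaded, so it goes in front of the marker comment;
# fail loudly rather than append it in the wrong place if the marker is missing.
disallow_file_edit() {
  cfg="$1/wp-config.php"
  grep -q "DISALLOW_FILE_EDIT" "$cfg" && return 0
  grep -q "stop editing" "$cfg" || { echo "no 'stop editing' marker in $cfg" >&2; return 1; }
  awk -v def="define('DISALLOW_FILE_EDIT', true);" \
    '/stop editing/ && !done { print def; done=1 } { print }' "$cfg" > "$cfg.tmp" \
    && mv "$cfg.tmp" "$cfg"
}

# Drop the WordPress version from <head> and from feeds via a must-use plugin.
hide_version() {
  mkdir -p "$1/wp-content/mu-plugins"
  cat > "$1/wp-content/mu-plugins/hide-version.php" <<'EOF'
<?php
// Added example: remove the generator meta tag and the version string in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
EOF
}

# Put HTTP Basic authentication in front of wp-admin. $2 is an htpasswd file kept
# outside the web root. admin-ajax.php is exempted because logged-out visitors
# legitimately POST to it (themes, comment forms, some plugins).
protect_wp_admin() {
  cat > "$1/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $2
Require valid-user
<Files admin-ajax.php>
  Require all granted
</Files>
EOF
}

# Permissions go last so the files written above are covered too.
harden_wp() {
  disable_directory_listing "$1"
  disallow_file_edit "$1"
  hide_version "$1"
  protect_wp_admin "$1" "$2"
  fix_permissions "$1"
}

# Usage: sh harden.sh /var/www/html /etc/apache2/wp-admin.htpasswd
if [ "$#" -eq 2 ]; then harden_wp "$1" "$2"; fi
```

Two caveats on the version step: the number still leaks through the ?ver= query strings WordPress adds to script and style URLs and through the readme.html shipped with every release, so hiding the generator tag only removes the most obvious clue. On permissions, 644 is the article’s general recommendation; wp-config.php holds the database password and can be made stricter (600, or 440 with the web server’s group) depending on which user PHP runs as.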
Security Through The Use Of Plugins
There are many security plugins to choose from, some with millions of active installations, others far fewer. Each has its own advocates and strengths; some of the best known are summarised briefly here.
WebARX’s claim to fame is its advanced Web Application Firewall. Its rule set updates automatically to cover newly disclosed plugin and theme vulnerabilities, and it is easily installed.
This plugin blocks malicious bots and hacking attempts, prevents malware infections and secures against plugin vulnerabilities. It also stops brute-force attacks.
The heart of this plugin is its layered protection, combined with the ability to find hidden and complex malware. That matters because it lets the website owner remove the malware before Google blacklists the site.
There is a pro version, this being more effective in cleaning and protecting your site. This one also covers updating plugins, themes, and WordPress core code.
Possibly the most popular security plugin for WordPress available at the moment, as borne out by its more than 2 million active installs. Among its many features are real-time updates showing any hack attempts and blocking of attackers; its vendor says it is used by governments and militaries worldwide.
This company not only provides a plugin, it will also clean up any site that has been hacked. The plugin is free (a bonus) and complements the other security measures set up on a site. Sucuri is one of the best free WordPress security plugins available, with more than half a million installations.
All In One WP Security & Firewall
The All In One WP Security & Firewall plugin is known to be comprehensive, easy to use, stable, and has the bonus of being well-supported.
It offers what it calls a ‘360-degree security solution’ and will take your WordPress security to a new level. It protects against brute-force attacks and helps keep you free of the most common types of website attack.
Just as a bulletproof jacket protects the body, this plugin defends and protects your website. It is a single-click solution that covers most WordPress security needs. It also protects your website against RFI, XSS, CRLF, SQL injection and other code injection attacks, and it is very easy to use.
The plugin provides a firewall to your website, plus the ability to back up your data. There is a pro version which allows you to secure your ‘wp-admin’ folder and Root website folder.
This is a real favourite for some. To protect against attacks, this plugin has the ability to ban users who have attacked other sites from accessing your website. The pro version provides even more protection by enforcing Two-factor authentication.
This plugin provides a real-time backup and security scanning service and is considered one of the best security plugins for WordPress today. It backs up every post, comment, media file, revision and setting on your site to a VaultPress server.
VaultPress thus helps protect your website against hackers, malware, damage and outages. Offering a one-stop solution, it creates scheduled backups and scans your website for malware, which can be removed with one click.
The plugin scans the files on your website, such as those used by the theme and plugins, looking for known security weaknesses. It is easy to use and protects your website from malware.
This tool protects your WordPress website from malware and blocks bots and suspicious IPs. It comes as a free plugin, or you can download the pro version, which provides weekly scans and reports all suspicious activity on your website.
Developed by WPMU DEV, Defender is a very popular plugin. It hardens a website with one click, instantly adding layers of protection against a range of security threats.
Astra Web Security
The main advantage of this plugin is its one-click malware removal. It has an easy-to-understand dashboard and scans uploads to stop malicious content getting on to your website.
Part Two – Maintenance
Keeping to the theme, there are again two parts to maintaining your site. One is keeping the site up-to-date whilst the other covers backing up your data.
As you will no doubt be aware, the WordPress core code, themes and plugins are continually updated to fix bugs and security issues. Out-of-date code is one of the favourite routes in for attackers, and keeping core, theme and plugin code up to date is an essential step before you do anything else. Be aware, though, that any update can break your site, so before you update anything it is wise to back it up (and, where you can, to try the update on a staging copy first).
The message here is twofold:-
One, always update the WordPress core, the theme and all plugins; and two, keep good, complete, recent backups, stored somewhere other than the web server itself, so that you can recover the site if an update fails or if a hack goes so deep that the only way out is to roll back to a copy taken before the compromise. Test that a backup actually restores before you need it; an archive that has never been restored is a hope, not a backup.
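The two halves of maintenance belong in one procedure: back up, prove the backup is readable, update, and roll back automatically if the update fails. The script below is an added example, not code from the article or from WordPress; it assumes WP-CLI is installed as wp, that the user running it owns the site files, and that the backup directory is on storage separate from the web server. It keeps the database dump beside the file archive rather than inside the web root, and its restore wipes the document root before unpacking so that nothing added after the backup (an attacker’s dropped file, for instance) survives the rollback.

```shell
#!/bin/sh
# Added example (not from the article): back up a WordPress site, check that the
# archive can be read back, then update core, plugins and themes with WP-CLI,
# rolling back to the backup if any step fails. Assumes `wp` is on PATH and
# $2 (the backup directory) is not on the web server's own disk.
set -eu

# Write <dest>/<stamp>-files.tar.gz (the document root) and, when WP-CLI is
# available, <dest>/<stamp>-db.sql (the database). Prints <dest>/<stamp>.
backup_site() {
  root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  if command -v wp >/dev/null 2>&1; then
    wp --path="$root" db export "$dest/$stamp-db.sql" --quiet
  else
    echo "warning: wp not found, database not dumped" >&2
  fi
  tar -czf "$dest/$stamp-files.tar.gz" -C "$root" .
  # A backup that cannot be read back cannot be restored: fail here, not later.
  tar -tzf "$dest/$stamp-files.tar.gz" >/dev/null
  echo "$dest/$stamp"
}

# Roll the document root (and the database, if a dump exists) back to a backup.
restore_site() {
  prefix="$1"; root="$2"
  # Refuse to operate on an empty or root path before wiping anything.
  [ -n "$root" ] && [ "$root" != "/" ] || return 1
  # Remove the current tree first, so files dropped after the backup was taken
  # do not survive the rollback.
  rm -rf "$root"
  mkdir -p "$root"
  tar -xzf "$prefix-files.tar.gz" -C "$root"
  if [ -f "$prefix-db.sql" ] && command -v wp >/dev/null 2>&1; then
    wp --path="$root" db import "$prefix-db.sql"
  fi
}

# Update core, plugins and themes; restore the backup if any step fails.
update_with_rollback() {
  root="$1"; prefix="$2"
  if wp --path="$root" core update \
     && wp --path="$root" plugin update --all \
     && wp --path="$root" theme update --all; then
    # Confirm the core files match the release checksums after updating.
    wp --path="$root" core verify-checksums
  else
    echo "update failed, restoring from $prefix" >&2
    restore_site "$prefix" "$root"
    return 1
  fi
}

# Usage: sh wp-maintain.sh /var/www/html /backups
if [ "$#" -eq 2 ]; then
  prefix=$(backup_site "$1" "$2")
  update_with_rollback "$1" "$prefix"
fi
```

Run it from cron after a scheduled maintenance window and keep several generations of the stamped archives; a rollback after a compromise needs a copy from before the attacker got in, not just the most recent one.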