As 2019 comes to a close, one of the most important topics in the WordPress community is security. Since WordPress powers around 25-30% of the active websites today, it presents a big target for hackers and bots looking to exploit security vulnerabilities. This article will explain the steps I take to secure my WordPress websites.
Whenever we create a website, the first step we take is to create an SSL certificate for it. The certificate encrypts data in transit between the server and the visitor's browser, securing any information transferred between them, such as comments, contact-form submissions, and credit card numbers. If you need any help installing an SSL certificate, you can read more here.
One of the easiest ways for hackers to get into your WordPress site is through the use of weak passwords. While it is a huge hassle to have to remember long, complex, and random passwords, there are some tools that can help you create a very secure one.
For example, take one of the passwords listed in the 25 Most Common Insecure Passwords of 2017 list: welcome
Tip 1: Use a random word generator to create phrases out of random words. For example, when I go to the site and click on 5 random words, I get the following:
If you add some symbols and numbers, you get:
Both of these are extremely strong passwords that minimize the chance of getting hacked.
Tip 2: Use a password manager. I would recommend using one along with the first tip. I have used LastPass and 1Password and they work great. They offer extensions for all major browsers and apps for Android and iOS. The passwords are completely encrypted in the cloud and you can pull them up on demand from the extension or the app whenever you log in to a website. They also allow you to use your device's biometric unlock to make password management easier.
Out of all the security measures, this is probably the most critical one. Any WordPress developer knows that even with the most advanced security features in place, WordPress, its plugin and theme ecosystem, and server security have too many moving parts to monitor everything perfectly. We work with the mentality that tomorrow we WILL BE HACKED.
However, because we keep redundant backups in S3 and S3 Glacier, we can quickly identify the points of failure, close those security holes, and restore a recent backup of the website quickly and safely.
We scan all websites daily for malware and other malicious code that may have been injected, whether accidentally or maliciously. If any issues arise, we can quickly fix them before they propagate to other parts of the website and the site gets flagged by Google as unsafe.
While this may be out of scope for most WordPress users, we take pride in setting up our servers with the latest server security practices. Some of the steps we take include:
We remove the most common points of attack for WordPress sites, including:
Many malicious crawlers disguise themselves as legitimate search engine crawlers but instead probe your site for vulnerabilities. We detect these and block them at the server level.
We run a tool that performs regular database cleaning to keep your WordPress site in optimal condition and performance.
We make sure that the latest version of each plugin, theme, and WordPress core is installed. These updates contain the latest security fixes, so it's important to have the most up-to-date version. We also compare the code on your website against the code in the official repository to make sure it is original and untampered.
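One way to do the comparison against the official code, as an added example rather than the agency's own tooling: the function below walks a WordPress install and checks each file against a manifest of expected MD5 hashes. The manifest is assumed to have the same shape as the `checksums` object returned by the api.wordpress.org core checksums endpoint (relative path to MD5 hex); `wp-content/` is skipped because it legitimately holds site-specific plugins, themes and uploads.

```python
import hashlib
from pathlib import Path


def md5_of(path: Path) -> str:
    """Return the hex MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums, skip_prefixes=("wp-content/",)):
    """Compare files under `root` with a reference manifest.

    `checksums` maps a path relative to the WordPress root to its expected
    MD5 hex digest (assumed to match the shape of the official checksums
    API response). Returns three sorted lists:
      modified - files present but whose hash differs from the manifest
      missing  - files listed in the manifest but absent on disk
      extra    - files on disk that the manifest does not know about,
                 excluding anything under the `skip_prefixes` directories
    Unexpected or altered files in core directories are the classic sign
    of an injected backdoor and are what a daily scan should surface.
    """
    root = Path(root)
    modified, missing, extra = [], [], []

    # Pass 1: every file the manifest expects must exist and hash correctly.
    for rel, expected in checksums.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_of(p) != expected.lower():
            modified.append(rel)

    # Pass 2: anything on disk outside wp-content that core does not ship.
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in checksums or rel.startswith(skip_prefixes):
            continue
        extra.append(rel)

    return sorted(modified), sorted(missing), sorted(extra)
```

A non-empty `modified` or `extra` list is the trigger to restore the affected files from the backup described above rather than to edit them in place.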
This may seem trivial, but it is extremely important to make sure that the file ownership and permissions are properly set for the website.
As an additional layer of security, we implement 2FA (two-factor authentication) for our websites, which means that in addition to your password, you also need a code generated by an authenticator app like Google Authenticator, or a code sent via SMS (text message).
We scan our websites to make sure that they are not redirecting or linking to broken pages or malicious content. If your pages are not redirecting correctly, we edit the links to make sure that they point to the correct URL.
WordPress security is all about layers of protection against the most common forms of attack, including bots, SQL injection, brute-force attacks, and plugin and theme vulnerabilities. However, no single method of protection can truly stop an entity that is determined to hack your website. For this reason, we have backups in place that we can use to quickly restore your site on a brand-new, clean server or container instance.