As 2019 comes to a close, one of the most important topics in the WordPress community is Security. Since WordPress powers around 25-30% of the active websites today, it presents a big target for hackers and bots looking to exploit security vulnerabilities. This article will explain the steps I take to secure my WordPress websites.
Whenever we create a website, the first step we take is to create an SSL certificate for the website. The SSL certificate will encrypt your data until it reaches the visitors’ browser, securing any information that is transferred in between, like comments, contact forms, and credit card numbers. If you need any help installing an SSL certificate, you can read more here.
Forcing Secure Passwords
One of the easiest ways for hackers to get in your WordPress site is through the use of weak passwords. While it is a huge hassle to have to remember long, complex, and random passwords, there are some tools that can help you have a very secure password.
So for example, if we were to use one of the passwords listed in the 25 Most Common Insecure Passwords of 2017 list: welcome
Tip 1: Using the random word generator to create phrases out of random words. For example, when I go to the site and click on 5 random words, I get the following:
If you add some symbols and numbers and you get:
Both of these are extremely strong passwords that minimize the chance of getting hacked.
Tip 2: Use Password Managers. For the second tip, I would recommend using along with the first tip. I have used Lastpass and 1Password and they work great. They offer extensions for all major browsers and apps for Android and iOS. The passwords are completely encrypted in the cloud and you can pull them up on demand from the extension or the app whenever logging in to websites. They allow you to use your devices biometric unlocking to make password managing easier.
Daily Offsite Backups
Out of all the security measures, this is probably the most critical one. Any WordPress developer knows that even with all the most advanced security features in place, WordPress, its plugin and theme ecosystem and server security have too many moving parts to monitor everything perfectly. We work by the mentality that tomorrow we WILL BE HACKED.
However, due to our redundant backup solutions to S3 and S3 Glacier, we can quickly see the points of failure, correct those security holes and restore a recent backup of the website quickly and safely.
Daily Malware Scans
We scan all websites daily for malware and other malicious code that may have been injected, either accidentally or maliciously. If any issues arise, we can quickly move to fix the issue before it propagates to other parts of the website and gets flagged by Google as unsafe.
While this may be out of scope of most WordPress users, we take pride in setting up our servers with the latest server security practices. Some of the steps we take include:
- Make sure the latest Linux packages and dependencies are properly installed on the server. Use autoremove command and check for updates daily
- Make sure no accounts have empty passwords.
- Set very high password rules.
- Verify that all passwords are secure using John the Ripper tool.
- Configure IP tables to block common attacks.
- Use Tier 1 Infrastructure like AWS to provide an additional layer of security and detailed logging.
- Configure firewall to only allow traffic through pre-designated ports.
- Do not allow root login.
- Only allow users with SSH keys.
- Disable Telnet. It is an outdated tool that offers no security measures.
- Lockout IP addresses using Fail2Ban
Protect Against Brute Force Attacks
We remove the most common points of attack for WordPress sites, including:
- Forcing Strong Passwords
- Changing the Login URL (never wp-admin)
- Use software blocking to permanently block attempted logins with incorrect usernames.
Other Critical Steps we take to safeguard WordPress Sites
Block Fake Crawlers
Many malicious crawlers disguise themselves as legitimate search engine crawlers but instead sniff around your site looking for vulnerabilities. We detect these and block them at the server level.
Daily Database Optimization
We run a tool that performs a regular Database cleaning to keep your WordPress site in optimal condition and performance.
Daily Plugin, Theme, and Core Updates and Scan
We make sure that the latest version of each update, theme, and core. These updates contain the latest security updates, so it’s important to have the most up-to-date version. We also scan the code on your website against the code in the official repository to make sure it is original and untampered.
Set Correct File Permissions
This may seem trivial, but it is extremely important to make sure that the file ownership and permissions are properly set for the Website.
Two-Factor Authentication (2FA)
As an additional layer of security, we implement 2FA for our websites, which means that in addition to your password, you also need a code that is generated by an Authentication App like Google Authenticator or input a code sent via SMS (text message).
Daily Link Scanning
We scan our websites to make sure that our websites are not redirecting or linking to broken pages or malicious content. If your pages are not redirecting correctly, we edit the links to make sure that they are pointing to the correct URL.
WordPress security is all about layers of security to protect your site from the most common forms of attack, including bots, SQL injections, brute-force, and plugin and theme vulnerabilities. However, no one method of protection can truly stop an entity that is determined to hack your website. For this reason, we have backups in place that we can use to quickly restore your site in a brand new, clean server or container instance.