In this article, we will tell you about WordPress security, how to secure your WordPress site and techniques to keep your WordPress site secure.
Why Is Website Security Important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.
In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting may contain malware or steal information.
How to Secure your site
Following are some steps that help to keep your site secure.
Set Strong Passwords and User Permissions
The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your professional email address.
The top reason why beginners don’t like using strong passwords is that they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.
Install a WordPress Backup Solution
Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site if something bad happens.
There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).
We recommend storing them on a cloud service like Amazon, Dropbox, or private clouds like Stash.
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.
Thankfully this can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).
Using WordPress Security Plugin
After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.
This includes file integrity monitoring, failed login attempts, malware scanning, etc.
Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.
You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to go to the Sucuri menu in your WordPress admin.
The first thing you will be asked to do is generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.
The next thing you need to do is click on the Hardening tab from the Sucuri menu. Go through every option and click on the “Harden” button.
These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.
We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.
After the hardening part, most default settings of this plugin are good and don’t need changing. The only thing we recommend customizing is the Email Alerts.
The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings > Alerts.
Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks. Hackers try to crack passwords by trying to log in with different combinations.
This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.
However, if you don’t have the firewall set up, then proceed with the steps below.
First, you need to install and activate the Login LockDown plugin.
Upon activation, visit the Settings > Login LockDown page to set up the plugin.
Disable XML-RPC in WordPress
XML-RPC was enabled by default in WordPress 3.5 because it helps to connect your WordPress site with web and mobile apps.
However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.
For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which would be caught and blocked by the login lockdown plugin.
But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.
This is why if you’re not using XML-RPC, we recommend that you disable it.
Tip: The .htaccess method is the best one because it’s the least resource intensive.
If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
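The amplification described above, seen from the defender's side, as an added example that is not part of the original article: a Python sketch that counts how many calls a single XML-RPC request carries, which is the number a per-request login limiter never sees. The thresholds, the placeholder method name example.ping, the client addresses and the sample requests are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 1_000_000  # assumed cap: refuse to parse anything larger
MAX_BATCHED_CALLS = 5       # assumed threshold for a site that rarely batches
BATCH_PATH = "./params/param/value/array/data/value/struct"

def count_calls(body):
    """Return {method name: count} for the calls carried by one request."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    if b"<!DOCTYPE" in body.upper():
        raise ValueError("DTD not accepted")  # avoid entity-expansion tricks
    root = ET.fromstring(body)
    outer = (root.findtext("methodName") or "").strip()
    if outer != "system.multicall":
        return {outer: 1}
    counts = {}
    for struct in root.iterfind(BATCH_PATH):  # one <struct> per batched call
        for member in struct.iterfind("member"):
            value = member.find("value")
            if (member.findtext("name") or "").strip() != "methodName" or value is None:
                continue
            name = (value.findtext("string") or value.text or "").strip()
            counts[name] = counts.get(name, 0) + 1
    return counts

def summarize(requests):
    """requests: iterable of (client_ip, body). Returns a per-client report."""
    report = {}
    for ip, body in requests:
        entry = report.setdefault(ip, {"http_requests": 0, "calls": 0, "flagged": False})
        entry["http_requests"] += 1
        try:
            n = sum(count_calls(body).values())
        except (ValueError, ET.ParseError):
            entry["flagged"] = True  # oversized, DTD-bearing or malformed body
            continue
        entry["calls"] += n
        entry["flagged"] = entry["flagged"] or n > MAX_BATCHED_CALLS
    return report

# Constructed fixtures: a placeholder method with no parameters.
CALL_TEMPLATE = (
    "<value><struct>"
    "<member><name>methodName</name><value><string>example.ping</string></value></member>"
    "<member><name>params</name><value><array><data/></array></value></member>"
    "</struct></value>")

def sample_multicall(n):
    """One request that batches n placeholder calls."""
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall"
            "</methodName><params><param><value><array><data>" + CALL_TEMPLATE * n
            + "</data></array></value></param></params></methodCall>").encode()

SAMPLE_PLAIN = b"<methodCall><methodName>example.ping</methodName><params/></methodCall>"

if __name__ == "__main__":
    print(summarize([("198.51.100.7", sample_multicall(500)),
                     ("203.0.113.9", SAMPLE_PLAIN)]))
```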
Add Security Questions to WordPress Login Screen
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.
You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.
The security of your WordPress site is crucial for good rankings. You don’t want all your hard work on SEO to go to waste if your site is compromised by a hacker.
Automatically Log Out Idle Users in WordPress
Logged in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.
This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.
You will need to install and activate the Idle User Logout plugin. Upon activation, visit the Settings > Idle User Logout page to configure plugin settings.
Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
You can easily do this by adding the following code in your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
The easiest thing you can do to keep your site secure is installing a plugin such as iThemes Security. Security plugins such as iThemes Security can take care of a lot of the practical matters, and save you a lot of headaches.
4 Best Security Practices
Following are four best practices to keep your site secure.
1. Keep It Current
One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often and whenever there’s a new security issue they roll out an update immediately. But that doesn’t do you any good if you’re not keeping your installation up to date. You also need to keep your themes and plugins up to date—they can have security issues as well. Sometimes people put off updates for fear of breaking their site, but you’d rather break your site with an update than risk a break-in. Also, just because a plugin is deactivated doesn’t mean it’s not a threat. You need to delete the plugin entirely.
2. Strong Passwords
Your security is only as good as your password. If you’ve got a simple password, you’ve got a simple site to hack. You need to use strong passwords. Your password should have numbers, capitals, special characters (@, #, *, etc.) and be long and unique. Your WordPress password can even include spaces and be a passphrase. Don’t use the same password in multiple places. Yes, remembering different passwords for different sites is tough, but a hacked site is worse.
3. Manage Users
Your own strong password is useless if another admin has a weak one. You need to manage your users. Not everybody needs admin access. The more people with admin access, the more chances to hack your site. Make sure you’re only giving admin access to the people who truly need it. And make sure those few admins are following good security practices. Remember to update or remove users when you have staff transitions.
4. Back It Up
If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need a backup plan. In order for backup to work, it needs to be complete and automatic. Backing up your database isn’t enough. That will save your content, but you’ll still have to rebuild your entire site, including theme tweaks and plugin settings. And if your backup isn’t automatic, you’ll forget about it.
We are sure this article helped you to learn WordPress security best techniques and practices as well as discover the best WordPress security plugins for your website.