In recent years, there have been multiple reports of large-scale website data breaches in the news. Many of these breaches happened at large companies and government institutions whose security budgets alone far exceed the website hosting budgets of most small businesses. People are beginning to wonder, “if they aren’t secure, how can we possibly be secure?” The truth is that security is an ever-moving target that can’t just be achieved by applying the “right settings” to the website. Here are some things you can do to improve the security of your existing WordPress site and reduce the effectiveness of the most common types of attacks.
- Install a reliable backup solution and schedule regular offsite backups
- Strong passwords, Password Managers, 2Factor Authentication, and the principle of least privileges for all user accounts
- Keep plugins, themes, and core updated/Remove unused plugins/themes
- Security/Monitoring plugin/WAF
- Update to the latest stable PHP version, connect over HTTPS/SSL, use a VPN service in that coffee shop!
1. Install a reliable backup solution and schedule regular offsite backups
I know what you’re thinking. How does a backup solution prevent hackers from getting into my web site? The answer is simple. It doesn’t do a single thing to prevent them from getting into the site. It does, however, give you the option of quickly restoring your site and minimizing data loss if a hacker does get into the site.
Most reputable hosting companies will provide an automated basic backup of your site in daily, weekly, or monthly increments. How often you back up should be based on how often site content changes. I recommend a minimum of a daily backup for most sites. If your hosting provider doesn’t provide backups, stores the backups directly on the web server, or doesn’t back up as often as you need, you should install a backup plugin that can automate backups on a schedule that works for you. Any backup plugin you choose should be able to do a full site backup and store it remotely in an offsite location. Backups stored on the web server itself can be altered by a hacker, which means you could be putting their files back on the server with each site restore.
Here are some backup solutions:
2. Strong passwords, Password Managers, 2Factor Authentication, and the principle of least privileges for all user accounts
Strong passwords and password managers
If you can remember your password, it’s probably not a good one. One of the most common attack methods is brute-force login attempts. This is when a hacker attempts to log into your site using a possible username and a huge list of possible passwords in rapid succession. Usernames are easy to discover on most CMS-driven sites like WordPress, and a hacker who has found a valid username already has half the information they need to gain access. They use publicized password lists from previous data breaches, which increases their likelihood of success.
So what can you do about it? Don’t let your brain generate your passwords anymore and never reuse a password on another website. You should be using a minimum of 50 characters in passwords for your WordPress sites, especially if your account has admin privileges. Remembering all these giant passwords is not going to be an option for anyone without a photographic memory, but that’s where password managers come in.
There are many free options, but even the premium options are fairly inexpensive compared to the potential financial and reputational damage of a hacker gaining access to your customers’ data. The password manager stores these long passwords for you, and you can easily retrieve the login information each time you need to log into a site. Most of them will also generate secure passwords for you based on your preferences of length and complexity.
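The “rapid succession” pattern described above is visible in an ordinary web server access log. As an added example (not code from the original post), this Python script scans constructed log lines for one IP submitting many failed wp-login.php POSTs within a short window; it relies on WordPress answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format); not taken from any real site.
# Failed WordPress logins re-render wp-login.php (HTTP 200); a successful login
# redirects to /wp-admin/ (HTTP 302), so a burst of 200s is the brute-force signature.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.25"
203.0.113.7 - - [12/Mar/2021:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.25"
203.0.113.7 - - [12/Mar/2021:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.25"
203.0.113.7 - - [12/Mar/2021:09:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.25"
203.0.113.7 - - [12/Mar/2021:09:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.25"
198.51.100.23 - - [12/Mar/2021:09:16:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2021:09:16:59 +0000] "GET /wp-admin/ HTTP/1.1" 200 31890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def failed_login_bursts(lines, threshold=5, window=60):
    """Map each IP to its largest count of failed logins inside any `window`
    seconds, keeping only IPs that reach `threshold` (the brute-force pattern)."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[2] == "POST" and ev[3].startswith("/wp-login.php") and ev[4] == 200:
            failures[ev[0]].append(ev[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Run against a real log, the flagged IPs are what a WAF or login-limiting plugin would block; the legitimate user’s single 302 login never appears in the result.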
Here are some reputable password managers:
Two-factor authentication
In addition to using complex passwords, I recommend that you add additional security for your logins by installing a plugin that enables 2FA (two-factor authentication). What is 2FA? The first factor in two-factor authentication is “something you know”. If you know your username and password, you can log in. If a hacker figures out your username and password, they can log in as well. The second factor, in internet-based two-factor authentication, is usually “something you have” (cellphone, dongle, etc). Some of the 2FA plugins will allow you to set it for just admins/privileged users. It’s up to you if you want to require 2FA for all users or just the admins.
Here are some reputable 2FA plugins:
Principle of least privilege for user accounts
Every user account is a potential entry point for a hacker. Having lots of unnecessary admins is one of the most common security issues that I see. The principle of least privilege means that account roles/privileges are assigned based upon the actions that a user will need to perform on the site rather than by organizational title. For example, if the CEO of the company is only going to be making an occasional blog post and not managing users, themes, plugins, etc., an editor or author role would be more appropriate than an administrator role. Following the principle of least privilege minimizes the damage that can be done if that particular account is hacked. You can see the list of roles and capabilities in the WordPress codex. I recommend using a plugin to create custom roles for users that need a little more or a little less than an existing role.
Here are some role editor plugins:
3. Keep plugins, themes, and core updated/Remove unused plugins/themes
Another common entry point for hackers is old WordPress core, theme, and plugin code that contains known vulnerabilities. WordPress code is updated regularly for multiple reasons besides just adding new features. Some of those reasons include bug fixes and security patches. Not all developers specifically mention that an updated plugin or theme release includes a security patch, but those vulnerabilities may be well known to hacker groups that scan sites looking for exploitable code. Any plugin or theme that isn’t being used should be removed from the site. You can always store it locally and add it back if you change your mind and decide to use it later. If you are always using the latest version of WordPress core, plugins, and themes, you are much less likely to be running exploitable code.
4. Security/Monitoring plugin/WAF
Knowing what, if anything, has changed on your site is a major advantage when it comes to security. There are a few plugins I recommend for this sort of monitoring. I install the Sucuri Security plugin on every site we build. It provides a real-time file integrity check on the WordPress core files and lets me know immediately if anything has been altered from the original download. It also provides some security hardening options that prevent the direct execution of PHP files in locations where they shouldn’t need to be accessed for the normal WordPress site functionality to work.
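The file integrity check described above works by hashing every file and comparing against a known-good manifest (WP-CLI’s `wp core verify-checksums` does the same against the checksums WordPress.org publishes for each release). As an added, offline example that is not the plugin’s code, this Python script baselines a constructed mini site tree, simulates tampering, and reports exactly what changed; the file names are hypothetical stand-ins, not real WordPress source.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Map every file under `root` (POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in set(baseline) & set(current)
                           if baseline[f] != current[f]),
    }

def demo() -> dict:
    """Build a constructed site tree, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        # Hypothetical stand-ins for core files; not real WordPress source.
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '5.7';\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(root)  # taken right after a clean install or update

        # Simulated compromise: a core file gains extra code, and a PHP file appears
        # in uploads, a directory that should never need to execute PHP.
        with (root / "wp-includes" / "version.php").open("a") as f:
            f.write("/* unexpected addition */\n")
        (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest must be stored off the web server (like the backups), otherwise an attacker who can alter files can also alter the record you compare them against.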
Another plugin I’ve found useful is WP Security Audit Log. It is extremely customizable and allows you to log as much or as little user activity as you feel you need.
Web Application Firewalls (WAFs) can protect your site from denial-of-service attacks, brute-force attacks, SQL injection, and exploitation of known core, plugin, and theme vulnerabilities. You can add remote WAF services through companies like Sucuri and Cloudflare.
5. Update to the latest stable PHP version, connect over HTTPS/SSL, use a VPN service in that coffee shop!
This last bit isn’t quite as easy as just flipping a switch, but shouldn’t be too difficult with a little help from your hosting provider.
Update to latest PHP version
A lot of site owners don’t know what version of PHP their site is running on. WordPress currently recommends a minimum of:
- PHP version 7.3 or greater.
- MySQL version 5.6 or greater OR MariaDB version 10.1 or greater.
- HTTPS support
In WordPress 5.2 and above, you can find out which version of PHP your site is running by logging into your dashboard and clicking Tools and then Site Health. At the top of the Site Health page, click the link that says Info. Scroll down to the Server section and expand it to see which version of PHP you are currently running. If it is lower than the recommended version, you can contact your hosting provider for instructions on updating to a newer version.
Connect over HTTPS/SSL
SSL certificates used to be very expensive, but now many hosting companies provide them for free through Let’s Encrypt or similar services. If your site has a login or accepts information submitted through web forms of any type, you need to encrypt that information using an HTTPS/SSL connection. Logging into the back end of a WordPress site without encrypting that login over HTTPS puts you in danger of having that information intercepted. If you’re not set up for HTTPS/SSL, you’ll need to talk to your hosting provider or your web developer to see if they can help you get set up.
Use a VPN service in that coffee shop!
Lots of people enjoy working from the local coffee shop, but when you look around and see all those laptops, do you know what they’re doing? It is easy to intercept information on these public networks because your laptop already sees all the information being sent around you; it just ignores the traffic that isn’t meant for it. This means that with the right software installed, anyone can examine data packets intended for someone else on the network. If you’re not logging into your WordPress dashboard over an encrypted HTTPS connection, you are sending the login information in plaintext where every machine around you can see it.
A VPN service adds an additional layer of privacy and security to your internet communications by connecting you securely to a remote private network. All data that you send and receive is encrypted and passed through the VPN so that even if it was intercepted, it is encrypted rather than plaintext.
Here are some reputable VPN companies:
Take steps to secure your site now
As I said in the beginning, “security is an ever-moving target that can’t just be achieved by applying the ‘right settings’ to the website.” Sometimes the hardest part of implementing new security is getting the client or management to buy into the need for those changes. The corporate culture of prioritizing convenience over security is spread far and wide. Have them read this post and maybe that will help them understand why these changes are necessary. Chances are, you’re reading this because you’ve been tasked with securing the site. It’s ok to remind them of that.
Need help with the actual implementation? Let us know and we can help! We also have maintenance plans to help keep you updated and secure.