Securing your WordPress site

Last Updated on September 20, 2020 by Christopher G Mendla

Just because you are paranoid doesn’t mean they aren’t out to get you. WordPress sites are often under attack within the first hour of going public. There are steps that you should take to protect your site.

Overview

The following is THE MINIMUM you need to do to secure your WordPress site.

The problem

Hackers make money with every site they compromise. For a detailed explanation / case study see our article on Pharma Hacks. When a new WordPress site hits the Internet, it is under attack almost immediately. Remediating a compromised site is costly, time consuming and not always successful.

Protecting your site.

Security Plugins and other tools

There are a number of security related plugins. A WordPress site may have a dozen or more plugins in order to provide the required functionality. Our article on common WordPress plugins details how to choose plugins and describes some of the common security tools.

The most common type of attack is a Brute Force attack or a variation of a brute force attack. This is where the attacker tries to guess the credentials for your site.

WordFence

WordFence is a plugin that provides a firewall based on the behavior and characteristics of visitors. Firewalls are, by nature, complex and have a learning curve. WordFence will block certain visitors based on parameters that you set.

Country

You can block visitors by country. Suppose you have a website for a typical local auto repair shop in the United States. For the most part, visitors from other countries such as Australia, China, Russia etc will have little value.

On the other hand, if you are near the Canadian Border, you might want to be visible to Canadian visitors.

You can set which countries can see your site. In the example of a site for a local brick and mortar business, this will block visits from countries where hacking is prevelant.

Attempted admin logins with the wrong user ID.

Hackers will often attempt to guess the credentials for a site. They will use variation of the site name as well as common possibilities such as ADMIN and ADMINISTRATOR. You can set WordFence to block users who try these common admin account names.

Three strikes and yeeeerrrr OUT.

Another common setting is to block a user if they fail to log into the admin account a certain number of times. For example, if they fail 3 times within 15 minutes you can block that IP for 24 hours. Keep in mind that this could block you if you ‘mess up’ when entering your credentials.

WordFence Summary:

Wordfence has a free and pro version. If you are running a WordPress site, it is imperative to have some type of protection, especially against brute force password attacks.  In a worst case scenario, the attackers will get lucky and guess the admin password. Even in a best case scenario, the repeated login attempts consume resources.

Hide your admin url

One simple trick is to hide your admin url. This is the url where you enter your credentials to log into the administrative tools for your site. You can simply change the WordPress admin url. If attackers can’t find the login page, they can’t try to guess the credentials.

Backup your site

Taking periodic backups can help you recover if your site gets hacked. This is an absolutely last ditch tactic. If you monitor your site regularly and find evidence of hacking, you can load a backup of the site as it was prior to when it was hacked.

This works best with sites that are not e-commerce and have little user interaction. If you have an online store or a lot of user comments, then this will cause you to lose valuable information in terms of sales and user comments.

Don’t use dirt cheap hosting

I have seen several cases, mostly with very cheap hosting, where an attacker can gain access to one site on shared hosting and then use that breech to gain access to other hosting accounts and sites.

Don’t use easily guessed or short passwords.

WordPress generates a very secure password. You can use the auto generated password or your own password.

Two Factor Authentication

Security can be enhanced by requiring another means of authentication in addition to your password. This can be a little annoying at first but it will add a great layer of security

Least Rights principle.

The principle of least rights means only giving users the rights they need in order to do their jobs. Users in WordPress can have different levels of rights. Suppose you have a company where you need to have several people adding and editing content on the site.

You can make everyone an administrator which is the highest level of rights. BUT if any an attacker gains access to any of those accounts, they will have access to the entire site.

You should understand the various levels of permissions and assign the user the correct role such as Editor, Author or Contributor. Each of these roles will allow the user to perform specific tasks.

Keep your WordPress installation and plugins updated

WordPress is constantly updated. You should always keep your WordPress installation and plugins updated. You should also keep an eye out for any news about vulnerable plugins. You can do that by subscribing to the WordFence newsletter and/or setting up Google alerts for “WordPress Vulnerability”

Templates are also can allow a site to be compromised.

Use only the plugins you need.

It can be very tempting to add a lot of plugins to your site. While plugins add features and functionality, they also increase the vulnerability of your site. In other words, your site is only as secure as the most vulnerable plugin you have installed.

Hosting and domain security

In addition to locking down your WordPress site, you should also make certain that your hosting account and domain registration is secure. This can be done with strong passwords and two factor authentication. If an attacker can gain access to your hosting account, they can easily compromise your WordPress site.