Exclusive by Ivica | 27 tips to keep your WordPress websites secure.
Why is website security important? Internet security is a key component of web design and development. Security issues can deter users from a website and cast a shadow of doubt on your brand. Website security protects your information and reputation, your visitors expect it, and Google likes it. Do not forget this, ever…
Improve your website security by following these 27 tips
1. Protect your computer (avoid being a risk factor)
About ten years ago there was a lot of media coverage about the need to install antivirus software. Today there is less talk of it, because much of the work of protecting a computer is now done by operating system vendors in their own software, which you have to update regularly.
This tip (keep your computer "clean") is step #1 in protecting your WordPress powered website from malware, spyware and trojans: if the machine you administer the site from is infected, a keylogger or a stolen browser session hands the attacker your WordPress, FTP and SSH credentials no matter how well the server itself is hardened.
2. Invest in secure WordPress hosting
Part of secure hosting is TLS: your hosting provider must be able to issue you a valid certificate (many do so free of charge via Let's Encrypt) or let you install your own. With it your site runs over HTTPS, browsers stop warning your users that the site is insecure, and your visibility in search results is not penalised. Beyond certificates, look at what the host does on its side: patched server software, isolation between customers on shared servers, malware scanning and a firewall in front of the site.
Start by ensuring your hosting company makes regular backups. A loss of data is equivalent to a fire in a traditional business!
Also, the host should take all other active and passive measures available to stop attacks in their tracks, and be able to tell you what those measures are.
3. Use HTTPS for encrypted connections (SSL certificate)
HTTPS (HyperText Transfer Protocol Secure) is plain HTTP carried over a TLS connection (TLS is the successor of SSL; the names are still used interchangeably). It encrypts the traffic between browser and web server and lets the browser verify the server's identity from its certificate. HTTPS used to be reserved for payment pages and other confidential transactions; today it belongs on every page of a site, and on the login form and admin area first of all, because that is where passwords and session cookies travel.
How does HTTPS differ from HTTP? HTTPS uses TCP port 443 by default and its URLs start with "https://"; HTTP uses TCP port 80 by default and its URLs start with "http://". In layman's terms, the S at the end of the protocol name means SECURE. The practical difference is that HTTP is sent in clear text, so anyone positioned between the visitor and the server (public Wi-Fi, a compromised router, an ISP) can read or alter it in a man-in-the-middle or eavesdropping attack and capture the login credentials and cookies of sensitive web accounts.
HTTPS was designed to resist exactly those attacks and is considered safe against them, provided the obsolete protocol versions (SSL 2.0 and 3.0, TLS 1.0 and 1.1) are disabled on the server and the certificate is valid. Once HTTPS works everywhere, redirect all HTTP requests to HTTPS and set the Strict-Transport-Security header so browsers refuse to fall back to plain HTTP.
4. Use the latest PHP versions
PHP is the scripting language WordPress (and most of the web) is written in. Run a currently supported branch: php.net lists which branches still receive security fixes, and a branch past its end of life gets none, so any PHP bug discovered afterwards stays exploitable on your server for good. Newer branches are also considerably faster.
If you are not on a supported version, it is quite possible your host simply never moved you. Ask for an upgrade, but test your plugins and theme on a staging copy first, because old code can break on a newer PHP.
5. Disable WordPress error reporting
Error reporting should be disabled on a live site because error messages and logs expose sensitive information: file system paths, database table names, plugin and PHP versions and sometimes fragments of queries, all of which help an attacker map your site and spot the vulnerable components. Enable it only while testing or troubleshooting. In wp-config.php that means WP_DEBUG and WP_DEBUG_DISPLAY set to false. If you must log errors on production, note that WP_DEBUG_LOG by default writes to wp-content/debug.log, which is reachable by URL unless you block it or give the constant a path outside the web root.
6. Disable the execution of PHP files in WordPress directories
If PHP execution is allowed everywhere, anyone who can get a file onto the server can run code on it. All they need is to upload a malicious PHP file, through a careless upload form, a vulnerable plugin or stolen FTP credentials, and then request it by URL; the web server obligingly executes it. The directory attackers aim for is wp-content/uploads, because it is writable by design and every media upload lands there. Configure the web server so that nothing under uploads is executed as PHP regardless of its file name, and consider the same for wp-includes and the rest of wp-content outside the plugin and theme directories.
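The following .htaccess for the uploads directory is an added example, not code from the original article. It assumes Apache with AllowOverride permitting FilesMatch and authorization directives in that directory; on nginx the equivalent is a location block in the server configuration that returns 403 for anything matching ^/wp-content/uploads/.*\.php$.

```apache
# wp-content/uploads/.htaccess  (added example for this article)
# Nothing under uploads is code, so deny every request whose name contains a
# PHP-style extension. The trailing (\.|$) also catches "image.php.jpg", which
# an AddHandler-based PHP setup would otherwise still execute.
<FilesMatch "\.(?i:php[3-8]?|phtml|phar)(\.|$)">
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

One caveat: an .htaccess file inside a writable directory can be overwritten by the same attacker who dropped the shell there. Where you control the server, put the rule in the virtual host configuration and set AllowOverride None for the uploads directory instead, so it cannot be undone from inside the web root.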
7. Check and change the file permissions (protect the data on your server)
File and directory permissions on a WordPress install should be tightly controlled. The WordPress recommendation is 755 for directories and 644 for files, with wp-config.php tightened to 600 (or 640 where the web server reads it through a shared group), and never 777 on anything: a world-writable file can be rewritten by any other account on a shared host or by any exploited script. Ownership matters as much as the mode: files should belong to your account, and only the directories that genuinely need writing at run time (uploads, caches) should be writable by the PHP process. If these recommendations are not followed, an attacker who gains a small foothold anywhere on the server can turn it into full control of your site.
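The script below is an added example for this article, not WordPress code: a small PHP CLI audit you can run against the web root to list (and with --fix, correct) everything that deviates from the 755/644/600 baseline. The constants and the check for wp-settings.php as the marker of a WordPress root are this example's own assumptions.

```php
<?php
// audit-perms.php: added example for this article (not WordPress code).
// Usage: php audit-perms.php /var/www/html [--fix]
// Reports every file or directory under a WordPress root whose mode deviates
// from the usual baseline: directories 0755, files 0644, wp-config.php 0600.
// With --fix it applies those modes. Anything world-writable is flagged loudly,
// because 0777 is never an acceptable answer to a permissions problem.

const DIR_MODE       = 0755;
const FILE_MODE      = 0644;
// Use 0640 instead if PHP runs as a different user than the file owner and
// reads wp-config.php through a shared group.
const WP_CONFIG_MODE = 0600;

function expected_mode(string $path, bool $isDir): int
{
    if (!$isDir && basename($path) === 'wp-config.php') {
        return WP_CONFIG_MODE;
    }
    return $isDir ? DIR_MODE : FILE_MODE;
}

/**
 * Walk $root and return [path, actual, expected, note] for each deviation.
 * Symlinks are skipped: chmod on a link would follow it to its target.
 */
function audit(string $root, bool $fix = false): array
{
    $findings = [];
    $paths    = [$root];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $info) {
        $paths[] = $info->getPathname();
    }

    foreach ($paths as $path) {
        if (is_link($path)) {
            continue;
        }
        $isDir  = is_dir($path);
        $actual = fileperms($path) & 0777;
        $want   = expected_mode($path, $isDir);
        if ($actual === $want) {
            continue;
        }
        $note = ($actual & 0002) ? 'WORLD-WRITABLE' : '';
        $findings[] = [$path, $actual, $want, $note];
        if ($fix && !chmod($path, $want)) {
            $findings[count($findings) - 1][3] = 'chmod failed (not the owner?)';
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root = rtrim($argv[1] ?? getcwd(), '/');
    $fix  = in_array('--fix', $argv, true);
    if (!is_file($root . '/wp-settings.php')) {
        fwrite(STDERR, "$root does not look like a WordPress root\n");
        exit(2);
    }
    foreach (audit($root, $fix) as [$path, $actual, $want, $note]) {
        printf("%-60s %04o -> %04o %s\n", $path, $actual, $want, $note);
    }
}
```

Run it without --fix first and read the list. If PHP runs as a different user than the owner of the files (common on hosts without PHP-FPM per account), wp-content/uploads and any cache directories will need group write access after the fix, and the right answer is to fix the ownership and the pool configuration rather than to loosen the modes.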
8. Install a WordPress backup solution
A backup is a copy of everything that makes up your website: the files (WordPress core, themes, plugins and your uploads) and the database, where WordPress stores posts, pages, products, users and settings. The database changes every time you add content, and if it is corrupted, or a plugin update goes wrong, your website stops working. With a recent backup you can restore the broken parts or replace everything and be back online quickly; after a compromise it is also the only trustworthy way to see what changed.
There are many tools for backing up WordPress: a backup plugin, your hosting provider's automatic backups, or a scheduled job on the server that dumps the database and copies the files. Whichever you use, store copies off the server (an attacker or a disk failure that takes the site also takes backups kept next to it), keep several generations so you can go back to a point before an infection, and test a restore occasionally: an untested backup is a hope, not a plan.
9. Use Web Application Firewall/WAF (and stop attacks before they even start)
Virusdie's website firewall runs in Berserk mode by default. To make the WAF less aggressive, navigate to the Settings section and select one of the three levels: Soft, Medium or Berserk; each level responds roughly twice as strongly as the one below it. Whatever product you use, a WAF sits in front of WordPress and rejects requests that match attack patterns (SQL injection, cross-site scripting, known exploit payloads, login brute force) before PHP ever sees them. It buys time and blocks the noise; it does not replace patching the vulnerable code behind it.
10. Take Advantage of Two-Factor Authentication
Two-factor authentication was developed in response to phishing and similar attacks in which criminals use fake (and often very convincing) websites and a large, resourceful arsenal of social engineering tools to obtain your username and password. With a second factor, a stolen password alone is no longer enough to log in. Set it up with a WordPress 2FA plugin backed by an authenticator app such as Google Authenticator, Authy or Duo, or by hardware security keys, and enable it first for every account with the Administrator role.
11. Limit login attempts
If an attacker cannot guess your password, they keep trying, usually with a script that works through lists of common passwords and leaked credentials against wp-login.php and xmlrpc.php. The Limit Login Attempts plugin tracks failed logins and locks out an IP address, or a username, after a set number of failures. Two caveats: large attacks rotate through thousands of IP addresses, so lockouts slow them down rather than stop them (which is why tip 10 matters), and if the site sits behind a proxy or CDN the plugin must be told which header carries the real client address, or it will either lock out the proxy for everyone or be trivially bypassed.
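To make the mechanism concrete, here is a minimal login throttle as an added example. It is not the Limit Login Attempts plugin and not WordPress core; it is a must-use plugin (a file dropped into wp-content/mu-plugins/) written for this article, and the thresholds, transient keys and function names are its own assumptions.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle
 * Description: Added example for this article. Not the Limit Login Attempts plugin
 * and not WordPress core; drop it into wp-content/mu-plugins/ to activate it.
 * Locks a (username, client IP) pair for SLT_LOCKOUT_SECONDS after SLT_MAX_ATTEMPTS
 * failed logins inside SLT_WINDOW_SECONDS, using WordPress transients for storage.
 */

const SLT_MAX_ATTEMPTS    = 5;
const SLT_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS;
const SLT_LOCKOUT_SECONDS = HOUR_IN_SECONDS;

function slt_client_ip(): string
{
    // Deliberately NOT reading X-Forwarded-For: a client can set it to anything,
    // which would let an attacker reset their own counter on every request. If the
    // site sits behind a trusted reverse proxy, take the address from the header
    // that proxy overwrites, and from nothing else.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function slt_key(string $username): string
{
    return 'slt_' . md5(strtolower($username) . '|' . slt_client_ip());
}

// Count a failure. wp_authenticate() fires this for wp-login.php, XML-RPC and
// application-password logins alike.
add_action('wp_login_failed', function ($username): void {
    $key  = slt_key((string) $username);
    $data = get_transient($key);
    if (!is_array($data)) {
        $data = ['fails' => 0, 'locked_until' => 0];
    }
    if ($data['locked_until'] > time()) {
        return; // already locked: rejected attempts must not extend the lock
    }
    $data['fails']++;
    $ttl = SLT_WINDOW_SECONDS;
    if ($data['fails'] >= SLT_MAX_ATTEMPTS) {
        $data['locked_until'] = time() + SLT_LOCKOUT_SECONDS;
        $ttl = SLT_LOCKOUT_SECONDS;
    }
    set_transient($key, $data, $ttl);
});

// While locked out, reject the login. Priority 999 runs after core's own checks
// (priority 20), so the lock holds even when the password is correct. Core fires
// wp_login_failed for this error as well, which is why the counter above refuses
// to extend an existing lock.
add_filter('authenticate', function ($user, $username) {
    $username = (string) $username;
    if ($username === '') {
        return $user;
    }
    $data = get_transient(slt_key($username));
    if (is_array($data) && $data['locked_until'] > time()) {
        $minutes = (int) ceil(($data['locked_until'] - time()) / 60);
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.', $minutes)
        );
    }
    return $user;
}, 999, 2);

// A successful login clears the counter for that username/IP pair.
add_action('wp_login', function ($user_login): void {
    delete_transient(slt_key((string) $user_login));
});
```

Keying on username plus IP means one attacker cannot lock a legitimate user out from elsewhere, but it also means a distributed attack spreads its failures across many keys; that is the inherent limit of this approach and the reason it complements, rather than replaces, a WAF and two-factor authentication.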
12. Use smart usernames and strong passwords
If you ask the average user of web hosting services how many usernames and passwords they use for different accounts and subscriptions, they will probably need a while before answering, and even then may not recall them all. Modern life entails a great many password-protected accounts. Users, however, often reuse the same credentials across cPanel, email, WordPress, FTP, SSH and so on, so one leaked password opens everything, and some even use personal information such as birthdays, names and addresses. Passwords that simple have no place on a web host and can have disastrous effects. Use a password manager, give every account its own long random password, and never reuse the WordPress admin password anywhere else.
Length matters more than anything else; a long random passphrase beats a short "complex" one. If you compose passwords by hand, make them long and draw on all four character categories:
– Upper case letters (A, B, C, D…)
– Lowercase letters (a, b, c, d…)
– Numbers (0, 1, 2, 3…)
– Keyboard symbols (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~)
13. Remove inactive users
Every account is a way in. Dormant accounts belonging to former staff, contractors or one-off collaborators still have passwords (often old, reused or already leaked) and nobody watches them, so identify users who have not logged in for months, remove them or downgrade them to Subscriber, and make offboarding a habit: when someone stops working on the site, their account goes the same day.
14. Change the default username “admin” user
WordPress does not let you change a username from the profile screen (the field is read-only), so the usual way is to create a new administrator with a non-obvious name, log in as that user, and delete the old "admin" account. When deleting, tick "Attribute all content to" and select the new user from the dropdown so the posts and pages created under the old account are kept rather than deleted with it. Keep expectations realistic: the username is not a secret (see tip 15; it can often be enumerated), so this removes the default guess from automated attacks but does not replace a strong password and two-factor authentication.
15. Preventing WordPress username capture
Attackers collect valid usernames before they start guessing passwords. On a stock install, /?author=1 redirects to /author/<username>/, the REST API lists accounts at /wp-json/wp/v2/users, and the login form's error text says whether a username exists. Close those leaks (a plugin or a few filters can do it) and put a firewall in front of the login: good web application firewalls automatically block IP addresses that produce repeated failed logins or bursts of 404 errors, which is exactly what a scanner enumerating authors or probing for pages that do not exist looks like. Blocking XSS and SQL injection payloads is a useful feature of the same firewalls.
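The following must-use plugin is an added example written for this article, not WordPress core and not any particular plugin's code. It closes the leaks named above for visitors who are not logged in; the file location (wp-content/mu-plugins/) and the exact wording of the generic login error are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Stop User Enumeration
 * Description: Added example for this article, not WordPress core code. Closes the
 * usual username leaks for visitors who are not logged in: /?author=N redirects,
 * the REST users endpoint, the users sitemap and tell-tale login error text.
 * Drop into wp-content/mu-plugins/.
 */

// 1. Author probing: /?author=1 normally 301s to /author/<login>/. Priority 1 runs
//    before redirect_canonical (priority 10), which is what performs that redirect;
//    it is unhooked for this request so the 404 stands.
add_action('template_redirect', function (): void {
    if (is_user_logged_in()) {
        return;
    }
    if (is_author() || isset($_GET['author'])) {
        global $wp_query;
        $wp_query->set_404();   // WordPress now serves the theme's 404 template
        status_header(404);
        nocache_headers();
        remove_action('template_redirect', 'redirect_canonical');
    }
}, 1);

// 2. REST API: /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> list every
//    account with its slug (the login name in most installs). Logged-in users keep
//    the routes because the block editor's author selector needs them.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 3. Core sitemaps (WordPress 5.5+) publish wp-sitemap-users-1.xml with one author
//    archive URL per user. Returning false drops that provider.
add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// 4. wp-login.php otherwise distinguishes "unknown username" from "wrong password",
//    and the lost-password form confirms whether an account exists. The same filter
//    covers both screens, so keep the wording neutral.
add_filter('login_errors', function (): string {
    return 'Login failed. Please check your details and try again.';
});
```

This reduces enumeration; it does not eliminate it. Comment author links, theme templates that print author names, and response-timing differences can still give names away, which is why the username should never be the secret: the password and the second factor are.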
16. Automatically log out idle users in WordPress (and prevent Third-Party issues)
The first step is to install the Inactive Logout plugin on your WordPress website.
To do this, open your WordPress dashboard, go to Plugins > Add New and search for "Inactive Logout". When you find the plugin, click "Install Now", then activate it and open the Inactive Logout settings from the dashboard menu.
On the plugin's settings page you will see the basic configuration options. Set the length of time a user may be inactive before being logged out: short enough that a session left open on a shared or stolen laptop is not usable hours later (the admin area deserves a shorter limit than the front end), but not so short that it annoys people and teaches them to work around it. Then enter the message that will be shown to the user after they are logged out.
17. Pay attention to User Roles (apply minimal user permissions and reduce the risk of Third-Party)
WordPress has five default roles: Administrator, Editor, Author, Contributor and Subscriber (plus Super Admin on multisite networks). Think carefully about who gets which role and what that role is for: give each person the lowest role that lets them do their job, and review the user list periodically, because roles only ever seem to go up.
18. Contributing as a Contributor or Editor
A Contributor can write and edit their own drafts but cannot publish them or upload media; someone with Editor or Administrator rights has to review and publish the post. An Author can publish and delete their own posts. An Editor can publish, edit and delete any post or page without approval.
Do your own day-to-day writing with a Contributor, Author or Editor account rather than an Administrator. If that account's password or session is stolen, the attacker cannot install plugins, edit theme files or create new administrators, which is what turns a stolen login into a compromised server. Keep the Administrator account for administration only.
19. Only use themes and plugins from trusted sources (avoid compromising your site)
Do not use "nulled" (pirated) or otherwise unofficial copies of premium WordPress plugins and themes. Themes and plugins can build anything from a simple website to a complex online business, and that power comes from the fact that they run as your site's PHP code: a nulled copy is routinely repackaged with a backdoor, spam injection or credential theft, and it can never receive the vendor's security updates. Install from the WordPress.org repository or directly from the vendor, check when the code was last updated and whether it is still maintained, and make sure what you are building is legal so it does not put you in danger or in an unpleasant situation.
20. Always use the latest version of WordPress, plugins and themes (and minimize security risks)
WordPress is free software built by a developer community. Each new release fixes bugs, including security bugs that by then are public and being exploited, adds features and improves performance. The same goes for every plugin and theme you run, which is where most WordPress compromises actually start. Keep minor core updates automatic (the default), turn on automatic updates for plugins and themes where you can, or at least check for updates weekly, and test on a staging copy first if the site is business-critical.
21. Uninstall unwanted themes and plugins
Unused themes and plugins are a security risk even when deactivated: their PHP files remain on disk, are often reachable directly by URL, and nobody updates them. It is easy to forget old themes you tried and did not keep, but every one of them is an opening, so delete them rather than merely deactivating them. Keep one default theme installed as a fallback in case your active theme breaks.
22. Disable theme and plugin editor
By default WordPress ships with a theme and plugin file editor (Appearance > Theme File Editor and Plugins > Plugin File Editor) that lets any administrator edit PHP files from the dashboard. That is exactly what an attacker who has obtained an administrator session wants: a text box in which to add a backdoor to functions.php. Disable it; legitimate code changes belong in version control and a deployment process, not in the browser.
To disable both editors, add these lines to wp-config.php, above the comment that says "That's all, stop editing!":
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
DISALLOW_FILE_EDIT removes only the editors. DISALLOW_FILE_MODS goes further and also blocks installing and updating plugins, themes and core from the dashboard, automatic updates included, so set it only if you update through another channel such as WP-CLI or a deployment pipeline; otherwise it works against tip 20.
23. Disable directory indexing and browsing
To keep your website secure, disable directory listings. With indexing on, a request for a directory that has no index file returns a list of its contents, exposing the server's internal structure: plugin versions, forgotten backup files, upload names, anything someone left in a folder. That alone is not a compromise, but it hands an attacker a map and can reveal files that other controls were supposed to hide. It is a quick fix, so do it right.
To disable directory browsing in WordPress you have to add a single line of code in your WordPress site’s .htaccess file located in the root directory of your website:
Options -Indexes
24. Disable XML-RPC
XML-RPC (xmlrpc.php) is a legacy remote API. It has been misused for brute-force logins, because its system.multicall method lets one request test hundreds of passwords, and for reflected DDoS through the pingback.ping method; on unpatched WordPress versions the pingback code itself has had vulnerabilities. Unless something you rely on needs it (legacy mode of the WordPress mobile apps and some Jetpack features do), disable it. You can install the Disable XML-RPC plugin to do so.
However, this simple filter, placed in a plugin or your theme's functions.php, does the same thing the plugin does:
add_filter( 'xmlrpc_enabled', '__return_false' );
Note that this filter only turns off the XML-RPC methods that require authentication; pingback.ping stays reachable, so it stops the brute forcing but not the pingback abuse. To close that too, remove the methods themselves (WordPress offers the xmlrpc_methods filter for this) or block requests to xmlrpc.php at the web server with a .htaccess rule, which also spares your server the work of answering them at all.
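The following must-use plugin is an added example for this article, not WordPress core and not the Disable XML-RPC plugin's code. It shows the complete version of the idea: authenticated methods off, the method table emptied so pingback.ping is gone as well, and the headers and link tags that advertise the endpoint removed. The file location in wp-content/mu-plugins/ is this example's assumption.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC Completely
 * Description: Added example for this article, not WordPress core code.
 * xmlrpc_enabled alone only disables methods that need a login; pingback.ping and
 * the demo.* methods stay reachable, so pingback reflection abuse is not stopped
 * by it. This removes every WordPress method and stops advertising the endpoint.
 * Drop into wp-content/mu-plugins/.
 */

// No authenticated methods: XML-RPC logins are brute-force bait (system.multicall).
add_filter('xmlrpc_enabled', '__return_false');

// No WordPress methods at all. The server still answers system.listMethods and
// friends, but pingback.ping, demo.* and the wp.*/blogger.*/metaWeblog.* families
// are gone, so every call returns "method not found". PHP_INT_MAX runs last, after
// any plugin that registers its own methods.
add_filter('xmlrpc_methods', function (array $methods): array {
    return [];
}, PHP_INT_MAX);

// Stop telling the world where the endpoint is: the X-Pingback response header on
// single posts and the <link rel="EditURI"> (RSD) tag in the page head.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

The PHP-level approach has one advantage over a plain .htaccess deny: it keeps working if the site moves to a different web server. If you also block xmlrpc.php at the web server, do it with a 403 rather than a redirect, and remember that anything which genuinely needs XML-RPC (the mobile apps' legacy mode, Jetpack) will stop working either way.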
25. Lock your WordPress admin
The best option is a web application firewall (WAF), which monitors website traffic and blocks suspicious requests before they reach WordPress (see tip 9).
You can also put a second lock on /wp-admin at the web server: HTTP basic authentication for that directory (cPanel calls this Directory Privacy; by hand it is an .htaccess with AuthType Basic plus a .htpasswd file stored outside the web root) or an allowlist of the IP addresses you administer from. A second, independent password in front of the login form means a stolen WordPress password alone is not enough, and automated attacks against wp-login.php never reach PHP. Two caveats: /wp-admin/admin-ajax.php is called by many themes and plugins for visitors who are not logged in, so it must stay reachable for them, and the login form itself is /wp-login.php, outside the wp-admin directory, so protect that file the same way.
26. Protect the wp-config.php through .htaccess files
At the end of the .htaccess file in the WordPress root, add the following lines:
#secure wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
These lines block HTTP requests for wp-config.php. Normally the PHP handler executes the file and returns nothing, but if PHP is ever misconfigured or disabled, the raw file, with your database credentials and secret keys, would be served as plain text. The rule does nothing against an attacker who already runs code on the server; for that, the file permissions from tip 7 are what count. Order/Deny is Apache 2.2 syntax and Require all denied is Apache 2.4, hence both forms above. On nginx, add a location block for wp-config.php that returns 403 in the server configuration.
27. Remove the WordPress’ version number
To remove the WordPress version number from the generator tag in your pages' head and from RSS feeds, add the following snippet to a plugin or your theme's functions.php:
function remove_version() { return ''; }
add_filter( 'the_generator', 'remove_version' );
This removes one fingerprint, not the fingerprint. The version also shows in readme.html in the web root and in the ?ver= query string on core scripts and styles, and scanners identify WordPress versions from file hashes anyway. Treat it as tidiness; the real defence against version-specific exploits is tip 20, keeping the software current.
Website security matters for many reasons. Without it, websites are open to anyone who cares to try, and attacks arrive from many directions: stolen credentials, vulnerable plugins, misconfigured servers, infected administrator laptops. No single measure covers all of them, so layer the tips above rather than picking one, keep the basics (updates, backups, strong authentication) current, and apply the same standard to your clients' sites as to your own.
———
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.
Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.