Why does security matter?
I am paranoid about the security of my website and its readers. After having invested money and lots of effort, time and creativity, I do not want to see my site go down the drain. I am sure anyone would agree with that. Emotions apart, when you start your blog or e-commerce store, your website is the most critical resource of your business, and you need to keep your WordPress website secure at all times.
The world (more so the Internet) is not a safe place. There is a constant, round-the-clock threat from opportunistic individuals and organisations. It does not help that we use the world's most widely used web software, WordPress, which is under constant onslaught from the bad guys. It is certainly a cat and mouse game between us and them.
Many website owners either ignore or are unaware of the security implications for their websites. It is a good idea to spend about 30 minutes learning to secure your website.
What goes wrong with bad security?
There are numerous things that can go wrong when a website gets hacked:
- The site is defaced with irrelevant or offensive content.
- Loss of reader and administrator account data.
- Worse, loss of access to the administrator accounts.
- The domain gets blacklisted, and e-mails from it are marked as spam and not delivered to recipients.
- The site is blacklisted and search engines show your readers a red warning page instead of your content.
- Loss of bandwidth when large or high-traffic files (possibly of the offensive type) are hosted on your server without your knowledge.
- Backdoors are installed and the server acts as a dormant node of a botnet that may be activated during massive attacks.
- Malware is spread to your readers.
I believe there are hundreds of such known possibilities, and of course new ones continue to be invented. Apart from the loss of business, there may be extreme and irrecoverable financial loss.
As website owners, it makes sense to spend some time fortifying the website and periodically reviewing its security.
Checklist to secure your WordPress website
1. Credible hosting provider
Our websites are hosted on physical infrastructure provided by hosting providers. The security of this infrastructure is the first line of defense for our websites. Opt for hosting providers who provide current, updated versions of WordPress, PHP, databases (MySQL, …) and configuration software (cPanel, Plesk, Webmin, …), run security software such as malware scanners, firewalls and intrusion detection systems, and are in general security conscious and responsive.
I host my websites with SiteGround.com. I find them at the top of their game. They have AI-powered security systems that constantly detect and block hacking attempts. Their account isolation feature ensures my website is not impacted by issues with others' websites. In my other post, I have provided detailed steps to get started hosting websites with SiteGround.
2. Themes and Plugins from reliable sources
A majority of the vulnerabilities in WordPress installations in the recent past are due to infected or outdated themes and plugins. I never download WordPress themes and plugins from torrent or unreliable sites; they are very likely to be infected with malware.
Install themes and plugins from the WordPress repository or from reliable, well-known developers such as ThemeForest, Themify.me and many others. Ensure the themes and plugins have been updated recently. Unmaintained themes and plugins are likely to be vulnerable to recent attacks; avoid installing them at all costs.
3. Periodic full site backups
Ask any IT person: backups are the life saver in case of an unexpected disaster. Computers fail and software gets wrecked at some point in time. If you have the website configured for periodic backups, you can always roll back to the last good state with minimal loss.
You can configure one of the many backup plugins. This site has the BackWPup plugin configured to back up the entire site every week.
One important note: configure the backup plugin to back up the full site (core PHP code, themes, plugins and the database) periodically (typically every week) and store the backup archive in a remote location (on your laptop, in Dropbox or with any other cloud provider). This ensures all is not lost even if your hosting provider is wrecked.
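As an added example (not code from the original post or from the BackWPup plugin), here is a Python script that performs the full-site backup described above and, just as importantly, verifies the archive before you trust the copy stored off-site. It assumes the WordPress root directory is passed as `wp_root` and that a database dump file, if any, has already been produced separately (for instance with mysqldump, which this script does not run); the small site tree built in `demo()` is constructed for the example.

```python
"""Full-site WordPress backup with an integrity check (added example)."""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from typing import List, Optional

# What a "full site" archive must contain: the config holding the DB
# credentials, plus the themes and plugins directories under the root.
REQUIRED_MEMBERS = ("wp-config.php", "wp-content/themes", "wp-content/plugins")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large archives never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_site(wp_root: str, dest_dir: str, db_dump: Optional[str] = None) -> str:
    """Archive the WordPress root (and a DB dump, if given) into dest_dir.

    Returns the archive path. A .sha256 sidecar in sha256sum format is written
    next to it so the copy kept on a laptop or cloud drive can be checked.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(dest_dir, f"site-backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        # arcname="site" keeps the archive relocatable: no absolute paths inside.
        tar.add(wp_root, arcname="site")
        if db_dump is not None:
            tar.add(db_dump, arcname="database.sql")
    with open(archive + ".sha256", "w", encoding="utf-8") as fh:
        fh.write(f"{sha256_of(archive)}  {os.path.basename(archive)}\n")
    return archive


def verify_backup(archive: str, expect_db: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the backup is usable."""
    problems = []
    sidecar = archive + ".sha256"
    if not os.path.exists(sidecar):
        problems.append("missing checksum sidecar")
    else:
        with open(sidecar, encoding="utf-8") as fh:
            recorded = fh.read().split()[0]
        if recorded != sha256_of(archive):
            problems.append("checksum mismatch: archive altered or truncated")
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    for member in REQUIRED_MEMBERS:
        if f"site/{member}" not in names:
            problems.append(f"archive lacks {member}")
    if expect_db and "database.sql" not in names:
        problems.append("archive lacks database dump")
    return problems


def demo(with_db: bool = True) -> List[str]:
    """Build a constructed site tree, back it up and report verification problems."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")
        for sub in ("wp-content/themes/mytheme", "wp-content/plugins/myplugin"):
            os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed sample config\n")
        dump = None
        if with_db:
            dump = os.path.join(tmp, "dump.sql")
            with open(dump, "w", encoding="utf-8") as fh:
                fh.write("-- constructed sample dump\n")
        out = os.path.join(tmp, "backups")
        os.makedirs(out)
        archive = backup_site(root, out, dump)
        return verify_backup(archive, expect_db=True)


if __name__ == "__main__":
    print(demo())            # [] when the archive is complete
    print(demo(with_db=False))  # reports the missing database dump
```

Run `verify_backup` against the remote copy, not the one on the server: a backup that was never restored or checked is only a hope, and the checksum catches the truncated uploads that cloud sync tools sometimes leave behind.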
4. Always up-to-date WordPress installation
Your WordPress website depends on many moving parts, and all of them must be kept current for it to work correctly and securely.
- Operating system, PHP, database (typically MySQL) and configuration software (cPanel or others): the software in this list is managed by your hosting provider. Ask them whether it has been updated to the latest versions.
- Core WordPress software: WordPress is maintained by an amazing team that is always on the edge, fixing security issues as they are discovered and releasing updates. When an update or new version is released, the information is shown on your website's Admin page. Before you apply the updates, ensure you back up the site and store the archive in a safe location.
- Themes and plugins: this is where it gets trickier. Some developers fix their themes or plugins as soon as security issues are discovered; others are not responsive. As a consumer, when an update is available, apply it to your site at the earliest opportunity. For unmaintained themes or plugins, look for alternatives that provide similar features and are under regular maintenance.
5. Fortify your website
Now, the next step is to plug all the cracks in your website.
- Web Application Firewall: plugins like WordFence, Sucuri and iThemes Security constantly scan the traffic to your website, access to and modifications of its files, and brute-force login attempts, and block such suspicious operations. Install one of the above web application firewalls and configure it according to your threat perception.
- Block file editing in the Admin page: if a hacker gets access to your site's Admin page, they can easily modify the code (Appearance > Editor and Plugins > Editor). We need to prevent, or at least make difficult, such nefarious operations. Use the File Manager in cPanel or an FTP client and edit the wp-config.php file. Add the following line at the end of the file.
define( 'DISALLOW_FILE_EDIT', true );
- Prevent access to critical code: the files wp-config.php and .htaccess contain sensitive configuration information and control how file requests are handled. You need to block direct web requests to them. Again, use the File Manager or FTP client, edit the .htaccess file and add the following at the end of the file.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
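The two edits above are easy to get subtly wrong (a commented-out define, a block with the wrong file name). As an added example, not code from the original post, here is a small Python checker that reads wp-config.php and .htaccess and reports whether DISALLOW_FILE_EDIT is active and whether both files have a deny-all block. It goes slightly beyond the page: besides the Apache 2.2-style order/deny directives shown above it also accepts the Apache 2.4 form `Require all denied`. The file contents at the bottom are constructed samples.

```python
"""Audit wp-config.php and .htaccess for the two hardening steps (added example)."""
import re
from typing import Dict, List

# An active define('DISALLOW_FILE_EDIT', true); with any quoting or spacing.
# The anchor [ \t]* (not \s*) keeps a line starting with // or # from matching.
_FILE_EDIT_RE = re.compile(
    r"^[ \t]*define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)\s*;",
    re.IGNORECASE | re.MULTILINE,
)
# One <Files name> ... </Files> block; Apache directive names are case-insensitive.
_FILES_BLOCK_RE = re.compile(
    r"<files\s+\"?([^\s\">]+)\"?\s*>(.*?)</files\s*>", re.IGNORECASE | re.DOTALL
)
_DENY_ALL_RE = re.compile(r"\bdeny\s+from\s+all\b|\brequire\s+all\s+denied\b", re.IGNORECASE)


def file_edit_disabled(wp_config: str) -> bool:
    """True when wp-config.php contains an active DISALLOW_FILE_EDIT = true."""
    return _FILE_EDIT_RE.search(wp_config) is not None


def protected_files(htaccess: str) -> List[str]:
    """Names of files whose <Files> block denies all web access."""
    return [name for name, body in _FILES_BLOCK_RE.findall(htaccess)
            if _DENY_ALL_RE.search(body)]


def audit(wp_config: str, htaccess: str) -> Dict[str, bool]:
    """One boolean per check from the post: file editing off, both files blocked."""
    locked = protected_files(htaccess)
    return {
        "disallow_file_edit": file_edit_disabled(wp_config),
        "wp-config.php_blocked": "wp-config.php" in locked,
        ".htaccess_blocked": ".htaccess" in locked,
    }


# Constructed samples: a hardened pair and an untouched pair.
HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
"""
HARDENED_HTACCESS = """# BEGIN WordPress
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""
DEFAULT_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );
"""
DEFAULT_HTACCESS = "# BEGIN WordPress\nRewriteEngine On\n"

if __name__ == "__main__":
    print(audit(HARDENED_WP_CONFIG, HARDENED_HTACCESS))  # all True
    print(audit(DEFAULT_WP_CONFIG, DEFAULT_HTACCESS))    # all False
```

Two caveats when you apply the result: on Apache 2.4 the order/deny directives only work while mod_access_compat is loaded, so if your host runs 2.4 without it the native `Require all denied` form is the one that takes effect; and WordPress's own guidance is to place the DISALLOW_FILE_EDIT define above the "That's all, stop editing!" line in wp-config.php, which the checker deliberately does not enforce.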
- Hide your login page: you need to frustrate attackers and send them on a wild goose chase. Install the WPS Hide Login plugin and customize the default login URL. Remember to bookmark the new URL so that you can find it the next time you need to log in.
- Spam protection: creative hackers invent text combinations (aka spam) that can wreck your website and post them as comments on your blog pages. Install the Akismet plugin and sign up for their service. They do great work and always stay on top of their game.
6. Periodic Security Audit
Security is never a one-time effort but a continuous process. You need to log in to the Admin page regularly and ensure there are no unexpected changes. The WP Security Audit Log plugin records all login attempts, file changes and plugin installs/uninstalls. You can vet these logs and take corrective action if required.
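Vetting those logs by eye does not scale, so as an added example (not part of the original post, and not the WP Security Audit Log plugin's export format) here is a Python script that runs two simple detections over an activity log: repeated failed logins from one IP inside a short window, and a summary of which user changed which file. The line format and the sample lines are constructed for the example; a real export would need its own parser in `parse_line`.

```python
"""Two detections over a constructed WordPress activity log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed format: ISO-8601 UTC timestamp, event name, then key=value pairs.
_LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one log line into (timestamp, event, fields)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


def failed_login_bursts(lines: Iterable[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {ip: most failures seen inside one window} for IPs at/above threshold.

    A sliding window over the sorted timestamps per IP finds the densest burst,
    which is what a password-guessing attempt looks like in the log.
    """
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, event, f = parse_line(line)
        if event == "login_failed":
            per_ip[f["ip"]].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def file_changes_by_user(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each user to the files they changed, so unexpected edits stand out."""
    changes: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        _, event, f = parse_line(line)
        if event == "file_modified":
            changes[f["user"]].append(f["path"])
    return dict(changes)


# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z login_failed user=admin ip=203.0.113.5",
    "2024-05-01T10:00:03Z login_failed user=admin ip=203.0.113.5",
    "2024-05-01T10:00:04Z login_failed user=administrator ip=203.0.113.5",
    "2024-05-01T10:00:06Z login_failed user=admin ip=203.0.113.5",
    "2024-05-01T10:00:09Z login_failed user=wpadmin ip=203.0.113.5",
    "2024-05-01T10:00:12Z login_failed user=admin ip=203.0.113.5",
    "2024-05-01T10:15:00Z login_failed user=editor ip=198.51.100.7",
    "2024-05-01T10:16:10Z login_success user=editor ip=198.51.100.7",
    "2024-05-01T11:02:00Z file_modified user=editor path=wp-content/themes/mytheme/functions.php",
    "2024-05-01T23:40:00Z file_modified user=unknown path=wp-content/uploads/unexpected.php",
]

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))   # {'203.0.113.5': 6}
    print(file_changes_by_user(SAMPLE_LOG))  # a PHP file under uploads, by an unknown user
```

The editor who mistyped a password once is not flagged; the IP that tried six times in eleven seconds is, and the second report surfaces a PHP file appearing under wp-content/uploads, a directory that should only ever hold media.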
7. Remote Access
This step is all about ensuring secure access to your website. We need to discuss your laptop/PC, how you connect to the Internet and the tools/applications that you use to upload files to your site.
- Your personal device: on your laptop/PC, ensure there is no malware, keylogger or other such application. Install a good anti-virus and run a full scan before you connect to your website.
- Internet connection: when you are on the go, never connect through public WiFi access points. If you have to, connect to a good VPN service first and then log in to your website.
- Tools/applications: any application that you use to connect to your site should support an encrypted mode. Configure your FTP client (FileZilla or any other) to connect using SFTP (not FTP) and, similarly, use SSH for console access.
8. Stronger Passwords
This is usually the first quoted best practice in every security guide, yet in most media reports I find weak password management cited as the #1 cause of security lapses. Rather than memorizing my passwords, I prefer to generate random, longer passwords and then use a password manager to store them.
Password generator – Strong Password Generator
Next, an important tip is to use a different password for every service you use with your website: hosting provider, WordPress, database, cPanel, Facebook, Twitter, Google, MailChimp and so on. This ensures that in the event of a compromise, the loss is restricted to that one service.
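If you would rather generate passwords yourself than through a website, the following Python script is an added example (not code from the original post or from the generator linked above). It draws every character from the operating system's cryptographic random source via the `secrets` module, estimates the resulting entropy, and produces one independent password per service so the "different password everywhere" rule holds by construction. The service names and the alphabet are choices made for the example.

```python
"""Per-service random passwords with an entropy estimate (added example)."""
import math
import secrets
import string
from typing import Dict, Iterable

# Letters, digits and a punctuation subset that most login forms accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length: int = 20) -> str:
    """Draw each character with the CSPRNG behind `secrets`, never `random`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Re-draw the rare password that misses a character class so every
        # output also satisfies the usual "mixed case, digit, symbol" rules.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly drawn password: length * log2(alphabet size).

    The class re-draw above discards a tiny fraction of outcomes, so this is a
    close upper bound rather than an exact figure.
    """
    return length * math.log2(alphabet_size)


def passwords_for(services: Iterable[str]) -> Dict[str, str]:
    """One independent password per service, so one leak exposes one account."""
    return {service: generate_password() for service in services}


def all_distinct(vault: Dict[str, str]) -> bool:
    """The post's rule: no password is shared between two services."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    vault = passwords_for(["hosting", "wordpress", "database", "cpanel"])
    for service, pw in vault.items():
        print(f"{service:10s} {pw}")
    print(f"{entropy_bits(20):.1f} bits each, all distinct: {all_distinct(vault)}")
```

Twenty characters from this 84-symbol alphabet give roughly 128 bits, far beyond what online guessing or an offline crack of a leaked hash can reach; the point of storing them in a password manager is that you never need to remember or retype them.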
9. Cleanup unrequired stuff
This step is overlooked by most website administrators. Do not skip it. Over time, many unneeded files accumulate on your site. Apart from taking up disk space, there may be critical vulnerabilities lurking in them.
Identify unused themes, plugins, images, databases, troubleshooting applications (phpMyAdmin, …) and other WordPress installations, and delete them.
If you created any temporary users, delete them to avoid their misuse.
As I said earlier, security is really a cat and mouse game. You need to continuously monitor and secure your WordPress website. Any inactivity or oversight can cost your business dearly. Fortunately, the WordPress ecosystem is highly responsive to security incidents and offers many options in terms of features and support.
If your website is hacked, the team at WordFence (and other WordPress security companies) can help you recover it. Check the WordFence site recovery page.
You can verify whether your website or e-mail domain has been blacklisted using the following links:
As always, I welcome your comments suggesting improvements or pointing out errors in this article. Have a safe day!
This article may contain affiliate links to a few recommended products. At no extra cost to you, the merchant may pay a small commission to me. Please refer to the Disclaimer page for complete details.