WordPress Website security – step by step

Why is WordPress website protection vital?

Security problems of WordPress sites are as relevant as ever. While some people are interested in your content, others want to break or steal it: perhaps competitors, but for the most part people who are simply hunting for easy money. According to statistics, WordPress is one of the most popular content management systems and powers about a quarter of all websites. That huge reach makes WordPress a target of interest for attackers, who constantly refine their techniques to harm your content and the safety of your visitors.

So you built your blog on WordPress and started filling it with content, installing plugins and promoting the site on the Internet.

Some facts about WordPress:

  • 35-40% of the sites launched worldwide in 2017 run on WordPress;
  • more than 125 million sites worldwide run on the WordPress engine (as of the beginning of 2017);
  • approximately 50,000 free plugins are available in the official plugin directory;
  • more than 300,000 WordPress developers were registered in 2017;
  • only 20% of users install plugins to protect WordPress.

As you can see, the platform is actively developing and millions of people use it, but only one webmaster in five worries about the security of the WordPress sites they own.

Why would someone attack a WordPress site?

WordPress sites are hacked both automatically, by various bot programs, and manually. The first kind is the most common and has a massive reach. Your site may be a large portal with several thousand visitors a day or a personal blog with a dozen readers, including you; from time to time the news reports mass attacks on WordPress sites of every size. Automatic hacking relies on security flaws in WordPress itself as a platform. Sites running an old version of the engine are especially exposed, because the developers constantly analyse the causes of successful WP break-ins and fix the flaws in new versions.
With automatic hacking of WordPress sites, attackers may be guided by the following motives:

  • Website theft: copying the whole resource to a new domain in order to appropriate the developer's work, monetise the resource, and so on;
  • Obtaining links from the resource to build a network of satellite sites and improve a link profile;
  • Blackmail;
  • Obtaining users' personal data or other commercially useful information;
  • Making a profit by substituting information on the site (replacing card numbers or payment details);
  • Using the site to infect its visitors, or to send out e-mails or programs carrying malware;
  • Redirecting your traffic to the attacker's own resources;
  • Using the server's resources to store their data, or as a launch point for more efficient attacks on other sites.

With manual hacking, in addition to these reasons, attackers may be driven by personal motives, among which may be:

  • Revenge;
  • Envy;
  • Eliminating a direct competitor;
  • Hacking a WordPress site to order.

This is only a small part of the possible motives of intruders, which include both commercial motives and human weaknesses.

That is why WordPress security settings are an important stage in the development of any website. If they are neglected, sooner or later your site will be infected with malicious code or hacked.

How are WordPress sites attacked?

35% of WordPress hacks are due to vulnerable plugins. Even the best WordPress defences do not help if you install a plugin whose vulnerability or backdoor was deliberately planted by an attacker. The same applies to code from unverified sources installed on a site by users with little knowledge of programming.

30% are carried out through insecure themes in which vulnerabilities are present deliberately or by accident. Conclusion: use paid themes from reliable suppliers. I personally recommend TemplateMonster, where all templates pass strict moderation by professionals for security and functionality.

20% come from a compromised hosting platform. The site owner has little influence on the security of the hosting, so choose a high-quality host with positive feedback and a proven reputation from the start.

15% of WordPress hacks are due to a weak password. Attackers simply guess or brute-force passwords, hacking sites automatically or manually.

WP site security has to be addressed comprehensively: even if you use WordPress security plugins but at the same time install unverified code on your site, you are at risk.

Is it possible to reliably protect a WordPress website?

Absolutely. The number of website owners who care about the security of their sites grows every year, and as a result protected WP sites far outnumber hacked ones.
To ensure reliable WordPress security you only need to follow certain recommendations, which are in fact very simple and in some cases even primitive.

A list of simple rules for keeping a WordPress website secure

1. Regularly update the WordPress version

The main and most basic protection against hacking a WordPress site is regularly updating the engine. Thousands of attackers search day and night for vulnerabilities in WordPress versions, so the sooner you update, the longer the security of your resource will last.
From the moment a hole is revealed to the hacking of hundreds of thousands of sites it sometimes takes only a few days. That is why the WordPress developers wage an unequal battle with hackers around the world, constantly releasing updates that eliminate errors and weaknesses.
It would be foolish not to use them. Install an update immediately after its release!
For the same reason it is highly undesirable to make your own corrections to the engine code: the next update overwrites the core files and your changes will be lost.
If you need to change how the site works, edit only theme files and the theme's functions.php, where the WordPress API (hooks and filters) lets you achieve the desired result; and since theme updates overwrite theme files in the same way, put such changes in a child theme or a small plugin of your own.
One more thing. Although this has already been discussed, it is worth repeating: before updating, back up the site files and the database, because on the new version of the engine some obsolete functions and WP plugins may stop working.

2. Monitor the condition of plugins and themes

Constantly updating WordPress plugins and themes is very important to prevent attackers from exploiting their vulnerabilities to plant malware. Plugins and themes can become deprecated or contain bugs or vulnerabilities that pose a serious danger to your website. To protect your WordPress site, we advise auditing your plugins and themes on a regular basis.

Note

To make it easier to keep track of updates and apply updates to plugins, themes and the WordPress core automatically, you can use the Security Updater function of the WebDefender plugin.

WebDefender Updater: settings for automatic WordPress updates

The function helps you keep track of plugins' security upgrades and gives you control over which plugins are allowed to update.

The function has three separate blocks for managing the settings for themes, plugins and the WordPress core.

WordPress Core Updates

(screenshot: WordPress core updater settings)

WordPress Plugin Updates

By default, automatic background updates of plugins and themes happen only in special cases, as determined by the WordPress.org API response, which the WordPress security team uses to push patches for critical vulnerabilities.

To enable or disable updates in all cases, select here the plugins you want to allow to update:

(screenshot: plugin updater settings)

WordPress Theme Updates

By default, automatic background updates of themes happen only in special cases determined by the WordPress security team for patching critical vulnerabilities.

Please note: any customisations you have made to theme files will be lost when the theme updates. Consider using a child theme for modifications.

To enable or disable updates in all cases, select here the themes you want to allow to update:

(screenshot: theme updater settings)
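The same per-plugin and per-theme allow-listing can be done without any plugin, through the filters WordPress itself provides, and this also covers the advice in rule 1 about applying core updates promptly. The following is an added example written for this article; it is not WebDefender's code or that of any other plugin. It is a must-use plugin (a single file placed in wp-content/mu-plugins/), and the plugin and theme slugs in the allow-lists are hypothetical placeholders to be replaced with your own.

```php
<?php
/**
 * Plugin Name: Update policy (must-use plugin)
 *
 * Added example for this article, not WebDefender's code. Put this file in
 * wp-content/mu-plugins/ so it loads on every request before ordinary plugins.
 * Background updates are run by WP-Cron, so the site must receive traffic or
 * have a real cron job requesting wp-cron.php for them to happen at all.
 */

// Core: minor/security releases are applied automatically by default.
// Opt in to major releases as well (similar to WP_AUTO_UPDATE_CORE = true in wp-config.php).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Hypothetical allow-lists: directory slugs of plugins/themes that may update unattended.
// Anything not listed keeps WordPress's default behaviour (security pushes only).
function updpol_allowed_plugins() {
    return array( 'akismet', 'contact-form-7' );
}
function updpol_allowed_themes() {
    return array( 'twentyseventeen' );
}

// $item is the entry from the update transient: plugins carry ->slug,
// themes carry ->theme (the theme directory name).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, updpol_allowed_plugins(), true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, updpol_allowed_themes(), true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

// Hard block for a theme whose files were edited in place: an update would silently
// discard those edits. Runs at a later priority so it overrides the allow-list above.
// (Using a child theme makes this rule unnecessary.)
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && 'my-edited-theme' === $item->theme ) { // hypothetical slug
        return false;
    }
    return $update;
}, 20, 2 );

// Always get an e-mail about what the background updater did, including failures,
// so an update that broke something is noticed immediately.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_plugin_update_send_email', '__return_true' ); // WordPress 5.5+
add_filter( 'auto_theme_update_send_email', '__return_true' );  // WordPress 5.5+
```

Because the file lives in mu-plugins it cannot be deactivated from the dashboard, which is exactly what you want for an update policy: an attacker who gains a low-privilege account cannot quietly switch updates off.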
 

3. Delete deactivated plugins

Another omission that costs site owners dearly. If you used plugins and then deactivated them without removing them from the site, you are still at risk:
• deactivated plugins can still be used to inject malicious code: their files stay on the server, and a vulnerable file that can be requested directly by URL is exploitable whether or not the plugin is active;
• if you keep a deactivated plugin for some reason, it still has to be updated like an active one;
• the fact that a plugin was safe at installation time says nothing about its reliability in the future.

Keep the number of plugins to a minimum, because they can become not only an entry point for attackers but also slow the site down (especially if they call third-party service APIs).

Do not forget to delete deactivated plugins!

4. Download plugins and themes from trusted sources

When using plugins to extend the site's functionality you need to be extremely careful.
We recommend downloading all the plugins and themes you want to use on your site from the official WordPress site, or at least from well-known and verified sources.
Attackers often use "free download" sites to distribute plugins infected with malware or containing vulnerabilities.
It is especially tempting to download paid themes or plugins for free ("nulled" copies); be careful, this can cost you dearly later.

5. Use code from proven developers

When using pieces of code to extend the site's functionality as an alternative to plugins, you also need to be careful.
From my experience I can say that this is a good approach, because, unlike plugins, which anyone can write and which nobody reviews, such snippets are as a rule written by experienced developers.
In addition, scanning a short piece of code for malicious content takes far less time than checking a plugin, which can contain several dozen files and directories.
But when using code instead of WP plugins, you need at least a partial understanding of programming and of protecting WordPress from hacking, in order to judge whether the code will bring you benefit or harm.
If you do not have the necessary knowledge, or friends who do, then at least use authoritative sources, whose competence can be judged by other users' feedback and by the subject matter of the site where the code is published.
If you want to extend your WordPress site with code from a site about making money on the Internet, a site offering free programs and movies, or simply a personal blog where, besides this snippet, the author shares salad recipes, be careful!

6. Regular backups

It is important to have several copies of the site, stored on different media that are independent of each other, in case your site is hacked after all.
In that case the backup copies will help restore the resource as quickly as possible. The optimal backup scheme for medium and large sites is as follows:
• 1 copy is stored directly on the hosting, outside the web root so that visitors cannot download it; it is needed for quick work with the site;
• 1 copy is stored on the owner's computer, which is itself reliably protected by a firewall and antivirus; it is needed for quick recovery after a hack;
• 1 copy is stored in a cloud service, as the main backup source;
• 1 copy is stored offline on a flash drive.
Since the site is constantly being developed, it is important to refresh the copies on all media regularly, because you never know at what moment your site will be attacked.
A backup must contain not only the site files but also the database.
On the hosting, the ideal frequency is 3 backups per day, which many hosting providers set up by default (for example, my host TheHost).
But this largely depends on the free disk space provided to you on the server within the tariff plan you pay for.
So it is better not to save money on security.
The other kinds of backups do not need to be created so often. It is enough to back up to the cloud twice a week, and to the local computer and flash drive once a week.
Whatever the schedule, test a restore from time to time: a backup that has never been restored is a hope, not a safeguard. Keep several generations as well, because if the site was compromised weeks before you noticed, the newest copy already contains the malicious code.
Free WordPress plugins that let you automate the creation of backup copies:
• Duplicator: lets you copy and move the site, and is also an easy way to make a backup;
• UpdraftPlus: a plugin for backing up to the cloud, to Dropbox, Google Drive or other services;
• WordPress Backup to Dropbox: a simple plugin for regularly backing up the site files and database to Dropbox.

7. Protecting the WordPress admin panel

Access to the admin panel of a WP site is the dream of most hackers. Nevertheless, protecting the WordPress admin panel is very simple, and there are many ways to do it.
The simplest is disguise.
Most automated attack tools are aimed at wp-login.php. If you change the login address, the bots simply receive an access error, which noticeably reduces the noise in your logs. Bear in mind, though, that this is obscurity rather than a real barrier: the new address leaks easily (redirects, links in notification e-mails, page source), and WordPress also accepts a username and password through xmlrpc.php, so renaming the login page has to be combined with rate-limiting failed logins and, ideally, two-factor authentication (rule 9).
Possible solutions (plugins):
• Login LockDown: quickly detects password guessing and blocks further requests from that IP address;
• Revisium WordPress Theme Checker: detects the most typical malicious modifications made to your theme's files when a template is hacked.
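What a lockout plugin does under the hood is small enough to show in full. The following is an added example written for this article (it is not Login LockDown's code): a must-use plugin that counts failed logins per client address in a transient and rejects the credential check once the limit is reached. All slrl_* names and the two limits are my own choices, and the example assumes the web server sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Simple login rate limit (must-use plugin)
 *
 * Added example for this article, not the Login LockDown plugin's code.
 * After SLRL_MAX_FAILURES failed logins from one address, further attempts from
 * that address are rejected for SLRL_LOCKOUT_SECONDS. Because the check sits on
 * the 'authenticate' filter, it covers wp-login.php AND xmlrpc.php.
 */

const SLRL_MAX_FAILURES    = 5;
const SLRL_LOCKOUT_SECONDS = 900; // 15 minutes

// Assumption: REMOTE_ADDR is the real client. Behind a reverse proxy or CDN you
// must read the proxy's trusted header instead, otherwise every visitor shares
// one counter and a single attacker locks out the whole site.
function slrl_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function slrl_key( $ip ) {
    return 'slrl_' . md5( $ip ); // md5 only shortens the key; it is not a security measure
}

// Count a failure. WordPress fires this for every wrong username/password pair,
// including attempts that were already rejected by the limiter, so hammering
// during a lockout only extends it.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slrl_key( slrl_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLRL_LOCKOUT_SECONDS );
} );

// Reject the login once the limit is reached. Priority 30 runs after the built-in
// username/password check (priority 20), whose callbacks ignore an earlier
// WP_Error, so this verdict is the one wp_signon() actually sees.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( slrl_key( slrl_client_ip() ) );
    if ( $count >= SLRL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SLRL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on success so a legitimate user who mistyped once is not penalised.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( slrl_key( slrl_client_ip() ) );
}, 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across PHP processes and web nodes that share the same database. A distributed brute-force attack from many addresses still gets its five tries per address; that is the case two-factor authentication and strong passwords are there for.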

8. Password-protect the wp-admin directory

An additional way to prevent this is to password-protect the wp-admin directory at the web-server level. With this measure the website owner reaches the dashboard by entering two passwords: one protects the login page (HTTP authentication handled by the web server) and the other is the WordPress admin login itself. Note that admin-ajax.php lives inside wp-admin and is called by many plugins and themes on behalf of logged-out visitors, so if site users need access to particular parts of wp-admin you unblock those paths while locking the rest.
You can use the AskApache Password Protect plugin to secure the admin area. It generates the .htpasswd file automatically, stores the password as a hash and sets correct, security-hardened file permissions.

9. Two-factor authentication at login

This security measure, along with setting up HTTPS on the WP site, is another effective means of protecting the WordPress admin area.
It consists in requiring, besides the usual username and password when entering the admin panel, a one-time confirmation code generated by an authenticator app on your phone or sent to it by SMS.
So even if an attacker's brute-force attack succeeds and they obtain the administrator's credentials, the second step stops them from gaining control over your site.
The simplest and most convenient way to implement two-factor authentication on your site is to install a plugin. Here is a list of the most popular ones, in descending order of downloads:
• Google Authenticator – Two Factor Authentication (2FA)
• Duo Two-Factor Authentication
• Rublon Two-Factor Authentication
I will not describe their capabilities, because they are all much the same. And the coolest logo in the plugin directory belongs to Rublon, so be sure to go and check it out.

10. Installing an SSL certificate

An interesting situation emerges: VPN services are not reliable, and public Wi-Fi for site administration is ruled out altogether (see the next two rules).
What then, if you have to go on a long business trip or on holiday, in a word, spend a long time without a trusted and protected Wi-Fi network, while the site needs to be administered during that time?
In this situation an SSL certificate, which lets data travel over the encrypted HTTPS protocol, comes to the rescue: anyone sitting between you and the server sees only ciphertext, not your administrator password or session cookie.
To simplify moving WordPress to HTTPS, I personally recommend special plugins that make life much easier.
• Really Simple SSL: switches WordPress to SSL in a couple of seconds. You only need to obtain an SSL certificate, install the plugin and activate it. Everything else is done automatically, including the redirect, the adjustments to .htaccess and replacing all site URLs with their HTTPS versions.
• WP Force SSL: a plugin for redirecting traffic from HTTP to HTTPS, including manually typed links.
• Easy HTTPS Redirection: a plugin very similar to WP Force SSL, which configures redirects from HTTP to HTTPS for all site URLs or for individual URLs.
• SSL Insecure Content Fixer: a plugin that fixes mixed-content problems, protecting the WordPress site from insecure content and the related browser warnings.
If you do not know how to install a WordPress plugin, I recommend reading the linked article.
Installing and configuring an SSL certificate for WordPress manually, if you refuse plugins and use the services of professional developers, will be quite difficult and expensive.
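For readers who prefer to see what those plugins change, here is the manual equivalent as an added example for this article (not the code of any plugin listed above). It assumes a valid certificate is already installed on the web server; the first part goes into wp-config.php, the second into a must-use plugin file, and the file name force-https.php is my own.

```php
<?php
// --- Part 1: wp-config.php -------------------------------------------------
// Added example for this article; assumes the certificate is already installed.

define( 'FORCE_SSL_ADMIN', true ); // wp-admin and wp-login.php are served over HTTPS only

// Only if TLS is terminated by a reverse proxy or CDN that you control and that
// strips this header from client requests. Without it WordPress sees plain HTTP
// behind such a proxy and the redirect below loops forever; but if the proxy does
// NOT strip the header, a client can spoof "https" and bypass the redirect.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- Part 2: wp-content/mu-plugins/force-https.php --------------------------
// Front-end counterpart: send HTTP visitors to the HTTPS URL, then pin it with HSTS.

add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // wp_safe_redirect() refuses hosts other than the site's own, so a forged
    // Host header cannot turn this into an open redirect.
    wp_safe_redirect( $target, 301 );
    exit;
} );

add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        // Browsers will refuse plain HTTP to this host for a year after the first
        // HTTPS visit, so a downgrade on hostile Wi-Fi no longer works.
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );

// Remaining mixed-content warnings come from hard-coded http:// URLs in posts and
// options; after switching, set WordPress Address and Site Address in
// Settings -> General to https:// so newly generated links use the right scheme.
```

Start HSTS with a short max-age (a few minutes) and raise it once you are sure HTTPS works everywhere; a long value set while something is still broken locks visitors out for that whole period.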

11. The danger of using VPN services

Using third-party VPN services is dangerous for the security of the WP site, of your local computer and of the data stored on it.
Therefore I strongly recommend that fans of VPN services give them up, at least while working in the admin panel of the WordPress site.
First, you do not need a VPN connection to work in the admin panel.
Second (and this is the most important point): when you use a VPN service, your traffic passes through someone else's servers, where it can be inspected and used however the operator pleases.
So the administrator's username and password can be stolen and used to take control of your resource. HTTPS, described above, limits what a VPN operator can see, but it does not change the fact that you are routing all of your traffic through a party you cannot verify.

12. Public Wi-Fi as a channel for hacking the WP admin panel

Never use a Wi-Fi connection shared with people you do not know to access the site's admin panel.
Over the history of Wi-Fi networks there have been thousands of cases of administrators' credentials being stolen, followed by the hacking of WordPress sites and the theft of data from the devices of people using "free" Internet in public places.
Such networks may be password-protected or open; the main point is that someone other than you is on them, and you cannot be 100% sure of their motives.

13. Install a WordPress CAPTCHA

This cyber-defence technology has been around for almost 20 years and has become part of everyday life. Nevertheless, not all sites use it even now.
If you do not know what a CAPTCHA is and why it is needed, I recommend broadening your horizons with the linked article.
There you can also read about the kinds that exist today and choose the one you like best and that fits the design of your site.
A CAPTCHA is usually needed on the various forms through which actions are performed on the site, so that bots cannot get into your resource and wreak havoc.
The most common places to install a CAPTCHA in WordPress are:
• the comment form;
• the registration and login forms;
• the contact form;
• the checkout form (if you run an online store on WordPress).
You can install a CAPTCHA in WordPress either manually, using a third-party service's API, or with special WordPress plugins.
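As an illustration of the manual route, here is an added example written for this article (not the code of any CAPTCHA plugin or service) showing where a challenge plugs into WordPress: the comment form and the registration form on the output side, and the two hooks where the answer is enforced on the server. It uses a trivial arithmetic question, which only stops naive bots; what matters is the hook structure and the single-use, server-stored answer. In production slc_verify() would instead call a real CAPTCHA provider's verification API. All slc_* names are my own.

```php
<?php
/**
 * Plugin Name: Minimal form challenge (must-use plugin)
 *
 * Added example for this article, not any CAPTCHA plugin's or provider's code.
 * Shows the WordPress hooks a CAPTCHA attaches to; the arithmetic question is a
 * stand-in for a real CAPTCHA and defeats only the dumbest bots.
 */

const SLC_TTL = 600; // a challenge is valid for 10 minutes

// Create a challenge, store the answer server-side, return [token, question].
function slc_issue() {
    $a     = random_int( 1, 9 );
    $b     = random_int( 1, 9 );
    $token = bin2hex( random_bytes( 16 ) ); // unpredictable handle for this challenge
    set_transient( 'slc_' . $token, (string) ( $a + $b ), SLC_TTL );
    return array( $token, sprintf( 'What is %d + %d?', $a, $b ) );
}

// Check an answer. The transient is deleted first, so a solved token is single-use
// and cannot be replayed by a bot that solved one challenge.
function slc_verify( $token, $answer ) {
    if ( ! preg_match( '/^[0-9a-f]{32}$/', (string) $token ) ) {
        return false;
    }
    $expected = get_transient( 'slc_' . $token );
    delete_transient( 'slc_' . $token );
    return false !== $expected && hash_equals( $expected, trim( (string) $answer ) );
}

// Output the question plus the hidden token inside a form.
function slc_fields() {
    list( $token, $question ) = slc_issue();
    printf(
        '<p class="slc"><label for="slc_answer">%s</label> ' .
        '<input type="text" name="slc_answer" id="slc_answer" size="4" required>' .
        '<input type="hidden" name="slc_token" value="%s"></p>',
        esc_html( $question ),
        esc_attr( $token )
    );
}

// Where the challenge appears: comment form (logged-out and logged-in) and registration.
add_action( 'comment_form_after_fields', 'slc_fields' );
add_action( 'comment_form_logged_in_after', 'slc_fields' );
add_action( 'register_form', 'slc_fields' );

// Where it is enforced, 1: before a comment is saved.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata; // no form was involved; handle those by other policy
    }
    if ( current_user_can( 'moderate_comments' ) ) {
        return $commentdata; // moderators do not need to prove they are human
    }
    $token  = isset( $_POST['slc_token'] ) ? $_POST['slc_token'] : '';
    $answer = isset( $_POST['slc_answer'] ) ? $_POST['slc_answer'] : '';
    if ( ! slc_verify( $token, $answer ) ) {
        wp_die(
            'Challenge failed. Please go back and try again.',
            'Comment blocked',
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// Where it is enforced, 2: before a registration is accepted.
add_filter( 'registration_errors', function ( $errors ) {
    $token  = isset( $_POST['slc_token'] ) ? $_POST['slc_token'] : '';
    $answer = isset( $_POST['slc_answer'] ) ? $_POST['slc_answer'] : '';
    if ( ! slc_verify( $token, $answer ) ) {
        $errors->add( 'slc_failed', 'Challenge failed. Please try again.' );
    }
    return $errors;
} );
```

Two things carry over unchanged to a real CAPTCHA: the answer (or the provider's response token) is always checked on the server, never trusted from the browser, and comments submitted through the REST API or XML-RPC never pass through the HTML form, so they need their own rule (for example, disabling anonymous comment creation there) rather than relying on this check.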

14. Protecting your e-mail

E-mail is the foundation of the whole security complex.
By hacking it, an attacker can reset the passwords for the FTP server, the hosting account and the admin panel, and gain full access to the site.
Very often, while focusing on protecting WordPress from malware, site owners forget about the potential danger of e-mail:
• create a separate mailbox for registering the domain and hosting;
• do not open suspicious e-mails, especially with attached files;
• once every 2-3 months, change the password to a complex combination of numbers and letters, and enable two-factor authentication on the mailbox itself;
• never give out the e-mail address used for domain registration as contact information.
