This is a guest post by Ibad Rehman of Cloudways web hosting.
Website security is one of the biggest challenges for webmasters these days and WordPress is no different when it comes to vulnerabilities. Because it is one of the most popular platforms, WordPress is a favorite target of hackers. Thus it is important to implement effective WordPress security to protect your site against threats.
In this article I intend to cover the following:
- Secure Website Hosting
- Shared Hosting
- VPS Hosting
- Dedicated Hosting
- Managed Cloud Hosting
- Frequent Backups
- Offsite Backup
- Local Backup
- Keep WordPress Updated
- Limit Login Attempts
- Two Factor Authentication
- Change WordPress Login URL
- Avoid SQL Injection
- Malicious Themes and Plugins
- SSL Certificate
- Security Plugins
- MalCare
- All in One WP Security & Firewall
- WordFence
1. Secure Website Hosting
Secure hosting plays an important part in securing your WordPress site against vulnerabilities. A secure WordPress host not only takes defensive measures against attacks but also ensures recovery of website data if such attacks affect your WordPress site.
Let’s look at some of the common types of web hosting and the level of security each offers.
a. Shared Hosting
Shared hosting is popular among small websites and startups who do not require very powerful hardware and have low budget constraints. In shared hosting, a single server hosts multiple websites which share the available resources.
Since sites share resources and space in this type of hosting, if one website is hacked it can sometimes affect other sites hosted on the same machine. Hackers can compromise other sites by gaining access to just one site on the machine and can also alter and delete data of any compromised website.
b. VPS Hosting
A Virtual Private Server (VPS) is more secure than shared hosting. Not to be confused with managed VPS services, which are common among shared web hosts. In VPS hosting, the web host allocates a specific portion of the physical machine to your website and you are the owner of that virtual server. Also, you have more control over your server and can implement your own security protocols.
c. Dedicated Hosting
In dedicated hosting, the web host dedicates a whole machine to your website. As a result, you are allowed to install software and the operating system of your choice. Additionally, it is even more secure than shared and VPS hosting as you can completely control the server and its security.
d. Managed Cloud Hosting
Cloud hosting connects multiple physical machines to ensure reliability and maximum up-time. Like a VPS, a certain portion of the machine is given to your website. However, it is more reliable and secure as your site is not bound to just one machine and gets its computing power from a network of servers.
Managed cloud hosting providers, like Cloudways, offer secure WordPress hosting to their customers. This type of service equips your website with Advanced Firewalls, Server Monitoring, and an up-to-date Operating System. Experts monitor and update your system regularly in order to avoid any security breaches on the server-level.
2. Frequent Backups
Website backups are like insurance which comes in handy on a rainy day. I recommend that you use automatic (and frequent) backups if you care about your website at all. It does not improve the security of your WordPress site but it is a safety net which helps your site to recover if a cyber attack causes data loss.
You can take backups in two ways:
a. Offsite WordPress Backups
Offsite backups can be taken by using WordPress plugins like UpdraftPlus and BlogVault Backups. Backups taken from these plugins can be directly sent to Google Drive, Dropbox, Amazon S3, etc. These plugins let you take both full backup or selective backups for just web files or database files.
b. Local WordPress Backups
Local backups are taken by your hosting provider and they are stored on your server for easy recovery. Some providers offer automatic backup options and some even let you take the backup at your will.
Most managed cloud hosting providers offer automated free backups and the option to back up the whole server in case of any disaster.
3. Keep WordPress Updated
A majority of hacks on WordPress sites are due to outdated WordPress core files, themes and plugins. These updates are essential as every WordPress update comes with improved security patches that are developed to deal with the current security threats.
Note: Updating is easy in WordPress but it is recommended to take a full backup before updating the core files and themes to avoid any hassle.
Bonus: For even less risk during updates, use a staging or development site. After backing up, make a clone of your WordPress site so that your live site is not affected when you are testing out the updates. In your clone site, simply check for the updates inside your WordPress Admin Dashboard and update the files, themes, and plugins accordingly.
If things go wrong after updating, you can revert to the latest version from your backups.
4. Limit Login Attempts
One of the common security vulnerability in WordPress is illegal login attempts. These attempts are made to guess the right username or password to gain access to the site. Unfortunately, a lot of WordPress sites still use weak usernames like ‘admin’ and passwords like ‘admin123’. As a result, hackers can easily login with just a couple of attempts.
A Brute Force attack is a very common type of cyber attack. Such attacks run a script to guess the username and password according to the guidelines provided by the hacker. In order to avoid these attacks, you can limit the number of login attempts.
To implement this, you can simply use limit login attempts plugin on your WordPress site. This plugin lets you define the number of times a user can attempt to login and after that, his IP is blocked either permanently or for a defined period of time.
Besides limiting the login attempts, you can also implement Google Invisible reCAPTCHA which also helps in controlling the bots from running the login scripts.
5. Two Factor Authentication
Two Factor Authentication or 2FA requires the user to authenticate their identity on two different mediums. With 2FA, the user only gets access if they provide the correct password and authenticate through a verification code sent through email or to their mobile phone.
Though it is an extra step before a user can login, it significantly hardens the security of your website and almost eliminates the risk of illegal access to your WordPress back-end. There are many two factor authentication plugins available which you can use to implement this extra layer of security on your WordPress site.
6. Change WordPress Login URL
It is a good idea to change the default wp-admin login URL so that hackers have a hard time finding it and attacking it with Brute Force attacks. The WPS Hide Login plugin can be used to change the default WordPress login URL.
Also, assign different user roles to the individuals involved in your WordPress site. For example, the content contributor should not be given admin access unless it is needed, because their sole purpose is just to create content and not to make changes in core files, themes, and plugins.
7. Prevent SQL Injection
SQL Injection is a common way of injecting malicious scripts using input fields. These scripts can retrieve data from SQL tables or can alter or delete the complete database. However, in some cases a hacker only wants to retrieve specific information, like the admin username and password, then leave without a trace.
This type of threat is constantly evolving, and I’ve found the best method of protection is a WAF (website application firewall), like Cloudflare or Sucuri. A good WAF solution will receive constant updates to protect against the latest threats.
8. Malicious Themes and Plugins
A typical WordPress site contains both themes and plugins. Plugins are great as they add a specific feature to your WordPress site without writing a single line of code. However, over time malicious hackers may take over both plugins and themes, especially when not updated regularly.
It is important to run scans and audits to highlight such malicious themes and plugins because they could be behind the next security attack. If you come across any plugin which has not been updated for quite some time, then consider contacting its developers or look for an alternate.
Also, avoid using nulled themes and plugins. If you are getting a paid theme/plugin for free, there is likely a catch, and it could be you! Most of the time, these pirated themes contain malicious scripts and this will give back-door access to hackers inside your WordPress site.
9. SSL Certificate
Sensitive user data such as personal information, credit card details and social security number is most vulnerable over the Internet. Therefore, it is very important to secure the channel through which this information travels.
SSL Certificates provide a secure and encrypted channel through which the browser and server can transport data. Information travelling through this channel is secure because it can only be decoded by a private key. You can use free SSL certificates via Let’s Encrypt to secure your WordPress site.
10. Security Plugins
Many folks use WordPress security plugins to harden the security of their website. There are tons of free and premium plugins available, but I will cover three security plugins which can effectively secure your WordPress site.
- MalCare
- All in One WP Security & Firewall
- WordFence
a. MalCare Security
Various top WordPress sites use the MalCare Security plugin. It is easy to use and manages WordPress security efficiently. The plugin provides a lot of options for configuring the type of security you want to have. Also, the developers have equipped the plugin with a firewall, auto-scanning, login protection, and white-listing options.
b. All in One WP Security & Firewall
All in One WP Security & Firewall is another great plugin to use for WordPress security. It has over 700,000 active installs which makes it quite popular among WordPress users. This is a complete plugin for web security and offers tons of features and options to its users.
This plugin uses a grading mechanism to display the current security situation and thus helps them to work on the weak spots. It also has options for limiting the login attempts, blacklisting IPs, support for adding Google reCaptcha and database security.
c. WordFence
WordFence has over 2 million active installations. WordPress sites use this plugin extensively due to its reliability and features. The plugin has a built-in firewall that protects your WordPress site from attacks. WordFence regularly scans your website for any possible malicious code or intruder and also suggests the way to counter these threats. It has both free and premium versions. The Premium version comes with advanced security features.
Stop Spam Comments
Editor’s note: this section didn’t really fit where it was originally inserted, but it is something every WordPress site must address, so I’ve left it here as a bonus tip.
Having a commenting option is great as it lets your readers leave their feedback on your blog post or other services. However, this could also be the gateway for spammers and hackers to enter your WordPress system.
By default, WordPress has built-in support to avoid spam and unwanted comments.
Inside the WordPress dashboard, go to Comments. There you have options to Approve, Unapprove and Mark as Spam.
You may also keep the comment pending if it does not meet a certain criteria. For that, head over to Settings -> Discussion.
Akismet is an effective plugin to counter spam comments.
Final Words!
You cannot neglect security in WordPress and it should be on top of the priority list of any webmaster. Plugins alone are not enough to fight these threats, so you should take all these measures to ensure maximum security of your WordPress site.
The folks at WP Buffs include all of these tips in their comprehensive security solution. If you don’t have the time to implement all of these on your own, their service will get it taken care of for you in no time at all.