It is no secret that WordPress powers a large portion of the internet. In 2021, about 35,6% of all websites on the internet are built on WordPress. This staggering number accounts for the reason that adversaries are continuously exploring new tactics and techniques to gain unconsented access to WordPress sites, whether it be for financial gain, defacement or various other reasons.
1. Selecting a Good Hosting Provider
Securing your WordPress site needs to start from the ground up. This is why having a solid foundation for your site, good hosting, is the first step to securing your site. Here are a few factors to keep in mind when selecting a hosting provider:
- Support for the latest PHP version.
- Support for the latest version of MySQL.
- An included firewall.
- DDOS Prevention Measures.
- 24/7 Security Monitoring.
- Scheduled Malware Scans on your Web Server.
Selecting a good hosting provider from the start can help prevent nightmares down the road.
2. Disable File Editing
A common technique used by adversaries is to inject subtle malicious code to your theme and plugins. This code often goes unnoticed and creates a backdoor for hackers to access your site and data. To prevent this attack and disable the ability to edit plugins and the theme file, you can simply paste the following line into your wp-config.php file: define(‘DISALLOW_FILE_EDIT’, true);
3. Installing a WAF
Having a strong password is unfortunately not enough, it is highly recommended that you install A Web Application Firewall (WAF) to block malicious traffic to your site. A good option is, “Wordfence”, which can be found on the WordPress plugins page. Installing Wordfence will allow you to create an ACL, this will mean only specific IP’s will be allowed to access the WordPress dashboard. Wordfence will monitor your site’s file integrity, scan for malware, block brute force attacks and harden the overall security of your site.
4. Using SSL/HTTPS
The importance of having an SSL certificate on your site has greatly increased over the years. Not only does the SSL certificate encrypt all traffic between a user’s web browser and the web server, but it also increases your chances of ranking higher in Google’s search results, as Google recognises the importance of an SSL certificate and places sites without one lower in search results. Almost all hosting providers these days offer a free SSL certificate from, “Let’s Encrypt SSL”. For sites where more sensitive data is exchanged, a stronger SSL certificate should be purchased.
5. Updating WordPress & Plugins
Keeping your site and plugins up to date is an important aspect of ensuring your site is secure. Developers release frequent updates to plugins and themes, often times these updates contain patches for vulnerabilities and new security features. Hackers often search for outdated plugins/themes on a site during their recon stage to gain access via vulnerabilities, this is why it is so important to keep your site up to date constantly.
Although there are further tasks that can be completed to strengthen your site’s security even more, completing the above-mentioned tips will assist in building a solid security foundation for your site. These tips do not take long to complete and can save you time and money in the long run.
By: Michael Frese