WordPress powers around 35% of all websites, so it makes sense for attackers to focus their attention on vulnerabilities in WordPress core, themes and third-party plugins. This is one of the reasons updates are such a frequent occurrence for WordPress and its plugins. So, with that in mind, the first port of call is to ensure WordPress core, your theme and every third-party plugin are up to date, and to delete any plugins and themes you no longer use: their files stay on the server whether or not they are active.
You shouldn't rely only on WordPress security updates to keep you secure; there is a lot you can do yourself, and a lot you should take responsibility for. This article takes you through some basic and some more advanced steps that will help you stay secure.
I would recommend scheduling regular vulnerability assessments, perhaps every 3 to 6 months, to check that you are still secure. If you have a WordPress management package, your maintenance company would typically include these assessments as part of your plan.
Let's start with the basics. Changing your password is one of the most straightforward precautions you can take, not only for the WordPress admin login but for any third-party accounts connected to the site (hosting control panel, FTP/SFTP, database). And this may go without saying, but never reuse a password: a breach of one service then becomes a breach of your site. A password manager makes long, unique passwords painless.
The next thing is your username. Pick it carefully and don't choose "admin". Admin is the go-to guess for attackers, so much so that many security plugins will block any IP address that tries to log in with it. Bear in mind, though, that usernames are often discoverable anyway (for example through author archive URLs or the REST API's users endpoint), so treat a non-obvious username as a small win, not a control you can rely on; the password, two-factor authentication and login lockouts do the real work.
Keeping with the login theme, securing your admin console login with two-factor authentication is a must. Even if someone does obtain your username and password, having to supply a second factor raises the bar considerably. Codes from an authenticator app or a hardware security key are the stronger options; codes sent by SMS still help, but they can be intercepted or phished, so don't treat any second factor as impossible to get around.
Types Of Common Attack
Let’s explore and understand some types of common attacks which you should protect against. This is in no way an exhaustive list, but it should give you an overview of attack methods and outcomes.
One of the most common and easiest to execute types of attack is a DoS (denial of service) or DDoS (distributed denial of service) attack, the difference being whether the traffic comes from one source or from many. These work by overwhelming your website's resources (bandwidth, PHP workers, database connections) to the point where it can no longer function. The result is that your website is offline. The attacker will not get access to any sensitive information using this attack, but if someone simply wants to take your service down, a DDoS attack would suffice.
The most practical defence against a DDoS attack is a cloud-based web application firewall and CDN such as Sucuri or Cloudflare. You point your domain's DNS records at the provider, so all traffic passes through their network and is filtered before it ever reaches your server. One caveat: if your server's real IP address is still discoverable (for example through an old DNS record or a subdomain that bypasses the proxy), attackers can hit the server directly, so restrict inbound traffic to the provider's address ranges where your host allows it.
One common type of attack which could allow the attacker to get access to potentially sensitive information is a Man in the Middle attack, sometimes abbreviated to MitM.
In a MitM attack the attacker positions themselves between the client and your server, for example on an untrusted Wi-Fi network, and relays the traffic so that both sides believe they are talking directly to each other. Anything sent in plain text can then be read or altered, and a stolen login cookie lets the attacker hijack the user's session and act as them. The easy to implement defence is to serve the whole site over HTTPS rather than HTTP: the connection is encrypted and the server's identity is verified by its certificate, so an interceptor can neither read the traffic nor tamper with it without triggering browser warnings.
The final type of common attack we will cover is a password attack: logging in as a user with their own credentials. The method of obtaining the password varies, from simple guessing and credential stuffing (trying username/password pairs leaked from other sites, which is why password reuse is so dangerous) to a dictionary attack, where a list of common passwords is tried one after another. One way to combat this is to lock the account or the source IP out after several failed login attempts. Remember that the login form is not the only door: WordPress's XML-RPC endpoint also accepts credentials, and its system.multicall method lets an attacker test many passwords in a single request, so disable XML-RPC if nothing you use needs it.
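The lockout described above can be built with nothing but core WordPress hooks. The following is an added example written for this article, not code from WP Agents or from WordPress itself; the example_* names, the threshold of 5 attempts and the 15 minute window are assumptions you would tune for your site.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example, not from the original article. Temporarily
 * blocks an IP after repeated failed logins using only core WordPress hooks.
 */

// Tuning values are assumptions: 5 failures within 15 minutes locks the IP
// out for the remainder of that 15 minute window.
define( 'EXAMPLE_LOCKOUT_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the requesting client.
 *
 * Behind a CDN/WAF such as Cloudflare or Sucuri, REMOTE_ADDR is the proxy's
 * address, so every visitor would share one counter and one lockout. In that
 * case hook the (hypothetical) example_lockout_client_ip filter and return
 * the address the proxy passes in its own header, and trust only that header.
 */
function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ip = apply_filters( 'example_lockout_client_ip', $ip );
    return 'example_lockout_' . md5( $ip );
}

/**
 * Count a failed login. wp_login_failed fires after core has rejected the
 * credentials (it is not fired for empty username/password submissions).
 */
function example_lockout_record_failure( $username ) {
    $key      = example_lockout_key();
    $attempts = (int) get_transient( $key );
    // Re-arming the expiry on every failure means a slow, steady guesser is
    // still counted, and a locked-out client that keeps trying stays locked.
    set_transient( $key, $attempts + 1, EXAMPLE_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

/**
 * Refuse authentication while the IP is locked out.
 *
 * Priority 40 runs after core's own checks (registered at 20 and 30). Running
 * earlier would not work: core replaces a WP_Error passed in with a WP_User
 * when the password is correct. Returning WP_Error from here also means a
 * locked-out client gets the same answer for right and wrong passwords, so
 * the lockout does not leak whether a guess succeeded.
 */
function example_lockout_check( $user, $username, $password ) {
    $attempts = (int) get_transient( example_lockout_key() );
    if ( $attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_check', 40, 3 );
```

Drop the file into wp-content/plugins/ and activate it. Because the check sits on the authenticate filter rather than on the login form, it also covers logins made through XML-RPC and other paths that call wp_authenticate(). Transients are stored in the options table (or in the object cache if you have one), so no extra table is needed, and the counter disappears on its own when the window expires.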
Now that we know the common attack methods, let's look at preventative measures we can take to improve our WordPress website security.
Use SSL Encryption
SSL stands for Secure Sockets Layer; its modern successor is TLS, although the term "SSL certificate" has stuck. It encrypts the data in transit between the user's browser and the server and lets the browser verify that it is really talking to your site, which is what defeats the MitM attacks described above. You can buy a certificate, but most hosting providers will issue a free one (typically from Let's Encrypt) at the click of a button, and with WordPress you can use a plugin to switch the site over and redirect HTTP requests to HTTPS. Once the certificate is in place, make sure the WordPress Address and Site Address settings use https://, and consider adding define( 'FORCE_SSL_ADMIN', true ); to wp-config.php so that the login and admin pages are never served over plain HTTP.
Security isn't the only benefit here: Google treats HTTPS as a ranking signal and browsers label plain HTTP pages as "Not secure", which is why this should be one of the first checkboxes when setting up your WordPress website.
Change your Database Table Prefix
When installing WordPress, the database tables are given the default prefix "wp_", so every site with the default has tables called wp_users, wp_options and so on. Automated attack scripts that exploit an SQL injection flaw in a vulnerable plugin usually hard-code those names, so using a different prefix will break many of them. Be clear about what this does and does not do, though: it is obscurity, not a fix. It does not remove the injection flaw itself, and an attacker who has found one can still enumerate your table names. The real defence is keeping plugins updated and making sure any code you write passes values to the database through $wpdb->prepare() rather than concatenating them into the query.
The table prefix is best set during installation. If your website is already installed, a plugin such as WP-DBManager can rename the tables for you, but take a full backup first and check the result carefully: the prefix must also be updated in wp-config.php ($table_prefix), and some rows inside the tables carry the prefix in their keys as well (the user_roles option and each user's capabilities and user_level meta), so a partial rename locks every user out of the admin.
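To show why the prefix is a side issue, here is the same lookup written unsafely and safely. This is an added example for this article, not code from WP Agents or WordPress core; the example_* function names and the uid parameter are hypothetical.

```php
<?php
/**
 * Added example, not from the original article: one user lookup written
 * insecurely and then with a prepared statement. example_* names are hypothetical.
 */

/**
 * VULNERABLE: untrusted input is spliced straight into the SQL string.
 * Changing the table prefix does nothing here. A request carrying
 * uid=0 OR 1=1 returns every row, and the attacker never needed to know the
 * table name, because the query already contains it.
 */
function example_get_user_insecure( $uid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'users';
    return $wpdb->get_results(
        "SELECT ID, user_login, user_email FROM {$table} WHERE ID = {$uid}"
    );
}

/**
 * HARDENED: $wpdb->prepare() binds the value instead of interpolating it.
 * The %d placeholder coerces the argument to an integer, so "0 OR 1=1"
 * becomes 0 and the query can only ever match one ID; a %s placeholder would
 * be quoted and escaped instead. $wpdb->users already carries the site's
 * prefix, whatever it has been changed to, so the code needs no knowledge of it.
 */
function example_get_user_secure( $uid ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, user_login, user_email FROM {$wpdb->users} WHERE ID = %d",
            $uid
        )
    );
}

// Typical call site: the value comes straight from the request and must be
// treated as hostile. Only the prepared version is safe to wire up like this.
// $uid  = isset( $_GET['uid'] ) ? $_GET['uid'] : 0;
// $user = example_get_user_secure( $uid );
```

The pattern generalises to every query: table and column names come from your code (or from the $wpdb properties), while anything that originated in a request, a cookie, or the database itself goes in through a placeholder. Run a vulnerable plugin's requests through the first function and a renamed prefix will not save you; run them through the second and the prefix never mattered.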
Disable Directory Listing
If directory listing is enabled on your web server, anyone can browse the contents of a folder that has no index file, without needing a password, simply by appending the directory name to your URL, for example /wp-content/uploads/ or /wp-content/plugins/. That reveals your uploaded files and the exact plugins (and often versions) you are running, which is useful reconnaissance for an attacker.
On Apache this is easily prevented by adding the line Options -Indexes to the .htaccess file in your WordPress root. (Some tutorials give Options All -Indexes, but mixing the bare form with a + or - is rejected by Apache's syntax check, so use the form above.) This only works if your host permits the Options directive in .htaccess; if the line produces a 500 error, ask your host to disable indexing in the server configuration instead. On Nginx the equivalent setting is autoindex off, which is the default. Either way, test it by requesting one of the directories above in a browser: you should get a 403 Forbidden or a blank page, not a file list.
Back It Up
There's no better safety net than having multiple backups, and there's no excuse for not having one. You can take as many preventative measures as you want, but without a backup you are leaving yourself wide open: a compromised, corrupted or accidentally deleted site with no backup has no recovery path except rebuilding from scratch.
When undertaking a vulnerability assessment, for WordPress or for website security in general, checking that you have adequate backups is one of the first things an assessor looks at. "Adequate" means the backups cover both the database and the files (uploads, themes, plugins, wp-config.php), are stored somewhere other than the web server itself so an attacker who gets into the server cannot delete them too, and have actually been restored at least once to prove they work.
How often you back up depends on how your website is used. If users are entering essential data, you ideally want to back up as frequently as is reasonably practical. If you have no user portal and content is updated weekly, then once a week should suffice. To get a better idea of how frequently you should back up, ask yourself the following question: what would the consequences be if my website lost all data from the last hour? Then ask the same question again for a longer period: a day, two days, a week, and so on. The point at which the answer becomes unacceptable is how much data loss you can tolerate, and your backup schedule needs to be at least that frequent.
There are multiple ways to create backups: your hosting provider should be able to offer an adequate solution, or there are third-party plugins that let you schedule your own. If you have a WordPress management package from WP Agents, backups are included.
WP Agents perform a full vulnerability assessment when commencing one of their WordPress management packages. Their experts look into all aspects of your website and improve your overall WordPress website security. You can get in touch with WP Agents for a free consultation here.