When someone mentions WordPress, you will often hear people saying “don’t use it, it’s insecure”. In a sense, those people have a point: no platform is secure out of the box, and there is no such thing as a “silver bullet” in security. There are, however, a number of measures that meaningfully reduce the risk of running WordPress. Let’s go through them.
1. Fundamentals
The very first thing you should do is serve your site over HTTPS instead of HTTP. Now I get that a blog isn’t a bank and your readers might be perfectly fine reading your content over HTTP, but adding TLS (what most people still call SSL) protects the confidentiality and integrity of the traffic, and that includes the password and session cookie you send every time you log in to wp-admin. Modern browsers also mark plain-HTTP pages as “Not secure”, and search engines rank HTTPS sites higher. Once the site works over HTTPS, redirect all HTTP requests to it and consider sending an HSTS header so browsers stop trying HTTP at all. More information on HTTPS can be found here.
2. Installation
When you upload the WordPress files to your server, the first thing you need to do is to install the platform. After you select the language and provide your database connection details you should see this page:
There are two things that should be noted here:
- You shouldn’t use the word “admin” as your username.
- Use a strong, unique password, preferably the one WordPress generates for you.
Not using “admin” as your username takes away the first username every automated brute-force tool tries. Keep in mind, though, that WordPress usernames are not really secret (author archive pages and the REST API can reveal them), so the strong password is what actually protects the account. Treat the username choice as a way to cut down on noise, not as a secret.
3. Keep everything up to date
You know what happens when websites fall behind on patches? They get breached. Most WordPress compromises exploit known, already-fixed vulnerabilities in outdated core, plugins or themes. A data breach is the last thing you want to see happening to your website, and to prevent it you must keep the core, the plugins and the themes you use up to date. WordPress applies minor core releases automatically by default; leave that enabled, and check the Updates screen (or run `wp core update` and `wp plugin update --all` with WP-CLI) regularly for everything else. Simply keeping everything up to date does not guarantee you will never suffer a breach, but it removes the easiest way in.
4. Only install plugins from trusted plugin vendors
You see a plugin that you would like to install, but it costs money, and it’s expensive too. What do you do then? Download a “nulled” (pirated, licence-check-removed) version of the plugin and install it, right? Well, no. Nulled plugins often contain backdoors that let a malicious party gain access to your website, and since they are cut off from the vendor they never receive security updates either. Only install plugins from the official WordPress directory or directly from the vendor, and avoid nulled copies entirely.
5. Remove plugins you’re not using
Vulnerable plugins are the main reason WordPress websites get hacked so frequently. Now don’t get me wrong, I don’t have anything against the use of plugins in WordPress: use them, but use them wisely. Remove plugins you no longer use, and actually delete them rather than just deactivating them, because a deactivated plugin’s files remain on the server and may still be reachable by a direct request. Update the ones you keep whenever WordPress asks you to; updates are very important because they frequently ship patches for nasty security flaws.
6. Change the default login URL
If your website has login functionality, you will almost certainly see malicious login attempts, and on WordPress they all hit the default login page, /wp-login.php. If you use “admin” as your username, like many people do, the only thing an attacker needs to do is guess your password. Changing your WordPress login URL (via a plugin or a server-side rewrite) halts most of the automated, opportunistic attempts, because the bots knock on the default path and give up when they get a 404. Be clear about what this buys you, though: it is obscurity, and a targeted attacker will find the new URL. Pair it with a login-attempt limit or lockout and, ideally, two-factor authentication for all administrator accounts.
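To make the brute-force traffic described above visible, here is an added example (written for this page, not code from the original post) that scans web server access logs in the common “combined” format for POST requests to the WordPress login URL, counts attempts per client IP, and separates “still guessing” from “guessed right”. It relies on a fact about WordPress itself: a failed login re-renders the form with HTTP 200, while a successful one redirects to wp-admin with HTTP 302. The log lines, the IP addresses and the threshold of five attempts are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

LOGIN_PATH = "/wp-login.php"  # the WordPress default login URL
THRESHOLD = 5                 # assumed: POSTs from one IP before we call it brute force

# Constructed sample lines; not real traffic. RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:20:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:20:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:20:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:20:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:20:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:09:30:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we care about, or None for lines that are not requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, login_path=LOGIN_PATH, threshold=THRESHOLD):
    """Count POSTs to the login URL per IP.

    Returns (stats, suspects, compromised):
      stats       - {ip: {"attempts": n, "successes": n}}
      suspects    - IPs with at least `threshold` attempts (candidates for blocking)
      compromised - suspects that also got a 302, i.e. a guess that worked
    """
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != login_path:  # ignore ?redirect_to=... etc.
            continue
        entry = stats[rec["ip"]]
        entry["attempts"] += 1
        # Failed login: WordPress re-renders the form (200).
        # Successful login: redirect to wp-admin (302). A 302 after a run of
        # 200s from the same IP is the case that needs an incident response.
        if rec["status"] == 302:
            entry["successes"] += 1
    suspects = {ip for ip, s in stats.items() if s["attempts"] >= threshold}
    compromised = {ip for ip in suspects if stats[ip]["successes"] > 0}
    return dict(stats), suspects, compromised


if __name__ == "__main__":
    stats, suspects, compromised = analyse(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        flag = "COMPROMISED" if ip in compromised else ("brute force" if ip in suspects else "ok")
        print(f"{ip:16} attempts={s['attempts']} successes={s['successes']}  {flag}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; if you have moved the login URL, pass it as login_path and the same script tells you whether the bots have found the new one. The single legitimate user (one POST, one 302) never crosses the threshold, which is the property a lockout rule needs to preserve.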
7. Consider using a Web Application Firewall
Modern Web Application Firewalls can block many common attack patterns against web applications, such as SQL Injection (SQLi), Cross-Site Scripting (XSS) and so on. Because their rules are generic, a WAF can sometimes stop an exploitation attempt for a vulnerability that is not yet patched (or not yet known to the vendor), which buys you time to update. It is not a guarantee, though: attackers routinely craft payloads that evade signature-based rules, so treat a WAF as an additional layer in front of an up-to-date site, not as a replacement for patching.
8. Use a Content Security Policy
A Content Security Policy is a response header that lets the website declare which origins scripts, styles, images and other resources are allowed to load from, and whether inline scripts may run at all. Its main value is damage limitation: even if an attacker manages to inject markup into a page (for example through a vulnerable plugin), a strict policy stops the injected script from executing or from sending data to an attacker-controlled host. More information on CSP can be found here.
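Writing a CSP that is actually strict is where most deployments go wrong, so here is an added example (not code from the original post) of a small linter that parses a Content-Security-Policy header value the way browsers do, including the rule that only the first occurrence of a directive counts, and reports the weaknesses a reviewer would flag first: unrestricted or inline script sources, a missing object-src 'none', and a missing base-uri. The two policy strings are constructed for the demonstration; the nonce value in the strict one is a placeholder.

```python
# Source expressions that make script-src meaningless when present.
SCRIPT_WILDCARDS = {"*", "http:", "https:", "data:"}
# If a nonce or hash is present, CSP Level 2+ browsers ignore 'unsafe-inline'
# (it is then only a fallback for very old browsers).
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed examples: a typical permissive policy and a strict one.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRONG_POLICY = (
    "default-src 'none'; script-src 'self' 'nonce-r4nd0mValue'; style-src 'self'; "
    "img-src 'self' data:; font-src 'self'; connect-src 'self'; "
    "object-src 'none'; base-uri 'self'; form-action 'self'"
)


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}.

    Browsers honour only the first occurrence of a directive name and ignore
    later duplicates, so the parser does the same.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def lint_csp(header):
    """Return a list of (directive, problem) tuples; an empty list means no findings."""
    policy = parse_csp(header)
    findings = []

    # script-src falls back to default-src; if neither exists scripts are unrestricted.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append(("script-src", "no script-src and no default-src: scripts are unrestricted"))
    else:
        has_nonce_or_hash = any(src.startswith(STRICT_PREFIXES) for src in script)
        for src in script:
            if src == "'unsafe-inline'" and not has_nonce_or_hash:
                findings.append(("script-src", "'unsafe-inline' lets injected <script> blocks run, so XSS is not mitigated"))
            elif src == "'unsafe-eval'":
                findings.append(("script-src", "'unsafe-eval' allows eval()/new Function() on attacker-controlled strings"))
            elif src in SCRIPT_WILDCARDS:
                findings.append(("script-src", f"{src} allows scripts from any origin"))

    # object-src also falls back to default-src; anything but 'none' allows plugin content.
    obj = policy.get("object-src", policy.get("default-src"))
    if obj != ["'none'"]:
        findings.append(("object-src", "set object-src 'none' unless the site really embeds plugin content"))

    # base-uri does NOT fall back to default-src; without it an injected <base> can
    # redirect every relative script URL on the page.
    if "base-uri" not in policy:
        findings.append(("base-uri", "base-uri is missing; set it to 'self' or 'none'"))

    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(f"{label}: {lint_csp(policy) or 'no findings'}")
```

On WordPress the practical caveat is that wp-admin and many themes rely on inline scripts, so a policy as strict as STRONG_POLICY is usually rolled out on the public front end first (or with nonces added to each script tag) and tested with Content-Security-Policy-Report-Only before it is enforced. The header itself can be set in the web server configuration or from a small plugin hooked to WordPress’s send_headers action.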
9. Monitor files for unexpected changes
Another thing you should consider doing is monitoring your files for unexpected changes. What do you do if your website gets hacked and the attacker modifies some files or drops new ones? A file integrity monitor compares the files on disk against a known-good baseline of hashes and tells you exactly which files were added, removed or altered, so you know the extent of the damage and can clean or restore the affected files instead of guessing. Keep the baseline somewhere the web server cannot write to (ideally off the server), otherwise an intruder with write access can simply update it. For the core and for plugins from the official directory, WP-CLI’s `wp core verify-checksums` and `wp plugin verify-checksums` give you the same comparison against the original package.
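Here is an added example (written for this page, not code from the original post) of a minimal file integrity monitor for a WordPress install: it builds a SHA-256 baseline of the document root, skips the high-churn directories except for PHP files inside them (an uploaded photo changing is normal, a .php file appearing under wp-content/uploads is not), and diffs a later scan against the baseline. The demo() function constructs a throwaway fake site in a temporary directory, so the file names and contents are made up, and the list of skipped directories is an assumption you would adjust for your own setup.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed high-churn directories: ordinary files here are ignored, but PHP files
# inside them are still monitored because that is where web shells get dropped.
CHURN_DIRS = ("wp-content/uploads", "wp-content/cache")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, churn_dirs=CHURN_DIRS):
    """Return {relative posix path: sha256} for every monitored file under root."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        in_churn = any(rel == d or rel.startswith(d + "/") for d in churn_dirs)
        if in_churn and p.suffix.lower() != ".php":
            continue
        baseline[rel] = hash_file(p)
    return baseline


def save_baseline(baseline, path):
    # Store this OUTSIDE the web root (better: off the server) so an intruder
    # who can write to the site cannot also rewrite the baseline.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two scans; the three lists are what an incident responder wants first."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f]),
    }


def demo():
    """Constructed end-to-end run on a fake site in a temp directory (not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-content/plugins/hello/hello.php": "<?php // plugin code\n",
            "wp-content/uploads/2024/photo.jpg": "JPEGDATA",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = build_baseline(root)
        save_baseline(baseline, root.parent / "baseline-demo.json")

        # Simulated post-compromise changes (constructed, no real payloads):
        (root / "index.php").write_text(files["index.php"] + "<?php /* line appended by an intruder */\n")
        (root / "wp-content/uploads/2024/photo.jpg").write_text("REPLACED_JPEG")   # normal churn, ignored
        (root / "wp-content/uploads/2024/shell.php").write_text("<?php /* dropped file */\n")
        (root / "wp-content/plugins/hello/hello.php").unlink()

        return compare(load_baseline(root.parent / "baseline-demo.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For a real site, run build_baseline right after a clean install or update, save the result off-host, and schedule the comparison from cron; every entry in "added" or "modified" that you did not cause yourself is something to inspect before you touch anything else.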
10. Backup frequently
It’s very important to have a robust backup strategy, and for WordPress that means backing up both the files (especially wp-content) and the database. Ideally you should follow the “3-2-1” rule: keep at least 3 copies of your data, 2 of them local but on different devices, and 1 in a different location. If one copy becomes unavailable, you can restore from the second device. However, if both devices sit in the same location and you experience fire, flood or theft, there’s a good chance you will lose both. That’s why the third copy must be off-site, meaning it is not in the same location as the other two. Two more things matter as much as the rule itself: the backup location should not be writable from the web server (an attacker who gets in can otherwise delete or encrypt the backups too), and you should actually test a restore now and then, because a backup you have never restored from is only a hope.
Wrap up
- Use HTTPS – it protects your visitors’ and your own login traffic, can make the site faster (browsers only speak HTTP/2 over TLS) and boosts SEO rankings.
- Don’t use “admin” as your username, use a strong password.
- Only use plugins you need, don’t use nulled plugins, keep everything up to date.
- Consider using additional security measures such as a Web Application Firewall (WAF) & a Content Security Policy (CSP).
- Have a backup strategy.