SUCURI's Q2 hacked website report shows that 74% of the 9,771 infected websites it analysed were running WordPress. WordPress is loved by millions of website owners and holds more than 58% of the market share among content management systems for websites.
I see hundreds of questions and concerns every month in Facebook groups and on Stack Overflow about websites getting hacked or infected with malware.
Website security is as important as your content and SEO, and you should do whatever it takes to keep your online business safe and secure.
There are multiple approaches to tightening your WordPress installation; below, you will learn the practical steps I take myself, which I hope will be helpful to you.
Hardening & Security Tips
1. Go Passwordless
A brute force attack is one of the oldest techniques: it constantly tries to get into the WordPress admin with many username/password combinations.
By going passwordless, you leave a hacker no option to attempt a login. Wondering how it works?
Let me show you.
The default WordPress login window looks like this:
When you go passwordless, you no longer have the option to enter a username and password; instead, you authenticate with your phone. It's simple and convenient.
Clef disables the password for both login and XML-RPC, and whenever you need to log in, you wave your mobile and the magic happens in the background.
Once Clef is activated, the WordPress admin window looks like this:
By implementing Clef, you secure your website from brute force attacks, phishing and keylogging. Clef gives you the option to configure an override URL that can be used when you don't have your phone with you or it gets lost.
The override URL shows you the default login, where you enter the username/password.
I have been using Clef for the last few months and, so far, I'm happy with it. Give it a try to see if it works for you.
As an alternative to Clef, you may also consider the following ones, which do almost the same thing.
UNLOQ has a WordPress plugin too, which lets you replace the password with your phone. UNLOQ uses TLS for the communication, and data is encrypted with the AES-256-CBC algorithm.
You can have up to 100 users with unlimited authentications for FREE, which is more than enough for WordPress admin login.
Teddy ID is a little different. You enter your credentials once, and it stores the password for you, encrypted, in the browser.
On the next login attempt, instead of entering the credentials you must match the photo displayed on your phone, and if it matches, your login is successful.
The Teddy ID WordPress plugin can be downloaded from here.
Let the magic happen and go passwordless.
2. Have Solid Backup Strategy
Backup is your friend! When things go wrong and nothing works, a backup will come to the rescue.
Many things can go wrong, like the following.
- Messed-up configuration
- Files got deleted
- Website got hacked
- You installed some plugin and then the site broke
- Site is broken after updating WordPress/theme/plugins
If you are unable to fix it, or it is taking a long time to get your online business operational again, then you can consider restoring your website from the backup.
Most shared web hosts like SiteGround and InMotion Hosting provide daily backups, so you are good. However, if you are with some other web host, then you may want to check what backup they provide.
If you are on a VPS like DigitalOcean or Linode, then backup is not enabled by default, and they charge around 20% of your VPS plan for it.
So if you are on the $10 plan, you need to pay an additional $2 for the backup.
Trust me; it's totally worth it. There were many situations when I had no option other than restoring Geek Flare from a Linode backup.
If you are on a cloud like AWS or Google Cloud, then you must consider taking snapshots regularly or using a third-party backup tool.
If you have a backup with your web host, then I don't see any reason to use a backup plugin, but in case you want one, here are some of the popular free backup & restore plugins for WordPress.
Over 900,000 active installs says a lot. UpdraftPlus lets you back up your website data to a cloud like Amazon S3, Google Drive, Dropbox, FTP, etc.
Whenever you need to restore, you are just a click away.
Backup by BackupGuard gives you the option to back up files, the database or both. You can customize your backup location and watch the live progress of backup and restore.
Don't settle for anything less than a daily backup.
3. Use WAF/Security Plugin
The default WordPress installation may expose configuration/information and can be vulnerable if not hardened properly.
There are many security-related plugins available, so pick what you like, but ensure it covers the following.
Change Admin URL – the WordPress admin is accessible by default as wp-login.php, and the whole world knows about it.
For example: example.com/wp-login.php
So anyone who knows a site is built on WordPress can reach the admin URL by adding wp-login.php and start trying to get in.
It is a good idea to change the admin URL from wp-login.php to something else.
Comment Spam Protection – don't let your blog post comments fill up with spam and advertising.
Block suspicious requests – don't entertain malicious requests or script execution.
Implement Security HTTP Headers – protect from clickjacking, XSS attacks, etc. and secure your cookies by injecting the necessary parameters in HTTP response headers.
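Whichever plugin you choose, verify that the headers it promises actually reach the browser. As an added example (not code from the original post or from any plugin named here), the Python audit below checks a raw response header block for the clickjacking, XSS and secure-cookie headers this section calls for; both response samples are constructed, not captured from a real site.

```python
"""Audit a raw HTTP response header block for the hardening headers above."""
from email.parser import Parser  # stdlib header parser; handles repeated Set-Cookie

# Header -> (risk it addresses, check that the value is actually useful)
REQUIRED = {
    "X-Frame-Options": ("clickjacking", lambda v: v.upper() in ("DENY", "SAMEORIGIN")),
    "Content-Security-Policy": ("XSS", lambda v: "default-src" in v or "script-src" in v),
    "Strict-Transport-Security": ("plain-HTTP downgrade", lambda v: "max-age=" in v),
    "X-Content-Type-Options": ("MIME sniffing", lambda v: v.lower() == "nosniff"),
}

def parse_response(raw: str):
    """Split a raw response into (status line, parsed header Message)."""
    status, _, rest = raw.partition("\r\n")
    return status, Parser().parsestr(rest, headersonly=True)

def audit_headers(raw: str) -> list:
    """Return a list of findings; an empty list means the response passes."""
    _, headers = parse_response(raw)
    findings = []
    for name, (risk, is_ok) in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name} ({risk})")
        elif not is_ok(value):
            findings.append(f"weak {name}: {value!r}")
    # Every cookie WordPress sets should carry Secure and HttpOnly.
    for cookie in headers.get_all("Set-Cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags or "httponly" not in flags:
            findings.append(f"cookie {cookie_name} lacks Secure/HttpOnly")
    return findings

# Constructed sample: what a stock install typically sends (no security headers).
DEFAULT_WP = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
              "Content-Type: text/html; charset=UTF-8\r\n"
              "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n\r\n")

# Constructed sample: the same response after a security plugin injects headers.
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            "Content-Type: text/html; charset=UTF-8\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n"
            "Content-Security-Policy: default-src 'self'\r\n"
            "Strict-Transport-Security: max-age=31536000\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_WP), ("hardened", HARDENED)):
        print(label, audit_headers(raw) or "OK")
```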
Let's take a look at the top four plugins.
Wordfence is loved by over a million websites and has tons of features, including the following.
- WordPress Firewall
- Blocking Features
- Login Security
- Security Scanning
- IPv6 Compatible
All In One WP Security & Firewall
The All-in-One security plugin is developed by Tips & Tricks HQ and actively installed on more than 400,000 websites. Some of the popular features/protections are:
- Comment SPAM protection
- Security scanner
- Brute force attack protection
- File system/database security
- User account/login security
The iThemes Security plugin, previously known as Better WP Security, helps you protect your website from more than 30 types of attacks.
Better WP Security is available for FREE with most of the common features/security; however, if you need more, then you may try the pro version.
Shield, a.k.a. WordPress Simple Firewall, is simply awesome and gives you almost everything you need for FREE.
I use this plugin currently and love the dashboard and comprehensive features. Worth giving a try.
4. Use Cloud-based Security
Security/firewall by a WordPress plugin is good, but it still lives within WordPress, so protection only starts when the request reaches WordPress.
If you are looking for additional protection, then you must consider cloud-based security. Security from the cloud protects you and blocks attackers at the edge of the network, before they reach your server.
Most cloud-based security providers also offer a CDN (Content Delivery Network) to make your website load faster.
Some of the popular CDN & security providers are:
Incapsula by Imperva offers CDN & security for all types of websites, from blogs to enterprise-level applications.
Incapsula has a FREE plan to get you started and offers the following features.
- Bad bot/SPAM protection
- IPV6 compatible
- DDoS/SQLi/XSS/Backdoor protection
- Content compression/minification
- Image optimization
- SSL support
- And much more…
They offer a trial of the higher tiers, so go ahead if you are serious about website protection.
The list won't be complete without including CloudFlare, one of the most popular CDN & security providers for making your website secure and speedy.
Take a look at the plan details for a feature comparison.
Some of CloudFlare's features worth mentioning:
- Global CDN
- FREE SSL Certificate
- HTTP/2, WebSockets, IPv6 support
- DNSSEC, cache purge, custom rules
- Comment spam, content scraping, OWASP WAF, DDoS protection
StackPath recently bought MaxCDN and provides a secure CDN and WAF. StackPath doesn't have a FREE plan; pricing starts from $20 per month.
Some of StackPath's features are:
- Two-step authentication
- Origin Shield
- OWASP top 10 vulnerability protection/WAF
- DDoS protection against SYN/UDP/volumetric attacks
- Hotlink protection
- Real-time analytics
5. Patching/Keep up-to-date
SUCURI says 55% of infected websites had an out-of-date WordPress.
Having an old version of WordPress, a plugin or a theme may leave you vulnerable, and as a best practice, you must keep an eye on vulnerable plugins and patch them on priority.
You may subscribe to the WPScan Vulnerability Database for email alerts, so you know if the plugins, WordPress version or theme you use are vulnerable.
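An alert is only useful if you can tell whether the version you actually run is below the fixed one. As an added example (not the WPScan tool or its feed, whose format is not assumed here), the Python below reads the Version field from plugin file headers and compares it numerically against an advisory list; the plugin files and the advisory list are constructed.

```python
"""Flag installed WordPress plugins still below the version that fixed a known issue."""
import re

# Shaped like the pattern WordPress uses for plugin file headers: the field name
# may be preceded by comment characters such as ' * ' inside a /** ... */ block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def read_plugin_header(source: str) -> dict:
    """Extract Plugin Name and Version from a plugin's main PHP file."""
    return {field: value for field, value in HEADER_RE.findall(source)}

def version_key(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10), so 1.2.10 sorts after 1.2.9 (a string compare gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def outdated_plugins(plugins: dict, advisories: dict) -> list:
    """plugins: {slug: php_source}; advisories: {slug: first fixed version}.
    Returns [(slug, installed, fixed_in)] for every plugin on a vulnerable version."""
    hits = []
    for slug, source in plugins.items():
        header = read_plugin_header(source)
        if slug in advisories and "Version" in header:
            installed, fixed = header["Version"], advisories[slug]
            if version_key(installed) < version_key(fixed):
                hits.append((slug, installed, fixed))
    return hits

# Constructed plugin files: only the header comment matters for this check.
PLUGINS = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.2.9\n*/\n",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 3.0.1\n */\n",
    "example-seo": "<?php\n/*\nPlugin Name: Example SEO\nVersion: 2.4\n*/\n",
}
# Constructed advisory list (hypothetical slugs): slug -> first version with the fix.
ADVISORIES = {"example-gallery": "1.2.10", "example-forms": "3.0.1", "example-seo": "2.5"}

if __name__ == "__main__":
    for slug, installed, fixed in outdated_plugins(PLUGINS, ADVISORIES):
        print(f"{slug}: installed {installed}, update to {fixed} or later")
```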
It's not hardening, but I think it's worth mentioning the hosting provider. Choose a well-known, quality hosting provider to host your website. Some of the popular hosts you may consider:
- Google Cloud Platform
Hosting your website on a quality provider not only makes your website faster but also gives you support when you need help. Many things can go wrong, so expert support is key when you choose web hosting.
Thank you Chandan Kumar from geekflare.com