
8 WordPress Security Essentials for Beginners

So you’ve decided to build your site on WordPress. Congratulations! Whether this is your first or fifteenth WordPress website, you may not yet have spent much time tightening down its security. Below we go over the essentials you should put in place on any WordPress site. As the saying goes, an ounce of prevention today is worth a pound of cure!

Why bother with securing your website?

The answer should be clear as day, but in case you’ve never thought about it: you don’t want to leave your website open for anyone to do what they wish with it. A typical attacker is less interested in you than in your audience and your server’s reputation. That usually means injecting hidden links or files into your pages (invisible to a normal visitor), redirecting visitors to malicious sites, hosting phishing pages or malware on your server, or sending spam from it. Having a website hacked can be devastating: you can lose a lot of hard work, and on top of that you may be blacklisted by Google, Bing, Facebook and Twitter, and even by the malware filters built into popular routers. It is a mess that is hard to get out of, so preventing it is far cheaper than the cleanup.

Let’s get started!

1. Pick a Good, Secure Host

This is #1 on the list because the security your host has in place is your first line of defense. If your host does not block malicious scripts from running, or does nothing about people hammering your pages constantly, it is going to be much harder to ward off attackers.

Hosts like GoDaddy, HostGator, and other EIG hosts are not particularly known for their security. In fact, we’ve had sites hosted on GoDaddy that didn’t even have files facing the public but they still managed to get hacked. Sites like GoDaddy would much rather try to sell you some sort of security plan (that doesn’t do much at all, considering the people who owned the site had the plan and still had non-accessible files hacked!) than prevent hacks from occurring.

Most hosts do care, however, because one hacked site can affect everyone on the same server. Do a little research on a host before you sign up and ask questions like: do you offer brute-force protection? Do you rate-limit requests? How do you handle bots, crawlers and spiders? Are customer accounts isolated from one another on shared servers? In the event of a hack, what do you provide to help people recover?

2. Put a Firewall in the Way

A good way to filter malicious traffic is to put a firewall between your site and the rest of the world. CloudFlare is one such service. It stands between your host (where your files live) and the visitors requesting them, acting as a reverse proxy and DNS provider. That position lets it offer a litany of security features, such as rate limiting, blocking, allow-listing by IP or country, challenge pages for suspicious visitors and a web application firewall, that help you thwart attacks before they ever reach your server.

CloudFlare has a free plan (check the current terms for how many sites it covers; some preferred hosting partners bundle it with their plans). It also caches your static files at its edge, saving your bandwidth and your visitors’ precious load time. And it is good for people who cannot get an SSL certificate from their host without paying a lot, because CloudFlare issues certificates for free. One caveat: its “Flexible” SSL mode only encrypts the visitor-to-CloudFlare leg and still fetches your pages from your server over plain HTTP, so install a certificate on your origin (CloudFlare’s free Origin CA certificate works for this) and set the SSL mode to “Full (strict)”.

The main pitfall is that it introduces another point of failure: if CloudFlare goes offline, your website does too. Still, CloudFlare is very sturdy and has a very high uptime, so it is OK to rely on it. Remember, though, that it only protects traffic that actually goes through it. If your server’s real IP address is discoverable (old DNS records, mail headers, a subdomain pointing straight at it), an attacker can bypass CloudFlare entirely by connecting to that address, so configure your server or host firewall to accept web traffic only from CloudFlare’s published IP ranges.

[Screenshot: Cloudflare dashboard reporting 124 malicious requests blocked or challenged in the last month]

3. Install Security

Your WordPress site needs its own security, too. A security plugin can help you detect when attacks are happening, when files are modified, or even if one of your users goes rogue. Here are some of our favorite and most useful free security plugins. Keep in mind not all of these will play nice with one another, so please be careful if you’re trying to use more than one security plugin.

  • Sucuri – This plugin, from the security firm Sucuri, lets you monitor changes to your files and where people log in from, and scan for malicious or suspicious files. It also gives you clear-cut suggestions for improving your security and lets you “harden” the installation with the click of a button.
  • BulletProof Security – This plugin adds a lot of extra protection. Chock full of features including a malware scanner, BPS comes fully loaded to help you prevent attacks on your site and let you know if any are happening.
  • Wordfence – When all else fails, bring in Wordfence! A robust security plugin that gives you a lot of control, including rate limiting and bot limiting, without having to hand-edit your .htaccess file. Wordfence also has password checks you can enable to make sure your users are not using common or easily cracked passwords, locks out addresses after a set number of failed attempts, and more.

4. Change your WP-Admin Login Area

By default, WordPress lets you log in to your back end at /wp-login.php (and /wp-admin/, which redirects there). Everyone knows this, so attackers and their scripts hit that page on every WordPress site they find and run brute-force attacks to guess your password. Note that the login form is not the only way in: /xmlrpc.php also accepts a username and password, and its system.multicall method lets a single request test hundreds of guesses, so disable or block it unless something you use, such as Jetpack or the WordPress mobile app, needs it. Usernames themselves are easy to discover, for example from author archive pages or the REST endpoint /wp-json/wp/v2/users, so moving the login page buys you less than strong, unique passwords and two-factor authentication do.

There are many plugins out there that can easily help you move your login area, such as Hide My WP. You can also do this, with a little know-how, without any plugin at all.

5. Restrict Access to your WP-Admin Login Area

Even if you hide your WordPress login area, attackers’ scripts may still sniff out where your new login page lives. Cutting off access to the page itself is a stronger way to thwart brute-force attacks. One method is to allow only trusted IP addresses to reach wp-login.php and /wp-admin/ in your .htaccess file (this assumes Apache with mod_rewrite; nginx users need the equivalent allow/deny directives). You can add a rule like this:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login form and anything under /wp-admin/ (with or without a trailing
# slash, and with the site in a subdirectory)...
RewriteCond %{REQUEST_URI} ^(.*/)?wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} ^(.*/)?wp-admin(/|$)
# ...but keep admin-ajax.php reachable: themes and plugins call it from public pages
RewriteCond %{REQUEST_URI} !^(.*/)?wp-admin/admin-ajax\.php$
# Placeholder addresses (RFC 5737 documentation ranges): replace with your own,
# one line per address, dots escaped, and the rule denies everyone else
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.25$
RewriteRule ^ - [F,L]
</IfModule>

The downside is that if you don’t have a static IP address, your address changes whenever your ISP reassigns it (often after a router reboot), and you will need FTP or file-manager access to edit the rule and let yourself back in. Two other caveats: admin-ajax.php must stay reachable because themes and plugins call it from public pages, so make sure the rule exempts it; and if your site sits behind CloudFlare or another proxy, REMOTE_ADDR holds the proxy’s address rather than the visitor’s, so the rule will lock everyone out (or nobody) until the server is configured to trust the proxy’s real-IP header (mod_remoteip with the CF-Connecting-IP header, in CloudFlare’s case).

6. Take Frequent Backups


Having backups is important, whether you’re trying out a new theme or plugin or just running your site as normal. A good backup you can fall back on means a hack or a broken update does not cost you your whole website. Use a solution such as UpdraftPlus to back up both the database and the files (wp-content holds your uploads, themes and plugins) and to send the copies off site to Google Drive, Dropbox, Amazon S3 or somewhere else: a backup that only lives on the hacked server can be deleted or altered along with everything else. Test a restore at least once so you know the backups actually work. Trust us, you’ll find this quite handy if an update breaks your site!

7. Don’t Go Overboard with Plugins & Choose Wisely

One of the biggest mistakes beginners make is reaching for a plugin for everything. Plugins are good for complex features and rich interfaces, but not for one-off, permanent changes. For example, once you move your site to SSL you don’t need a plugin to keep rewriting URLs: change the site address in Settings, then replace the old http:// URLs stored in the database with https:// ones (carefully, and after taking a backup!) so the change is permanent and not plugin-reliant. Use a tool that understands WordPress’s serialized data for this, such as wp search-replace in WP-CLI or the Better Search Replace plugin; a raw SQL REPLACE corrupts serialized options, and widget and theme settings come back empty.
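Why a raw find-and-replace is dangerous, and what a serialization-aware replacement does instead, in an added example that is not from the original article or from any tool named above. WordPress stores widget settings, theme options and much post metadata as PHP-serialized strings, and every string inside them carries its own byte length, so changing http:// to https:// with a plain SQL REPLACE leaves those lengths wrong and PHP’s unserialize() rejects the whole value. The two sample rows are constructed and example.com is a placeholder site.

```python
"""Replace a URL inside WordPress database values without corrupting PHP-serialized data.

Added example with constructed sample rows; the hypothetical site is example.com.
Handles the PHP types WordPress option data uses: N, b, i, d, s and a (serialized
objects are rare in options and are rejected rather than guessed at).
"""


def _unserialize(s, i=0):
    """Parse one PHP-serialized value starting at s[i]; return (value, index after it).

    Arrays come back as a list of (key, value) pairs so key order and key types survive.
    """
    t = s[i:i + 1]
    if t == b"N":                                     # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):                       # i:42;  b:1;  d:0.5;
        end = s.index(b";", i)
        raw = s[i + 2:end]
        if t == b"i":
            val = int(raw)
        elif t == b"b":
            val = raw == b"1"
        else:
            val = float(raw)
        return val, end + 1
    if t == b"s":                                     # s:<byte length>:"...";
        colon = s.index(b":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                             # skip :"
        val = s[start:start + length]
        if s[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match content at offset %d" % i)
        return val, start + length + 2
    if t == b"a":                                     # a:<count>:{key value key value ...}
        colon = s.index(b":", i + 2)
        count = int(s[i + 2:colon])
        j = colon + 2                                 # skip :{
        items = []
        for _ in range(count):
            key, j = _unserialize(s, j)
            val, j = _unserialize(s, j)
            items.append((key, val))
        if s[j:j + 1] != b"}":
            raise ValueError("unterminated array at offset %d" % i)
        return items, j + 1
    raise ValueError("unsupported or non-serialized data at offset %d" % i)


def _serialize(v):
    """Inverse of _unserialize, emitting PHP's exact format (lengths are byte counts)."""
    if v is None:
        return b"N;"
    if isinstance(v, bool):                           # must precede the int check
        return b"b:%d;" % v
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, float):
        return b"d:%s;" % repr(v).encode()
    if isinstance(v, bytes):
        return b's:%d:"%s";' % (len(v), v)
    return b"a:%d:{%s}" % (len(v), b"".join(_serialize(k) + _serialize(x) for k, x in v))


def _replace_walk(v, old, new):
    """Apply the replacement to every string (keys included) in a decoded value."""
    if isinstance(v, bytes):
        return v.replace(old, new)
    if isinstance(v, list):
        return [(_replace_walk(k, old, new), _replace_walk(x, old, new)) for k, x in v]
    return v


def is_valid_serialized(value):
    """True if value is a complete, well-formed PHP-serialized blob."""
    try:
        _, end = _unserialize(value)
        return end == len(value)
    except (ValueError, IndexError):
        return False


def safe_replace(value, old, new):
    """Replace old with new in one database value.

    Serialized values are decoded, edited and re-encoded so every byte length is
    recomputed; anything else is plain text, where a straight replace is safe.
    """
    if is_valid_serialized(value):
        data, _ = _unserialize(value)
        return _serialize(_replace_walk(data, old, new))
    return value.replace(old, new)


OLD, NEW = b"http://example.com", b"https://example.com"

# Constructed wp_options rows: a plain URL and a text-widget array as WordPress writes it.
SAMPLE_ROWS = {
    "siteurl": b"http://example.com",
    "widget_text": (
        b'a:2:{i:2;a:2:{s:5:"title";s:5:"Links";s:4:"text";'
        b's:36:"Visit http://example.com/about today";}s:12:"_multiwidget";i:1;}'
    ),
}

if __name__ == "__main__":
    for name, value in SAMPLE_ROWS.items():
        naive = value.replace(OLD, NEW)              # what a raw SQL REPLACE would produce
        print(name, "naive:", naive, "valid:", is_valid_serialized(naive))
        print(name, "safe: ", safe_replace(value, OLD, NEW))
```

Run it and compare the two widget_text lines: the naive version still says s:36 in front of a 37-byte string, which is exactly the breakage the serialization-aware tools avoid. Values are handled as bytes on purpose, because PHP counts bytes, not characters, and a multibyte character in a post title would otherwise throw the lengths off.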

Every plugin you add is a new potential attack surface (and plugins can slow down your site considerably!), so keep the number down, under 20 as a rule of thumb, and choose ones that have many active installs, a good rating in the WordPress repository, recent updates tested with the current WordPress version, and a reputable author. Delete, don’t just deactivate, plugins and themes you no longer use: their files stay on disk and can still be exploited.

8. Update, Update, Update

Set a reminder to check your website at least once a month for core, theme and plugin updates, and apply security releases as soon as they appear rather than waiting for the reminder. Most updates patch holes or close off potential areas of attack, and attackers start scanning for a newly disclosed plugin vulnerability within days of the fix being published. WordPress applies minor core releases (which carry the security fixes) automatically by default, so leave that enabled; you can turn on automatic updates for plugins and themes too, as long as you have backups in case an update breaks something.

Have any security suggestions? Let us know in the comments below!
