Need for securing your website
Out of approximately 2 billion websites that exist today, 30% of the top 10 million sites are powered by WordPress, according to a survey by W3Techs (https://smallbiztrends.com/2018/03/wordpress-powers-30-percent-of-websites.html).
If you are a business in the 21st century, chances are you have a WordPress website.
It is your responsibility to look after it, just like your physical store building. Therefore, you are in charge of keeping it safe and protected from theft and other unfortunate incidents.
Business websites hold sensitive information belonging to both the organization and its customers. User accounts and passwords, payment transactions on e-commerce sites and similar activity all generate important data stored on the organization’s network, which, if compromised, can harm the company and its customers. If this information falls into the wrong hands, the website owners stand to face legal repercussions, not to mention the loss of credibility and business.
Simply put, better to be safe than sorry.
Understanding the risks to your website
Security risks exist on 2 fronts – the network and the website.
The network is directly accessible to the organization and its employees, so it is susceptible to internal threats such as misuse of organizational privileges by personnel to gain unauthorized access to data.
Think of your website like a window into your company’s information network, which allows the outside world to look in on your business. This is where the threats get out of your direct control. You can exert some degree of control over what data you share voluntarily by setting up the right security parameters – like assigning bouncers at a club.
The Essentials of WordPress Website Security
1. Regulating User Activity
a) Use e-mail to log in
By default, WordPress accepts your username at login. It is a much more secure approach to use an email address to log in because:
- Every WordPress user account is associated with a unique email id
- User names can be predicted much more easily than email ids.
Various security plug-ins are available that let you set up login pages so that users must use their email address to log in.
b) Set conditions for strong passwords –
8% of hacked WordPress sites were hacked because they had a weak password. (https://wpsmackdown.com/wordpress-hack-statistics-2013/ )
For example: the password must be at least 8 characters long and must contain lower- and upper-case letters, digits and special characters. Such rules produce passwords that cannot easily be cracked by guessing, dictionary attacks, brute force or any other common password-cracking technique.
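As an added example (not code from the article or any plugin), here is a server-side check for exactly the rules listed above: minimum length 8, lower case, upper case, a digit and a special character, plus a short constructed list of common passwords. The policy function is plain PHP and the file runs stand-alone from the command line; the two hooks at the bottom (user_profile_update_errors and validate_password_reset, both WordPress core hooks) are an assumed integration point that only activates inside WordPress.

```php
<?php
// Added example, not the article's or any plugin's code: a password policy
// enforced on the server. Returns a list of problems; an empty list means the
// password passes.

function wpsec_password_policy_errors(string $password): array
{
    $errors = [];
    if (strlen($password) < 8) {
        $errors[] = 'must be at least 8 characters long';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $errors[] = 'must contain a lower-case letter';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $errors[] = 'must contain an upper-case letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $errors[] = 'must contain a digit';
    }
    if (!preg_match('/[^a-zA-Z0-9]/', $password)) {
        $errors[] = 'must contain a special character';
    }
    // Constructed short list; in production compare against a breached-password list.
    $common = ['password', 'password1', 'qwerty123', 'admin123', 'welcome1'];
    if (in_array(strtolower($password), $common, true)) {
        $errors[] = 'is a commonly used password';
    }
    return $errors;
}

// Assumed integration: only wired up when this file is loaded inside WordPress.
if (function_exists('add_action')) {
    // Fires when a user is created or edited in wp-admin; $user->user_pass holds
    // the new password when one was entered on the form.
    add_action('user_profile_update_errors', function ($errors, $update, $user) {
        if (empty($user->user_pass)) {
            return; // this submission did not change the password
        }
        foreach (wpsec_password_policy_errors($user->user_pass) as $problem) {
            $errors->add('weak_password', 'Password ' . $problem . '.');
        }
    }, 10, 3);

    // Fires on the "set new password" screen; the candidate arrives as $_POST['pass1'].
    add_action('validate_password_reset', function ($errors, $user) {
        if (!isset($_POST['pass1'])) {
            return;
        }
        foreach (wpsec_password_policy_errors((string) $_POST['pass1']) as $problem) {
            $errors->add('weak_password', 'Password ' . $problem . '.');
        }
    }, 10, 2);
}

// Stand-alone demonstration: php password-policy.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    foreach (['Summer2023', 'Tr0ub4dor&3', 'password'] as $candidate) {
        $problems = wpsec_password_policy_errors($candidate);
        printf("%-14s %s\n", $candidate, $problems ? implode('; ', $problems) : 'OK');
    }
}
```

WordPress’s built-in strength meter runs in the browser and lets the user tick a box to keep a weak password anyway, so a server-side check like this is what actually enforces the policy.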
c) Integrate 2 Factor Authentication (2FA)
Adding a 2FA module to login pages makes for good security because it makes doubly sure that the user is who they claim to be. The user needs to provide the login details for 2 separate components chosen by the website owner. It can be a combination of any 2 fields, such as account password and security question, or a human Captcha code and Google Authenticator, which authenticates the user via a registered mobile device at the time of authentication.
WordPress provides plug-ins for adding these authentication factors to login pages.
d) Limit login attempts
Too many consecutive failed attempts at login could be a sign of a brute force attack. Thus a website lockdown mechanism can be a good way to guard against such a hacking attempt, especially if it is an elaborate effort from multiple systems across the globe.
Login attempts for an account must be blocked for a set time after a fixed number of failed attempts. Users that show such activity repeatedly should also be banned from the site to safeguard against future attacks.
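The lockout described above, as an added example that is neither the article’s nor any plugin’s code: after 5 failures from one address within 15 minutes, further login attempts from that address are refused for 30 minutes. The counting logic is plain PHP over a tiny key/value store so the file runs stand-alone; the WordPress wiring at the end uses core’s wp_login_failed, authenticate and wp_login hooks and transients. The thresholds, key names and the 203.0.113.7 sample address are my assumptions.

```php
<?php
// Added example, not the article's or any plugin's code: lockout after repeated failed logins.

const WPSEC_MAX_FAILURES    = 5;     // failures allowed inside the window
const WPSEC_WINDOW_SECONDS  = 900;   // 15-minute counting window
const WPSEC_LOCKOUT_SECONDS = 1800;  // 30-minute block once the threshold is hit

// Minimal key/value store with expiry; get() returns null when absent or expired.
interface WpsecStore
{
    public function get(string $key);
    public function set(string $key, $value, int $ttl): void;
    public function delete(string $key): void;
}

// In-memory store with a fake clock, used for the stand-alone run below.
final class WpsecMemoryStore implements WpsecStore
{
    private array $data = [];
    private int $now = 0;
    public function tick(int $seconds): void { $this->now += $seconds; }
    public function get(string $key)
    {
        if (!isset($this->data[$key]) || $this->data[$key][1] <= $this->now) {
            return null;
        }
        return $this->data[$key][0];
    }
    public function set(string $key, $value, int $ttl): void { $this->data[$key] = [$value, $this->now + $ttl]; }
    public function delete(string $key): void { unset($this->data[$key]); }
}

// Count one failure for $ip and start a lockout when the threshold is reached.
function wpsec_record_failure(WpsecStore $store, string $ip): int
{
    $key = 'wpsec_fail_' . md5($ip);
    $count = ((int) $store->get($key)) + 1;
    $store->set($key, $count, WPSEC_WINDOW_SECONDS);
    if ($count >= WPSEC_MAX_FAILURES) {
        $store->set('wpsec_lock_' . md5($ip), 1, WPSEC_LOCKOUT_SECONDS);
    }
    return $count;
}

function wpsec_is_locked(WpsecStore $store, string $ip): bool
{
    return $store->get('wpsec_lock_' . md5($ip)) !== null;
}

// A successful login clears the failure counter (an active lockout still runs out on its own).
function wpsec_clear_failures(WpsecStore $store, string $ip): void
{
    $store->delete('wpsec_fail_' . md5($ip));
}

// Assumed integration: only wired up when loaded inside WordPress (e.g. as an mu-plugin).
if (function_exists('add_action')) {
    // Transient-backed store: persists across requests, uses the object cache when configured.
    $wpsecStore = new class implements WpsecStore {
        public function get(string $key) { $v = get_transient($key); return $v === false ? null : $v; }
        public function set(string $key, $value, int $ttl): void { set_transient($key, $value, $ttl); }
        public function delete(string $key): void { delete_transient($key); }
    };
    // Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; have that layer
    // place the real client address there instead of trusting X-Forwarded-For from the request.
    $wpsecIp = fn(): string => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

    add_action('wp_login_failed', function ($username) use ($wpsecStore, $wpsecIp) {
        wpsec_record_failure($wpsecStore, $wpsecIp());
    });
    // Priority 30 runs after WordPress's own credential checks (priority 20) and
    // replaces their result with an error while the address is locked out.
    add_filter('authenticate', function ($user) use ($wpsecStore, $wpsecIp) {
        if (wpsec_is_locked($wpsecStore, $wpsecIp())) {
            return new WP_Error('too_many_attempts', 'Too many failed login attempts. Please try again later.');
        }
        return $user;
    }, 30);
    add_action('wp_login', function ($login) use ($wpsecStore, $wpsecIp) {
        wpsec_clear_failures($wpsecStore, $wpsecIp());
    });
}

// Stand-alone demonstration: php lockout.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $store = new WpsecMemoryStore();
    $ip = '203.0.113.7';   // constructed address from the documentation range
    for ($i = 0; $i < WPSEC_MAX_FAILURES; $i++) {
        wpsec_record_failure($store, $ip);
    }
    printf("locked after %d failures: %s\n", WPSEC_MAX_FAILURES, wpsec_is_locked($store, $ip) ? 'yes' : 'no');
    $store->tick(WPSEC_LOCKOUT_SECONDS);
    printf("locked %d s later: %s\n", WPSEC_LOCKOUT_SECONDS, wpsec_is_locked($store, $ip) ? 'yes' : 'no');
}
```

The lockout is keyed on the source address on purpose: locking the account instead would let anyone lock your real administrator out by failing on purpose. As the text notes, an attempt spread across many machines defeats a per-address counter, which is where the firewall or hosting-level rate limiting from point p) complements it.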
e) Automatically log out idle users
Users that log in and leave the web page open and idle on their system pose a threat to your site. If the user’s machine is unsecured, anyone with access to it may alter the user’s account credentials or the website’s content. So, to protect both the user’s data and the website, it is prudent to log out idle users and close the current session.
WordPress offers several plugins to implement this measure. One such plug-in is Inactive Logout, with 4000+ active installations. Find it on this link.
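As an added example (mine, not the article’s or the Inactive Logout plugin’s code), the idle logout described above implemented with WordPress core hooks: the last request time is stored per user, a request arriving more than 30 minutes after it ends the session, and the login cookie lifetime is shortened as well. The 30-minute limit, the wpsec_last_seen meta key and the cookie lifetimes are my assumptions; the file also runs stand-alone to exercise the idle rule.

```php
<?php
// Added example, not the article's or any plugin's code: end idle sessions.

const WPSEC_IDLE_LIMIT = 30 * 60;   // seconds without a request before the session ends

// Pure rule, so it can be exercised without WordPress. $lastSeen of 0 means
// "no activity recorded yet" and is treated as active, not idle.
function wpsec_session_is_idle(int $lastSeen, int $now, int $limit = WPSEC_IDLE_LIMIT): bool
{
    return $lastSeen > 0 && ($now - $lastSeen) > $limit;
}

// Assumed integration: only wired up when loaded inside WordPress (e.g. as an mu-plugin).
if (function_exists('add_action')) {
    // Login cookies default to 2 days (14 with "Remember Me"); shorten both so a
    // stolen cookie stays useful for hours rather than days.
    add_filter('auth_cookie_expiration', function ($seconds, $userId, $remember) {
        return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
    }, 10, 3);

    // Reset the clock at login so a returning user is not logged out immediately
    // because of an old last-seen value.
    add_action('wp_login', function ($login, $user) {
        update_user_meta($user->ID, 'wpsec_last_seen', time());
    }, 10, 2);

    add_action('init', function () {
        if (!is_user_logged_in()) {
            return;
        }
        $uid  = get_current_user_id();
        $now  = time();
        $last = (int) get_user_meta($uid, 'wpsec_last_seen', true);
        if (wpsec_session_is_idle($last, $now)) {
            wp_logout();                       // destroys the session token and clears the cookie
            wp_safe_redirect(wp_login_url());  // send the browser back to the login form
            exit;
        }
        // Caveat: activity is tracked per user, not per session token, so a user active on
        // one device keeps an idle session on another alive. One small meta write per request;
        // on very busy sites throttle this to once a minute.
        update_user_meta($uid, 'wpsec_last_seen', $now);
    });
}

// Stand-alone demonstration: php idle-logout.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $now = 1700000000;   // constructed "current" timestamp
    foreach ([$now - 60, $now - 3600, 0] as $last) {
        printf("last seen %d -> idle: %s\n", $last, wpsec_session_is_idle($last, $now) ? 'yes' : 'no');
    }
}
```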
f) Re-authenticate dormant user accounts
It is possible that user accounts that have not been accessed for a long time are dummy or duplicate accounts, most likely created for unscrupulous reasons, such as spam. It is best to re-authenticate such accounts if there is a login attempt in the future. Websites that have existed for a long time tend to collect many dead accounts over the years, which take up server space unnecessarily; it may be beneficial to delete such accounts completely.
WordPress offers some solutions to this in the form of plug-ins – like the Inactive User Deleter.
Find it here. https://wordpress.org/plugins/inactive-user-deleter/
g) Maintain activity logs
Dashboard activity logs for users are a good idea when your site has multiple users logged on simultaneously. With heavy traffic, even a single misstep can cause a breakdown. Logs help you retrace activities, both the users’ and your own, to identify the breaking point.
WordPress offers plug-ins for monitoring your site activity. A popular one is Activity Log with 100,000+ active installations. https://wordpress.org/plugins/aryo-activity-log/
h) Open a single session for a single user
It can be a good idea to employ a single user session to ensure that access is limited and from a single source. Allowing multiple instances to have simultaneous access for a single user makes it hard to differentiate between authorized and unauthorized activity.
WP Bouncer is a WordPress plug-in that restricts the number of simultaneous logins for your site users, in an attempt to deter people from sharing their site credentials. You can find it here. https://wordpress.org/plugins/wp-bouncer/
WP Session Manager is another great plug-in with over 6000 active installations to monitor user session data and deal with database load balancing.
2. Good Website Administration Practices
i) Disable XML-RPC and PHP error reports
XML-RPC is a simple and portable way to make Remote Procedure Calls (RPC) via HTTP and is enabled in WordPress on a default setting. It is a powerful utility, which can aid hackers’ brute force attempts – for example, using the system.multicall function, the hacker can try out thousands of password attempts with as few as 20-50 requests.
Disabling the XML-RPC feature can be done by the .htaccess file method, or by using an appropriate firewall that takes care of it.
PHP error reports generated by faulty themes or site plug-ins are definitely handy for troubleshooting, but the problem is that they disclose your site’s most sensitive information, such as the server path of the faulty file, thereby revealing site internals to any visitor. You can see why disabling these reports is a good idea.
To disable PHP error reporting, you can add a small piece of code to your wp-config.php file.
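The XML-RPC part of this point, as an added example that is not the article’s or any plugin’s code: a must-use plugin (a file placed in wp-content/mu-plugins/, which loads on every request without activation) that turns the endpoint off with the core xmlrpc_enabled filter, removes system.multicall and the pingback methods as defence in depth, and stops advertising the endpoint in the X-Pingback header. The filter names are WordPress core’s; the file layout is mine.

```php
<?php
/*
Plugin Name: XML-RPC hardening (added example, not the article's or any plugin's code)
*/

// 1. Turn XML-RPC off. Returning false makes every method that needs credentials
//    refuse to log in, so credential guessing through the endpoint stops working.
//    Methods that take no credentials (pingback.ping, for example) are not covered
//    by this filter, which is why step 2 exists.
add_filter('xmlrpc_enabled', '__return_false');

// 2. Defence in depth, in case another plugin re-enables XML-RPC: remove
//    system.multicall, which packs many method calls (and so many password guesses)
//    into a single HTTP request, and the pingback methods, which a site that does not
//    use pingbacks has no reason to expose.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
});

// 3. Stop advertising the endpoint: WordPress sends an X-Pingback header that
//    points straight at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

The .htaccess method mentioned in the text (a web-server rule denying access to xmlrpc.php) stops such requests before PHP runs at all and is cheaper under load; the filters above are the portable fallback that still applies wherever the file remains reachable. To verify, fetch a page and confirm the X-Pingback header is gone, and check that an authenticated XML-RPC call now returns the "XML-RPC services are disabled on this site" fault.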
j) Protect the core
The wp-admin directory is the core of your entire WordPress website – it powers all the admin activity on your site, and contains all administrator related information. It performs important functions like enabling connection to the database, displaying WordPress dashboard, authenticating a user as admin, to name a few.
Thus the loss of this folder means losing your whole website.
Protect the wp-admin folder with a strong password. Log in to the WordPress hosting cPanel dashboard and click on “Password Protect Directories”.
k) Change default parameter names
- Rename the Login URL
By default, the login page can be accessed directly through the wp-login.php file, or by adding wp-admin to the site’s main URL. Renaming these to something unique means hackers cannot simply guess their way into your website. Furthermore, protect your login page with 2 Factor Authentication. Also, check which IPs have the highest number of failed login attempts and block them promptly.
- Change the default username “admin”
The default username for the admin account, as set by WordPress, is “admin”. Since this is common knowledge, it is any hacker’s first guess for your site’s most important login credentials. Although newer versions of WordPress now require you to choose your own username at installation time, it is not advisable to set it to any similar value either: a username like “admin”, “myAdmin” or “newUserAdmin” makes it easy for anyone trying to guess their way past your security.
- Change the default database prefix “wp_“
WordPress uses PHP to access the database. All site content, such as pages, posts and comments, is stored in the WordPress database. You can change the database table prefix during WordPress installation; this setting is stored in the wp-config.php file.
As a general rule, it is good practice to change all default access values and credentials to unique strings known only to those who need to know, so that no third party can take a blind guess and easily figure them out.
l) Set a strong password for admin side
Again, the importance of a strong password cannot be stressed enough. Protect your admin-side files and directories with a strong password to prevent hackers from guessing the credentials. Use a combination of alphanumeric and special characters to create a password that cannot be guessed by a dictionary attack.
m) Secure, Reliable Themes and Plug-ins
According to statistics, 22% of all successful WordPress hacks were executed via security issues in the plug-ins that were being used on the site. 29% of hacks were successful due to unsecured themes used on the site. (https://wpsmackdown.com/wordpress-hack-statistics-2013/)
The official https://wordpress.org/ site offers many free and paid themes and plug-ins that are safe to use.
Beware of nulled or cracked themes: several malicious third parties lure people in by illegally offering paid themes and plug-ins for free. These often come with hidden malware, viruses or encrypted links, which pose major security threats for your website.
Lastly, use only the themes and plug-ins you absolutely cannot do without. Get rid of utilities that are no longer active on your site, and always keep the ones in use up to date. Generally, if a utility has a large number of active users and has been recently updated, chances are it is a safe bet.
Some good resources for finding themes are Theme Forest and Template Monster.
n) Secure your server connection
- SSL (Secure Socket Layer) is mandatory for any site that processes sensitive information, such as users’ credit card and bank details for online transactions. It ensures secure data transfer between the server and clients’ browsers, so that malicious access through a connection breach or credential spoofing becomes difficult. You can acquire an SSL certificate by purchasing one from a third-party provider, or ask your hosting company whether they provide one with their hosting packages. (https://www.siteground.com/codeinwp-special?afcode=b1d0f6820e046c19802d21f3b46eb61d&campaign=letsencrypt ) Google tends to rank sites with an SSL certificate higher than those without, so the added traffic volume is another advantage.
- Secure your server connection with SFTP and SSH key access. SFTP is a secure version of FTP which transfers data over SSH (Secure Shell). You can also use SSH keys to authenticate server access for the SFTP user instead of saving passwords in wp-config.php. Find out how here: (https://guides.codechewing.com/wordpress/enable-secure-plugin-updates-ssh-sftp )
o) Carefully track admin-level user accounts
Create users prudently, don’t give everyone access to everything!
For example, if you use your admin account to post to your site, the username is automatically shown on the page. Instead, use a separate Editor account with limited privileges that allow making posts but do not allow access to sensitive database features.
When adding any user on the admin side, make sure the privileges assigned to the account are granted strictly according to what that user needs. Keep only a few admin-level users so that direct access to your site data can be regulated effectively.
Keep track of admin level user activity through activity logs.
p) Enable Web Application Firewall (WAF)
One of the easiest ways to secure your website is to add a Web Application Firewall. A WAF adds multiple security features at the click of a button to protect against various known and unknown online security threats. A WAF can be implemented in 2 ways:
- A cloud-based security provider located outside the hosting infrastructure
- A hosted utility, usually a WordPress plug-in, which examines, protects or blocks requests after they reach the server.
Some popular WAF plugins for WordPress are available on the official website.
3. Regular Maintenance Activities
q) Monitor audit logs
When handling a WordPress multi-site, or a single website with multiple authors, it is essential to understand what kind of user activity is going on. Writers and contributors may change their account passwords or make other minor changes, but users with higher-level access can make important changes to widgets, themes and plug-ins. The site owner should ensure that no major changes are made without their approval. Audit logs help to keep track of all changes, major or minor.
A good plug-in for overall security of your WordPress site is All In One WP Security & Firewall, regularly updated with 700,000+ active installations.
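Points g) Maintain activity logs and q) Monitor audit logs both describe what the owner needs to see: who logged in, who changed a role, who activated a plug-in or switched a theme. As an added example (mine, not the article’s, Activity Log’s or All In One WP Security’s code), here is a minimal audit trail written as one JSON object per line by WordPress core hooks, plus a review pass that reads the log and flags the high-impact changes the owner did not make. The hook names are WordPress core’s; the log path, field names and the sample lines are constructed for this example.

```php
<?php
// Added example, not the article's or any plugin's code: audit log plus review pass.

// One JSON object per line: timestamp, who acted, what happened, event-specific fields.
function wpsec_audit_line(string $event, array $fields, int $actorId, int $ts): string
{
    return json_encode(['ts' => $ts, 'actor' => $actorId, 'event' => $event] + $fields, JSON_UNESCAPED_SLASHES);
}

// Flag administrator grants, and plugin/theme changes by anyone who is not an approved
// administrator. Malformed lines are skipped so one bad entry cannot hide the rest.
function wpsec_review_audit(array $lines, array $approvedAdmins): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || !isset($e['event'], $e['actor'])) {
            continue;
        }
        $approved = in_array((int) $e['actor'], $approvedAdmins, true);
        if ($e['event'] === 'set_user_role' && ($e['role'] ?? '') === 'administrator') {
            $flagged[] = sprintf('administrator role granted to user %s by user %s', $e['user'] ?? '?', $e['actor']);
        } elseif (in_array($e['event'], ['activated_plugin', 'switch_theme'], true) && !$approved) {
            $flagged[] = sprintf('%s by non-approved user %s: %s', $e['event'], $e['actor'], $e['plugin'] ?? $e['theme'] ?? '?');
        }
    }
    return $flagged;
}

// Assumed integration: only wired up when loaded inside WordPress (e.g. as an mu-plugin).
if (function_exists('add_action')) {
    // Assumed log location: one level above the web root, so it is never served over HTTP.
    $wpsecLog = dirname(ABSPATH) . '/wp-audit.log';
    $record = function (string $event, array $fields, ?int $actor = null) use ($wpsecLog): void {
        $line = wpsec_audit_line($event, $fields, $actor ?? get_current_user_id(), time());
        file_put_contents($wpsecLog, $line . "\n", FILE_APPEND | LOCK_EX);
    };
    // At wp_login time the current user is not set yet, so pass the actor explicitly.
    add_action('wp_login', fn($login, $user) => $record('login', ['user' => $user->ID, 'ip' => $_SERVER['REMOTE_ADDR'] ?? ''], $user->ID), 10, 2);
    add_action('set_user_role', fn($userId, $role, $old) => $record('set_user_role', ['user' => $userId, 'role' => $role, 'old' => $old]), 10, 3);
    add_action('activated_plugin', fn($plugin) => $record('activated_plugin', ['plugin' => $plugin]));
    add_action('deactivated_plugin', fn($plugin) => $record('deactivated_plugin', ['plugin' => $plugin]));
    add_action('switch_theme', fn($name) => $record('switch_theme', ['theme' => $name]));
}

// Stand-alone run over constructed lines; user 1 is the only approved administrator.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $sample = [
        wpsec_audit_line('login', ['user' => 7, 'ip' => '198.51.100.4'], 7, 1700000000),
        wpsec_audit_line('set_user_role', ['user' => 7, 'role' => 'administrator', 'old' => ['editor']], 7, 1700000060),
        wpsec_audit_line('activated_plugin', ['plugin' => 'example-uploader/example-uploader.php'], 7, 1700000120),
        wpsec_audit_line('switch_theme', ['theme' => 'Twenty Twenty-Four'], 1, 1700000180),
        'garbage line that is not JSON',
    ];
    foreach (wpsec_review_audit($sample, [1]) as $finding) {
        echo 'REVIEW: ', $finding, "\n";
    }
}
```

Run against the real log with `file($path, FILE_IGNORE_NEW_LINES)` in place of `$sample`. The sample run reports two findings (the self-granted administrator role and the plugin activation by user 7) and stays silent on the theme switch by the approved owner; keeping the log outside the web root and append-only is what makes it trustworthy after an incident.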
r) Regular backups
The importance of backing up your site data cannot be emphasized enough.
Regular backups of all site data must be made and stored as multiple copies on secure drives or cloud servers that can be accessed easily from anywhere when required. If the website is compromised, you always have an easy way to restore your site to its last known safe state. This prevents major losses due to losing important site data.
s) Keep your WordPress tools up to date
New WordPress core updates may include security fixes, bug fixes, speed and performance optimizations, new features, etc. WordPress releases regular updates every 5 months or so. Updating your WordPress gives you the best performance of the latest standards that are achievable with the technology. Consider automatic updates.
It is also imperative to keep your themes and plug-ins up to date for the same reasons. However, since these are third-party provisions, they are subject to the providers’ policies. Try and use themes and plug-ins that have regular updates, as that shows a degree of reliability for these third-party tools.
4. Secure Hosting
t) Choose a good, reliable hosting company
The WordPress hosting service plays a very important role in the security of your website. After all, the host machine has all your website data on it, so it is essential to ensure the trustworthiness of the hosting service provider.
Some features that you should expect from your host are e-mail account features, FTP access to your website on the live server, and WordPress support.
u) Disable directory listings (.htaccess and wp-config.php)
Completely disable directory browsing on the front-end of your site. This prevents visitors from viewing the contents of every individual folder of your website and thereby learning the site’s structure. https://www.wpsuperstars.net/how-to-disable-directory-browsing-wordpress/
v) Disallow file editing
If a user has admin access to your site’s dashboard, they can view and change any file that is part of your WordPress installation. If file editing is disallowed, no one can make file modifications through the dashboard, even with the admin account password.
To do this, add a simple line of code to your wp-config.php file at the very end.
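The wp-config.php settings behind several of the points above, gathered into one added example (mine, not the article’s code): i) keeping PHP errors out of the browser, k) a non-default table prefix, n) forcing SSL for the admin side, and v) disabling the file editor. WordPress documents these constants; the paths and prefix value shown are placeholders I chose. The usual placement is above the "That's all, stop editing!" comment, so the values are defined before wp-settings.php loads.

```php
<?php
// Added example, not the article's code: wp-config.php hardening fragment.
// Values are placeholders; adapt them to your installation.

// i) Never show PHP errors to visitors. WordPress only consults WP_DEBUG_LOG while
//    WP_DEBUG is true, so when you need to troubleshoot, flip WP_DEBUG on and the
//    errors go to the log file instead of the browser.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', '/var/log/wordpress/debug.log');   // assumed path: writable by PHP, never served by the web server
@ini_set('display_errors', '0');

// k) Non-default table prefix. This must match the prefix the tables were created
//    with; changing it on an existing site means renaming the tables too.
$table_prefix = 'k7x2_';   // example value; letters, digits and underscores only

// n) Send login and admin traffic only over HTTPS (requires a working certificate).
define('FORCE_SSL_ADMIN', true);

// v) Remove the theme and plugin file editors from the dashboard, so an attacker who
//    obtains an admin password cannot write PHP into a theme or plugin from the browser.
define('DISALLOW_FILE_EDIT', true);
// Stricter, optional: also block plugin/theme installs and updates through the dashboard
// (deploy them from version control or the command line instead).
// define('DISALLOW_FILE_MODS', true);
```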
w) Carefully set directory permissions
Monitor sensitive files like .htaccess, wp-config.php, and set appropriate permission values for all files and directories.
Here are some recommendations by WordPress on setting permission values for files and directories.
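The WordPress hardening recommendations referred to above are, in summary, directories 755 and files 644, with wp-config.php tightened further (600, or 440/400 where the server allows it). As an added example (mine, not WordPress’s or the article’s code), here is a command-line script that audits an installation against that baseline and reports deviations without changing anything; the script name, the check function and the constructed test cases are my own.

```php
<?php
// Added example, not the article's or WordPress's code: report permission bits that are
// looser than the common WordPress baseline. It only reports; fixing is a deliberate step.
// Baseline assumed here: directories 755, files 644, wp-config.php not readable by "others".

function wpsec_perm_problems(string $path, int $mode, bool $isDir): array
{
    $perm = $mode & 0777;                   // drop the file-type bits stat() mixes in
    $problems = [];
    if ($perm & 0002) {
        $problems[] = 'world-writable';     // any local account can modify it
    }
    if (!$isDir && ($perm & 0111)) {
        $problems[] = 'executable bit set'; // PHP and static files never need it
    }
    if (basename($path) === 'wp-config.php') {
        if ($perm & 0007) {
            $problems[] = 'wp-config.php readable by others (expected 600 or 440)';
        }
        return $problems;
    }
    $allowed = $isDir ? [0755, 0750] : [0644, 0640, 0444];
    if (!in_array($perm, $allowed, true)) {
        $problems[] = sprintf('mode %o (expected %s)', $perm, $isDir ? '755' : '644');
    }
    return $problems;
}

// Walk an installation and collect problems keyed by path.
function wpsec_audit_tree(string $root): array
{
    $report = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $problems = wpsec_perm_problems($path, $info->getPerms(), $info->isDir());
        if ($problems) {
            $report[$path] = $problems;
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    // Constructed cases first, so the rules can be read without a real tree.
    $cases = [
        ['wp-config.php',      0644, false],
        ['wp-content/uploads', 0777, true],
        ['index.php',          0644, false],
        ['wp-content/plugins', 0755, true],
    ];
    foreach ($cases as [$path, $mode, $isDir]) {
        printf("%-20s %s\n", $path, implode(', ', wpsec_perm_problems($path, $mode, $isDir)) ?: 'ok');
    }
    // Then a real installation when a path is given: php perm-audit.php /var/www/html
    if (isset($argv[1])) {
        foreach (wpsec_audit_tree($argv[1]) as $path => $problems) {
            echo $path, ': ', implode(', ', $problems), "\n";
        }
    }
}
```

The right baseline depends on which system user PHP runs as: when PHP runs as the file owner (PHP-FPM pools, suPHP), 755/644 is correct; on a shared web-server user, the uploads directory may need group write and wp-config.php is typically 640 with its group set to the web server. Read the report with that in mind rather than applying chmod blindly.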
x) Hotlinking is not hot
Hotlinking is the practice of linking directly to files hosted on another website, so that the content is served by the original site’s server.
In effect, another person takes your content and steals your server bandwidth to display it on their own website. This can slow down your own website, since server resources are diverted to serve requests coming from the other site.
You can find various security plug-ins that can help you guard against hotlinking.
All In One WP Security https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Firewall plugin https://wordpress.org/plugins/wp-simple-firewall/
Contact us if you are still facing any security issues with your WordPress site.