So WordPress now powers about 39% of all websites. Do you know what else all that popularity and ease of use buy? Yep, security breaches. As more and more businesses move to CMS platforms, cybersecurity is struggling to keep up.
Although security improvements are implemented day in and day out, third-party publishers are a whole other story.
According to PurpleSec, 25% of all WordPress plugins have been flagged as having critical security flaws. Malicious plugins like these could use your PC’s resources for crypto mining, slowing your computer to a halt.
Now, not all hope is lost. There are a few measures you can apply yourself to safeguard your site. These tips will not only secure your site but also make it work better.
Backup. Your. Site!
Every list you’ll ever see about security has to have a point about backups. Physical property is rigid in nature and can’t be duplicated, but digital data can be copied many times onto many devices.
When your site gets attacked, the firewall, malware tools, and a few other apps are your typical line of defense. They are effective in themselves, but how well they hold up depends on the severity of the hack.
A backup, on the other hand, ensures that whatever happens to your site data, you have a saved snapshot on a remote server that can restore it to its original condition.
But what if those servers are hacked and attacked too? That is why WordPress also offers the option to save the backup file(s) onto your own computer for safekeeping, or even onto an external drive if you’re that security conscious.
Keep it Up-to-date (including your plugins and themes)
WordPress came out with its 5.6 release last month, which includes improvements to full-site editing flows, bug fixes, and feature upgrades. These upgrades largely focus on the main codebase, which could be infested with foreign code.
Rewriting it resets anything that shouldn’t be there. Another great thing about updates is that they improve overall stability and performance and patch further security holes.
The thing with a lot of themes and plugins is that they aren’t officially made by WordPress, and hence carry bigger security threats and vulnerabilities, especially the free ones.
Here are a few indications that your plugin or theme is infected:
- You repeatedly get redirected to an unknown website, or get annoying pop-ups
- Your browser or antivirus software warns you of suspected malware
- Your screen turns all white, potentially locking you out of the site
- Your .htaccess file has been tampered with, so you’re redirected to Google or some other site
Most of these problems can be solved with the same security patches, but sometimes they aren’t. In that case you can use VirusTotal, a website that can analyze any suspicious URL or file, and for themes you can use the TAC (Theme Authenticity Checker) plugin.
Limit Login Attempts
Most hackers use a tool known as a decrypter that can generate an endless stream of word and number combinations. Once it nails down the right combination, you can bet it’ll access website data and then some.
The way a lot of websites combat this is by limiting the number of login attempts a user can make. Once a certain limit is reached, the website asks the user to try again after some time.
Legitimate users will simply click the ‘Forgot Password’ link and re-verify their account to regain access. Any malicious party would keep trying over and over, locking themselves out indefinitely.
WP Limit Login Attempts is a great plugin that can set this up for you. It has features like captcha verification, a brute-force protection mechanism, GDPR compliance, and much more.
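To show the mechanism the section describes (count failures, lock out after a threshold, tell the user to wait), here is an added example of a minimal WordPress must-use plugin. It is illustrative code written for this article, not the WP Limit Login Attempts plugin; the `sll_` names and the thresholds are my own choices, and it assumes no reverse proxy sits in front of the site.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (illustrative mu-plugin, not the WP Limit Login Attempts plugin)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Policy: lock a client IP after SLL_MAX_FAILS failed logins inside SLL_WINDOW seconds.
// Keep the threshold comfortably above what a forgetful legitimate user needs.
define( 'SLL_MAX_FAILS', 10 );
define( 'SLL_WINDOW', 15 * MINUTE_IN_SECONDS );  // MINUTE_IN_SECONDS is defined by WordPress core
define( 'SLL_LOCKOUT', 30 * MINUTE_IN_SECONDS );

// Transient key for the requesting client. Assumes no reverse proxy in front of the site;
// behind one you would read the proxy's trusted forwarded-for header instead of REMOTE_ADDR.
function sll_client_key( string $prefix ): string {
    return $prefix . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Count each failed login; start (or extend) a lockout once the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    $fails = (int) get_transient( sll_client_key( 'sll_fails_' ) ) + 1;
    set_transient( sll_client_key( 'sll_fails_' ), $fails, SLL_WINDOW );
    if ( $fails >= SLL_MAX_FAILS ) {
        set_transient( sll_client_key( 'sll_locked_' ), time(), SLL_LOCKOUT );
        error_log( sprintf( 'login lockout for %s after %d failures', $_SERVER['REMOTE_ADDR'] ?? '?', $fails ) );
    }
} );

// Refuse authentication while a lockout is active and tell the user to wait or reset.
// Priority 30 runs after the core username/password handlers, so their result is overridden.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( sll_client_key( 'sll_locked_' ) ) ) {
        return new WP_Error( 'sll_locked', 'Too many failed logins. Try again later or use "Lost your password?".' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that client.
add_action( 'wp_login', function () {
    delete_transient( sll_client_key( 'sll_fails_' ) );
} );
```

Every blocked attempt during the lockout fires `wp_login_failed` again and refreshes the lockout transient, which is the "locking themselves out indefinitely" behaviour described above.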
Update Your Passwords
When you own an online business, passwords are everything. Firefox, for example, won’t let you log in if you forget your password, period. You can reset your password, but you won’t get your data back.
Since most people simply use saved logins, accessing the passwords for any website or portal through the browser is pretty easy. Once you’re open to sabotage, expect data theft, data leaks, ransomware, spyware, mining, and much more.
Here are a few benefits of changing your passwords regularly:
- Prevents access to multiple platforms at the same time
- Interrupts constant access to any hacker or third-party program
- Prevents the use of saved passwords
Now, changing passwords every 30-90 days can be a headache. A headache that is indeed worthwhile, but if you’re busier than most people, you can use password managers like 1Password, Dashlane, and KeePass.
Get A Firewall
A firewall screens your traffic for malicious visitors or programs trying to breach your site. You can monitor your WordPress site through a WAF (Web Application Firewall), which displays all the web applications actively interacting with your website.
WAFs for WordPress come in the form of plugins. You simply install one, set the parameters, configure security, and it’s done. Here are a few popular WAF plugins:
- WordFence Security – Offers everything from malware scanning to login security
- All In One WP Security & Firewall – A standard but comprehensive solution
- Shield Security – A simple-to-use solution for everyone
- Sucuri – A paid service run by experienced WordPress personnel
These protect you against all kinds of bots, spam, and DDoS attacks. If you’re torn between paid and free, go for a paid one, because they are worth the cost in the long run.
2FA
2FA, or Two-Factor Authentication, is a digital authentication method that requires approval from at least two separate channels before granting access. It is considered quite foolproof and is popular among major conglomerates like Google and Facebook.
2FA also simplifies access not only for you but also for your customers, in the form of ‘Forgot Password’, where a user can reset his/her password through an OTP, or One Time Password.
A great advantage of this is that it instills confidence in the user about security and privacy, and losing their password isn’t a big deal anymore. Another great thing is that you can allocate more resources to other tasks, since your privacy is covered.
WordPress offers 2FA through a plugin called, well, Two Factor Authentication. It has dual-standard protocols, WP Multisite support, graphical QR codes, support for WooCommerce and Elementor Pro login forms, and much more.
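As an added illustration (not the Two Factor Authentication plugin’s own code), this is how the server side verifies the time-based OTP that an authenticator app generates from the secret in the QR code. The function names are my own; the demo secret and timestamp are the RFC 6238 reference values; in a WordPress plugin the check would run inside the `authenticate` filter after the password check.

```php
<?php
// Decode an RFC 4648 base32 secret, the text a 2FA enrolment QR code carries.
function totp_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( false === $v ) {
            throw new InvalidArgumentException( 'invalid base32 secret' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// RFC 6238: HMAC-SHA1 over the 30-second time-step counter, dynamically truncated to 6 digits.
function totp_code( string $secret, int $timestamp, int $step = 30, int $digits = 6 ): string {
    $counter = pack( 'J', intdiv( $timestamp, $step ) ); // 8-byte big-endian counter
    $hash    = hash_hmac( 'sha1', $counter, $secret, true );
    $offset  = ord( $hash[19] ) & 0x0f;
    $bin     = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hash[ $offset + 1 ] ) << 16 )
             | ( ord( $hash[ $offset + 2 ] ) << 8 )
             | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current step and one step either side to absorb clock drift, and compare in
// constant time. The caller must also remember the last accepted code so it cannot be replayed.
function totp_verify( string $secret, string $submitted, int $now, int $window = 1 ): bool {
    $submitted = preg_replace( '/\s+/', '', $submitted );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $now + $i * 30 ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Constructed demo using the RFC 6238 reference secret "12345678901234567890" in base32.
$secret = totp_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
var_dump( totp_verify( $secret, '287082', 59 ) );
```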
The Host
How does a hosting service aid WordPress security? Well, considering there are specialized WordPress servers optimized for its codebase, a hosting service is your first and foremost layer of security against all threats.
Hosting services also have their own security measures in place to combat external threats, like:
- DDoS protection to prevent clogging of servers
- SSL Certificate to secure the connection between the user and the website
- Firewall to monitor traffic
- Malware detection and removal
- Network monitoring
- Login security
- Backups
- Two Factor Authentication
Now, it’s baffling to think how a hacker can get through all of these and then through WordPress’s own security measures. Well, not all hosting services are the same, and some are better than others.
You can’t just pick any hosting service and call it a day. You need WordPress hosting that ticks all the boxes on the security and privacy side of things, like these.
The hosting services that we recommend have been tried and tested to be unbeatable for security and affordable for your wallet. They have great speed, uptime, user ratings, and customer support.
Not to sugarcoat it, they have their cons, but then what doesn’t?
Conclusion
There are also a few precautions to keep in mind. With security come a few caveats that might hurt the user experience. For example, when you limit login attempts, you could upset a user who is simply trying hard to remember his/her password.
It is better to keep the limit marginally higher for unsuspecting users. Another one is logging out idle users. Someone could simply be away from their machine for an extended period, only to come back and find themselves logged out.
Better to keep that above a certain limit as well. Earlier we mentioned Firefox and its strict policy on data sync: once you forget your password, you lose all bookmarks, extensions, and history.
This is quite effective against data theft and quite standard for security, but it hurts the user more than anyone. Security is great, but it should come second to serving the user.
The last one is not to be too reliant on password managers. Like everything else, they are applications too and can be cracked open. If you can, write your passwords down somewhere. At least that way, some guy thousands of miles away can’t have a look-see.
Finally, let us know your thoughts in the comments. Do you have any tips worth sharing? Any tools that helped you avoid a heart attack? Any performance bumps? Tell us about your experience!