With all the recent hacks and data breaches of high-profile sites (TalkTalk, Ashley Madison and Carphone Warehouse, for example), we decided to take a look at how easy it would be to make a few changes to your WordPress site so that it doesn't join them.
Firstly, the security of your site is important to your SEO efforts. I am speaking from first-hand experience here. I spent two years building up a site (www.campingsitesinbritain.co.uk; I wanted to take a screenshot from the Wayback Machine of their messages but it's not available) to be the second biggest camping directory in the UK, only for it to be hacked, its database deleted and its content replaced with spam. As well as losing the site, it didn't take long for the rankings to disappear, with links disappearing as webmasters didn't want to be seen to be linking to a hacked page. All because I hadn't updated to the latest version of WordPress.
I learnt my lesson the hard way: keep on top of potential security issues on your site. So what can you do to make your own site a harder target?
- Make sure you have the latest version of WordPress. At the moment it seems a new version is released every couple of weeks, but these releases fix bugs and vulnerabilities that have been discovered, and the gap between a release and your update is exactly the window attackers work in. Since WordPress 3.7, minor (security and maintenance) releases install themselves automatically by default; leave that switched on and apply major releases yourself promptly.
- Update your theme. Theme updates won't be as frequent as core updates but are equally important. Delete any themes you are not using: an inactive theme's files are still on the server and can still be requested directly.
- Update all your plugins. It's recommended to keep the number of plugins to a minimum, for security reasons and to prevent conflicts, but whatever you do install must be kept up to date, and anything you no longer use should be removed rather than just deactivated.
- Install a security plugin. WordPress is great and is used by around 20% of the world's websites, but that popularity is precisely why it is attacked: a flaw in core, or in a widely installed plugin, is worth exploiting at scale, and being open source means attackers can read the code as easily as the maintainers can.
We have reviewed and tested three of the most popular security plugins. Each was measured against our own criteria, but we would recommend further research to find the best solution for your site.
- Wordfence (https://wordpress.org/plugins/wordfence/)
- Sucuri (https://wordpress.org/plugins/sucuri-scanner/)
- iThemes Security (https://wordpress.org/plugins/better-wp-security/)
For obvious reasons I am not going to reveal which, if any, of these plugins we finally went with, but they all have their strengths; you have just got to find the one that meets your needs. There are of course other security plugins available. Before considering them, check they have been downloaded a significant number of times, have a good review score and, most importantly, are still actively maintained: an abandoned security plugin becomes a liability the moment a flaw is found in it.
Other areas where you can help to protect your WordPress site
WordPress ships with a readme.html file in the site root, and every core update puts it back. It is not a backdoor, but it states the exact WordPress version installed, which is what automated scanners read to match your site against the known vulnerabilities for that version. Delete it after each update (from the cPanel file manager or over SFTP), along with wp-admin/install.php, which is only needed during installation; instructions here if unsure. Be aware that this removes only one of several version leaks: the generator meta tag in your pages and the ?ver= parameter on script and stylesheet URLs reveal the same number, so the real protection is still being on the current version.
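The update checklist and the readme.html point above can both be checked from the command line without touching the site. The following script is an added example, not code from the original post: it reads the core version from wp-includes/version.php, the version of every installed plugin from the plugin's header comment, and reports whether readme.html and wp-admin/install.php are still present. It assumes the standard WordPress directory layout and header format; the document root path is whatever you pass in, and the tree used in the usage note below is constructed for the example. Comparing the versions it prints against the current releases is left to you, since that needs network access.

```shell
#!/usr/bin/env bash
# wp_audit.sh - offline audit of a WordPress document root (added example).
# Reads files only; nothing is modified.  Usage: ./wp_audit.sh /var/www/html

# Core version. wp-includes/version.php contains a line like:  $wp_version = '4.3.1';
wp_core_version() {                # wp_core_version DOCROOT
    grep -m1 '^\$wp_version' "$1/wp-includes/version.php" | cut -d"'" -f2
}

# Value of a "Key: value" line in a plugin's header comment block. WordPress
# accepts any mix of whitespace, '/', '*', '#' and '@' before the key, so we do too.
plugin_header() {                  # plugin_header FILE KEY
    sed -n "s|^[[:space:]/*#@]*$2:[[:space:]]*||p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# One "name<TAB>version" line per installed plugin. A plugin's main file is the
# one carrying a "Plugin Name:" header; it lives either in its own directory or,
# for single-file plugins such as Hello Dolly, directly under wp-content/plugins.
wp_plugin_versions() {             # wp_plugin_versions DOCROOT
    local docroot="$1" f name version
    for f in "$docroot"/wp-content/plugins/*/*.php "$docroot"/wp-content/plugins/*.php; do
        [ -f "$f" ] || continue
        name=$(plugin_header "$f" "Plugin Name")
        [ -n "$name" ] || continue           # helper file, not a plugin's main file
        version=$(plugin_header "$f" "Version")
        printf '%s\t%s\n' "$name" "${version:-unknown}"
    done
}

# Files that belong to a fresh install but should not stay on a live site:
# readme.html states the exact core version; install.php is needed only once.
wp_leftover_files() {              # wp_leftover_files DOCROOT
    local docroot="$1" f
    for f in readme.html wp-admin/install.php; do
        [ -e "$docroot/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

wp_audit() {                       # wp_audit DOCROOT
    local docroot="$1"
    [ -f "$docroot/wp-includes/version.php" ] || { echo "not a WordPress docroot: $docroot" >&2; return 2; }
    printf 'Core version : %s\n' "$(wp_core_version "$docroot")"
    printf 'Plugins      :\n'; wp_plugin_versions "$docroot" | sed 's/^/  /'
    printf 'Leftover     :\n'; wp_leftover_files "$docroot" | sed 's/^/  /'
}

if [ $# -gt 0 ]; then
    wp_audit "$1"
fi
```

Run it as `./wp_audit.sh /var/www/html` (or whatever your document root is) after each update: a "Leftover" section that is not empty means readme.html came back, and any plugin version that lags the plugin page on wordpress.org is work for today. Note that it reads only what is on disk, so it says nothing about a plugin that has been deleted from the repository; that check is still manual.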
Another simple technique is to move the login page away from /wp-login.php (and the /wp-admin URL that redirects to it) to something that can't be guessed. Be clear about what this buys you: it is obscurity, not security. It cuts out the bulk of the automated brute-force traffic that hammers the default URL, but it does nothing against someone who finds the new one, so it complements a strong password and two-factor authentication rather than replacing them. Remember too that xmlrpc.php accepts the same username and password and is targeted just as heavily; block or restrict it if you don't use it.
Also, don't use common usernames either. From analysing my own site's logs, the most guessed usernames, which are tested hundreds of times a week, are:
- (name of the site)
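Those guess counts come from the web server's access log, and the same log shows two other things worth watching for: username enumeration through /?author=N (WordPress answers with a 301 to /author/<username>/ when user N exists, which is how attackers build the list of names to guess in the first place), and POSTs to xmlrpc.php, which takes the same credentials and can try many passwords in a single request. The script below is an added example, not code from the original post; it assumes the Apache/nginx combined log format, and the log lines in the usage note are constructed. One thing it cannot tell you is which usernames were tried, because the access log does not record POST bodies; for that you need WordPress-side logging, such as a security plugin's login log.

```shell
#!/usr/bin/env bash
# wp_login_report.sh - login-abuse signals from a combined-format access log
# (added example).  Usage: ./wp_login_report.sh /var/log/apache2/access.log [threshold]
#
# Combined log fields as awk sees them:
#   $1 client IP    $6 "METHOD    $7 request path    $9 status
# A POST to wp-login.php answered with 200 is a failed login (WordPress re-renders
# the form); a successful login is a 302 redirect into wp-admin.

# "ip<TAB>login POSTs<TAB>of which failed", busiest source first.
login_attempts_by_ip() {         # login_attempts_by_ip LOGFILE
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++; if ($9 == 200) f[$1]++ }
         END { for (ip in n) printf "%s\t%d\t%d\n", ip, n[ip], f[ip] + 0 }' "$1" \
    | sort -k2,2nr -k1,1
}

# IPs with at least THRESHOLD failed logins: candidates for a firewall block.
flag_bruteforce() {              # flag_bruteforce LOGFILE THRESHOLD
    login_attempts_by_ip "$1" | awk -v t="$2" '$3 >= t { print $1 }'
}

# Username enumeration: count, per IP, the /?author=N probes that got a 301,
# i.e. the number of valid usernames handed out.
author_enum_by_ip() {            # author_enum_by_ip LOGFILE
    awk '$6 == "\"GET" && $7 ~ /^\/[?]author=[0-9]+/ && $9 == 301 { n[$1]++ }
         END { for (ip in n) printf "%s\t%d\n", ip, n[ip] }' "$1" | sort
}

# xmlrpc.php POSTs per IP. Any volume here from a site that does not use
# remote publishing or Jetpack is credential guessing.
xmlrpc_posts_by_ip() {           # xmlrpc_posts_by_ip LOGFILE
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) printf "%s\t%d\n", ip, n[ip] }' "$1" | sort
}

wp_login_report() {              # wp_login_report LOGFILE [THRESHOLD]
    local log="$1" threshold="${2:-20}"
    echo "== wp-login.php POSTs (ip, attempts, failed) ==";    login_attempts_by_ip "$log"
    echo "== IPs with >= $threshold failed logins ==";         flag_bruteforce "$log" "$threshold"
    echo "== usernames revealed via /?author=N (ip, count) =="; author_enum_by_ip "$log"
    echo "== xmlrpc.php POSTs (ip, count) ==";                 xmlrpc_posts_by_ip "$log"
}

if [ $# -gt 0 ]; then
    wp_login_report "$@"
fi
```

Run it against yesterday's log from cron and you will see the "hundreds of times a week" figure for yourself, along with which sources are doing it. The threshold is a starting point, not a rule: a legitimate user who forgets a password produces a handful of failures, while a guessing tool produces hundreds in minutes, so the right cut-off depends on your log's time window. The ?author=N leak itself is fixed by rewriting or denying those requests in the web server, or by a security plugin that does it for you.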
Other quick fixes
- Make sure you have a long, unique password for every account on the site; I don't need to say any more than that.
- Two-factor authentication (a paid feature in most security plugins, but worthwhile, and a lot cheaper than a clean-up).
- Change the login URL from /wp-login.php to anything else, as covered above (there are free plugins to do this, and some of the security plugins above have it as a feature).
- Regularly back up your site, and keep the backups somewhere other than the web server: an attacker who can delete your database can delete a backup stored beside it just as easily. If the worst happens you can get the site back live quickly, but find and fix the breach first, because restoring the same vulnerable site puts it straight back in the attacker's hands.
But what do the professionals think? Tarun is the head of security at online retailer Ebuyer.com…
“With the immense popularity of WordPress as a Content Management System comes the risks associated with it and it has become a favourite target for cyber criminals. Why? Because it’s comparatively easy to hack a WordPress website, not due to any inherent weaknesses, but because not every webmaster considers it a priority to keep their site completely locked down. In actuality, WordPress does a very good job in keeping the platform secure and educating users on how to improve security.
“If you are wondering why someone would be interested in hacking your WordPress website there could be several different reasons. The most common being to host malware to infect other unsuspecting visitors to your website. It’s not uncommon for a hacker to do this with the intent of extorting money for the damage they could do. Alternatively, some script kiddie could just be testing his newly learnt skills. It could be for any reason basically.
“Always the first step to securing a WordPress site is to ensure you have a good base, in this case a hardened platform. If you are a company with hosting capabilities and would like to host the site in your own datacentre then follow the general practices of putting the WordPress website on a hardened server in a separate DMZ (Demilitarised Zone) behind a Firewall/IPS/WAF stack away from your mission critical business websites.
“If you are hosting on your own servers, then you may want to take into account the following additional security control considerations:
a) Consider building a secure server architecture for WordPress which usually comes in the LAMP stack configuration – Linux, Apache, MySQL and PHP. Ensure the stack is built with the latest, patched & supported versions of software. In addition, ensure you have a good patch management schedule.
b) Use a strong password policy on all your systems and reliable password management software to store all passwords. Employ least privilege principles for all users.
c) Use host level Intrusion Detection system software with File Integrity monitoring in place for critical files.
d) Consider having a host based firewall and Antivirus/Antimalware engine running on the server platform.
e) Use Secure FTP access when connecting to the server with some additional two factor authentication in place.
f) Most important of all, backup your system regularly as governed by the organisational backup policy and also before any major changes to the stack.
g) Finally, monitor the server logs regularly for any unusual activity.
“If you are an individual or a small company with no hosting capabilities then your best bet is to look at hosting companies that will host your WordPress website for a charge. As a general rule to follow – cheapest may not be the best. You can use the above 7 security control measures as questions when assessing your WordPress hosting provider.
“Once you have a sound and secure WordPress environment, then you may want to look at implementing all the security measures described in this Hardening WordPress article by WordPress.
“Now you have a hardened server platform with a hardened WordPress application but that is still not the end. The final link in securing your WordPress site is to put some security policies in place. Some of the basic practices you may want to consider are listed below:
a) Maintain a list of all users that have access to the wp-login page and review them once a month or every 60 days to ensure any dormant users are removed/deleted.
b) Ensure you follow a strict least privilege policy when assigning users a role on the WordPress install. If you are unsure, please refer to this WordPress Roles & Capabilities article.
c) Change the admin user to something that is a less obvious username. Simply create a new administrator account with a new username and delete the old ‘admin’ account.
d) Follow a process of authorisation on plugins that goes through review and test phases before the plugin gets installed on a live WordPress server. Ensure the plugin is thoroughly vetted before accepting it in a production environment.
e) Ensure there is a strict Patch Management schedule for the WordPress install including the Plugins and Themes.
f) To improve the security of WordPress and enable more features like malware scanning, two factor authentication for users, auditing, etc. you may want to look at installing a WordPress security plugin. To help you choose the category of your security plugin read this article. Some of the most popular and widely used plugins are Sucuri Security & WordFence Security but you may want to choose another according to your specific requirements.
g) Limit access to your wp-login page only from specific IP addresses if you have static IPs to connect from. Some security plugins even give the option to do country blocking so you could allow access to the login page only from the country you are based in if you do not have a static IP.
“Finally, backup regularly before and after any major changes you make to the WordPress install or any plugins/themes. Often the installation of a new plugin can break the website and you may not be able to log back in. The best way to avoid this is to have the plugin/theme installed on a test server before a live server. However, this is only possible if you have a test environment exactly matching the live environment, which may not always be possible.
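Tarun's server-side list asks for host intrusion detection with file integrity monitoring on critical files (item c), and the whole article turns on spotting the moment content is replaced. The script below is an added example, not Tarun's or the post's own code, of the integrity-monitoring part: it hashes every file under the document root into a baseline and later reports what has been added, modified or removed. The document root and baseline paths are whatever you pass in; the sample tree in the usage note is constructed. Keep the baseline somewhere the web server cannot write, because an attacker who can edit index.php can rewrite a baseline kept beside it just as easily, and regenerate it after every legitimate core, plugin or theme update, or the next check will report the update as tampering. For core files alone, WP-CLI's `wp core verify-checksums` compares against the hashes WordPress.org publishes and needs no local baseline; this script covers the rest of the tree, including plugins, themes and the uploads directory, which is where dropped PHP files tend to turn up.

```shell
#!/usr/bin/env bash
# wp_fim.sh - file-integrity baseline and check for a WordPress docroot (added
# example).  Usage: ./wp_fim.sh baseline /var/www/html > /root/wp.baseline
#                   ./wp_fim.sh check    /var/www/html   /root/wp.baseline

# sha256 of every regular file under DOCROOT, one "hash  ./path" line each, in
# a fixed order so two baselines of an unchanged tree are byte-identical.
fim_baseline() {                  # fim_baseline DOCROOT
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Compare the live tree against a stored baseline. Prints one line per
# difference (ADDED / MODIFIED / REMOVED, a tab, the path) and returns 1 if
# there were any, so it can drive a cron alert.
fim_check() {                     # fim_check DOCROOT BASELINE
    local current findings
    current=$(fim_baseline "$1")
    findings=$(printf '%s\n' "$current" | awk -v b="$2" '
        # sha256sum lines are "<64 hex chars>  <path>"; taking the path from
        # column 67 keeps paths that contain spaces intact.
        FILENAME == b { base[substr($0, 67)] = $1; next }
                      { cur[substr($0, 67)]  = $1 }
        END {
            for (p in base) if (!(p in cur))            print "REMOVED\t"  p
            for (p in cur)  if (!(p in base))           print "ADDED\t"    p
                            else if (cur[p] != base[p]) print "MODIFIED\t" p
        }' "$2" - | LC_ALL=C sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

case "${1:-}" in
    baseline) fim_baseline "$2" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

A MODIFIED line against wp-includes or a plugin you did not update, or an ADDED .php file under wp-content/uploads, is the signal the article's author did not have: the point at which the site has been tampered with but the search engines have not yet noticed. That is also the moment to take the site offline, restore from a backup taken before the first unexpected change, and close the hole before putting it back.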
In summary, there is much that can be done, both server side and on the site itself, to prevent your WordPress site being compromised.
I am the Managing Director of Coreter Media and have been in Digital Marketing since 2009. Initially in-house working for some of the UK’s biggest brands, but now I run my own agency helping small businesses grow.