The Down and Dirty Guide to Securing Your WordPress Website
Data breaches and website hacks occur daily. Some of them are not made public while others affect so many people that there’s no way to keep it quiet. In either case, the website owner has a major mess to clean up.
Security for your WordPress site is not something to take lightly. Along with your data, your readers and customers may also be at risk. While you may not be a security expert, there are things you can do to protect the site. Some of them are quick and easy. Others will require more effort; get help from an expert if necessary.
Start With a Review of Your Web Host
A surprising share of compromises start with the web host rather than with WordPress itself. What the host does to protect its servers tells you a lot about whether you should stay with that host. Look for:
- Regular updates to the server software (operating system, PHP, web server, database)
- Up-to-date SSL/TLS certificates, with HTTPS enforced
- DDoS protection
- Around-the-clock support, so a compromise at 3 a.m. is not yours alone to handle
Does the host offer dedicated as well as shared hosting? Dedicated hosting isolates you from other customers; on a poorly configured shared server, a compromised neighbour can sometimes reach your files. It is worth the cost if your data matters.
One simple middle ground is managed WordPress hosting, which is usually a better option than generic shared hosting (also referred to as cheap hosting). A managed plan still shares server resources, but the host typically monitors it more actively, applies WordPress and PHP updates for you, and isolates each customer more carefully.
Check out this Code in WP Article if you’re still unsure.
Be Creative With Your Database Naming
The point of database naming is to be able to identify each database associated with your websites, but it is easy to get into a rut when creating them. Some people even fall into the trap of using a name that looks an awful lot like the WordPress site name everyone can see, and of leaving the default wp_ table prefix in place, so anyone who knows the site name can guess the database layout with no effort.
If you have done that, don't despair. You can change the database name (DB_NAME in wp-config.php) and the table prefix ($table_prefix in the same file) to something that still makes sense to you but is harder for anyone else to guess. Consider this example:
- Your website name is: inyourdreams.wordpress.com/myblog
- Make the associated database name something like: inyd_wordpress_mb
There are other variations, but you get the idea. Don't make it so easy that someone who sees the database names immediately knows what is in them, while keeping it identifiable enough that you know what they mean. Be clear about what this buys you, though: an unguessable name is obscurity, and it mainly trips up automated attacks that assume the defaults. The controls that actually protect the data are a dedicated database user with a strong, unique password, privileges for that user on this one database only, and a database that does not accept connections from outside the server.
Make the Most of Two-Factor Authentication
What's two-factor authentication? It is a login rule that requires a user to present two different kinds of evidence before reaching the dashboard: something they know (the password) and something they have (a phone running an authenticator app, or a hardware security key). A password alone, however strong, can be phished, guessed, or reused from another site's breach; with a second factor, a stolen password is not enough on its own.
Instead of using just your user name and password to get to the management tools, you also enter a one-time code from an authenticator app, approve a push notification, or touch a security key. A fingerprint or face scan normally unlocks the phone or key that holds the factor; the device is what the attacker does not have. Security questions are not a second factor: they are just another "something you know", and usually an easier one to guess than the password. WordPress core does not ship 2FA, so install a reputable 2FA plugin and require it for every account with the Administrator or Editor role.
Each administrator enrolls their own second factor on their own device. Never share one admin account between two people: that defeats the second factor and leaves the audit log unable to tell you which of you did what.
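To make the second factor concrete, here is an added example, not code from the original article or from any WordPress plugin, that implements the time-based one-time password scheme (TOTP, RFC 6238) most authenticator apps use, and a login check that requires both factors. The user record layout, the PBKDF2 work factor and the sample password are assumptions for the example; the point to take away is that the six-digit code is derived from a secret the server and the phone share plus the current 30-second time step, and that an accepted code is never accepted a second time:

```python
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record (hypothetical layout, not WordPress's users table).

    The password is stored as salted PBKDF2; the TOTP secret is the raw bytes the
    authenticator app was enrolled with; last_counter remembers the most recent
    accepted time step so an intercepted code cannot be replayed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def provisioning_secret(secret: bytes) -> str:
    """Base32 text of the secret: what goes into the enrollment QR code or is typed into the app."""
    return base64.b32encode(secret).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def login(user: dict, password: str, code: str, unix_time: int,
          step: int = 30, window: int = 1) -> bool:
    """Accept only if both factors pass.

    Comparisons are constant-time. A window of +-1 step tolerates clock drift
    between phone and server, and an accepted step is recorded so the same code
    is never accepted twice."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False  # report the same generic error to the client either way
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= user["last_counter"]:
            continue  # already consumed: a replayed code is rejected
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; at Unix time 59 the 6-digit SHA-1 code is 287082.
    rfc_secret = b"12345678901234567890"
    print(provisioning_secret(rfc_secret), totp(rfc_secret, 59))
    alice = make_user("correct horse battery staple", secrets.token_bytes(20))
    now = 1_700_000_000
    code = totp(alice["totp_secret"], now)
    print(login(alice, "correct horse battery staple", code, now))  # True
    print(login(alice, "correct horse battery staple", code, now))  # False: replayed code
```

The drift window is deliberately small: every extra step you accept is another valid code an attacker could guess, and a phone more than a minute off usually has a bigger problem than 2FA.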
Check Your Audit Logs
Audit logs are chronological records of what was done on the site and by whom. WordPress core does not keep one; an activity-log plugin adds it, and the web server's access log and the server's own authentication log cover what happens outside WordPress. A good log records logins and logouts, the account used, the source IP address, and the change made (post edited, plugin installed, user created, setting changed). It is usually shown newest-first, but you can re-sort it by user, address, or event type. Keep a copy somewhere an attacker who has the site cannot edit or delete, or the log will be the first thing they clean up.
What does a review prove? It shows in sequence what was done to your site and who did it. If you know you were not working on the site at 3:00 p.m. yesterday but someone logged in with your credentials, something is up. You now know to (a) change the password, enable 2FA if you had not, and rotate the secret keys and salts in wp-config.php so every existing login session is invalidated, and (b) find out what data was changed, exported, or otherwise corrupted, starting with new users, new plugins, and edited theme or plugin files.
You can decide what legal action to take after you assess the damage. Take care of the site and worry about the rest later.
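The review above can be scripted. The following is an added example, not code from the original article or from any logging plugin: it runs a few simple detections over a constructed activity log in a hypothetical "timestamp key=value" format (adapt parse() to whatever your plugin actually writes). It flags a burst of failed logins from one address, a successful login from an address the account has never used (the 3:00 p.m. case from the text), and any sensitive change made in a session that began that way. The "known addresses" baseline and the event names are assumptions for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample activity log in a hypothetical "timestamp key=value ..." format.
# It is not the output of any particular WordPress logging plugin.
SAMPLE_LOG = """\
2024-05-02T09:01:10Z user=alice ip=198.51.100.10 event=login_success
2024-05-02T09:05:42Z user=alice ip=198.51.100.10 event=post_updated id=812
2024-05-02T14:58:03Z user=alice ip=203.0.113.7 event=login_failed
2024-05-02T14:58:09Z user=alice ip=203.0.113.7 event=login_failed
2024-05-02T14:58:15Z user=alice ip=203.0.113.7 event=login_failed
2024-05-02T14:58:21Z user=alice ip=203.0.113.7 event=login_failed
2024-05-02T14:58:27Z user=alice ip=203.0.113.7 event=login_failed
2024-05-02T15:00:31Z user=alice ip=203.0.113.7 event=login_success
2024-05-02T15:01:05Z user=alice ip=203.0.113.7 event=plugin_installed name=seo-booster
2024-05-02T15:01:40Z user=alice ip=203.0.113.7 event=user_created name=support-admin role=administrator
2024-05-02T17:30:00Z user=bob ip=198.51.100.22 event=login_success
"""

# Assumed baseline of addresses each account normally logs in from.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.22"}}

# Assumed event names for changes that alter who controls the site or what code it runs.
SENSITIVE = {"plugin_installed", "plugin_activated", "theme_installed",
             "user_created", "user_role_changed", "file_edited"}


def parse(line: str) -> dict:
    """Split one line into a dict; the first token is an ISO-8601 UTC timestamp."""
    stamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def review(log_text: str, known_ips=KNOWN_IPS, fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=5)) -> list:
    """Return alert strings for: a burst of failed logins from one address, a successful
    login from an address the account has not used before, and any sensitive change made
    in a session that began with such a login."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    suspect = set()               # (user, ip) pairs whose login came from a new address
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, ip, event, ts = ev["user"], ev["ip"], ev["event"], ev["ts"]
        when = ts.strftime("%H:%M:%S")
        if event == "login_failed":
            recent = [t for t in failures[ip] if ts - t <= fail_window] + [ts]
            failures[ip] = recent
            if len(recent) == fail_threshold:
                alerts.append(f"{when} brute force: {fail_threshold} failed logins for {user} from {ip}")
        elif event == "login_success" and ip not in known_ips.get(user, set()):
            suspect.add((user, ip))
            alerts.append(f"{when} new address: {user} logged in from {ip}")
        if event in SENSITIVE and (user, ip) in suspect:
            detail = f"{when} sensitive change from suspect session: {user}@{ip} {event} {ev.get('name', '')}"
            alerts.append(detail.rstrip())
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample log this produces four alerts: the five failed attempts, the login from the unknown address two minutes later, and the plugin install and new administrator account created in that session. Bob's login from his usual address raises nothing. Tune the thresholds to your traffic; a threshold of five failures is for illustration.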
Keep Themes and Plugins Updated
Out-of-date plugins and themes are the most common way a WordPress site gets hacked, so updates are not optional. WordPress can apply plugin and theme updates automatically; since WordPress 5.5 you can turn this on for each plugin from the Plugins screen, and it is worth enabling for anything that is unlikely to break the site. Plugins obtained outside the WordPress.org directory rely on their developer's own update mechanism, so check how they deliver fixes.
WordPress also makes manual updates easy: select the plugins to update, click once, and the process begins. Do it on a schedule, and read the changelog when an update is marked as a security fix.
There are reputable plugins found outside the official directory, but it is your job to qualify them before adding them to the site. Check reviews and comments on function, security, and general performance; look at when the plugin was last updated and which WordPress version it was tested against; and make a note of how the plugin receives security updates. If that point is unclear, look for a different plugin. Delete plugins you no longer use rather than just deactivating them: their files stay on the server and a vulnerable file may still be reachable directly.
The same goes for WordPress-compatible themes offered by third parties. If you like one, find out all you can about the theme developer and how the theme is maintained. Even better, look for a customizable theme from the official directory that will provide the look you want.
Invest in a Web Application Firewall
A web application firewall inspects each HTTP request before it reaches WordPress and blocks the ones that match attack patterns: SQL injection and cross-site scripting payloads, requests for known-vulnerable plugin files, and brute-force bursts against wp-login.php and xmlrpc.php. It can sit in front of a single site, a whole server, or a set of websites. Think of it as a moat around your castle (website): it stops the common, automated attacks, but it is not a substitute for patching, because a determined attacker can often craft a request the rules do not recognise.
Stacking a second WAF rarely adds much. Two overlapping rule sets mostly add latency and a second place to chase false positives. If you already have a WAF at your host or CDN and are considering a firewall plugin as well, make sure each does something the other does not, and check that neither is slowing down the site.
Review Your File Permissions Regularly
File permissions control which operating-system accounts can read, write, or execute each file and folder on the server. They are set on the server, over SSH or SFTP or in the hosting control panel, not in the WordPress dashboard, and they are separate from WordPress user roles: an Administrator in WordPress and the Unix account that owns the files are different things.
On a Linux host the permissions are written as three digits. They are not random: each digit is the sum of read (4), write (2), and execute (1), and each position applies to a different audience.
- The first digit applies to the file's owner, usually the account you deploy with or the one the web server runs as.
- The second digit applies to the file's group, often the web server's group.
- The final digit applies to everyone else on the server.
As an example, a file with permissions of 640 can be read and edited by its owner, only read by members of its group, and not opened at all by anyone else. The usual baseline for WordPress is 755 for directories, 644 for files, and 600 for wp-config.php (or 640 if PHP runs as a different user that is in the file's group), because that file holds the database password and the secret keys. Never use 777: it lets every account on the machine, which on shared hosting means other customers, read and overwrite the file.
Remember to review and correct file permissions from time to time; installers and plugins sometimes loosen them, and "chmod 777" is a common bad fix for an upload error. When someone leaves your employ, remove their WordPress account, their SSH/SFTP credentials, and any keys they held at the same time. Doing so makes it harder for anyone to open a file and manipulate the data.
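The review and fix described above can be automated. The following is an added example, not code from the original article: it audits a directory tree against the 755/644/600 baseline (always reporting anything world-writable), applies that baseline, and demonstrates both on a constructed mini site tree in a temporary directory that has the usual sloppy permissions. The baseline itself assumes the files are owned by your deploy account and the web server is in the file group; adjust CONFIG_MODE to 0o640 if PHP runs as a different user in that group, or it will no longer be able to read wp-config.php:

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Assumed baseline: files owned by the deploy account, web server in the file group.
# Directories 755, ordinary files 644, and wp-config.php 600 because it holds the
# database password and the secret keys. Use 640 instead if PHP runs as a different
# user that is only in the file's group; 600 would then stop the site reading it.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600


def expected_mode(path: Path) -> int:
    if path.is_dir():
        return DIR_MODE
    if path.name == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def walk(root: Path):
    """Yield the root and everything beneath it, without following symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def audit(root) -> list:
    """Return (relative path, actual mode, expected mode) for every deviation.
    World-writable entries are always reported, whatever the baseline says."""
    root = Path(root)
    findings = []
    for path in walk(root):
        if path.is_symlink():
            continue
        actual = stat.S_IMODE(path.lstat().st_mode)
        want = expected_mode(path)
        if actual != want or actual & stat.S_IWOTH:
            findings.append((str(path.relative_to(root)), oct(actual), oct(want)))
    return findings


def harden(root) -> int:
    """Apply the baseline and return how many entries were changed. The shell
    equivalent is: find . -type d -exec chmod 755 {} + ; find . -type f -exec
    chmod 644 {} + ; chmod 600 wp-config.php"""
    root = Path(root)
    changed = 0
    for path in walk(root):
        if path.is_symlink():
            continue
        want = expected_mode(path)
        if stat.S_IMODE(path.lstat().st_mode) != want:
            path.chmod(want)
            changed += 1
    return changed


def demo() -> tuple:
    """Build a constructed mini site tree with typical sloppy permissions in a
    temporary directory, audit it, harden it, and audit again.
    Returns (findings before, findings after)."""
    root = Path(tempfile.mkdtemp())
    try:
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed placeholder\n")
        (root / "wp-config.php").write_text("<?php // constructed placeholder holding DB_PASSWORD\n")
        (uploads / "image.jpg").write_bytes(b"")
        os.chmod(uploads, 0o777)                 # the classic bad fix for an upload error
        os.chmod(root / "wp-config.php", 0o644)  # DB password readable by every local account
        os.chmod(uploads / "image.jpg", 0o666)   # any local account can overwrite it
        before = audit(root)
        harden(root)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print("before:", finding)
    print("after harden:", after)  # []
```

Run audit() alone first and read the findings before you run harden(): a site that deliberately uses a different ownership model (for example, PHP running as the file owner with 750 directories) should have its own baseline, not this one applied blindly.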
There are more ways to protect your WordPress site. Start with these and then move on to more advanced approaches. While there will always be threats, the right protection strategy will render most of them ineffective.