What to do to make sure my WordPress site is secure

Posted 14th December, 2018 by Diana

Why would someone hack you?

For thousands of websites there is no particular reason to be hacked, and in the age of automation none is needed.

How easy is it to find a security bug in a plugin, a theme or even the core, and write a script that tries to exploit that hole?

Such a script usually does not go after one site but through millions of websites, until it finds the couple of thousand it can get into.

Sometimes it is pretty obvious when you are hacked: your site loads random websites, your subscribers send you angry emails asking why you are selling them certain services, or maybe your site is just slow (loading for 10 minutes and you don't know why?). At other times, however, it is not as easy to detect.

Types of hacks:

Clickjacking

Clickjacking is an attack that fools the user into performing an action they did not intend to, and is commonly achieved with iframes.

Website defacement

Website defacement is an attack that changes the visual appearance of a site or a page, generally replacing your content with something else.

XSS

Injecting malicious content (usually script) into a site so that it affects as many sites and their visitors as possible.

Javascript injection

It uses a vulnerability in a plugin's or theme's code to get full access to the database. This means that whenever the attacker sends a query they can also see the output, and have full access to modify, delete and extract any data from the database.

Hackers often use JavaScript to inject malicious scripts. For instance, when visiting such a website your browser suddenly seems to have opened a thousand strange tabs you never asked for. The next time you open the site, the 'issue' is gone. This often makes people think there is a problem with their own machine, while in fact a pile of JavaScript is redirecting them to different places and doing strange things.

And many more. There are so many types of hacks that a single blog post could not look at all of them in detail.

We will look at two plans for securing your website: a 5-minute plan and a pro version.

The 5-minute protection plan:

  • Keep your core up to date!
  • Change your login URL from wp-admin/wp-login.php to something custom.
  • Have a cool username!

The pro protection plan:

1. Having your components up to date is a good start in any case.

It is very, very important to keep your WordPress up to date: most core updates are security related, so by deciding not to update your website you are taking the risk that someone exploits a security hole in it.

2. Some .htaccess tricks. Let's start by blocking access to the include-only files as well as to the wp-config.php file. The config file is not accessible by default; however, after the big Revolution Slider security vulnerability (fixed in the new version) this is a precaution against any future vulnerability of the same kind. After all, this file contains your precious database details.

# Block the include-only files. Put this block outside the
# "# BEGIN WordPress" ... "# END WordPress" section, which WordPress rewrites on its own.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Prevent access to wp-config.php. Apache 2.4 uses "Require all denied";
# the "Order/Deny" pair is the Apache 2.2 syntax, kept for older servers.
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>

3. Use WordPress Security Keys.

The keys improve the encryption of the information stored in a visitor's cookies. They also make it harder to crack your password, as they add random elements to it. A salt phrase is added to make it even more secure. These are located in the wp-config.php file and look as follows:

define('AUTH_KEY', 'put your unique phrase here');

define('SECURE_AUTH_KEY', 'put your unique phrase here'); ...

You can generate new ones using this URL: https://api.wordpress.org/secret-key/1.1/salt/
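As an added example (not code from this post or from WordPress itself), a small Python helper that generates the eight salt lines offline from the OS CSPRNG, finds keys in a wp-config.php that are missing or still carry the 'put your unique phrase here' placeholder, and rotates them. The function names and the sample config in the comments are assumptions of mine.

```python
import re
import secrets

# The eight constants WordPress reads from wp-config.php (the post shows the first two).
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Printable ASCII minus the two characters that would break a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

def random_phrase(length=64):
    """Draw one phrase from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def salt_block():
    """Render all eight define() lines, ready to paste into wp-config.php."""
    return "\n".join(f"define('{k}', '{random_phrase()}');" for k in WP_KEYS)

def _pattern(key):
    return re.compile(r"define\(\s*'" + key + r"'\s*,\s*'([^']*)'\s*\);")

def unsafe_keys(config_src):
    """Keys that are missing from the config or still carry the default placeholder text."""
    unsafe = []
    for key in WP_KEYS:
        m = _pattern(key).search(config_src)
        if m is None or m.group(1) == PLACEHOLDER:
            unsafe.append(key)
    return unsafe

def rotate_keys(config_src):
    """Give every key a fresh value. Rotating the keys invalidates every logged-in
    session and nonce, which is what you want after cleaning up a hacked site."""
    out, missing = config_src, []
    for key in WP_KEYS:
        line = f"define('{key}', '{random_phrase()}');"
        out, n = _pattern(key).subn(lambda _m, line=line: line, out, count=1)
        if n == 0:
            missing.append(line)
    if missing:  # older configs may lack some keys: add them before $table_prefix, else at the end
        block = "\n".join(missing) + "\n"
        idx = out.find("$table_prefix")
        out = out[:idx] + block + out[idx:] if idx >= 0 else out + "\n" + block
    return out

if __name__ == "__main__":
    print(salt_block())
```

Run it on a copy of wp-config.php, check unsafe_keys() is empty afterwards, and expect every user (including you) to be logged out once the rotated file is in place.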

4. Hide your wp-admin login link using a plugin, or manually set it to a custom link.

5. Have backups. This is more on the safe side: if anything goes wrong you will have a backup to restore your files from. Just a good practice to add to the list.

6. Have a security plugin installed. In recent years plugins like Wordfence have evolved a lot in what they can and can't do, and having one installed and configured on your website is a great way to block certain malicious attempts.

7. Have a captcha. Captchas are annoying, but they help a lot against automatic spam bots, as well as bots trying to exploit a vulnerability in a commenting plugin or a theme that would let them inject an SQL query through the form. Having a captcha enabled on your site protects you from the automated bots we mentioned earlier.

8. Do not use any suspicious themes or plugins. Make sure your website components come from reputable sources, so that you don't end up with someone creating a backdoor into your website.

9. Have a complex username and password for the admin area. Using an easily guessable username and password is a good way to get your site brute-forced.

10. Remove all components you are not using. If you are not using a theme or a plugin, delete it.
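As an added example, not from the post: detection logic for the brute-force attempts item 9 warns about (and the bot traffic items 4 and 7 mention), run over Apache access-log lines in Python. It flags any IP that POSTs to wp-login.php too many times within a short window. The log lines, IPs, thresholds and function names are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; the sample lines further down are constructed, not from a real host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def login_bursts(lines, window_s=60, threshold=10, failed_only=True):
    """Return {ip: peak} for every IP with at least `threshold` POSTs to wp-login.php inside
    some window_s-second window. A failed WordPress login re-renders the form with status 200
    while a successful one answers 302, so failed_only=True leaves real logins out."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (not rec or rec["method"] != "POST" or (failed_only and rec["status"] != 200)
                or not rec["path"].split("?")[0].endswith("/wp-login.php")):
            continue
        posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()  # lines can be out of order when several workers write the same log
        window, peak = deque(), 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def constructed_sample():
    """Constructed lines: one bot hammering the login form every 3 s, one editor who logs in once."""
    fmt = '%s - - [14/Dec/2018:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" %d 4321 "-" "%s"'
    bot = [fmt % ("203.0.113.9", s, 200, "python-requests/2.20") for s in range(0, 36, 3)]
    editor = [fmt % ("198.51.100.7", 5, 302, "Mozilla/5.0")]
    return bot + editor
```

Once the login URL has been moved (item 4), any remaining hit on wp-login.php is bot noise, so the same function with threshold=1 and failed_only=False lists exactly those sources.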

Check our guides on cleaning hacked websites for more information, or contact us directly - we at fixed are always happy to assist!

Categories: Wordpress, Optimisation, Website Security