WordPress security is an important part of running a WordPress site. While WordPress is currently the most popular CMS (content management system) in the world, running a WordPress site means regular maintenance and proper website security, as a compromised site can affect your site’s SEO, the personal data of your customers and more. But how do you secure your WordPress site, and is it even possible to keep your WordPress website secure?
In short, securing your WordPress site is attainable, very often with affordable tools and methods. While these tools might cost a bit every month, that is much more affordable than fixing up a malware-infected site and absorbing the downtime that comes with a compromised site. Not only will you lose business, you might even lose some clients for good.
But as this article will take some time to read, let us sum up what you need for your WordPress security.
As web developers running a WordPress website maintenance business, these are some of the things we do for our clients in order to keep their sites running smoothly.
We will work through the bullet points above as actionable steps to get you a secure WordPress site.
WordPress Security: Steps to Secure Your Website
WordPress is a powerful self-hosted content management system (CMS) that gives you the flexibility to purchase or develop the features you need. Unlike hosted CMS solutions such as Squarespace or Wix, WordPress’ open-ended nature also means that security can be an issue. And very often, security is an issue overlooked by first-time bloggers and website owners.
But WordPress security isn’t rocket science. All you need to do is secure every component that could be an entry point for hackers and malicious software. Your WordPress website security is only as strong as its weakest link.
Here are some simple and practical steps to secure your website:
1) Move to a managed VPS Hosting Solution
Yes, managed Virtual Private Server (VPS) hosting costs more than a shared server, especially when you compare it with popular shared hosts such as Bluehost, SiteGround and A2 Hosting. There is no way a VPS can be cheaper than a shared hosting plan. Plus, shared hosting gives you everything, including email, so why move to a VPS hosting solution?
The truth is, your choice of hosting provider matters a lot to your security. If you are on a shared server, your site can be compromised even though you have the most advanced cloud firewall. All it takes is an outdated plugin or theme on your neighbour’s site (meaning another site on the same server as you), after which the attacker can gain access to the root directory and target all sites on the server.
In comparison, you are on your own on a VPS. No bad neighbours can affect you. But can you still be hacked? Yes, but not via the managed VPS hosting that you are on.
Oh yes, please don’t go for IaaS (infrastructure-as-a-service) platforms such as Linode, DigitalOcean, AWS and Google Cloud unless you have an experienced sysadmin on your team. While it is relatively cheap to provision a VPS on these IaaS platforms, someone needs to manage the security patches, updates and server-level firewall.
2) Automate Your Backups with Incremental Cloud Backups to Amazon S3 or equivalent
We recommend that you get your site onto a cloud backup solution. Better still, put your site on an incremental cloud backup solution, as the risk of the backup failing from a timeout is far lower.
If you’re not under a WordPress website maintenance service or managed WordPress hosting (e.g. WP Engine, Kinsta, Synthesis and Pressable), check with your hosting provider on where your automatic backups go, and whether you have both server and site backups.
We’ve encountered SOS messages from people whose websites had been compromised but who were unable to restore, as the local backups were either corrupted or infected as well. Some hosting companies send backups to the cloud, but as they compress the site before backing it up, the backup may fail if the site is too big or if it is on shared hosting with limited resources.
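An incremental backup is, at its core, a comparison of file digests between runs: only files whose digest changed since the last manifest are uploaded, and the same manifest lets you confirm that a backup (or a restored copy of it) is intact before you trust it. The script below is an added example written for this article, not a hosting provider’s or backup vendor’s tool. The skip list, the sample site tree and the file names are constructed assumptions, and the actual upload to Amazon S3 or an equivalent bucket is left to the client of your choice.

```python
"""Incremental backup manifest for a WordPress site tree (constructed example).

build_manifest()  -> {relative path: sha256} for every file worth backing up
diff_manifests()  -> which files must be uploaded (added/modified) and which were deleted
verify_manifest() -> re-hash a tree against a stored manifest; non-empty result means
                     the backup/restore is not intact, or files changed unexpectedly
"""
import hashlib
import tempfile
from pathlib import Path

# Directories that are regenerated and never need to be backed up (assumption).
SKIP_DIRS = {"wp-content/cache", "wp-content/upgrade"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(previous: dict, current: dict) -> dict:
    """Files to upload this run (added or modified) and files gone since the last run."""
    added = sorted(k for k in current if k not in previous)
    modified = sorted(k for k in current if k in previous and current[k] != previous[k])
    deleted = sorted(k for k in previous if k not in current)
    return {"added": added, "modified": modified, "deleted": deleted}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return the paths whose current digest does not match the stored manifest
    (missing files count as mismatches). Empty list means the tree is intact."""
    mismatches = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            mismatches.append(rel)
    return sorted(mismatches)


def demo() -> dict:
    """Constructed site tree: a full first run, then a change, then the incremental diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/foo").mkdir(parents=True)
        (root / "wp-content/cache").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed config\n")
        (root / "readme.html").write_text("<html>constructed</html>\n")
        (root / "wp-content/plugins/foo/foo.php").write_text("<?php // plugin v1\n")
        (root / "wp-content/cache/page.html").write_text("cached page, not backed up")
        first = build_manifest(root)

        # Between runs: a plugin update, a deleted file, and an unexpected new PHP file.
        (root / "wp-content/plugins/foo/foo.php").write_text("<?php // plugin v2\n")
        (root / "readme.html").unlink()
        (root / "wp-content/uploads").mkdir()
        (root / "wp-content/uploads/x.php").write_text("<?php // unexpected\n")
        second = build_manifest(root)

        result = diff_manifests(first, second)
        # Checking the live tree against the old manifest flags what changed or vanished.
        result["integrity_mismatches"] = verify_manifest(root, first)
        result["first_count"] = len(first)
        return result


if __name__ == "__main__":
    print(demo())
```

Store each run’s manifest alongside the backup set. A restore is only trustworthy when `verify_manifest` over the restored tree comes back empty, and the same check run against a live site that has had no update is a cheap file-integrity monitor: anything it lists deserves a look.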
3) Subscribe to a Cloud Web Application Firewall with Virtual Patching
A Cloud Web Application Firewall (Cloud WAF for short) with virtual patching ensures that your site is patched virtually when a vulnerability is found. Statistics show that plugin vulnerabilities represent 55.9% of the known entry points for hackers, and a survey from Wordfence showed that 60% of website owners who knew how the malware came in attributed it to an outdated plugin or theme.
Virtual patching is a set of rules to mitigate vulnerabilities that the site might have from outdated software, namely an outdated core, themes or plugins. While it is best to update them, virtual patching helps keep the site safe while developers of vulnerable plugins and themes issue security updates.
Furthermore, if you somehow neglected updating your site after the patches are issued, virtual patching will keep your site safe from malicious attacks.
On our end, we recommend PatchStack (formerly known as WebARX) for their Cloud WAF that comes with virtual patching. Compared with Sucuri Security and other well-known WordPress security software, PatchStack’s focus on plugin vulnerabilities and their community of ethical hackers, the PatchStack Red Team, gives them the edge over the competition.
4) Regularly update your WordPress Core files, Themes and Plugins
Updating your WordPress core files, themes and plugins regularly will ensure that your site stays safe from known vulnerabilities. However, we sometimes get clients coming to us with sites that have not been updated for years, probably because updating the site could break a layout or feature on the site, or worse, the site itself.
But not updating your site out of fear of things breaking isn’t the right approach. Portions of the site will eventually stop working when your server moves to the latest PHP version, and believe me, you’ll want to keep your server on a supported PHP version.
A better alternative would be to engage the services of a company specializing in WordPress Care Plans, better known as a WordPress website maintenance service. Just like a car, you’ll need your site maintained in order for it to perform well and avoid costly repairs.
A word of caution if you are considering automatic updates, as that will most probably break your site. We run a backup before every update, in order to ensure that we are able to roll back if the site breaks.
5) Subscribe to a WordPress Security Plugin with Malware Scans and Removal
A WordPress Security plugin will go a long way in ensuring your site stays safe. Together with a cloud WAF, cloud backups and regularly updated WordPress core files, plugins and themes, the WordPress security plugin plays an important role in keeping your site safe.
However, not all security plugins are the same. Many times we’ve seen people trying to save some money by subscribing to a security plugin that doesn’t really do much, like the iThemes Security plugin. iThemes Security Pro is affordable, with the Gold tier costing you only $199/year for unlimited sites. This makes iThemes Security a choice for many WordPress webmasters and maintenance agencies, as the cost becomes negligible when you have more sites.
It also comes with some interesting features, such as file integrity monitoring, brute force attack protection, reCAPTCHA to protect against bad bots, enforcement of strong passwords and lockouts after failed login attempts. Honestly, it seems like a great deal.
But choosing a plugin like iThemes Security (or something similar) can quickly become a costly affair and a security risk. While iThemes Security does malware scans, it only does so via Sucuri’s surface-level scanner. This means it will not detect whether your files or your WordPress database have been compromised, and malicious files will be left on your server. You will want a WordPress security plugin that does automated malware scanning on the site itself.
What are the consequences of a hacked site?
And while ignorance is bliss, a hacked site takes time and effort to clean. In some cases, your site can be subject to SEO spam such as the Japanese Keyword Hack, which causes your site to be blacklisted by search engines, affecting your traffic and ultimately your revenue.
What WordPress security plugins do we recommend?
Over at our agency, we use a combination of MalCare Pro and Virusdie. While that may seem like overkill, it is proven that no single WordPress security plugin can fully cover your site, as they use different antivirus heuristics and tend to detect different viruses and malicious code in your site. MalCare Pro is well known for its database malware scan, which helps detect malware introduced via SQL injection, while Virusdie is able to find files like the Image Trojan that MalCare isn’t able to detect.
Hence, it is wise to have an extra layer of security, or better, multiple layers of security on your site. This helps us address security issues holistically and cover security vulnerabilities and any form of security breach.
MalCare and Virusdie are both cloud-based security solutions, which means your site will not be encumbered or slowed down while they conduct a security scan.
6) Secure Your Login with Two Factor Authentication and Brute Force protection for the login form
While it is good to deck your site out with WordPress security plugins, you should also consider your login, as your site is only as secure as its weakest link. And a brute force attack on your login form is the simplest way to get into your site.
A common form of attack on WordPress is to hammer the login URL (siteurl/wp-login.php) until they get in or the server dies, hence the name ‘brute force attack’. We recommend the following security measures:
As you can see, it progressively becomes harder for our logins to be compromised. Even if our login details are compromised, the two-factor authentication keeps the site safe.
Why should you remove the admin username?
Removing the admin username takes away one of the common brute force targets on the site, because most early versions of WordPress created ‘admin’ as the default username, so attackers try it first.
Why do you need Recaptcha on the login form?
Including reCAPTCHA in the login form will make it difficult and frustrating for people trying to brute force their way into your site manually, but will not stop some bots.
Why should you enforce strong passwords to your site admins?
Do not use a weak password like ‘123456’, your birthday or your name. Those passwords are quickly compromised. We recommend enforcing a strong password combination to make it harder for brute force attacks to succeed.
If you find it difficult to remember your strong password, just sign up for a password manager like LastPass Authenticator or Bitwarden.
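To show what “enforcing a strong password” can mean in practice, here is an added example written for this article (it is not the code of iThemes Security, LoginPress or any other plugin). It rejects the three weak choices the text names: a short or common password, and one built from the user’s own name, username or birthday. The minimum length, the entropy floor and the tiny common-password list are constructed assumptions; a real deployment would check against a breached-password list instead.

```python
"""Password policy check for WordPress admin accounts (constructed example)."""
import math
import re

MIN_LENGTH = 12          # assumption: policy minimum
MIN_BITS = 60.0          # assumption: rough entropy floor for an admin account

# Constructed denylist; replace with a breached-password list in production.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "admin", "letmein", "welcome1", "password123",
}


def char_pool(pw: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):   # punctuation, space, etc.
        pool += 33
    return pool


def estimated_bits(pw: str) -> float:
    """Upper-bound entropy estimate: length * log2(alphabet size)."""
    pool = char_pool(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, personal_tokens=()) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    personal_tokens: things an attacker can look up (username, display name,
    birth year, site name); any token of 3+ characters found inside the password
    is a violation, case-insensitively.
    """
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    for tok in personal_tokens:
        t = tok.lower()
        if len(t) >= 3 and t in low:
            problems.append(f"contains personal token '{tok}'")
    if estimated_bits(pw) < MIN_BITS:
        problems.append(f"too little estimated entropy (< {MIN_BITS:.0f} bits)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, tokens in [
        ("123456", ()),
        ("Alice1990rocks!", ("alice", "Alice Smith", "1990")),
        ("correct horse battery staple 42", ("alice",)),
    ]:
        print(repr(candidate), check_password(candidate, tokens) or "OK")
```

The entropy number is deliberately an upper bound: it only stops obviously short or single-class passwords, while the denylist and the personal-token check catch the long-but-guessable ones.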
We tend to further enhance our login forms with a brute force protection plugin like LoginPress, which temporarily suspends bots and hackers who fail their login attempts. This provides respite to our servers while keeping brute force attempts down.
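Lockout plugins work from the same signal a defender can pull out of the web server logs: repeated POSTs to wp-login.php from one address that never turn into a successful login. The script below is an added example for this article, not LoginPress or any plugin’s code. It assumes a combined access-log format and the usual WordPress behaviour of answering a failed login POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the window, threshold and sample log lines are constructed.

```python
"""Flag brute-force sources against wp-login.php from access-log lines (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields we need from the Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

WINDOW = timedelta(minutes=10)   # assumption: sliding window length
MAX_FAILURES = 5                 # assumption: failures per window before lockout


def parse_line(line: str):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_brute_forcers(lines, window=WINDOW, max_failures=MAX_FAILURES) -> dict:
    """Return {ip: peak_failures_in_window} for addresses that reached max_failures
    failed wp-login.php POSTs inside any sliding window. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if status != 200:         # 302 = successful login; anything else is not a failure
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 4123 "-" "Mozilla/5.0"'


# Constructed sample log (addresses from the documentation ranges, not real hosts).
SAMPLE_LOG = [
    # 203.0.113.7: six failed POSTs in under a minute -> flagged
    *[_line("203.0.113.7", f"10/Oct/2023:13:55:{s:02d}", "POST", "/wp-login.php", 200)
      for s in (1, 9, 17, 25, 33, 41)],
    _line("203.0.113.7", "10/Oct/2023:13:55:45", "GET", "/wp-login.php", 200),  # ignored
    # 198.51.100.2: two typos then a real login (302) -> not flagged
    _line("198.51.100.2", "10/Oct/2023:14:00:00", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200),
    _line("198.51.100.2", "10/Oct/2023:14:00:30", "POST", "/wp-login.php", 200),
    _line("198.51.100.2", "10/Oct/2023:14:01:00", "POST", "/wp-login.php", 302),
    # 203.0.113.9: five failures, but eight minutes apart -> never 5 inside 10 min
    *[_line("203.0.113.9", f"10/Oct/2023:14:{m:02d}:00", "POST", "/wp-login.php", 200)
      for m in (10, 18, 26, 34, 42)],
    "this line is not in combined log format and is skipped",
]


def demo() -> dict:
    return find_brute_forcers(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

The 302-means-success heuristic is what makes the count meaningful: an attacker who guesses right would otherwise look identical to one who keeps failing. The flagged addresses are what you would hand to a lockout rule or a WAF block list, with the window chosen so a legitimate user mistyping a password a few times is not caught.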
Why do you need a two-step authentication plugin?
However, if you want to truly secure your WordPress login, install a two-step authentication plugin. This makes it even harder for brute force attacks to succeed, as a correct password alone is no longer enough: the login must also be confirmed with the authenticator app of your choice.
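What the authenticator app and the plugin agree on is a time-based one-time password (TOTP, RFC 6238): a shared secret plus the current 30-second time step gives a six-digit code that a stolen password alone cannot produce. The code below is an added example for this article, not any plugin’s implementation; it uses the standard algorithm and the RFC’s own test secret, while the clock-skew allowance and the replay guard are design assumptions noted in the comments.

```python
"""TOTP (RFC 6238) second-factor verification as done server-side (constructed example)."""
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps share the secret as base32, often without '=' padding."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now=None, step: int = 30,
                skew: int = 1, used_counters=None) -> bool:
    """Accept `code` for the current time step or up to `skew` steps either side
    (assumption: one step of tolerance for phone/server clock drift).
    If `used_counters` (a set) is given, a counter that already produced an accepted
    code is refused, so a code captured once cannot be replayed within its window."""
    if not code.isdigit():
        return False
    now = int(time.time()) if now is None else int(now)
    counter = now // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if used_counters is not None and candidate in used_counters:
            continue
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, candidate, len(code)), code):
            if used_counters is not None:
                used_counters.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (base32 of the ASCII string "12345678901234567890").
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(secret, 59))          # RFC vector: 287082
    print("current code:", totp(secret, time.time()))
```

Two details matter for a login plugin: the comparison is constant-time, and a counter is burned once it has been accepted, otherwise an attacker who phishes a code can reuse it for the rest of the 30-second step (plus the skew allowance).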
Conclusion: WordPress Security isn’t difficult
WordPress security isn’t difficult: you just need to ensure every component of your website’s security is taken care of. While it may seem cheaper not to bother about the security of your site, the cost of fixing a hacked site is much higher than the cost of keeping it safe.
If you run a WordPress site and are not sure on how to maintain the security of your site, consider outsourcing the WordPress website maintenance to a company you can trust.