All websites should aspire to maximum security. This axiom applies to big and small, from e-commerce to simple non-commercial sites. All sites are hacking targets. It’s nothing personal and often done by bots (computer programs or algorithms). And, the hacking may not even be visually apparent.
The good news is that sites can achieve 99.9% security. That’s the goal. You can reach this with a shortlist of basic steps, and an action plan to keep it secure. A rock-solid security plan involves three parts: initial hardening, monitoring, and a quick recovery plan if a breach does occur.
The focus of this post is on WordPress site security. But, much of what follows applies beyond WordPress.
First, let’s cover the basics. These are quick and easy first steps to secure a site – the most critical items and the low-hanging fruit. Next, we’ll look at how to monitor a site to keep it secure.
Choose a Host That Takes Security Seriously
When choosing a host, look for tight integration with modern security tools and services. For best security, this includes:
- Web Application Firewall (WAF) integration
- SFTP for file transfers (with insecure FTP disabled)
- Strong database passwords, by default
- Automated backups integrated with offsite cloud storage
- HTTPS and HSTS knowledge and support
Automate and Test Your Backups
Test a recent backup to ensure you have everything you need to deploy the site from scratch. Think of this as a sort of fire drill; a way to verify that all parts of the site are covered and an opportunity to create your Quick Recovery Checklist in case you need it.
Redundancy and automation are both good things when it comes to website backups. Use different backup methods and store the backups in different places. If one backup fails, you are still covered. For example, your host may run one backup which resides on the host’s servers, and you schedule another backup stored on Dropbox or Google Cloud.
Use Two-Factor Authentication (2FA)
Two-factor authentication (2FA) has proven to be one of the most effective ways to prevent hacking. It’s also low-hanging security fruit because it’s free and easy to set up.
Install an authenticator app on your phone, such as Authenticator for the iPhone, and install a two-factor authentication plugin in WordPress, such as Authenticator. Go through the setup to associate your user profile with the app. Then, when logging into the site, you’ll be required to enter the one-time code from the app on your phone (or a code sent to your email address).
Use an SSL Certificate (HTTPS)
Most hosts now include SSL certificates as part of all hosting packages. Ask your hosting provider whether one is included before buying a certificate. If your host does not include an SSL certificate, you still have excellent, free SSL options including Comodo and Let’s Encrypt.
To verify it’s working: Point your browser to the HTTP version of your site. It should automatically redirect to HTTPS. You should see the padlock next to the URL. If there is no padlock, check https://www.whynopadlock.com and make sure that the certificate is valid, that the domain and signature are correct, and that it passes the mixed content check.
Disallow Theme and Plugin Editing from the Dashboard
Add a line to wp-config.php that defines the WordPress constant DISALLOW_FILE_EDIT as true.
To verify it’s working: Check your dashboard. Under Appearance, the “Theme Editor” option should no longer appear. Likewise, under Plugins the “Plugin Editor” should be gone.
Use a Professional Web Application Firewall (WAF)
Cloudflare and Sucuri are both excellent, cloud-based options. One of the main advantages of a cloud-based WAF is that bad traffic is blocked before reaching your site.
Having a professional (paid) WAF in place from the start will also speed up and reduce recovery costs if a site is compromised.
Use a WordPress Security Plugin
Key features of the best WordPress security plugins include:
- Web Application Firewall (WAF)
- Automatic lockout after a set number of failed login attempts
- Blacklist by IP address and geolocation
- Malware scanning tools
Sucuri, Wordfence, and iThemes are all popular security plugins.
The Sucuri plugin reports changed WordPress core files right in the admin dashboard. This feature is included in the free version. However, to get a report on all files changed – including theme files – you’ll need the Pro version.
Sucuri also reports on security best practices, such as whether the HTTP security headers are set.
Install an Activity Log
A WordPress activity-specific log is essential for monitoring. In addition to flagging potential security issues, a logfile is useful for general site troubleshooting.
The Activity Log plugin is one option. Installing a separate plugin to log activity may be overkill if your WAF or security plugin also does this. But, redundancy is a good idea, especially while implementing a new plan.
Check Your Themes & Plugins
In addition to acting on the Site Health tool’s recommendations to update themes and plugins, keep an eye on where they come from. Specifically, they should be from an active developer and updated regularly. They do not all need to be premium, but paying is often the best way to get support.
Set Up Automatic Reminders to Change Passwords
One way to force all users to change passwords regularly is to install and activate the Expire Passwords plugin. You can specify the number of days between password resets.
Consider using a password manager such as LastPass, 1Password, or Dashlane. These managers can alert you if you have not updated a password recently or if you try to use the same password on multiple sites. Reusing passwords is a leading cause of breaches.
Change the Login Path
The default login location for WordPress is example.com/wp-login.php. Change it. Usually, a plugin is the preferred method because it won’t be impacted by theme updates. And, a plugin is quick and easy to deactivate for general troubleshooting.
All you need to do is decide on a new login location and then enter it in the plugin settings. And, notify your team of the new login path.
Protect wp-config.php & .htaccess
Add the following code to the bottom of your .htaccess:
# protect wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead of the order/deny pair)
<files wp-config.php>
    order allow,deny
    deny from all
</files>

# protect .htaccess
<files .htaccess>
    order allow,deny
    deny from all
</files>
Use the WordPress Site Health Tool
The Site Health tool was introduced in WordPress 5.2 and is found in the admin dashboard under Tools / Site Health. It checks for both Security and Performance issues.
The advantage of this tool is that it provides one place to check for the most common causes of security problems: dated and unused software, server-side software issues, and security certificate problems. If SSL or system software is flagged, talk to your host and reference the Site Health tool warnings and recommendations.
The ideal is to reach 100% site health with this tool. There may be perfectly valid reasons not to achieve 100%. But, in general, it does provide a quick and easy way to check general health.
Add ReCAPTCHA to the Login Page
Read more on that here.
Use a Custom Database Table Prefix
By default, WordPress uses wp_ for all MySQL tables. Change this to a custom prefix and update the wp-config.php. Some hosts do this automatically for all WordPress sites. That’s a good sign.
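The following script is an added example and not code from the original post. It audits a wp-config.php for the two settings described above: the DISALLOW_FILE_EDIT constant (a real WordPress constant that hides the Theme and Plugin Editors) and a non-default table prefix (the real `$table_prefix` variable in wp-config.php). The two sample config files are constructed for offline use; the hardened prefix `k7q_` is an arbitrary example value.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits wp-config.php for
# DISALLOW_FILE_EDIT (a real WordPress constant that hides the Theme and
# Plugin Editors) and a non-default $table_prefix (the real wp-config.php
# variable). The sample files at the bottom are constructed.

# Exit 0 if wp-config.php contains  define('DISALLOW_FILE_EDIT', true);
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Print the configured table prefix (empty when the line is missing).
table_prefix() {
    awk -F"['\"]" '/^[[:space:]]*\$table_prefix[[:space:]]*=/ { print $2; exit }' "$1"
}

# Exit 0 if a prefix is set and it is not the default wp_.
custom_prefix_in_use() {
    prefix=$(table_prefix "$1")
    [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# Print one line per finding; exit 1 if either check fails.
# Usage: audit_wp_config /path/to/wp-config.php
audit_wp_config() {
    rc=0
    if file_edit_disabled "$1"; then
        echo "ok: DISALLOW_FILE_EDIT is true; the dashboard editors are hidden"
    else
        echo "FAIL: add  define('DISALLOW_FILE_EDIT', true);  to $1"
        rc=1
    fi
    if custom_prefix_in_use "$1"; then
        echo "ok: table prefix is $(table_prefix "$1")"
    else
        echo "FAIL: table prefix is the default wp_ (or unset)"
        rc=1
    fi
    return $rc
}

# Constructed sample configs, trimmed to the lines that matter here.
WPCFG_WEAK=$(mktemp)
cat > "$WPCFG_WEAK" <<'EOF'
<?php
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
EOF

WPCFG_HARDENED=$(mktemp)
cat > "$WPCFG_HARDENED" <<'EOF'
<?php
$table_prefix = 'k7q_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
EOF

# With a path argument, audit that file; otherwise run the two samples.
if [ $# -gt 0 ]; then
    audit_wp_config "$1"
else
    audit_wp_config "$WPCFG_WEAK" || true   # both checks fail
    audit_wp_config "$WPCFG_HARDENED"       # both checks pass
fi
```

Run it as `sh audit_wp_config.sh /path/to/wp-config.php`. Changing the prefix on an existing site also means renaming the tables and updating the `user_roles` option; on a new install, set the prefix before running the installer.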
Restrict Database Privileges
It’s not necessary to give everyone full database access. Select, Add, Update, and Modify are sufficient in most cases.
Some plugins will need more access. Additional permissions can be granted on a case-by-case basis, at least temporarily for installation and setup.
Enable HSTS
HSTS (HTTP Strict Transport Security) tells browsers to load your site only over encrypted HTTPS. Check with your host. Wired covered it here: https://www.wired.com/story/google-encrypted-top-level-domains/
Use a Commercial VPN
Use a paid Virtual Private Network (VPN). Have it load on system startup, so you don’t even have to think about it. Some sites and services (including your employer) may block access. So, check with your sysadmin.
Harden The Headers
Your WAF or security plugin can do this for you. (The Sucuri dashboard reports whether the headers are securely set.)
The goal is to set Strict-Transport-Security, X-XSS-Protection, and X-Content-Type-Options.
To verify it’s working: Use curl or this tool: https://onlinecurl.com.
If your WAF or security plugin does not set them, update your .htaccess to include the following:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
</IfModule>
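The script below is an added example, not code from the original post. It turns three of the post’s “To verify it’s working” steps into checks that run on the raw headers `curl` prints: the HTTP-to-HTTPS redirect, the 403 that the .htaccess rules for wp-config.php and .htaccess should produce, and the three headers set above. The `SAMPLE_*` responses are constructed, not captured from a real host, and `example.com` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the post's
# "To verify it's working" steps: HTTP -> HTTPS redirect, wp-config.php and
# .htaccess answered with 403, and the three security headers present.
# The SAMPLE_* responses at the bottom are constructed, not captured.

# Strip CRLF so awk field splitting works on curl's raw header output.
_clean() { printf '%s\n' "$1" | tr -d '\r'; }

# Exit 0 if the headers describe a 301/302/307/308 to an https:// URL.
redirects_to_https() {
    _clean "$1" | awk '
        NR == 1 && $2 ~ /^30[1278]$/                              { status_ok = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { loc_ok = 1 }
        END { exit !(status_ok && loc_ok) }'
}

# Exit 0 if the status line is 403 (the .htaccess <files> rules are in effect).
is_forbidden() {
    _clean "$1" | awk 'NR == 1 { exit !($2 == "403") }'
}

# Print each missing header; exit 0 only when all three are set.
has_security_headers() {
    _clean "$1" | awk '
        tolower($1) == "strict-transport-security:" && $0 ~ /max-age=[1-9][0-9]*/ { hsts = 1 }
        tolower($1) == "x-content-type-options:" && tolower($2) == "nosniff"    { cto = 1 }
        # legacy header (modern browsers ignore it); checked because the post lists it
        tolower($1) == "x-xss-protection:"                                       { xss = 1 }
        END {
            if (!hsts) print "missing: Strict-Transport-Security with a positive max-age"
            if (!cto)  print "missing: X-Content-Type-Options: nosniff"
            if (!xss)  print "missing: X-XSS-Protection"
            exit !(hsts && cto && xss)
        }'
}

# Response headers only (GET request, body discarded), as curl prints them.
fetch_headers() {
    curl -sS -o /dev/null -D - --max-time 15 "$1"
}

# Run all checks against a live site. Usage: audit_site example.com
audit_site() {
    domain=$1
    if redirects_to_https "$(fetch_headers "http://$domain/")"; then
        echo "ok: http://$domain/ redirects to HTTPS"
    else
        echo "FAIL: http://$domain/ does not redirect to HTTPS"
    fi
    for f in wp-config.php .htaccess; do
        if is_forbidden "$(fetch_headers "https://$domain/$f")"; then
            echo "ok: /$f is blocked (403)"
        else
            echo "FAIL: /$f is not answered with 403"
        fi
    done
    if has_security_headers "$(fetch_headers "https://$domain/")"; then
        echo "ok: security headers set"
    fi
}

# Constructed sample responses for offline use.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Length: 0'

SAMPLE_GOOD='HTTP/2 200
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-type: text/html'

SAMPLE_BAD='HTTP/1.1 200 OK
Content-Type: text/html'

SAMPLE_FORBIDDEN='HTTP/1.1 403 Forbidden
Content-Type: text/html'

# With a domain argument, audit that site; otherwise exercise the samples.
if [ $# -gt 0 ]; then
    audit_site "$1"
else
    redirects_to_https "$SAMPLE_REDIRECT" && echo "sample redirect: ok"
    has_security_headers "$SAMPLE_BAD" || echo "sample without headers: FAIL (expected)"
fi
```

Run it as `sh audit_site.sh yourdomain.example`. If a cloud WAF such as Cloudflare sits in front of the site, the headers you see are the ones it emits, so a missing header may need to be set at the WAF rather than in .htaccess.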
Monitor and Audit Regularly To Keep It Secure
Check the Site Health Tool and strive for 100%.
Check your WAF or Security Plugin dashboard for alerts and changed files.
Set up security emails and text alerts.
Remove unnecessary files (backup archives and logs).
Run full site scans for malware.
Check built-in browser tools for warnings (the “Security” tab in Chrome’s developer tools).
Check the logfiles for odd behavior.
Add a unique string to the site including your domain name. Google the string to check for copyright infringement or other abuse.
Review how Google has indexed your site. For example, run this in the address bar: “site:example.com” (with your URL, and without the quotes).
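The script below is an added example, not code from the original post. It shows the kind of “odd behavior” check a log review is for, the same pattern a security plugin’s lockout-after-N-failed-logins feature automates: a failed WordPress login re-renders the form with status 200, while a successful one answers 302 to wp-admin, so repeated `POST /wp-login.php` responses with status 200 from one address are the signal. The log lines are constructed in Apache combined format with documentation-range addresses; `LOGIN_PATH` is an assumed variable for sites that moved their login page.

```shell
#!/bin/sh
# Added example, not code from the original post. Reviews an Apache access
# log for the pattern a security plugin's "lock out after N failed logins"
# feature reacts to. A failed WordPress login re-renders the form with
# status 200; a successful one answers 302 to wp-admin. So many
# "POST /wp-login.php" 200s from one address are the signal.
# LOGIN_PATH (assumed variable) can be changed if you moved the login page.
# The log lines at the bottom are constructed, in Apache combined format.

LOGIN_PATH=${LOGIN_PATH:-/wp-login.php}

# Print "count ip" for each client with at least $2 (default 5) failed
# logins in log file $1, most active first.
failed_login_sources() {
    awk -v min="${2:-5}" -v path="$LOGIN_PATH" '
        # combined format: $1 ip, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && index($7, path) == 1 && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Print "failures ip" each time a client logs in successfully after failing:
# the case worth a closer look in the activity log.
successes_after_failures() {
    awk -v path="$LOGIN_PATH" '
        $6 == "\"POST" && index($7, path) == 1 && $9 == 200 { fails[$1]++ }
        $6 == "\"POST" && index($7, path) == 1 && $9 == 302 && fails[$1] > 0 { print fails[$1], $1 }
    ' "$1"
}

# Constructed sample log: 203.0.113.5 fails five times; 198.51.100.7 fails
# once and then succeeds.
ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51203 "-" "Mozilla/5.0"
EOF

# With a log path argument, review that log; otherwise run on the sample.
if [ $# -gt 0 ]; then
    echo "failed-login sources:";  failed_login_sources "$1"
    echo "logins after failures:"; successes_after_failures "$1"
else
    failed_login_sources "$ACCESS_LOG"       # prints: 5 203.0.113.5
    successes_after_failures "$ACCESS_LOG"   # prints: 1 198.51.100.7
fi
```

Run it as `sh login_review.sh /var/log/apache2/access.log`. Addresses it flags are candidates for the IP blocklist in your WAF or security plugin; a success after a run of failures is the line to cross-check against the activity log.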
Stay paranoid. But remember that sticking to a proven security checklist will keep you a step ahead.