With the recent global ransomware campaign affecting over 100,000 organizations and 200,000 individuals in 150 countries, it’s essential to assess your online security practices and policies. Even though this WannaCry ransomware wasn’t targeting WordPress websites, but Windows PCs, it’s still crucial to take a good look at your online defenses.
First of all, you have to secure your home base, i.e. your own computer, PC, Mac or Linux, doesn’t matter, with proper security protocols.
Protecting your computer
The first step in protecting your own computer is to keep your operating system (Windows, macOS or Linux) and your programs updated at all times. You should enable automatic updates for your operating system and possibly use a third party program like Personal Software Inspector (Windows) to monitor your PC’s programs, so you’ll be alerted to insecure programs that need updating (or have them automatically updated).
Next, you need to make sure that you have a good firewall on your computer. Windows, macOS, and Linux all have a built-in firewall, so you should check that it’s turned on. For Windows, I recommend that you use a third party firewall program like ZoneAlarm (available for Windows 10,8,7, Vista AND XP).
Then is the matter of choosing the proper anti-virus program. There are plenty of programs to choose from, but as with every other thing in life, some of them are superior in protecting your computer against malware and other online threats. And there are plenty of other threats besides viruses out there. In fact, viruses aren’t your main concern anymore. Nastier variants of malware include spyware, adware, and the above-mentioned ransomware. You need a security program that can protect you against every online threat and protect your online privacy as well.
Based on my own experiences and independent tests done by AV-Comparatives and AV-Test I recommend Avira (free), Kaspersky (paid) and Bitdefender (paid). These security vendors all offer program suites including firewall, anti-virus protection, privacy protection, parental controls (for your children’s computers), password management among other things. Go visit the websites of these vendors and select the best solution for your particular needs. For extra protection for Windows, use Heimdal Security (free/paid).
Now that your computer is secured it’s time to take a look at your home network. You should establish a wired, I repeat, a WIRED connection to your home router and go through all the security settings available ( DO NOT do this on a wireless connection). First of all, if your router has a built-in firewall, you might want to enable it. You definitely want to enable your router’s firewall if you have any home appliances (baby monitors, IP cameras, printers, digital video recorders etc) connected to your home network. You don’t want your devices to get hacked and used in botnets like Mirai.
Secondly, make sure you are using an encrypted wireless connection (WPA2/AES) in your home. And use a strong password (minimum 12-character alphanumeric random password). And finally, change the default wireless network name (SSID) on your router with a random name that doesn’t identify you or your location in any way.
Love ’em or hate ’em, but you must use them. Passwords. And lots of them. Nearly every website you visit requires a password to comment, shop, share or do any other online activity. And then there are those vital passwords that could lead to financial trouble if compromised. And don’t forget those really private passwords (wink, wink) that you don’t want anybody to find out ever.
The strength of a password is specified in information entropy, measured in bits. A secure password should be at least 80 bits long, meaning a 15-character password. Such a password would take billions of years to crack by a modern computer, and two centuries by the best botnets known.
So how to create a secure password? Mix up lowercase and uppercase letters, numbers and symbols and only use each once in a password. For example:
That’s a 16-character password, secure enough to be used on financial activities (banking, investment accounts, PayPal etc.). And never use the same password twice for any online activity.
You can use shorter passwords for less important online accounts (forums, blogs, message boards etc.).
So what do you think when looking at the password above? If you’re like me and most of the people reading this article you say: “How on earth could I possibly remember such a password?”. Right?
If you’re not blessed with a photographic memory, it’s impossible to remember such passwords. And you don’t have to. Simply use a password manager (some of the above-mentioned security suites include one).
An alternative to passwords is passphrases. Passphrases are phrases made of random words. For example:
social edify curve wound bacon lucky
This passphrase consists of six words from the Diceware word list. This passphrase has an entropy of at least 77 bits making it stronger than a 12-character password, and it would take approximately 3500 years for an organization capable of one trillion guesses per second to crack (Edward Snowden’s 2013 warning).
The above passphrase may seem as impossible to remember initially as the password above. But compare the two and you’ll soon notice that the passphrase IS possible to memorize, unlike the password.
BUT any passphrase you choose to use must be generated randomly, don’t use something silly like [email protected]@mcdonalds. Instead, use the Diceware method.
Use KeePassX (it’s free, cross-platform and doesn’t store anything in the cloud). Generate a seven-word master passphrase using the Diceware method for KeePassX.
Generate random, different passwords using KeePassX for your online accounts. And NEVER use the same password twice.
Here’s a tutorial on using KeePassX.
And a final note on passwords/passphrases: change them regularly.
For power users, I recommend Vivaldi, which is very configurable, is based on the open-source Chromium browser and runs most Chrome extensions.
Before we can even start talking about securing your WordPress website, we have to talk about hosting security. That is the foundation of your website’s security, so you should take that especially seriously.
As we’re talking about WordPress websites here, you should choose a hosting company that specializes in WordPress hosting. These companies offer automatic backups, updates to WordPress software, plugins and other software used, a firewall, malware scans, the best server hardware and data centers, SSL, CDN, security audits, special account isolation techniques and capable technical support personnel among other things.
In short, you should choose a hosting company that starts building its services with security in mind from the ground up and avoid the ones that just try to react to security breaches as they occur.
Read my article about the essential features you should be looking for when selecting your WordPress hosting company here.
Now we start our deeper examination of the WordPress security landscape. But before we take a look at any specific security methods or practices for WordPress, we should take a look at the broader landscape.
WordPress isn’t secure
Often times people say that they don’t want to use WordPress because it’s an insecure platform. And that may truly seem to be the case with the constant news about breaches and hacks against WordPress websites.
Keep in mind that WordPress is the most popular content management software, powering over 30% of all websites on the Internet. And like Windows being the most popular operating system and thus being the main target for hackers, so is the case also for WordPress. It’s popularity simply draws more hackers.
But most security breaches and hacking incidents (nearly 80%) exploit outdated software and/or weak passwords. People use the default “admin” username for their administrator account with a weak password. That’s like keeping your house key under the carpet in front of your door, or in the flower vase next to your door.
And not updating the WordPress core and especially your plugins is as dangerous. An outdated plugin is the most common reason to get hacked besides a weak password.
And for such oversights, you can’t blame WordPress. The blame is on you.
I’m too small for hackers
The second common misbelief among WordPress users is that they believe hackers only target high-profile companies. Who would be interested in my small handicrafts website? Or this small ma&pa restaurant website?
But in fact, hackers specifically target small and midsize businesses. Big companies tend to have better security systems in place, it’s simply easier to hack small businesses. And 60% of small businesses that get hacked close down within six months.
So it’s crucial to protect your WordPress website, no matter how small your business is, as getting hacked might cost you your entire livelihood.
I have secured my WordPress website with an SSL certificate
That’s excellent, SSL protection is a way to show your visitors that you care about your business and your customers. Many customers know to look for the padlock symbol in their browser indicating that the website has SSL protection. And Google started labeling websites without SSL protection “Not Secure” in January of 2017 in Chrome browsers.
But an SSL certificate only protects the information (login data, credit card information etc.) passing between your website and your visitors, it does NOT protect the information on your website itself. In short, your website is as vulnerable to hacking attempts with or without an SSL certificate.
Protecting your WordPress website
Now it’s time to take a closer look at how to protect your WordPress website. First, though you should understand that there’s no such thing as 100% security. As soon as you connect any computer to any network that computer is compromised.
All you can do is to maximize your security efforts thus making your website too difficult for hackers to even bother with it. By hardening your website defenses to the max, hackers will ignore you and search for easier prey.
Guard Dog Sign
You know this trick: people put a sign warning about a guard dog on their premises even though they don’t have a dog in the first place.
The same practice can be seen on WordPress websites too. Moving or hiding the wp-admin folder or the login page, or changing the prefix of WordPress database tables. These measures are only security through obscurity, hiding your access point isn’t considered a best practice action to WordPress security. Any knowledgeable hacker can find hidden login pages.
As I stated earlier in this article in regards to protecting your own computer, keeping your WordPress core and plugins up-to-date is the crucial first step in protecting your WordPress website. And as I said earlier, outdated plugins are the main attack point for hackers. Remember the Panama Papers case? An outdated plugin has been listed as one possible cause for the breach. Read more here.
So keep a close eye on your plugins and update them as soon as updates are released. You can also use a WordPress maintenance service like iThemes Sync to keep your plugins updated. Or you can always outsource the whole thing.
Updating the WordPress core is very important as most minor updates are security updates designed to patch a certain new security flaw or shortcoming. The best WordPress hosting companies will update the WordPress core automatically, so you don’t have to worry about that.
One final word about updates. If you for whatever reason decide not to use a certain plugin anymore, deactivating that plugin isn’t enough. If you just deactivate the plugin, chances are you forget the keep it updated after that. And as I discussed earlier outdated plugins are the preferred attack point for hackers.
So when you deactivate a certain plugin, because you won’t be using it anymore, delete it immediately. Always delete any unused, deactivated plugins.
Getting hacked and having no backups is the ultimate disaster scenario. I bet a majority of those 60% of small businesses hacked and closed down within six months, didn’t have any backups.
Regularly backing up your WordPress website is essential, and you should do a backup always before you update the WordPress core or your plugins. Otherwise, the frequency of backups depends on how often you publish new content on your website.
Most hosting companies backup your website automatically, or you can do it manually yourself. But you should never rely solely on those backups. They are probably after all on the same server as your WordPress installation. Having them in the same place is not a good idea. In the worst case scenario, you could lose all the data on your website AND your backups.
So always do and store backups independently of your hosting company. You can store your backups on AWS, Google Drive, Dropbox, OneDrive, Rackspace or Azure for instance.
Next, I’ll talk about the three security plugins that are essential in securing your WordPress website. I’m personally using these and I have followed the companies behind these plugins for a quite some time now.
There are a lot of different WordPress security plugins available. Some are designed to do one specific task, others are more like multi-purpose plugins. And having fewer plugins is always better, so there’s no point installing several plugins to do one specific task as you can achieve that with one multi-purpose plugin.
Wordfence is a web application firewall including a malware scanner and other tools to monitor the visitors on your website and the bots trying to hack you.
The main reason for installing Wordfence however, is the built-in firewall. Firewalls have been used from the beginning of network security and are still used today simply because they work.
Wordfence is installed and configured like any other plugin, it’s a stand-alone firewall sitting between your WordPress website and the Internet, filtering all traffic coming to your website before it even reaches your WordPress installation and your plugins.
You should also set up regular malware scans with Wordfence to make sure there are no unwanted nasty bits running around your website.
The new version of Wordfence (version 6.3.11 and up) includes a handy feature that alerts you if you have plugins that are abandoned or removed from the WordPress.org plugin repository. Read more about this feature here.
iThemes Security Pro
This is the plugin to use for hardening your WordPress website against attacks. And remember what I said earlier, there’s no such thing as 100% security. However, we can make our WordPress websites so hard nuts to crack, that hackers won’t even bother with our sites as there are so many easier targets out there.
And iThemes Security Pro is the perfect plugin for this job. It includes most of the essential features needed to secure your website. Having this plugin installed on your website makes other security plugins designed to do one task obsolete.
Here’s how iThemes Security Pro plugin can protect your WordPress website:
Brute Force Protection
Lockout those bots trying to guess your login password.
Strong Password Enforcement
Make your users (admins, editors, authors etc) use strong passwords. This is one of the best ways to secure your WordPress website.
File Change Detection
Hackers usually make changes to your site and files. If that happens, you’ll get alerted by email, so you know your website is compromised and you can take necessary actions.
Ban Bad Users
Ban anyone with too many failed login attempts, or too many 404 errors, or if they’re on a bot blacklist.
reCAPTCHA (Pro-version feature)
Verify users trying to log in or submitting comments are indeed human, not those bad bots.
Two-Factor Authentication (Pro-version feature)
This is the gold standard of login security. You can and should protect your every important online account with 2FA. On your WordPress website, you can enforce certain users (mainly admins) to use 2FA. This will greatly enhance the security of your website.
These are only some of the settings available in iThemes Security Pro, you can read more on the plugins website.
WP Security Audit Log
This plugin is used to monitor every activity on your WordPress website. You can track every user on your website to make sure that they are only doing what they are allowed to do on your website.
The main purpose of WP Security Audit Log is to alert you to any suspicious activity on your website, so you can act swiftly and stop any attacks or breaches immediately.
And if something still goes wrong, despite all your security measures in place, WP Security Audit Log will tell you what happened, by whom and when. That is invaluable information to have when searching for the culprit(s) and plugging the possible security breach.
As I stated earlier, Two-Factor Authentication is the gold standard of login security. If hackers manage to get your username and password, they still can’t log in to your WordPress website remotely, unless they have your smartphone with the authentication app.
This is a really important feature to utilize, with 2FA you can lock your WordPress login page tighter than with anything else. And with reCAPTCHA and 2FA, bots are powerless against you.
Use 2FA to secure all your important accounts, banking and investment accounts, social media accounts, hosting and CDN accounts etc. So even if your login details (username and password) were compromised, your accounts would still be secured by 2FA, thus making any breaches highly unlikely.
One last bit in your websites defenses is Content Delivery Network (CDN). You can use a CDN to protect your website, besides delivering the cached, static content of your website to your visitors based on their geographic location. A CDN makes your website faster and most importantly more secure.
You can get a free SSL certificate to encrypt the traffic between your website and your visitors. If you collect any personal information or credit card details you simply must have an SSL certificate. Many CDNs offer also the free Let’s Encrypt SSL, or you can use your own SSL certificate.
A CDN can protect your website against bad bots, DDoS attacks, and image hotlinking.
Besides the obvious speed benefits of using a CDN, the security enhancements make using a CDN a must for every WordPress website owner.
There you have it, a long list of things you can and should do to protect your WordPress website and your business.
Start implementing these security measures today and you’ll be one of the WordPress website owners whose website is too tough for hackers. And whilst over 73% of current WordPress websites are vulnerable to hackers, you’ll be left alone with some many easy targets available for hackers.