According to WordFence, there are 90,000 attacks a minute on WordPress websites. Although the platform comes with many measures to mitigate potential risks, the complexity of modern threats requires your regular active involvement in order to secure your WordPress site from hackers who are constantly scanning the web. Here are six easy measures you can put in place today to better secure your WordPress site:
- Keep all software updated
- Switch to HTTPS
- Enforce strong passwords for your users
- Implement strict user permissions
- Set up two-factor authentication
- Back up your site on a regular basis
Keep all software up to date
Outdated software is one of the primary points of entry for attackers, because updates are usually released to patch a specific vulnerability that has already been discovered and publicised. Attackers run automated scans that look for every reachable website running outdated plugins, so it is always a matter of “when will it happen?”.
The WordPress software is the core of your site and should always be kept updated. Failing to update it can leave your site vulnerable to attacks that are public knowledge and being attempted on an ongoing basis. WordPress should also run on the latest version of PHP. Old versions of the language have vulnerabilities that could lead to a full takeover of your site.
In addition, keep your plugins and themes updated just as diligently, and do your due diligence before installing any plugin to ensure it is actively maintained and regarded as reliable by the community. This goes a long way toward securing your WordPress site, but your journey doesn’t stop there.
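One way to put the update advice into practice, as an added example that is not code from the article: a must-use plugin (dropped into wp-content/mu-plugins/) that opts core, plugins and themes into WordPress's built-in background updates and e-mails the site admin a daily digest of anything still pending. The hook name `example_update_digest` and the PHP floor in `EXAMPLE_MIN_PHP` are assumptions.

```php
<?php
/**
 * Added example (not from the article): an mu-plugin that opts core, plugins
 * and themes into background updates and e-mails the site admin a daily
 * digest of anything still pending. The hook name and the minimum PHP
 * version are assumptions for illustration.
 */
const EXAMPLE_MIN_PHP = '8.1'; // assumed floor; follow PHP's supported-release list

// Core: accept minor and major releases automatically.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes: opt every installed one into background updates.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Register the daily digest job once.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_update_digest' ) ) {
        wp_schedule_event( time(), 'daily', 'example_update_digest' );
    }
} );

// Builds the digest text; an empty string means nothing is outstanding.
function example_pending_update_report(): string {
    // Refresh the update transients so the counts are current.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();
    $counts = wp_get_update_data()['counts'];
    $lines  = [];
    if ( ! empty( $counts['total'] ) ) {
        $lines[] = sprintf( 'WordPress core: %d, plugins: %d, themes: %d',
            $counts['wordpress'], $counts['plugins'], $counts['themes'] );
    }
    if ( version_compare( PHP_VERSION, EXAMPLE_MIN_PHP, '<' ) ) {
        $lines[] = sprintf( 'PHP %s is below the assumed floor %s', PHP_VERSION, EXAMPLE_MIN_PHP );
    }
    return implode( "\n", $lines );
}

add_action( 'example_update_digest', function () {
    $report = example_pending_update_report();
    if ( $report !== '' ) {
        wp_mail( get_option( 'admin_email' ), 'Pending updates on ' . home_url(), $report );
    }
} );
```

Background updates still depend on WP-Cron being triggered by traffic or a real cron entry, so the digest is the safety net for updates that did not happen.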
Switch to HTTPS
HTTPS is HTTP carried over TLS (the successor to SSL), an encryption protocol that protects the information travelling between your site and its visitors. Securing your WordPress website with HTTPS is an absolute necessity today, especially if you handle sensitive user data. When a website doesn’t use HTTPS, an attacker on the network path can read and modify the data exchanged between users and the server.
A TLS digital certificate can easily be obtained for free. Any hosting company worth using makes secure hosting available. This should be one of your top priorities to secure your WordPress site.
Enforce Strong Passwords
Users with any sort of administrative privilege should create strong passwords made up of special characters, numbers and capital letters. More importantly, they should use unique passwords that are not shared with any of their personal or work accounts. This measure should be strictly enforced, and the reason is simple: millions of leaked passwords, usernames and e-mail addresses can be bought on the dark web for a small price. Hackers feed these large databases into automated tools that try millions of passwords, which could grant them access to one of your accounts with administrative privileges if that user’s password was exposed in the breach of some other website. These attacks, known as brute-force attacks, can also be mitigated by installing a plugin that limits the number of consecutive login attempts. That said, another layer of protection can be added to secure your WordPress website in case an attacker does manage to log in to an account.
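The two controls described above, a password policy and a limit on consecutive failed logins, as an added example mu-plugin that is not code from the article; the length limit, attempt limit and lockout duration are assumptions to tune for your site.

```php
<?php
/**
 * Added example (not from the article): an mu-plugin that rejects weak
 * passwords when a user sets or resets one and pauses a username after too
 * many consecutive failed logins. The limits are assumptions; tune them.
 */
const EXAMPLE_MIN_PASSWORD_LENGTH = 14;
const EXAMPLE_MAX_FAILURES        = 5;
const EXAMPLE_LOCKOUT_SECONDS     = 900;
function example_check_password( WP_Error $errors, string $password, string $login ): void {
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'pass', sprintf( 'Password must be at least %d characters.', EXAMPLE_MIN_PASSWORD_LENGTH ) );
    }
    if ( $login !== '' && stripos( $password, $login ) !== false ) {
        $errors->add( 'pass', 'Password must not contain the username.' );
    }
}
function example_fail_key( string $username ): string {
    return 'example_fail_' . md5( strtolower( $username ) );
}
// Profile edit / new-user form: $user->user_pass holds the plaintext candidate.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        example_check_password( $errors, $user->user_pass, $user->user_login ?? '' );
    }
}, 10, 3 );
// "Lost password" flow: the candidate arrives in the pass1 field.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        example_check_password( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );
// Count consecutive failures per username; the transient expires with the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key = example_fail_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCKOUT_SECONDS );
} );
// Refuse attempts while the counter is at the limit (priority 30 runs after
// WordPress's own username/password check at 20); clear the counter on success.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( $username !== '' && (int) get_transient( example_fail_key( $username ) ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 2 );
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_fail_key( $user_login ) );
} );
```

A per-username lockout can be used to lock a legitimate user out, so pair it with per-IP throttling or a challenge at the web server rather than relying on it alone.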
Implement Strict User Permissions
People are too often careless about protecting their accounts: they do not follow strong password policies, or they let a malicious e-mail trick them into revealing their credentials. If an account is compromised, the impact of the breach is significantly smaller when that account cannot actually access anything sensitive.
This is where the principle of least privilege comes in. It can be summarized as giving each account only the permissions strictly necessary for its role.
WordPress defines six roles: Super Administrator, Administrator, Editor, Author, Contributor, and Subscriber. A website should have just one Administrator account (Super Administrator exists only on multisite installations). People who only create content should have the Author or Contributor role. Only trusted people should be Editors.
While you’re at it, rename the “admin” account to something else; that makes it a little harder for attackers to identify and target. Also consider adding a plugin that lets you control role permissions granularly, so you can create new roles and grant them the least access possible.
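Least privilege applied to WordPress roles with the core roles API, as an added example that is not code from the article: it clones Editor into a narrower role, strips a dangerous capability from the built-in Editor role, and audits who holds Administrator. The role name `post_editor`, the capabilities removed and the audit function are assumptions.

```php
<?php
/**
 * Added example (not from the article): an mu-plugin applying least privilege
 * to WordPress roles. The custom role name and the capabilities removed are
 * assumptions chosen for illustration.
 */
add_action( 'init', function () {
    // 1. A "post_editor" role cloned from Editor but stripped of the ability to
    //    edit pages and to post raw HTML, for people who only review blog posts.
    if ( ! get_role( 'post_editor' ) ) {
        $caps = get_role( 'editor' )->capabilities;
        foreach ( array_keys( $caps ) as $cap ) {
            if ( strpos( $cap, 'pages' ) !== false || $cap === 'unfiltered_html' ) {
                unset( $caps[ $cap ] );
            }
        }
        add_role( 'post_editor', 'Post Editor', $caps ); // persisted in the options table
    }
    // 2. Built-in Editors lose unfiltered_html too, so a hijacked editor account
    //    cannot plant <script> tags in content. remove_cap() persists, so guard it.
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
} );

// 3. Audit helper: which logins hold the administrator role. The advice above is
//    one administrator and no account literally named "admin".
function example_admin_audit(): array {
    $admins = array_map(
        fn( WP_User $u ) => $u->user_login,
        get_users( [ 'role' => 'administrator' ] )
    );
    return [
        'administrators' => $admins,
        'too_many'       => count( $admins ) > 1,
        'default_name'   => in_array( 'admin', $admins, true ),
    ];
}
```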
Set up Two-factor Authentication
Building on the previous measure, this one adds an extra layer of security for accounts whose password has been compromised. Multi-factor authentication requires an additional confirmation from the user to validate their identity: when the user logs in, the server verifies the login by sending a text message, making a voice call, or prompting a mobile application. While this is not entirely bulletproof, it greatly limits the risk and adds another step that discourages attackers from targeting your website.
Users have to demonstrate something they have (a phone number or an enrolled authenticator app) in addition to something they know (the username and password). Additional logins over a short period from the same IP address usually don’t require repeating the confirmation.
The accounts with the highest levels of responsibility, administrators and editors, should always use two-factor authentication. Authors and contributors can use it as well, but it is less critical. Several plugins are available for multi-factor authentication.
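What the authenticator-app variant of the second factor actually checks, as an added example that is not code from the article or from any particular plugin: an RFC 6238 TOTP verifier with clock-drift tolerance and a replay guard stored in user meta. The function names and the `example_totp_last_step` meta key are assumptions.

```php
<?php
/**
 * Added example (not from the article): a minimal RFC 6238 TOTP check of the
 * kind a second-factor plugin performs, with a replay guard so the same code
 * cannot be accepted twice. The user-meta key is an assumption.
 */
function example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( rtrim( strtoupper( $b32 ), '=' ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( 'invalid base32 secret' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( strlen( $chunk ) === 8 ) {
            $out .= chr( bindec( $chunk ) );
        }
    }
    return $out;
}
// HOTP (RFC 4226) for one counter value: HMAC-SHA1, dynamic truncation, 6 digits.
function example_hotp( string $secret, int $counter ): string {
    $hmac   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true ); // 64-bit big-endian counter
    $offset = ord( $hmac[19] ) & 0x0f;
    $bin    = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $bin % 1000000 ), 6, '0', STR_PAD_LEFT );
}
// Accept the current 30-second step or its neighbours (clock drift), but never a
// step at or below the last one this user already redeemed (replay guard).
function example_totp_verify( int $user_id, string $b32_secret, string $code, int $now ): bool {
    $secret = example_base32_decode( $b32_secret );
    $step   = intdiv( $now, 30 );
    $last   = (int) get_user_meta( $user_id, 'example_totp_last_step', true );
    foreach ( [ 0, -1, 1 ] as $drift ) {
        $candidate = $step + $drift;
        if ( $candidate > $last && hash_equals( example_hotp( $secret, $candidate ), $code ) ) {
            update_user_meta( $user_id, 'example_totp_last_step', $candidate );
            return true;
        }
    }
    return false;
}
```

The published test vectors in RFC 6238 Appendix B (with the 6-digit truncation of RFC 4226) can be used to check `example_hotp` before wiring the verifier into a login flow.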
Back up your site on a regular basis
Absolute security is impossible unless you disconnect entirely from the internet. If your site is compromised by a motivated attacker, you need the tools to remove the cause and get back to a working state quickly. This is easy if you run regular, automated, offsite backups. An onsite backup can be destroyed at the same time an attacker compromises the files on the server; an offsite, remote backup is safer.
Offsite backups normally copy only what has changed since the previous backup, so the volume of data to restore after an attack is small, especially when your website is backed up every hour.
Want to know if your website could be hacked?
Our penetration testing services were designed to help organizations like yours improve their cybersecurity against the latest threats. Contact our specialists to get started.