The online world is a dangerous world. Each moment we face signs of attacks from hackers in the form of denial of service, brute-force, phishing and so on. It is important for you to protect your WordPress website.
What have you done to ensure that you have a secure WordPress website?
- There are a good number of WordPress security plugins available.
- WordPress works with hosting and databases.
- It is important to go for a more comprehensive form of security for your WordPress site.
- Security does not mean the installation of WordPress plugins.
- Security means constant vigilance, twenty-four hours a day, three hundred sixty-five days a year.
- There is no such thing as one hundred percent security.
- It is not absolute.
- It is about the proactive reduction of risks and the elimination of imminent risks, so that you always stay ahead of hackers.
- WordPress security is all about three-pronged security management.
- It includes the local environment, online behaviours and internal processes.
- So it is about people, process and technology.
1. Website hosts:
- For a self-hosted WordPress website, you need to choose from shared hosts, managed hosts and other variations.
- It is important to go for a good, reputable host that not only updates PHP and other WordPress installations but also updates WordPress whenever updates are available.
2. Keep WordPress up to date:
- A large group of WordPress volunteers releases security updates day in and day out.
- It is important to update WordPress to its latest version to make it more secure.
3. Security control and security posture:
- It is important for administrators to implement good security controls on the host file system to improve overall security posture.
4. Limit Access:
- Reduce the number of administrative users to the bare necessity.
- Remove unused plugins and themes. Install WordPress with cPanel Site Software instead of the Softaculous auto installer.
- This will reduce the number of entry points to a minimum.
5. Functional isolation:
- It is important to run most apps in an autonomous environment.
- This greatly reduces the severity of damage to your website if it is compromised.
6. Back up WordPress:
- Make reliable backups. From time to time, check the authenticity of the backups.
- The general practice is to keep at least three different backup copies of the WordPress website at three different locations.
- These might be email or a cloud drive, CD/DVD, a flash drive and an external hard drive.
- Most website hosts provide backup software.
- Check cPanel and its apps to find these. Back up WordPress regularly.
- You can download any backup plugin, or go to phpMyAdmin and download the database to your local computer.
7. Download plugins and themes from trusted sources:
- Trusted sources means the WordPress.org plugin directory.
- Do not download plugins from other sources.
- Malware can be bundled with premium plugins and themes downloaded from other sources, and it will infect your site.
8. Enable SSL for WordPress data security:
- SSL stands for Secure Sockets Layer. It encrypts communication to and from your website, and that makes the site more secure.
- Learn from here how to install a free SSL/TLS certificate signed by CloudFlare on your origin server.
9. Secure wp-config.php file:
- The wp-config.php file holds critical data about the database, including its username and password.
- So make it inaccessible to trespassers through the .htaccess file or leech protection.
- Move the wp-config.php file out of the WordPress installation.
- It is important to back up your WordPress site before making these changes.
10. Hide WordPress version number:
- Open the functions.php file of the active WordPress theme.
- Back up the functions.php file before editing. At the end of the functions.php file, include the following code.
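The snippet itself is not reproduced on this page. The block below is an added example, not the original author's code, showing one way to remove the version banners WordPress emits; the function name `example_strip_core_version` is hypothetical.

```php
// Added example for the end of the active theme's functions.php.
// The file is already inside a <?php block, so no opening tag is needed here;
// if the file ends with "?>", paste this above that closing tag.

// 1. Remove <meta name="generator" content="WordPress x.y"> from the page head.
remove_action( 'wp_head', 'wp_generator' );

// 2. Empty the generator string wherever else it is printed (RSS, Atom, RDF feeds).
add_filter( 'the_generator', '__return_empty_string' );

/**
 * 3. Core scripts and styles are loaded with ?ver=<WordPress version>.
 * Strip the parameter only when it equals the core version, so plugin and
 * theme assets keep their own cache-busting version strings.
 * Hypothetical helper name; not part of WordPress.
 */
function example_strip_core_version( $src ) {
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        // Trade-off: browsers may keep cached core assets after an update.
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
```

This removes only the obvious banners; the version can still be inferred from other files the site serves, so keeping WordPress up to date (item 2) remains the real protection.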
11. Use regularly updated themes and plugins:
- Use themes and plugins from renowned sources.
- Look for regularly updated themes and plugins. Deactivate unused plugins and then delete them.
12. Secure WordPress admin:
- Use a good and secure password for the front end of WordPress.
- Do not use the default username as the username for the WordPress admin. Use two-factor authentication to log in to WordPress Admin.
13. Secure WordPress log in screen:
- Limit login attempts to stop brute-force attacks.
- Use CAPTCHA or reCAPTCHA on your login screen to stop botnets from using your website to register as members.
- Add a security question to your login screen to stop bots or hackers from gaining unauthorised access to your website.
- Use an Idle User plugin to automatically log out idle users.
- For the most part, assign users the least possible privilege, such as the subscriber role.
- Do not provide administrative privileges to unknown and unauthenticated users.
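How limiting login attempts works under the hood, as an added example that is not code from the original page: a small must-use plugin that locks out an address after repeated failures. The `example_*` names, the limit of 5 attempts and the 15-minute window are assumptions.

```php
<?php
/**
 * Added example (hypothetical names throughout): throttle failed logins per IP.
 * Save as wp-content/mu-plugins/example-login-throttle.php.
 */
const EXAMPLE_MAX_FAILS    = 5;   // assumed threshold
const EXAMPLE_LOCK_SECONDS = 900; // assumed window: 15 minutes

function example_fail_key() {
    // Behind a CDN such as CloudFlare, REMOTE_ADDR is the CDN's address unless
    // the web server is configured to restore the visitor IP; without that,
    // every visitor would share one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fails_' . md5( $ip );
}

// Count each failed attempt. Every new failure restarts the expiry timer,
// so an address that keeps guessing stays locked out.
add_action( 'wp_login_failed', function () {
    $key   = example_fail_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, EXAMPLE_LOCK_SECONDS );
} );

// Priority 30 runs after core's credential checks (priority 20), so a
// locked-out address is refused even when the password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_fail_key() ) >= EXAMPLE_MAX_FAILS ) {
        return new WP_Error(
            'example_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_fail_key() );
} );
```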
14. Protect wp-admin through leech protection.
15. Database security:
- Use SFTP (Secure File Transfer Protocol) to connect to your server.
- Change the WordPress database table prefix.
- Set stronger passwords for the database. Back up databases regularly.
- Use stronger file and folder permissions.
16. Website firewalls:
- Use stronger cloud-based firewalls in the form of a content delivery network such as CloudFlare.
- Learn from here how to set up free CloudFlare CDN for WordPress website.
- Use endpoint firewalls such as SiteLock or Norton so that your traffic is redirected through a secure path. Use a content delivery network to constantly watch your website traffic.
17. Use remote scanners:
- Use remote scanners such as the free online scanners VirusTotal, SiteLock and others.
- If the hosting provider offers the ClamAV security scanner, you can use it periodically to check the status of the website.
- It can scan mail, entire home directory, public web space and public FTP space.
18. Register website with reputation monitors:
- Reputation monitors or webmaster tools give your website a good amount of exposure to search engine crawling. Register with the Google, Bing, Norton, Yandex and Pinterest webmaster tools and authenticate your site with them.
19. Secure WordPress through cPanel protections:
- cPanel provides a host of features to secure a WordPress installation.
- You can use IP Blocker that will allow you to block a host of internet protocol addresses that you feel are bots or spammers.
- By using HOTLINK PROTECTION, you will prevent other websites from directly linking to files such as jpg, jpeg, gif, png and bmp.
- In this way, the other sites which could have been stealing your bandwidth, would not be doing so.
- Enable LEECH PROTECTION to prevent users from publicly giving out their passwords to the restricted areas of your site.
20. Security of WordPress website through CloudFlare content delivery network:
- CloudFlare CDN provides a host of security options.
- Do check with your hosting provider, as most hosts also provide some additional features with it. Encrypt communication to and from your website using Flexible SSL by going to the CRYPTO segment. Flexible SSL encrypts only the link between visitors and CloudFlare; a certificate installed on your origin server also encrypts the link from CloudFlare to your server.
- Go to FIREWALL and adjust SECURITY LEVEL to MEDIUM. This is the recommended setting, as CloudFlare challenges both moderate-threat visitors and the most threatening visitors.
- The next segment is CHALLENGE PASSAGE. Visitors with a bad IP reputation will be allowed for a maximum time, and then that visitor will have to pass the challenge test.
- Most CloudFlare accounts connected from your hosting account provide UNMETERED DDOS MITIGATION, as CloudFlare will stand in front of your website regardless of attack size or duration.
- You can learn from here how to set up free CloudFlare CDN for your WordPress blog.
- You can learn from here how to install a free TLS/SSL certificate signed by CloudFlare on your origin server.