When you have worked hard to build a thriving WordPress website, nothing could be more devastating than a hacker attack. From wrecking your files to hijacking your site to mine crypto coins, the online world is full of potential threats and any WordPress site is a potential target. Fortunately, there are a lot of different things you can do to defend your WordPress security through both high-tech defenses and a few clever best practices.
You probably already know about keeping your plugins current, using a secure WordPress hosting service, and have installed the top three to five WP security plugins. But there are also some important security measures that are less well-known that everyone should be using. Today, we’re here to share five of the most effective and un-sung WordPress security methods you can implement without diving into the code.
Website Backups and Recovery Plan
If your website isn’t taking automatic backups of itself, it should be. Existing on the internet is never a sure thing. Anything from a corrupted auto-update to a ransomware attack could — theoretically — completely take out your site at any moment. But a disaster doesn’t have to be the end. With a comprehensive snapshot backup of your website taken recently, you can simply spin up a new server, redirect your DNS, and your website will be back online before you can play Tubthumping by Chumbawamba through the office because your website cannot be defeated.
And if you think we’re exaggerating, just see how you feel when your website comes cheerfully back online after a disaster that completely ‘destroyed’ it mere moments ago. Backups are worth it.
Stop Malicious Traffic with a Web Application Firewall (WAF)
Malicious traffic is when a malware bot tries to access your site. The goal is to either DDOS you or inject code into the HTML and PHP that governs the website. This kind of hacking can lead to all sorts of disasters, data corruption, and infrastructure damage to your website, not to mention malware infection. Fortunately, you don’t have to cut off access to your legitimate visitors to stay safe from malicious traffic attacks.
A WAF is a Web Application Firewall that inspects the traffic bound for your website before a page is allowed to load. A DNS-level WAF directs all traffic to your site through a proxy server, where the request origin is checked against known malicious IPs and for signs of suspicious routing. Anything questionable is booted while legitimate visitors are let through.
An application-level WAF instead stops visitors at the entry to your own server. It likewise refuses to load any page code until the request has been checked for signs of malicious intent or origin.
Login Attempt Management
One of the ways hackers gain access to WordPress accounts is with brute-force password guessers. They will set a program to try a username with a nigh-infinite number of possible passwords. They try hundreds or thousands in a matter of minutes. This is not only bad for security, but it can also DDOS your server with thousands of rapid login requests.
This kind of attack is largely neutralized by one simple protection that you may have forgotten to add: login attempt limits. Simply stopping a client from attempting to log in over and over again throws a wrench in the brute-force strategy. You can even use human-interaction tools, such as a CAPTCHA, so that real visitors who genuinely forgot their password can keep trying.
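Here is one way to implement login attempt limits with WordPress's own hooks, as an added example (not code from this article or from WordPress itself): a must-use plugin, assumed to live in wp-content/mu-plugins/, that counts failures per client IP and username in a transient and refuses further attempts for 15 minutes once five have failed.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limit (added example, not WordPress core)
 * Drop into wp-content/mu-plugins/. Counters live in transients, so the limit is
 * per site; on a cluster, use a persistent object cache so all nodes share them.
 */

const LAL_MAX_ATTEMPTS    = 5;   // failures allowed before lockout
const LAL_LOCKOUT_SECONDS = 900; // lockout window: 15 minutes

// Key the counter on client IP plus username. REMOTE_ADDR is only meaningful when
// PHP sees the real client; behind a reverse proxy, have the proxy set REMOTE_ADDR.
function lal_key( string $username ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_' . md5( $ip . '|' . strtolower( $username ) );
}

// Runs after core has checked the password (priority 30 > 20) but before login
// completes; a locked-out client is refused even if the password is now correct.
function lal_check_lockout( $user, $username, $password ) {
    if ( ! is_string( $username ) || $username === '' ) {
        return $user;
    }
    if ( (int) get_transient( lal_key( $username ) ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LAL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_check_lockout', 30, 3 );

// Every failure (including a refused locked-out attempt) bumps the counter and
// restarts the window, so hammering the form only extends the lockout.
function lal_record_failure( $username ): void {
    $key = lal_key( (string) $username );
    set_transient( $key, (int) get_transient( $key ) + 1, LAL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

// A successful login clears the counter for that IP/username pair.
function lal_clear_on_success( $user_login ): void {
    delete_transient( lal_key( (string) $user_login ) );
}
add_action( 'wp_login', 'lal_clear_on_success' );
```

Because the counter is keyed on the username as well as the IP, a single attacker trying many usernames is slowed only per username; pair this with a WAF rate limit if you also want to cap total login requests per client.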
Change Your Security Default Settings
When you set up a WP site, the out-of-box configuration comes with some basic default settings. It has to in order to get started without a ton of programming. However, because WordPress is so widespread, hackers are definitely aware of what these default settings are and can use that knowledge to more easily crack into your site.
The four key default settings are your admin username, your database prefix, your WP version, and your config file. By changing even one of these things to a more secure setting, you can throw off the vast majority of opportunistic WP hackers looking for an easy by-the-books mark.
Change Your Admin Username
By default, your admin account’s username is ‘admin’. But as we just discussed, a hacker who already knows the username is halfway to cracking an account open, and with it all the juicy access and permissions inside. If you want to keep your admin account safe (and you do), one of the best ways to do that is to simply change the actual admin username. We suggest something fun like “KingLobster” that doesn’t have the word ‘admin’ anywhere in it at all. Note that WordPress does not let you rename an existing user from the dashboard: create a new administrator account with the new name, log in as it, and delete the old ‘admin’ account, reassigning its content to the new user when prompted.
Change Your wp_ Database Prefix
When WordPress creates its database tables on your server, it gives them all the wp_ prefix to make things easier to find. However, a hacker who has gained server or database access and wants to wreck your day merely needs to look for the wp_ tables to know where your website data is stored. A simple way to thwart this cheap trick is to change your prefix.
The new prefix can be any string of letters, numbers, and underscores (WordPress rejects other characters in $table_prefix). Just remember that it will be at the head of every table your WordPress website generates for itself. Consider something random-looking rather than a single word followed by an underscore, as hackers might also recognize that naming pattern.
Hide Your WP Version
WordPress, by default, advertises its version in the page source (a generator meta tag in the HTML head, and again in your RSS feeds), which any hacker who knows what they’re doing can read. Knowing the version of WordPress you’re running can tell an informed hacker a lot about what plugins you might be running and what weaknesses may be inherent in that version. Hiding the version grants you some level of security through obscurity; it is no substitute for actually updating.
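As an added example (not code from this article or from WordPress core), here is a must-use plugin, assumed to live in wp-content/mu-plugins/, that removes the three places core advertises its version: the generator meta tag, the feed generator element, and the ?ver= query string on core scripts and stylesheets. The hwv_ prefix is an arbitrary name chosen for this example.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example, not WordPress core)
 * Drop into wp-content/mu-plugins/.
 */

// 1. Drop the <meta name="generator" content="WordPress x.y"> tag from wp_head().
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds call the_generator(); an empty string suppresses the <generator> element.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core appends ?ver=<core version> to its own scripts and styles. Strip it only
//    when it equals the core version, so plugins and themes that pass their own
//    version numbers keep their browser cache-busting.
function hwv_strip_core_version( string $src ): string {
    global $wp_version; // set by wp-includes/version.php
    $ver   = '';
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        $ver = $args['ver'] ?? '';
    }
    if ( $ver !== '' && $ver === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

The stock readme.html in the site root also states the version, so delete it or block it in your web server; verify the result by fetching the home page, a feed and a core stylesheet URL and confirming no version string appears.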
Hide Your Config File
Finally, your config file (wp-config.php, which holds your database credentials and secret keys) is at the heart of your website, and hackers know exactly where it is. There are a few different ways to hide or protect it, but the best is to move it out of the web-accessible directory. WordPress automatically looks for wp-config.php one directory above the site root, so moving it there needs no other changes; if you move it anywhere else, leave a stub wp-config.php in place that includes the real file so your config connections don’t break.
Lock Down Your Admin URL Access
Did you know that you can stop other people from accessing any URL of your website you don’t want them to see? If only you or users from your office IP address need access to, say, the admin panels or special pages, then you can use a proxy service or a rule in your own web server to ensure that all other users, legitimate or not, are turned away if they try to reach your restricted pages directly. This can be an incredibly powerful tool for stopping hackers who are trying to insert code or force their way into the secure controls of your website.
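As an added example (not code from this article or from WordPress core), here is a must-use plugin, assumed to live in wp-content/mu-plugins/, that returns 403 for wp-login.php and the dashboard unless the client address is in an allowlist. The addresses shown are constructed documentation ranges, and the aia_ prefix is an arbitrary name chosen for this example.

```php
<?php
/**
 * Plugin Name: Admin IP Allowlist (added example, not WordPress core)
 * Drop into wp-content/mu-plugins/. Protects wp-login.php and /wp-admin/;
 * admin-ajax.php stays open because front-end features rely on it.
 */

// Constructed sample allowlist; replace with your office addresses or ranges.
const AIA_ALLOWED = [ '203.0.113.0/24', '198.51.100.7' ];

// IPv4 host/CIDR match. Trust REMOTE_ADDR only: X-Forwarded-For is client-supplied
// unless a proxy you control overwrites it. IPv6 clients never match this example.
function aia_ip_allowed( string $ip, array $allow ): bool {
    $ip_long = ip2long( $ip );
    if ( $ip_long === false ) {
        return false;
    }
    foreach ( $allow as $entry ) {
        [ $net, $bits ] = array_pad( explode( '/', $entry, 2 ), 2, '32' );
        $net_long = ip2long( $net );
        $bits     = (int) $bits;
        if ( $net_long === false || $bits < 0 || $bits > 32 ) {
            continue; // skip malformed entries rather than failing open
        }
        $mask = $bits === 0 ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
        if ( ( $ip_long & $mask ) === ( $net_long & $mask ) ) {
            return true;
        }
    }
    return false;
}

// The login form, plus any dashboard request that is not an AJAX call.
function aia_is_protected_request(): bool {
    if ( basename( $_SERVER['SCRIPT_NAME'] ?? '' ) === 'wp-login.php' ) {
        return true;
    }
    return is_admin() && ! wp_doing_ajax();
}

function aia_enforce(): void {
    if ( aia_is_protected_request() && ! aia_ip_allowed( $_SERVER['REMOTE_ADDR'] ?? '', AIA_ALLOWED ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
}
add_action( 'init', 'aia_enforce', 0 );
```

Test it from an address outside the list before relying on it, and keep a way to remove the file over SSH or SFTP so a mistyped range cannot lock you out of your own dashboard.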
With WordPress running so many of the world’s websites, personal and business, WordPress security has never been more important. For more insights into how to secure your site or fine-tune the security solutions you already have in place, contact us today!