Web security is not to be taken lightly as an increasing number of data breaches continue to shock the world. According to the Evil Internet Minute 2019 report by RiskIQ, cybercriminals cost the global economy $1.5 trillion in 2018 alone. The report also states that $2,900,000 is lost to cybercrime every minute, and top companies pay $25 per minute due to cyber security breaches.
Your WordPress (WP) website is not safe from cyberthreats either. In fact, as WordPress powers 37.8% of all websites in the world, it is highly likely to face the impact of the growing number of cyberattacks. According to Sucuri, a popular WP security plugin, 90% of its cleanup requests in 2018 were from WordPress websites.
That’s why you need to pay attention to the security details of your WordPress site from the very beginning. Here’s a checklist of the security measures you can take to safeguard your website.
Let’s start with the basics.
What Is a Cybersecurity Threat?
A cybersecurity threat is a malicious act committed with the intention to corrupt (damage) or steal data or hijack a digital application that disrupts the normal functioning of the said application. There are several ways to conduct a successful cyberattack, such as phishing, social engineering, and exploiting security vulnerabilities in your system.
The intention, however almost always is financial gain or espionage. According to 2019 Data Breach Investigations Report by Verizon, while 71% of breaches were financially motivated, 25% of breaches were motivated by the gain of strategic advantage (espionage).
As a result, data breach will usually cripple your system, expose sensitive information to the dark Web, and prevent authorized users from accessing the data. In short, it can affect or totally destroy the normal functioning of your digital life, be it professional or personal.
In recent years, cybercriminals have shifted their focus on targeting small and medium businesses. In 2019, 43% of data breaches involved small business victims. In other words, you need to take active steps to protect your business applications and website going forward.
WP Security Checklist
If you have a WordPress site, whether personal or business-related, you need to go through the following security checklist. Taking these seemingly simple precautions can go a long way in keeping it safe.
#1. WordPress Security Plugins
One of the best ways to increase the security of your WordPress site, without any coding, is to install a security plugin. Security plugins can help you identify vulnerabilities in your website, block malicious networks, prevent cybersecurity threats, and monitor DNS changes, among other things.
Here are three of the most popular security plugins for your WordPress site.
Sucuri is perhaps the most popular security plugin for WordPress. This comprehensive plugin is available in free and premium versions. In the free version, you get features like activity auditing, file monitoring, and front-end malware scans. With the paid version, you can get malware scanning at server-level and Web Application Firewall (WAF).
Wordfence is also available in free and premium versions. The free version comes with features like WAF, real-time traffic analytics and monitoring, malware scanning, and Two-Factor Authentication (2FA). Of course, you get more advanced features in the premium version.
MalCare offers firewall protection, remote malware scanning, one-click malware removal, and several developer tools for advanced security measures. However, the free version comes with only basic scanning capabilities. With the premium version, you can remove malware after an attack.
#2. Turn Off File Editing
As you may already know, WordPress comes with its own code editor. The editor allows you to customize your theme and plugins as per your requirements.
However, you need to turn this file editing feature off because it can cause damage to your site’s security and integrity in the hands of unauthorized users. To disable this feature, you should add the following code in your configuration file.
// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );
#3. Disable PHP File Execution
WordPress makes a few of the directories writeable to make it easier for authorized users to upload themes, plugins, images, and other content to your site. However, cybercriminals can exploit this feature to insert malware or malicious script to your site, which can be accessed remotely.
Although it is not practical to remove writing permissions for all directories, you can remove writing permission for specific directories by disabling PHP file execution. This can reduce the chances of a potential malicious attack.
Start by typing the following code in Notepad:
deny from all
Now, save this file as .htaccess, not as .htaccess.txt. Upload this file to the desired directory using an FTP client. Once added, this code will stop any PHP file from running. This, however, is not a security fix for a website that has already been compromised.
#4. Limit Login Attempts
Hackers often use multiple username-and-password combinations until they can get access to your website, called as brute force attack. As WordPress allows unlimited login attempts by default, your website remains vulnerable to such hacking attempts. However, by limiting the number of login attempts, you can protect your website from getting hacked.
You can use a variety of plugins to restrict login attempts. The Limit Login Attempts Reloaded plugin is perhaps the best options you’ll come across. With over one million active installations, this 100% free plugin allows you to customize login attempt settings.
By default, the plugin allows four login attempts, which you can change along with the lockout period. For example, you can set the limit to three attempts, and the lock users out temporarily, say for 24 hours.
#5. Create Regular Backups
Despite your best security measures, your website may still fall prey to hacking as nothing is 100% safe on the Web. Regular backups, however, can help save important files and data from your website in case your website gets hacked.
Ideally, you should backup files daily or if possible, turn on real-time backup. You should also create multiple copies of your backed-up files.
#6. Ensure Regular Updates
Updates are also as important as regular backups. In 2018, 44% of hacking was caused by outdated WordPress sites. Research also states that only 6.6% of the websites are using the updated 7.3 version of PHP, and the rest are still on vulnerable versions.
Updates can help you stave off cyberattacks as they often patch up security vulnerabilities in the older versions. While WordPress will update minor fixes automatically, you will need to manually download major ones like version updates.
Apart from the core WordPress updates, you also need to keep the plugins and themes updated as well. Make sure to periodically check for relevant updates.
#7. Always Set Secure Passwords
None of your security measures will work if you use weak passwords for your WordPress site. Unfortunately, as secure passwords are difficult to remember, most people often use passwords like ‘andy123’ or ‘reachel1984.’
However, hackers can easily crack these passwords and gain backdoor entry to your website. So, you need to use lengthy and complex passwords with a combination of random characters, alphabets, and numbers.
Never use your name, initials, phone number, birth or anniversary dates or any other personal information or their combination as passwords. Also, never use the same password more than once. You can find several different password managers that can help you create strong passwords.
#8. Security Questions
Security questions provide users with an additional layer of security when logging into their WordPress site. Even if your username and password fall into the wrong hands, unauthorized users won’t be able access your website if they are unable to answer your security question.
You can use the WP Security Question plugin to set security questions. You can set universal questions for all users or user-specific questions using this plugin. However, you will need to buy the premium version to unlock all the advanced features.
#9. Turn Off Directory Indexing and Browsing
WordPress has different directories to store the content. The WordPress core files that remain static are stored in directories like /wp-admin or /wp-includes. User-generated content, on the other hand, is stored in /wp-content directory. It basically stores themes, plugins, and media files.
WordPress enables directory indexing and browsing by default. However, this setting makes it easier for cybercriminals to browse through your /wp-content directory to find out which plugins and themes are installed.
Thus, they can identify and exploit the vulnerabilities in one or more themes or plugins to launch an attack. That’s why it is necessary to disable directory indexing and browsing.
Connect to your website using an FTP client and go to the .htaccess file in the root directory. Once you have located the file, download it on your PC. Open the file in a text editor like Notepad and add the Options-Indexes code to it just before the #END WordPress.
Hit the Enter key to add a blank line between this code and the #END WordPress. Save and upload the modified file to your root directory using the FTP client. Verify if the directory browsing is disabled. If you see “404 – File not Found” error message, you have successfully turned off directory indexing and browsing.
#10. Secure Hosting
Hosting is also critical for your website’s security as hackers can exploit security vulnerabilities in your servers. You have to choose a WordPress hosting provider that offers your site maximum security.
Make sure your WordPress hosting provider offers SSL certificate add-ons, firewall and antimalware protection, automated backups and updates, and real-time system monitoring, among other things. They should also offer a comprehensive DDoS attack prevention strategy and disaster recovery plan to protect your data in case of an accident.
WordPress is one of the most popular and secure website building platforms in the world. However, you will still need to take necessary security measures to protect your WordPress site from malicious attacks. Hopefully, this checklist will help you secure your WordPress site and provide your users with a seamless browsing experience. Which security precautions have you taken to secure your website? Feel free to tell us about your experiences and share your doubts in the comments section.
About the Author!
My name is Ronik Patel and I run UnlimitedWP, a white-label WordPress agency purpose-built to help digital agencies consolidate the hundreds of tasks they perform for their clients on a daily basis.