Table Of Contents
- How to secure your website with HTTPS?
- Why should you add a CAPTCHA on the Logins?
- How to defend your website against Brute-Force Login Attempts?
- Why should you consider setting up Two-Factor Authentication?
- How to disable unnecessary features from WordPress?
- Why install a WordPress firewall?
- What steps to take if your website is hacked?
Issues with website security are common with all types of websites and plugins and there is no specific security type unique to WordPress. However, WordPress security issues are of utmost interest because WordPress powers around 40% of the web and it is also open source. When someone finds a vulnerability either in WordPress core or plugins, it poses a risk to other websites as well because the same code is being used by all of them.
This blog will elaborate on different types of vulnerabilities that WordPress websites face and will discuss different ways of coping with them. Moreover, this also applies to other types of web applications as well.
Here are some of the most common types of vulnerabilities that you might encounter.
- Pharma Hacks.
- Brute-force Login Attempts.
- Cross-site Scripting (XSS).
- Denial of Service (DDoS).
- Malicious Redirects.
These are the ones commonly faced by people however, these are not the only ones. Top web design agencies have a 360° approach to tackling vulnerabilities. The reason is that hackers use numerous different techniques to hack a website.
For example, they can physically access your website, or they can use surveillance methods to steal your password while you’re logging in. So, you should think of all the possible ways to be able to effectively tackle this threat.
Let’s discuss some of the most effective strategies to tackle hackers or at least make it a little harder for them to hack your website.
1. Secure Your Site With HTTPS
It's not by chance that we'll begin by talking about encrypting the website with HTTPS. The network and wire cables carry everything you do. Between the browser and the server, HTTP sends plain text data. As a result, anyone with network access between the server and the browser can see your unencrypted data.
You risk exposing important data to attackers if you don't secure your connection. Your data will be secured with HTTPS, and even if an attacker gains access to your network, they will not be able to read the data transferred.
Enabling HTTPS is the first step towards protecting your website. If you haven't already done so, follow this tutorial to convert your WordPress site to HTTPS.
Tools and WordPress Plugins for Migrating from HTTP to HTTPS
- Better Search Replace.
- Database Search and Replace Script.
2. Use Stronger Passwords
Weak passwords are the most prevalent technique for hackers to gain access to websites. You become subject to brute-force assaults as a result of this. Strong passwords, more than any other method described below, will improve your security. Always use strong passwords and check for pwned accounts on a regular basis.
Plugins for Enhancing Password Strength
- Disallow Pwned Password.
- Download Password Policy Manager.
- Password bcrypt.
3. Add CAPTCHA on the Login & Registration Form
You've already made things difficult for hackers by securing your website with HTTPS and using strong passwords. However, adding CAPTCHA to login forms might make it much more difficult. Captchas are an excellent technique to prevent brute-force assaults on your login forms.
Plugins for adding Captcha on WordPress Login
- Login No Captcha reCAPTCHA.
- Login Security reCAPTCHA.
4. Defend Against Brute-Force Login Attempts
Up to a certain extent, Login CAPTCHA will protect you against brute-force attacks, but not fully. Captcha tokens are usually only valid for a few minutes after they are solved. For example, Google reCaptcha is only valid for 2 minutes.
During those two minutes, attackers can conduct brute-force login attempts to your login form. You should block unsuccessful login attempts by IP address to fix this problem.Web development companies in Dubai and around the world advise that websites should enable mechanisms to safeguard websites against brute force login attempts because it is one of the most common ways hackers use to breach a website’s security.
Plugins for Preventing Brute-force Attacks.
- WP Limit Login Attempts.
- Limit Login Attempts Reloaded.
5. Use Password Managers to Store Your Passwords
When you connect in from a public network, you never know who is observing what you type on your laptop or who is capturing your passwords. Use password managers to conveniently access your credentials and store them in a secure location to address this problem.
They won't be able to acquire your credentials even if your computer is hacked. Browser-based password managers, not WordPress plugins, are available.
Browser Add Ons for Password Manager
- LastPass.
- 1Password.
- NordPass.
6. Setup Two-Factor (2FA) Authentication
Yes, you are more secured with safe passwords and captcha on login forms. But what if hackers utilized surveillance techniques to record the password you put into your website on video? Only two-factor authentication can safeguard your website from attackers if they know your password.
Plugins to Setup 2FA Authentication
- Two-Factor.
- Google Authenticator.
- WordPress Two Factor Authentication (2FA , MFA).
7. Keep WordPress Core and Plugins Updated
Vulnerabilities in the WordPress core and plugins arise often, and when they do, they are discovered and reported. To prevent websites from being hacked due to known and reported vulnerabilities in files, be sure to upgrade your plugins to the most recent version.
Switching to automatic updating is not recommended since it may cause your websites to fail without you knowing. However, because these updates include security fixes for the core, I highly advise you to enable WordPress core minor updates by adding this line of code to wp-config.php.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
8. Set Correct File Permissions for WordPress Files
File permissions are rules that govern how files may be read, modified, and executed on the operating system that hosts your WordPress files. This level of protection is critical, especially if your website is hosted on shared hosting. When a website on shared hosting is hacked, attackers can access files on your website and read any material there if the settings are improper – particularly wp-config.php and gai.
- All files should be 644.
- All folders should be 775.
- wp-config.php should be 600.
According to the aforementioned regulations, your hosting user account has permission to read and change files, while the webserver (WordPress) has permission to alter, delete, and read files and directories.
The contents of wp-config.php are inaccessible to other users. If changing wp-config.php to 600 causes your website to go down, change it to 640 or 644.
9. Disable File Editing from WordPress
The ability to modify files from the admin backend is a well-known feature of WordPress. Developers use SFTP and seldom utilize this, thus it is not essential.
10. Disable Unnecessary Features
WordPress has a lot of functionalities that you might not ever use. The XML-RPCendpoint in WordPress, for example, was developed to communicate with other applications. This endpoint can be used by hackers in terms of brute-force logins.
You can disable XML-RPC using the plugin Disable XML-RPC-API.
Another built-in issue with WordPress is that it provides a REST-API endpoint to list all users on the website. Open “/wp-json/wp/v2/users” to any WordPress install to see a list of usernames and user IDs as JSON data.
You can disable users REST-API by adding this line of code into functions.php
function disable_users_rest_json( $response, $user, $request ){
return '';
}add_filter( 'rest_prepare_user', 'disable_users_rest_json', 10, 3 );
11. Hide WordPress Version
WordPress automatically inserts a comment in the HTML of the page with the WordPress version. It also provides the hackers with the WordPress version you have installed. For example, if you're using a WordPress version with any core vulnerability, the hackers know they can hack your site using different approaches.
Plugins to Hide WordPress Versions Meta Tags
- Meta Generator and Version Info Remover.
- WP Generator Remover by Dawsun.
12. Install a WordPress firewall
A web program that runs on a website and examines all incoming HTTP requests is known as a firewall. It uses advanced algorithms to screen out requests that might pose any risk. To block requests, one can add their own rules to the firewall's built-in rules. SQL injection is one of the most prevalent types of attacks.
Let's say you're unaware that you're using a WordPress plugin that's vulnerable to SQL injections. Even if the attacker is aware of the plugin's security weakness, he will be unable to hack the website if you use a firewall. This is because requests containing SQL injections will be blocked by the firewall.
DNS-level firewalls can also be set up to execute before queries are sent to a web server. Cloudflare DNS firewall is one example. This technique has the benefit of being more resistant to DDoS attacks.
Application-level firewalls on the server allow HTTP requests to reach the webserver before blocking them. That indicates the server uses some CPU/RAM resources to prevent them from accessing the network. DNS-level firewalls do not use server resources, making them more resilient to hacker assaults.
Some WordPress Firewall Plugins
- Wordfence Security.
- All In One WP Security & Firewall.
- BulletProof Security.
- Shield Security.
13. Always Keep Backups
If your website gets hacked, the easiest approach to recover is to restore it to the most recent backup version that was not infected. Cleaning up your website might be a time-consuming process if you don't keep backups. In certain situations, because the virus deleted all of the data, it may not be able to recover all of the data. Make frequent backups of your website's database and files to avoid such situations.
Check with your hosting company to see whether they offer daily backups and if so, activate it. If not, these plugins can be used to perform backups.
- UpdraftPlus.
- BackupBuddy.
- BulletProof Security.
- BlogVault.
14. Use SFTP
Many developers already use SFTP to connect to web servers, but just in case you don't, it's a good idea to remind yourself about its significance.SFTP, like HTTPS, encrypts data before sending it over the network, making it difficult to read as plain text even if you have network access.
15. Track Users Activity
We've gone through a number of methods for protecting your website against unknown hackers but what if one of your workers with website admin access performs something dodgy like inserting links in content? None of the measures listed above can identify that. That is why it is important to monitor user activities and act accordingly if anything suspicious happens.
Plugins for Monitoring User’s Activity
- Activity Log.
- User Activity Log.
- WP Activity Log.
Now, let's discuss the scenario if your website gets hacked. Because the fact of the matter is that websites do get hacked. Even after doing everything and taking every precaution, hackers seem to find a way to evade all the hurdles and gain access.
Here are a few steps that you should take in case your website gets hacked:
- Firstly, change your passwords for emails and other accounts because the hackers might have gained access to them.
- Restore your website to the latest non hacked backup.
- Reset passwords for all website users.
- Update all the plugins on the website.
When it comes to security, take a holistic and 360° approach. Stress the significance of security to all of your stakeholders so that they are aware of the potential implications of getting hacked.
This is it for today’s blog. I hope you liked it and that you’ve learned a thing or two about securing your website from the imminent threat of hackers. If you want web development services from your personal or business website, reach out to Prism, the best web design agency in Dubai and we’ll take care of your web security so that you can focus on building your brand. Thank you and Goodbye.
About The Author: Lovetto Nazareth
Lovetto Nazareth is a digital marketing consultant and agency owner of Prism Digital. He has been in the advertising and digital marketing business for the last 2 decades and has managed thousands of campaigns and generated millions of dollars of new leads. He is an avid adventure sports enthusiast and a singer-songwriter. Follow him on social media on @Lovetto Nazareth