WordPress is one of the world’s most popular content management systems. It is no surprise that WordPress sites are frequently the target of attacks, since attackers tend to go after the most widely used platform to increase their odds. If unmaintained, WordPress sites make easy targets. There are, however, a few easy steps you can take to greatly increase the security of your website. All of them are free and can be done through the dashboard. I will break this post up into three sections:
- Security Checklist
- Security Plugins
- How to Mitigate an Attack
WordPress Security Checklist
- Keep usage of plugins to a minimum and remove any unused plugins. The more plugins you have activated, the more open you are to attack. This can be done from the “Plugins” sidebar menu.
- Update WordPress and plugins. That refresh icon in the top left corner of your screen? That’s where you should be looking each time you log in. Update to the latest version always (or wait a few days in some cases for bug fixes).
- Review how safe the plugins you are currently using are. Read the reviews for the plugin. View the history of the contributor who created the plugin (is it their first plugin ever?). In the past, poorly designed plugins have been known to allow any user input into the database without even checking it first (this is security 101).
- The fewer forms, logins, fields, and user inputs in general, the safer your site will be. It’s just like adding more and more windows to your house. Soon enough you will have a glass house and it will shatter.
- This one should go without saying, but I’m putting it here anyway: use strong passwords. 8+ characters, alphanumeric with lowercase, uppercase, numbers, and special characters. You can see for yourself how much of a difference this makes by trying out a password at this site. Do you want it to take millions of seconds or years for someone to guess your password?
Security Oriented WordPress plugins
Here are some excellent plugins that will help you manage firewall rules, run malware scans, and monitor traffic by categories like failed login attempts.
- Wordfence – you get a great deal for free. There is a premium version which I have not tried but encourage others to consider.
- WP Cerber – another consistently well-rated security plugin. This one specializes more in keeping track of bots and other suspicious activity. It also allows the creation of whitelists and blacklists, and even changing the login URL to evade automated login attempts.
In most cases Wordfence is plenty. But you can still install both to get the best of both worlds. There are a few more plugins with positive reviews, but the plugin can only be as good as the author and their reputation.
How to Mitigate an Attack
With Wordfence it is really easy. Go to the “brute force” and “rate limiting” tabs. There you can decrease the number of login attempts allowed before somebody is locked out. Likewise you can throttle bots that are trying to access pages too quickly by lowering the number of pages allowed per minute.
Try viewing your site’s traffic from the “live traffic” menu. See any agents that look suspicious (accessing wp-login.php, xmlrpc.php, non-existent pages, etc.)? You can click “block this IP” (temporary unless made permanent) or go to “block this network”. If you go to block this network, scroll down to where it says “information related to…” and click it. Type in a reason for blocking it and click “block visitors matching this pattern”. You can add criteria based on user agent or other things. This helps protect against DDoS (distributed denial of service), where your site is constantly accessed by different devices, making it harder to tell which users are real and which ones are just imitators. By blocking the range of addresses you are preventing the attacker from countering by simply using a different IP address on the same network.
Eventually the attacker will become exhausted, run out of resources, and move on to easier targets.
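The same triage Wordfence’s live traffic view does by hand can be done against your raw web server access log. The script below is an added example and is not part of the original post or of Wordfence; it assumes the standard Apache/Nginx combined log format and uses constructed sample lines (RFC 5737 documentation addresses, not real traffic). It counts hits per IP against the sensitive paths named above (wp-login.php, xmlrpc.php, and 404s for non-existent pages), reports the IPs over a threshold, and then rolls those up by /24 network so you can see when a whole range, rather than a single address, should be blocked.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes combined log format:
# ip - - [date] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
# Field layout used below: $1 = client IP, $7 = request path, $9 = status.

# Constructed sample log lines (documentation IP ranges, not real visitors).
SAMPLE_LOG='203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.11 - - [01/Jan/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.11 - - [01/Jan/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.11 - - [01/Jan/2024:10:00:08 +0000] "GET /wp-admin/nonexistent HTTP/1.1" 404 200 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'

# suspicious_ips MIN_HITS
# Reads log lines on stdin; prints "ip count" for every IP with at least
# MIN_HITS requests to wp-login.php, xmlrpc.php, or a non-existent page (404).
# A visitor who logs in once (198.51.100.7 above) stays below the bar.
suspicious_ips() {
    awk -v min="$1" '
        $7 ~ /^\/(wp-login\.php|xmlrpc\.php)/ || $9 == 404 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort
}

# suspicious_networks
# Reads "ip count" lines (the output of suspicious_ips) and sums them per /24,
# which is the "block this network" view: one attacker rotating through
# addresses in the same range shows up as a single hot network.
suspicious_networks() {
    awk '{
        split($1, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        total[net] += $2
    }
    END { for (n in total) print n, total[n] }' | sort
}

# Stand-alone run over the constructed sample. On a real host you would
# replace the printf with e.g. tail -n 10000 /var/log/nginx/access.log.
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3 | suspicious_networks
```

The threshold is deliberately a parameter: on a busy site legitimate logins add up, so tune it against a normal day’s log before acting on the output. The network roll-up is what justifies a range block; a single noisy IP is better handled by the temporary per-IP block described above.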
If you aren’t afraid to open up the command line, there are other things you can do to harden your site, such as setting correct file permissions. Some hosting providers also allow you to set your own firewall rules, which can add yet another layer of protection.
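Here is what “correct file permissions” looks like in practice. This is an added example, not code from the original post; it assumes the usual layout where the web server runs as its own user and only needs to read the WordPress files, so the baseline is 755 for directories, 644 for files, and 600 for wp-config.php (which holds the database credentials). It reports anything world-writable or an over-permissive wp-config.php, and can apply the baseline. The demo tree it builds is constructed throwaway data so you can try it without touching a real install.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the web server user only
# needs read access; ownership is deliberately left alone since it depends on
# the host (commonly www-data or the hosting account user).

# audit_wp_permissions ROOT
# Prints one finding per line; prints nothing when the tree is clean.
audit_wp_permissions() {
    root="$1"
    # Anything any local user could modify (mode has the "other write" bit).
    find "$root" -perm -002 -print | sed 's/^/world-writable: /'
    # wp-config.php must not be readable by "other" (it contains DB credentials).
    if [ -f "$root/wp-config.php" ] && [ -n "$(find "$root/wp-config.php" -perm -004 -print)" ]; then
        echo "world-readable: $root/wp-config.php"
    fi
}

# fix_wp_permissions ROOT
# Applies the conventional baseline: 755 dirs, 644 files, 600 wp-config.php.
fix_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    return 0
}

# count_findings ROOT
# Number of audit findings; handy for a cron check that alerts when non-zero.
count_findings() {
    audit_wp_permissions "$1" | awk 'END { print NR }'
}

# make_demo_tree
# Builds a tiny WordPress-like tree with deliberately bad permissions
# (constructed data) and prints its path.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads"
    echo "<?php // constructed placeholder" > "$demo/wp-config.php"
    echo "<?php // constructed placeholder" > "$demo/wp-content/uploads/file.php"
    chmod 777 "$demo/wp-content/uploads"          # world-writable directory
    chmod 666 "$demo/wp-content/uploads/file.php" # world-writable file
    chmod 644 "$demo/wp-config.php"               # credentials readable by everyone
    echo "$demo"
}

# Stand-alone run: audit, fix, audit again, then clean up.
demo_root=$(make_demo_tree)
echo "Before fix:"; audit_wp_permissions "$demo_root"
fix_wp_permissions "$demo_root"
echo "Findings after fix: $(count_findings "$demo_root")"
rm -rf "$demo_root"
```

Run the audit function against your real document root first and read the findings before running the fix; some plugins legitimately need a writable uploads or cache directory for the web server user, and that should be granted through ownership and group permissions rather than by making the directory world-writable.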