It seems every year now we hear about some mega corporation getting hacked and how the consequences impact their users. Yahoo and Sony are just some of the high profile examples. However, if you think only large Tier 1 businesses are the ones at risk, think again.
Just a few days ago, I was tweaking some settings for one of our hosting customers and had to scroll through the logs to get something I needed. As I was working, I noticed a few unwelcome (unsuccessful) attempts to access certain WordPress core files from IP addresses that originated from Russia and other parts of Eastern Europe. Here’s a snippet of the log:
Your internet business absolutely needs certain measures in place to mitigate these types of attacks and the risks they bring with them. While FissionBlue Creative managed hosting customers may have each of the following in place, there’s no harm in sharing some of the easy steps you can take to secure your WordPress website. These are usually very quick to implement by yourself or a trusted helper, and should not take more than an hour or two total in most cases. On the other hand, you are putting your online presence at unnecessary risk if you choose not to execute this list.
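The log triage described above (spotting repeated failed requests to WordPress core files from a single address) is the kind of check worth automating. The script below is an added example, not part of the original post or any plugin; it assumes an Apache/nginx "combined" access-log format and uses constructed sample lines rather than the real log.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumption: the host logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# WordPress core paths that ordinary visitors rarely touch but scanners probe constantly.
SENSITIVE = ("/wp-login.php", "/xmlrpc.php", "/wp-config.php", "/wp-admin/", "/wp-includes/")

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_probe(entry):
    """A request to a sensitive path that was refused (4xx) or was a login POST."""
    path = entry["path"].split("?", 1)[0]
    if not path.startswith(SENSITIVE):
        return False
    return 400 <= entry["status"] < 500 or (entry["method"] == "POST" and path == "/wp-login.php")

def suspicious_ips(lines, threshold=3):
    """Return {ip: probe_count} for addresses with at least `threshold` probe requests."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_probe(entry):
            counts[entry["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation-range IPs, not the post's real log).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:03:14:10 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.9"
198.51.100.7 - - [10/Mar/2017:03:15:00 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
192.0.2.44 - - [10/Mar/2017:08:00:01 +0000] "GET /about/ HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2017:08:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} probe requests")
```

The addresses it reports are candidates for the IP or range bans discussed under the CloudFlare step, after a quick look confirms they are not a staff member who mistyped a password.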
1. Install a security WordPress plugin like iThemes Security or WordFence.
Many of the most important features are free, and these guys will disable some of the most common entry points used by attackers. When you visit the iThemes settings page for the first time, the WordPress plugin will ask for your permission to set some very simple defaults. With just 2-3 clicks you’ve got a basic level of protection for your WordPress site.
WordFence is equally easy to set up and arguably just as potent. If you’re somewhat technical, you’d best visit the options page and review some of the checkboxes to fine-tune the level of protection to your tastes.
2. Make backups of your website regularly.
The frequency of your site backups is entirely up to you; however, I recommend conducting either weekly or monthly WordPress backups, based on:
a. How busy your site is or how often you change content, and
b. How often you update your WordPress installation version, theme version, and plugins.
There are several free and premium solutions available, so I’ll do my best to explain what you need to look for as a bare minimum. Your WordPress website needs two components to run correctly. The first component consists of your actual website files like the core installation, any plugins, and any pictures or graphics you have uploaded. These are stored in a folder/directory on your host. The second and equally important component is your database. If you back up all your files and forget to do the same for your database, every setting you’ve ever customized and every word of text you’ve written will not be saved with it.
Though iThemes does include a backup tool, it only covers the database half, which is only suitable for very recent rollbacks instead of a full recovery. I recommend the WordPress Duplicator plugin or Updraft Plus to create a restore point of both components, whether you wish to restore your entire website after a catastrophe or move hosts completely. The backup is saved in a folder on your host by default, and can even be saved directly to your Google Drive, Dropbox, etc. with the premium plugin version.
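To make the "both components" point concrete, here is an added example of a minimal server-side backup, written for this post and not taken from any of the plugins mentioned. It assumes a standard WordPress layout (database settings as define() calls in wp-config.php, a MySQL/MariaDB database reachable with mysqldump) and that the destination folder lives outside the web root.

```python
import os
import re
import subprocess
import tarfile
from pathlib import Path

# WordPress keeps its database settings as PHP define() calls in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,"""
    r"""\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)

def read_db_settings(wp_config_text):
    """Return DB_NAME/DB_USER/DB_PASSWORD/DB_HOST from the contents of wp-config.php."""
    found = {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(wp_config_text)}
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD"} - found.keys()
    if missing:
        raise ValueError(f"wp-config.php lacks {sorted(missing)}")
    found.setdefault("DB_HOST", "localhost")
    return found

def archive_files(wp_root, archive_path):
    """Component 1: core files, plugins, themes and uploads as a gzipped tarball.
    Returns the archived file names so the caller can check what went in."""
    wp_root = Path(wp_root)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(wp_root, arcname=wp_root.name)
    with tarfile.open(archive_path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())

def dump_database(settings, sql_path, runner=subprocess.run):
    """Component 2: the database, via mysqldump. The password is passed through
    the MYSQL_PWD environment variable so it never appears in the process list."""
    cmd = ["mysqldump", "--single-transaction", "-h", settings["DB_HOST"],
           "-u", settings["DB_USER"], settings["DB_NAME"]]
    env = {**os.environ, "MYSQL_PWD": settings["DB_PASSWORD"]}
    with open(sql_path, "wb") as out:
        runner(cmd, stdout=out, env=env, check=True)
    return cmd

def backup_site(wp_root, dest_dir, runner=subprocess.run):
    """Write dest_dir/files.tar.gz and dest_dir/database.sql; a restore needs both."""
    wp_root, dest_dir = Path(wp_root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    settings = read_db_settings((wp_root / "wp-config.php").read_text())
    files = archive_files(wp_root, dest_dir / "files.tar.gz")
    dump_database(settings, dest_dir / "database.sql", runner)
    return {"files": files, "database": settings["DB_NAME"]}

if __name__ == "__main__":
    import sys
    print(backup_site(sys.argv[1], sys.argv[2]))  # usage: backup.py <wp_root> <dest_dir>
```

Remember that wp-config.php (and therefore the database password) ends up inside files.tar.gz, so the backup folder needs the same access restrictions as the site itself.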
FissionBlue WordPress Managed Hosting performs automatic weekly site backups (both files and database) with daily incremental backups (database-only) at no extra charge. This is automatically performed server-side and accessible through your control panel, so there is no need for a backup plugin with us.
3. Sign up for a free CloudFlare plan.
CloudFlare is a DNS (domain name service) provider, which is essentially a phone book for the internet. What makes CloudFlare so different from other DNS providers is that they don’t stop there. They have an enormous plate of speed and security features, and many of them are available with their free plan. For example, CloudFlare can act as a content delivery network (CDN) to cache parts of your website regionally so that they load faster, it can provide free HTTPS/SSL (the little green lock for your visitors), and it can even stand in front of your website in case of a coordinated attack (like those distributed denial of service (DDoS) attacks we hear about in the news). One feature I myself enjoy is the ability to ban IP addresses or entire ranges of addresses from our web servers. Remember those hackers I talked about at the top of the post? No? Neither do I. None of our hosting customers do business with those IP blocks or countries, so I went ahead and had the offenders banned.
4. Change your WordPress login URL aka slug to something unique.
By default, you can (try to) log in to any WordPress site by going to www.thatparticularwebsite.com/wp-admin. Given how popular WordPress is as a platform, any low-level hacker can try to gain access to your website through this easy channel. Try changing it to something easy for you and your staff to remember, but different enough that it is not an easy guess. iThemes Security already has this feature built in. All you have to do is go to the “Advanced” Settings page, click on “Hide Backend,” and fill out the settings to your own desires. Some customized login slug ideas/examples for inspiration: staffportal, wp-secret-login, or stairwaytoheaven.
Many of our businesses rely heavily on having a safe and secure web presence for our users and our customers. We can’t afford to allow some unsavory “businessmen” to take our day-to-day ops offline. So even though these easy steps to secure your WordPress website are not 100% guaranteed, nor will they be able to stop more sophisticated attempts against you, you will avoid becoming the low hanging fruit. If you have any questions to ask or you think I forgot something important, feel free to add them in the comments below. All the best and stay secure!