How To Protect a Website
If you have built a site with WordPress, you should first take some time to analyze the possible security problems so that you can prevent and avoid them. In this guide, you will find the most well-known WordPress security vulnerabilities and the measures to take to better protect your site. As with any online platform, WordPress security is not 100% effective. To make it safe, you need to know what to defend yourself against, and how.
WordPress is a very widespread CMS: 25% of the websites currently online have been created with this platform. Only a small part of these 700,000 sites know how to defend themselves against a possible hacker attack since not all of them pay the right attention to online safety and the protection of published content.
The most common hacker attacks
Before knowing how to protect your WordPress site, it is useful to understand what you need to defend it against.
Brute Force Attacks
Among the most common attacks is the “brute force” attack, in which the hacker generates countless combinations of letters and numbers to find the password of an account. WordPress, for its part, has no limit on login attempts, and therefore it is not difficult for the hacker to succeed with this attack, unless the flood of requests to the server causes the hosting service to be suspended.
Code inclusions and SQL injections
Other security concerns are file inclusions in PHP code and SQL injections. PHP code can be compromised if, within a plugin or a theme, a hacker has inserted a file that allows him to take possession of your login details or, worse, of the wp-config.php file, on which your installation totally depends. SQL injection, on the other hand, means access to the WordPress MySQL database by a hacker, who can create new accounts with administrator privileges and manipulate all the data within the site.
A very large percentage of website security issues are caused by XSS (Cross-Site Scripting) attacks. In this case, the hacker, through a plugin, loads a dangerous script onto the targeted site that can steal data from visitors and redirect them to malicious sites.
Finally, we have malicious software, better known as malware. Once these programs gain access to a website, they collect all the user’s sensitive data. The most common types of malware are backdoors, drive-by downloads, pharma hacks, and malicious redirects. To clean the site of this malware, simply locate the malicious file (by checking the recently modified files) and update WordPress or upload a backup of the site.
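One way to carry out the "recently modified files" check described above, as an added example that is not part of the original guide: it walks a WordPress directory and lists script files changed in the last few days, newest first. The function name, the extension list, the 7-day default and the extra note for PHP files under wp-content/uploads (a directory that normally holds media only) are assumptions of this example.

```python
import os
import sys
import time

# File types worth reviewing first (assumed list, adjust to the site).
SCRIPT_EXTS = (".php", ".phtml", ".js", ".htaccess")

def recently_modified(root, days=7, now=None):
    """Return (relative_path, age_in_days, note) for script files under
    root that changed within the last `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue              # file vanished or is unreadable
            if mtime < cutoff:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            note = ""
            # Uploads normally contain media, so PHP there is reviewed first.
            if rel.startswith("wp-content/uploads/") and \
                    rel.lower().endswith((".php", ".phtml")):
                note = "PHP in uploads"
            hits.append((rel, round((now - mtime) / 86400, 1), note))
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    # Usage: python recent_files.py /path/to/wordpress
    wp_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, age, note in recently_modified(wp_root):
        print(f"{age:5.1f} days  {rel}  {note}")
```

Modification times can be reset by whoever changed a file, so an empty result does not prove the site is clean; comparing the files against a known-good backup is the stronger check.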
Updating means preventing
The open-source code of WordPress is continuously analyzed by a team of developers specializing in cybersecurity. The team is responsible for identifying possible problems and finding and applying the most suitable solutions. The base code is therefore modified through the release of updates and patches designed to close the possible flaws in its security. The first rule of keeping a WordPress site safe, therefore, is to make sure that you always update it to the latest released version.
It is equally important to update plugins and graphic themes and make sure they do not have any dangerous flaws for the site. In fact, most of the problems related to the security of WordPress sites derive from plugins for personalization (52%) and from graphic templates (11%).
A site on WordPress becomes vulnerable when its owner does not pay attention to certain risky behaviors. The first, as already mentioned, is to not constantly update WordPress and the installed themes/plugins, but it is not the only one. To avoid running into possible problems, it is a good practice to make regular backups.
It is also wrong to choose passwords that are too weak for your account, as they facilitate the success of Brute Force attacks. It is always good to choose passwords that are unique (not used for other services), complicated, and strong.
Another risky behavior is to choose unsafe graphic templates. There are many sites that offer free or bargain graphics themes, but don’t trust them too much. Better to use the WordPress.org repository or templates offered by other well-known companies.
Finally, it is good to avoid shared or poor quality hosting, because if only one site hosted by these servers is hacked, hackers can find a way to access other sites on the same server as well.
How to secure a WordPress site
Now that you know all the risks your site runs on WordPress and have updated the platform, plugins, and themes to their latest version, you can move on to the last step: optimizing their protection.
Change the username from “admin” to a name of your choice: the more complicated it is, the harder it will be to guess. Furthermore, in the settings, it is good to choose to hide it from publications. You will be able to continue publishing content through a Publisher user created and managed only by you.
Choose a complex password, different from all those you use for other online access, which is alphanumeric and, above all, longer than 6 characters. Remember to change your password every six months to cancel any attempts to access your account.
Solutions for the lazy
There are plugins on the net that allow you to protect your WordPress site at 360°, such as iThemes Security and Wordfence. These plugins allow you to automate most of the actions needed to secure WP websites and to manage various aspects of them. iThemes Security will allow you, among countless other things, to restrict permissions on directories hosted by the server, to limit unauthorized access to and modification of files and folders. The Wordfence plugin, on the other hand, allows you to scan the entire site for any malware.
However, using their help does not mean avoiding any problems and it is always a good habit to manually take care of most of the actions useful to prevent possible hacker attacks on the account.
Conclusions + recommended reading
WordPress is a constantly updated platform and does not need many precautions to be protected from the most known hacker attacks. By combining the right strategy with a minimum of patience, you can secure your site and sleep peacefully. A very useful book that takes stock of the situation in the WordPress security world is the book written by Bonaventura Di Bello entitled: Blind WordPress with iThemes Security and Wordfence: Protect your WordPress site from cyber-attacks for FREE! Or you can sign up for my course “Create a site with WordPress”.