Websites tend to be “If you build it, they will come”, but this also means hackers will want to come and check out your site as well. Is there any way to stop them from coming? There are simple steps in WordPress security, and the first step is one of the most important actions to take: moving to a proactive approach (instead of a reactive process), and doing it TODAY. Any website, even the simplest test site or a site that gets no traffic at all, can be infected if it is not maintained properly.
The bulk of infected WordPress websites are compromised through out-of-date core, theme, or plugin files, insecure logins, or a brute force attack. Mostly, though, it comes down to not updating regularly or to weak logins. I have watched first hand a brute force attack on a test site that was not indexed by Google and had no visitors. However, while nothing is ever completely and utterly foolproof, there are simple steps to take to avoid the bad things that could happen. Let me share some simple steps anyone can take to keep their online presence safe and secure that require a little bit of time and no coding on your part.
Secure Passwords ALWAYS
A great password is the first line of defense to keep the unsavory people and bots out of your websites. When a bot comes to try to get into a WordPress dashboard, the first thing it tries when logging in is “admin” and “password”, as that combination is STILL the most widely used login. Changing it around to be “Pa$$w0rd” does not make it any more secure either, because it still reads as “password”: cracking tools apply exactly those letter-for-symbol substitutions to their wordlists. Names, or anything else that still reads as a legible word or phrase, are the easiest and quickest passwords to crack.
Typically, all passwords should be at least 12 characters, should not read as anything legible, and should contain upper and lowercase letters, numbers, and special characters. The more characters in the password, the harder it is to break. If you want to test how secure your passwords are, check the How Secure Is My Password checker. This will show you how long it would take a computer bot to break your password. The checker told me that it would take a desktop PC about 377 billion years to crack one of my passwords. That is when you know you have a great password!
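To make the two points above concrete (length and character mix on one side, “still reads as a word” on the other), here is a small Python password check I wrote for this post; it is an added example, not code from the original article or from any plugin it mentions. The word list, the leet substitution table and the guess rate used for the time estimate are all constructed assumptions for the demo.

```python
import string

# Constructed blocklist of base words for the demo; a real policy would use
# a much larger breach-derived list.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "wordpress"}

# Letter-for-symbol substitutions that cracking wordlist rules routinely undo,
# which is why "Pa$$w0rd" is no stronger than "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def normalize(password: str) -> str:
    """Undo the obvious disguises: lowercase, drop trailing digits/symbols,
    map leet characters back to letters."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must cover, given the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive-search time. The guess rate is a constructed
    figure for illustration, not a measurement of any particular hardware."""
    return charset_size(password) ** len(password) / guesses_per_second


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if charset_size(password) < 94:  # 26 + 26 + 10 + 32
        problems.append("does not use all of: lowercase, uppercase, digits, symbols")
    if normalize(password) in COMMON_WORDS:
        problems.append("still reads as a common word once substitutions are undone")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the post's bad example plus a random-looking one.
    for candidate in ("password", "Pa$$w0rd", "P@ssword123", "xK9#mQ2$vL7!pR4&"):
        days = crack_seconds(candidate) / 86400
        print(f"{candidate!r}: {check_password(candidate) or 'OK'} "
              f"(exhaustive search ~{days:.3g} days)")
```

The interesting part is `normalize`: “Pa$$w0rd” and “P@ssword123” both collapse to “password”, so the length and character-class rules alone would have let a guessable password through. The time estimate is only the exhaustive-search upper bound; a wordlist attack finds the disguised words almost instantly, which is exactly the post’s point.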
Passwords should also be unique to one login and one login only. The more places you reuse the same password, the greater the chance that it is leaked and used against you. Imagine if you used the same password on all logins: it would take a bot or a person less than 5 minutes to get into your email, website, banking, and all of your online information. No one wants that to happen. Again, always use secure and unique passwords. It is also advisable to use a password manager like LastPass or 1Password to keep your passwords secure, but we will get to that later.
Security plugins can help!
There are many types of security plugins covering a full range of options. You can use more than one security plugin on your site as long as you do not have them set to do the same things. Here is a list of some great WordPress security plugins that are available.
Jetpack – I use the multi-functional plugin Jetpack on all of my sites. They have a few features built in for security measures.
- Monitor – Jetpack will notify you when your site goes down and when it comes back up again. Always be in the know when your customers can not access your website.
- Protect – Protect used to be a stand-alone plugin called BruteProtect. It was one of the most used plugins for blocking brute force attacks. Automattic acquired it last year and has now built it into Jetpack.
- Manage – Jetpack’s Manage lets you update your plugins, themes, and core of all of your self hosted websites from one dashboard and gives you the opportunity to have automatic updates.
iThemes Security (formerly Better WP Security) – While iThemes Security is NOT a security firewall, it does give great benefits to securing a website without having to change any of the code yourself. They do have a free and a Pro version.
WordFence – While I do love WordFence’s scanner, I typically only install it on a site when I am double checking that all malware has been deleted. If you feel like your site has been infected, WordFence can detect any WordPress file that has been changed from its original form. If you do choose to use WordFence with all of its options enabled, do not run it alongside iThemes Security, Jetpack’s Protect, or Sucuri Security, as they can conflict with each other. If you do choose to use WordFence together with iThemes Security, only have the scanner active on WordFence.
SiteLock – SiteLock WordPress Plugin provides complete website security management without leaving WordPress. Users can access their SiteLock Dashboard from within their WordPress back-end, allowing you to focus on what’s most important—your business, your passion, your word.
Sucuri Security – Sucuri has both a Firewall and an AntiVirus that can help block the bad guys and bots out of your website for good. Sucuri has the most widely used WordPress firewall in the industry. You can run the Sucuri CloudProxy Firewall with iThemes Security, but get the list of the CloudProxy IPs from Sucuri and put them in your IP whitelist in the iThemes Security settings.
Two-factor Authentication is a must!
Wherever a login offers two-factor authentication, it is always advisable to use it. There are different ways this can be set up: a CAPTCHA, a Google Authenticator code, or a simple math question to prove that you are a human. With some options now, you can have a choice of fingerprint or facial recognition on mobile as well. Keep in mind that a CAPTCHA or a math question only proves a human is at the keyboard; of the options listed here, only a one-time code from an authenticator app is a genuine second factor, because it depends on something the attacker does not have. If you choose to use any of these, make sure that each person accessing the dashboard has their own unique login. Shared logins can cause issues, especially if using a Google Authenticator code that is generated on a single cell phone.
- iThemes Security Pro – Has multiple two-factor options including CAPTCHA, Google Authenticator codes, and simple math.
- Two-Factor – Works right out of the box.
- Google Authenticator – Uses two-factor authentication by the Google Authenticator app for Android/iPhone/Blackberry.
Always update all the things!
The biggest reason malicious code gets into a website is a known vulnerability in the code of a plugin, a theme, or an outdated core file. This is easily remedied by having your website on a regular update cycle. Some site agencies and owners will have a set day of the week to update their website, while others will update every time they log in. There are plugins that can help keep your sites updated. Please make sure you are updating your site at least once per month; once a week is the recommended minimum. We update our sites as soon as updates come through; however, we do test the updates on a staging server before updating the live site.
Here are some options to help you run your site updates:
- Jetpack – Handle all of your Jetpack connected sites in one WordPress.com dashboard
- ManageWP – A comprehensive dashboard for updating, backups, and security options.
- iThemes Sync – Sync up to 10 sites for free so there is one dashboard to update, run BackupBuddy, and unlock iThemes Security lockouts.
- WP Staging – Gives you the ability to build a staging site to test updates on before updating your live site.
Always have a backup
There is very little that is more important than having a backup system in place. As long as there is a full backup of the website, including the database, you will never lose your website, and no loss will ever be permanent. There are numerous ways to back up a website; some are automated, some are manual. It is up to you to decide which way you want to keep them. Do not leave it up to your hosting company unless you have direct access to the backups. If the backups are made with a plugin, always send your backups somewhere other than your server.
Here are site backup services that CSG recommends.
- Updraft Plus – They have a free and premium version to backup your website.
- Jetpack’s Site Backups – Built into the popular Jetpack plugin
- BlogVault – A premium backup service that has white-label options.
- BackupBuddy – A premium backup plugin that integrates with iThemes Security and Sync.
Other tips that are equally important
While these do not fit into their own category, they are just as important to remember and to follow.
- Always use SFTP when using a file manager if it is available.
- Using SSH or WP-CLI is even better!
- Never, ever have your files and directories wide open at 777 or 666! 777 leaves them readable, writable, and executable by everyone, and 666 leaves them writable by everyone, hackers included. The usual WordPress permissions are 755 for directories and 644 for files.
- Use a complex and unique username and password for your site’s database.
- Use a password manager to keep track of your logins. Passwords should never be so easy that you remember them and you should never save them to your browser. LastPass and 1Password are great tools that can be used on all popular browsers and on your mobile devices.
- Do not EVER send passwords in the body of an email. If you attach them as a zipped text document, encrypt the archive and send its password over a different channel, since a plain zip hides nothing. You can also use a sharing program like One Time Secret or Password Pusher.
- Always have an antivirus on your machine to stop automatic downloads from malicious websites. Even if you are using a Mac, have an antivirus active on your machine.
- Use a VPN when using public WiFi. There are many good choices out there in every price range.
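The 777/666 warning in the list above is easy to check for and fix in bulk. The Python below is an added example of mine, not code from the post or from any of the tools it recommends: it walks a WordPress directory, reports anything the world can write to, and resets directories to 755 and files to 644. The miniature site it builds in a temporary directory is constructed for the demo, and the tighter 600 mode for wp-config.php is my own choice rather than something the post states.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755    # the usual WordPress directory permission
FILE_MODE = 0o644   # the usual WordPress file permission
# Tighter mode for the file holding database credentials; my choice for the
# demo, not a rule from the post.
PRIVATE_FILES = {"wp-config.php": 0o600}


def mode_of(path: str) -> int:
    """Permission bits only (the 755/644 part), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def find_world_writable(root: str) -> list:
    """List (path, mode) for every file or directory under root that anyone on
    the box can write to, i.e. the 'other' write bit (the last 2 in 777/666)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never follow symlinks out of the tree
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((path, mode_of(path)))
    return findings


def harden(root: str) -> int:
    """Reset directories to 755 and files to 644 (tighter for PRIVATE_FILES).
    Returns how many entries were actually changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and mode_of(path) != DIR_MODE:
                os.chmod(path, DIR_MODE)
                changed += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            want = PRIVATE_FILES.get(name, FILE_MODE)
            if not os.path.islink(path) and mode_of(path) != want:
                os.chmod(path, want)
                changed += 1
    return changed


def build_demo_tree() -> str:
    """Constructed miniature WordPress layout with the bad permissions the
    post warns about; returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    content = os.path.join(root, "wp-content")
    os.mkdir(content)
    with open(os.path.join(content, "index.php"), "w") as fh:
        fh.write("<?php // Silence is golden.\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder config, no real credentials\n")
    os.chmod(content, 0o777)                              # wide-open directory
    os.chmod(os.path.join(content, "index.php"), 0o666)   # world-writable file
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # fine, but will be tightened
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, mode in find_world_writable(demo):
        print(f"world-writable: {path} ({mode:o})")
    print("entries fixed:", harden(demo))
    print("remaining world-writable:", find_world_writable(demo))
```

Run `find_world_writable` on its own first if you only want a report; it is the audit step, and `harden` is the fix. Symlinks are skipped on purpose so a stray link cannot make the script change permissions outside the site.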
Following these simple steps can keep you and your online presence safe. Securing your site today will save you from having to pay to get your site cleaned tomorrow. If you find your site is hacked, Can’t Speak Geek can help you through cleaning a hacked website.