At CatchThemes, we take site security very seriously. Our themes are coded to be simple, light, and secure. However, a secure theme is not enough for site security. There are other steps you can take to make your site more secure.
Unless you run a high-profile site that is being targeted by sophisticated attackers, you do not need to spend a lot of money or time on site security. What you do need to defend against are run-of-the-mill opportunistic attacks that take advantage of simple things that have been neglected. These attacks use common tools and scripts to exploit weaknesses such as easy-to-crack passwords, logins over public wireless networks, and known vulnerabilities in your plugins, themes or hosting server.
To understand where you might be vulnerable, and secure yourself, you need to look at the possible points of entry, or doors, into your site. Doors into your site can be broadly classified into two categories, access control (front door), and software (back door). In this post, we will talk about fortifying your site to minimize both these vulnerabilities, as well as a few others.
To minimize software vulnerabilities, you need to pay attention to a few important areas of your site, and follow a few simple rules. Here they are:
Keep your WordPress site, themes and plugins up-to-date
We call this rule: Update, update, update. You need to regularly update software for all three crucial areas of your site: WordPress core, your themes, and your plugins. Among other things, updates are released to address known and emerging security vulnerabilities. Once a fix is public, the vulnerability it patches is public too, and sites that have not applied the fix become the easy targets, so it is imperative that you incorporate these fixes promptly.
Keep automatic updates switched on, especially over vacations and holidays. Attackers deliberately run campaigns on weekends and holidays, when nobody is watching the dashboard. Note what WordPress does on its own: minor core releases, which is where security fixes ship, are applied automatically unless you have disabled that, but plugin and theme updates are not applied until you opt in. On regular workdays you may prefer to apply plugin and theme updates by hand so you can check that nothing broke, but if you will not be around to do that, enable background updates for them as well, so that a fix for a publicly known vulnerability reaches your site within hours rather than weeks.
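The following is an added example, not code from CatchThemes or from WordPress itself, showing how to opt the whole site into background updates with WordPress's own update filters. It is written as a must-use plugin, which loads on every request and cannot be deactivated from the dashboard. The hold-out plugin slug is a placeholder (an assumption), and it assumes nothing in wp-config.php has set AUTOMATIC_UPDATER_DISABLED to true.

```php
<?php
/**
 * Added example (not CatchThemes or WordPress code).
 * Save as wp-content/mu-plugins/auto-updates.php (create the directory if needed).
 * Assumes AUTOMATIC_UPDATER_DISABLED is not set to true in wp-config.php.
 */

// Core: minor (security) releases are applied by default; also allow major releases.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes and translations are NOT updated in the background unless you opt in.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Plugins: opt in for everything except a short hold-out list that you want to
// update by hand after testing. The slug below is a placeholder (assumption).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_manually = array( 'example-payment-gateway' ); // placeholder slug
    if ( isset( $item->slug ) && in_array( $item->slug, $update_manually, true ) ) {
        return false; // leave this one for a human to apply
    }
    return true;
}, 10, 2 );
```

The hold-out list is the compromise the text describes: everything that could carry a security fix is applied as soon as it is released, and only the one or two plugins where an untested update would cost you money wait for a person. Keep that list short, and check it when you get back.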
Be smart when adding third-party plugins
Every plugin is one more potential door into your site. Instead of targeting websites directly, hackers have shown how effective it is to target third-party products integrated into a website, which may not be as properly vetted as the site itself.
Never install a plugin that has not been vetted or that has not been updated in a long time. Check the last-updated date, the changelog, the number of active installs and the support forum before you install anything. Popularity is no guarantee: widely used plugins have had serious vulnerabilities too, and a popular plugin is exactly what attackers write mass-exploitation scripts for. If you install a plugin and later stop needing it, do not just deactivate it, delete it. A deactivated plugin's files stay on disk, and any file in it that can be requested directly by URL is still reachable by attackers, so an unused plugin is one more door that you are not even watching.
Along the same lines, cut back on the number of plugins you use. Besides the security exposure, they slow your site down and can interfere with each other. Have strict criteria for letting a plugin onto your site. One good rule is to prefer a single plugin that covers several features you need over a separate plugin for each one. It's simple really: fewer plugins = fewer doors into your site = a more secure website.
Buy themes from a reputed shop
Just as plugins can be an entry point into your site for attackers, themes can too. Select a theme shop that is reputable, responds to security reports and ships fixes promptly. Look for theme shops that put out clean, secure code rather than copy-paste jobs. Clean code does not just make for a more secure website; it also helps with SEO, as search engines can read and index your site more easily.
Scan your website regularly
Conducting regular security scans is one way to catch a compromise early. Scanners check your WordPress core, themes, plugins, hosting environment and web server for known vulnerabilities and for injected malicious code, and alert you together with recommended actions. You can choose from a wide variety of scanners; one we encourage is Sucuri SiteCheck, which comes bundled with other functions and is a good security tool for your website. Keep in mind that a remote scanner only sees what your site serves to the public: a backdoor that does not change the rendered pages can go unnoticed, so pair it with a server-side check that compares your core and plugin files against the official copies.
Even more common than attacks on software flaws are attacks on weak credentials, carried out with common tools and scripts. The classic is the brute-force attack, where a script tries username and password combinations against your login form (and against xmlrpc.php, which accepts credentials too) until one works. There are many easy ways to defend against these attacks, including:
Never use the default username
WordPress installers used to create the first administrator as "admin", and many sites still have it. If you keep that username, you have handed attackers half of the credential: their scripts assume the admin username is "admin" and only have to guess the password. Changing it removes your site from a large share of automated attacks. On a new site, simply type a different username when the installer asks for one. WordPress does not let you rename an existing account from the profile screen; the usual route is to create a new administrator account, log in as it, and delete the old account while reassigning its content to the new one. SiteGround has a good tutorial on how to change your WordPress username. Be aware that author archive URLs (?author=1) reveal usernames, so an unusual username is a help, not a secret; it is the password and two-factor authentication that have to hold.
Keep your passwords strong
A password needs to be easy to remember, but if it is too simple an attacker gets in. Brute-force scripts try a list of the most common passwords a certain number of times against each account: if yours is on the list they are in, and if not they usually move on. More targeted attackers also build word lists from your own site (names, products, the site title), and every password ever exposed in a breach ends up in the public lists. The best protection is a strong, unique password for every account.
To be strong a password has to be unpredictable, and length matters more than anything else. Treat eight characters as far too short: aim for twelve or more, mix upper and lower case, digits and symbols, and never use the same password on two sites.
Do not use things that are easy to guess: dates, names, places, pets. A good tip is to use an entire sentence that makes sense to you and is easy to remember; such a passphrase is far stronger than a single word with a digit on the end. Do not reuse old passwords either. Attackers compile the credentials from every successful breach and try them everywhere else (credential stuffing), so a password that was used on a breached site is as good as public.
Change your password immediately if you suspect it has leaked, or when someone who knew it leaves the project. Rotating it on a fixed schedule matters far less than keeping it long and unique. Remember, your site is only as secure as its weakest password.
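Rather than relying on every user to follow the rules above, you can make WordPress refuse weak passwords at the moment they are set. The following is an added example, not CatchThemes code: it hooks the profile, new-user and password-reset screens and rejects passwords that are short, built from the username or site name, or present in a small breach-list sample. The twelve-character minimum and the deny-list entries are this example's own choices (assumptions), not WordPress defaults.

```php
<?php
/**
 * Added example (not CatchThemes code): a minimal password policy for WordPress.
 * Save as wp-content/mu-plugins/password-policy.php.
 * Minimum length and the deny-list below are assumptions, not WordPress defaults.
 */

function ct_example_password_problems( $password, $login ) {
    $problems = array();

    if ( strlen( $password ) < 12 ) {
        $problems[] = 'Use at least 12 characters; a whole sentence is easiest to remember.';
    }

    $lower = strtolower( $password );

    // What an attacker tries first: the login name and words from the site
    // title, both of which anyone can read off the public site.
    $guessable = array( strtolower( $login ) );
    foreach ( preg_split( '/\W+/', strtolower( get_bloginfo( 'name' ) ) ) as $word ) {
        if ( strlen( $word ) >= 4 ) {
            $guessable[] = $word;
        }
    }
    foreach ( $guessable as $word ) {
        if ( $word !== '' && strpos( $lower, $word ) !== false ) {
            $problems[] = 'Do not build the password from your username or site name.';
            break;
        }
    }

    // A few constructed entries standing in for a real leaked-password list.
    $common = array( 'password', 'password1', '123456789012', 'qwertyuiop12', 'letmein' );
    if ( in_array( $lower, $common, true ) ) {
        $problems[] = 'That password appears in published breach lists.';
    }

    return $problems;
}

// Profile and "Add New User" screens: $user->user_pass holds the plaintext
// candidate only when a new password was submitted with the form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // this submission did not change the password
    }
    foreach ( ct_example_password_problems( $user->user_pass, $user->user_login ) as $msg ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: ' . esc_html( $msg ) );
    }
}, 10, 3 );

// Password-reset form (wp-login.php?action=rp): the candidate is in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // the form is only being displayed, nothing submitted yet
    }
    $candidate = wp_unslash( $_POST['pass1'] );
    foreach ( ct_example_password_problems( $candidate, $user->user_login ) as $msg ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: ' . esc_html( $msg ) );
    }
}, 10, 2 );
```

Adding an error to the WP_Error object is enough: WordPress aborts the save and shows the message, so the user has to pick something better before the change goes through. Replacing the five-entry sample with a real breach list (or an API that checks against one) is the natural next step.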
Never allow browsers to remember your login credentials.
According to Tripwire.com, approximately 95% of attacks in 2015 harvested credentials from users' devices and used the stolen information to compromise accounts. There is a reason banking sites block your browser from saving your password. Storing passwords in the browser creates two risks: anyone with access to your computer can log in as you and read the saved passwords, and credential-stealing malware is written specifically to lift them from the browser's store. If you cannot remember a strong, unique password for every site, use a dedicated password manager that encrypts its vault under a master password rather than the browser's built-in save feature.
Consider two-factor authentication
Two-factor authentication is a security strategy you should seriously consider, especially if your site might be a valuable target. It adds an extra layer by requiring not just a username and password but also a piece of information from a physical device the user has, such as a phone or a USB security key. Combining something the user knows with something the user physically carries makes a stolen or guessed password useless on its own. Many large corporations and organizations already require all employees to use two-factor authentication to log in.
Adding two-factor authentication to your access control does not have to be difficult; plugins in the WordPress.org directory set it up in minutes. Clef was one such plugin (it has since been discontinued); the plugins in common use today rely on an authenticator app on the phone that shows a six-digit code changing every 30 seconds, or on a hardware key.
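To make concrete what an authenticator-app plugin checks at login, here is an added example, not code from Clef (which used its own phone-based scheme) or from any plugin: the time-based one-time password algorithm (RFC 6238, built on HOTP from RFC 4226) in plain PHP. The shared secret is generated once, shown to the user as a base32 string or QR code, and stored server-side; at login the user types the six digits currently displayed. Secret storage and the login-form UI are assumed to exist around this. The self-check uses the test vector published in the RFCs.

```php
<?php
/**
 * Added example (not Clef's or any plugin's code): TOTP verification, RFC 6238.
 * Assumes the caller stores each user's base32 secret and the last time step
 * that was accepted for that user (needed to block replay of a used code).
 */

function ct_example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $val = strpos( $alphabet, $c );
        if ( $val === false ) {
            return false; // not valid base32
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" picks 4 bytes at an offset taken from the last nibble.
function ct_example_hotp( $secret, $counter, $digits = 6 ) {
    $msg  = pack( 'N', 0 ) . pack( 'N', $counter ); // counters below 2^32 are enough here
    $hash = hash_hmac( 'sha1', $msg, $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
          | ( ord( $hash[ $offset + 1 ] ) << 16 )
          | ( ord( $hash[ $offset + 2 ] ) << 8 )
          | ord( $hash[ $offset + 3 ] );
    return str_pad( $code % pow( 10, $digits ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
// The previous and next steps are accepted too, to tolerate clock drift.
// Returns the matching step (store it as the user's last used step) or false.
function ct_example_totp_verify( $secret_b32, $submitted, $last_used = -1, $now = null, $window = 1 ) {
    $secret = ct_example_base32_decode( $secret_b32 );
    if ( $secret === false || ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return false;
    }
    $step = (int) floor( ( $now === null ? time() : $now ) / 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( $step + $i <= $last_used ) {
            continue; // a code from this step was already accepted: replay
        }
        // hash_equals() keeps the comparison constant-time.
        if ( hash_equals( ct_example_hotp( $secret, $step + $i ), $submitted ) ) {
            return $step + $i;
        }
    }
    return false;
}

// Self-check against the RFC 4226 / RFC 6238 test vector (secret "12345678901234567890").
function ct_example_totp_self_check() {
    $b32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'; // base32 of the RFC test secret
    return ct_example_base32_decode( $b32 ) === '12345678901234567890'
        && ct_example_hotp( '12345678901234567890', 0 ) === '755224'
        && ct_example_totp_verify( $b32, '287082', -1, 59 ) === 1   // T=59 -> step 1
        && ct_example_totp_verify( $b32, '287082', 1, 59 ) === false; // same code replayed
}

echo ct_example_totp_self_check() ? "TOTP self-check passed\n" : "TOTP self-check FAILED\n";
```

Two details matter in practice and are easy to get wrong: compare codes with a constant-time function rather than `==`, and record the step that matched so the same six digits cannot be submitted twice within the window. A plugin also has to rate-limit the code entry, since a six-digit code is only a million possibilities.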
Provide admin access only to those who absolutely need it
Granting too many people access to your WordPress admin area is inviting trouble. Every additional account with back-end access is another door, and every door has its own password and its own owner's habits. Even if you set a strong password, it is likely that one of your administrators will not, making the site just as vulnerable as their password. We cannot stress enough how important it is to restrict access to your WordPress admin area. Give access only to those who absolutely need it, and give each account the least role that does its job: an Editor or Author role for people who only write and publish, not Administrator. If a user such as a third-party developer needs access only for a short time, remove their account when the work is over rather than leaving it active.
Once you give access, brief everyone with back-end access on your security requirements: strong, unique passwords, two-factor authentication, and telling you promptly if a device or password may have been compromised.
Restrict the number of login attempts
Brute-force attackers are nothing if not persistent: their whole strategy is to try logins over and over until one works. Limiting the number of times a single IP address can attempt to log in is a simple way to blunt these attacks. There are plugins that do this for you; Sucuri Security offers the feature along with a host of other security features and would be a good tool in your defense arsenal. Two caveats: make sure the limit also covers xmlrpc.php, which accepts credentials just as the login form does, and remember that distributed attacks rotate through many IP addresses, so a login limiter is a rate limiter, not a substitute for strong passwords and two-factor authentication.
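For a sense of what such a plugin does underneath, here is an added example, not CatchThemes or Sucuri code: a must-use plugin that locks an IP address out for 15 minutes after 5 failed attempts, using WordPress transients as the counter store. The thresholds are this example's own choices. It assumes the site is not behind a reverse proxy or CDN; if it is, REMOTE_ADDR is the proxy's address, and you must take the client address from the header your proxy sets, trusting that header only when the request really came from the proxy.

```php
<?php
/**
 * Added example (not CatchThemes or Sucuri code): per-IP login throttling.
 * Save as wp-content/mu-plugins/login-limit.php.
 * Assumption: no reverse proxy/CDN in front of the site (REMOTE_ADDR is the client).
 */

const CT_EXAMPLE_MAX_ATTEMPTS    = 5;   // failures allowed before lockout (assumption)
const CT_EXAMPLE_LOCKOUT_SECONDS = 900; // 15 minutes (assumption)

function ct_example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'ct_example_login_' . md5( $ip ); // short, safe transient name
}

// Count failures. This action fires for a wrong password, an unknown
// username, and for logins through xmlrpc.php as well as the login form.
add_action( 'wp_login_failed', function () {
    $key = ct_example_client_key();
    $failures = (int) get_transient( $key );
    // Each failure restarts the 15-minute window.
    set_transient( $key, $failures + 1, CT_EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse while locked out. 'wp_authenticate_user' runs after the user lookup
// but before the password hash is checked, so a locked-out client gets no
// feedback about whether the password would have been right.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( (int) get_transient( ct_example_client_key() ) >= CT_EXAMPLE_MAX_ATTEMPTS ) {
        // Returning an error also fires wp_login_failed again, which extends
        // the lockout for as long as the attacker keeps hammering.
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', CT_EXAMPLE_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ct_example_client_key() );
} );
```

Transients live in the options table (or in the object cache if you have one), so nothing else has to be set up. If you need to see the effect, watch the counter with `get_transient( ct_example_client_key() )` from a test request, or simply fail the login form six times and confirm the sixth attempt returns the lockout message even with the correct password.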
Keep track of dashboard activity
If you have a site where limiting the number of users is not an option, you will want to monitor user activity carefully. Logging dashboard activity makes this easy, and a wide variety of plugins are available for the purpose. They track changes to posts, plugins, themes, user profiles, roles and so on, and many can send an email notification when a change you define has occurred. This lets you find out right away if someone makes a change that compromises the security of your site, and take corrective action immediately.
The same log is a great help for everyday operations. If problems appear on your site, you can see what caused them (a new upload, a new plugin, a settings change) and reverse that change.
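The following is an added example, not CatchThemes code, of the logging such plugins do: it appends one tab-separated line per security-relevant dashboard event to a file and emails the site owner for the events that most often signal a compromise. The log path is an assumption; keep it outside the web root so it cannot be read over HTTP, and make sure the directory is writable by the web server user. A directory plugin does the same with a database table and a dashboard view.

```php
<?php
/**
 * Added example (not CatchThemes code): a minimal dashboard audit log.
 * Save as wp-content/mu-plugins/audit-log.php.
 * Assumptions: /var/log/wp-audit/ exists, is writable by the web server, and
 * is outside the web root; the admin_email option is monitored by a person.
 */

function ct_example_audit( $event, $detail ) {
    $user = wp_get_current_user();
    $line = sprintf(
        "%s\t%s\t%s\t%s\t%s\n",
        gmdate( 'c' ),                                                   // UTC timestamp
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-', // who (address)
        $user->exists() ? $user->user_login : '-',                       // who (account)
        $event,
        $detail
    );
    file_put_contents( '/var/log/wp-audit/site.log', $line, FILE_APPEND | LOCK_EX ); // path: assumption

    // Email the owner for the changes that most often mean a compromise:
    // a new plugin running, a new account, or a role escalation.
    if ( in_array( $event, array( 'plugin_activated', 'user_created', 'role_changed' ), true ) ) {
        wp_mail( get_option( 'admin_email' ), '[audit] ' . $event, $line );
    }
}

add_action( 'activated_plugin',   function ( $plugin )   { ct_example_audit( 'plugin_activated',   $plugin ); } );
add_action( 'deactivated_plugin', function ( $plugin )   { ct_example_audit( 'plugin_deactivated', $plugin ); } );
add_action( 'switch_theme',       function ( $new_name ) { ct_example_audit( 'theme_switched',     $new_name ); } );
add_action( 'user_register',      function ( $user_id )  { ct_example_audit( 'user_created', get_userdata( $user_id )->user_login ); } );
add_action( 'deleted_user',       function ( $user_id )  { ct_example_audit( 'user_deleted', (string) $user_id ); } );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    ct_example_audit( 'role_changed', sprintf( 'user %d: %s -> %s', $user_id, implode( ',', $old_roles ), $role ) );
}, 10, 3 );
add_action( 'wp_login',        function ( $login ) { ct_example_audit( 'login',        $login ); } );
add_action( 'wp_login_failed', function ( $login ) { ct_example_audit( 'login_failed', $login ); } );
```

Each line records when, from where, by whom and what, which is exactly the information you need to reconstruct an incident or to spot the administrator account that was created at 3 a.m. from an address you have never seen. Rotate the file and ship a copy off the server; an attacker who gets in will try to erase the log that shows how.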
Ensure your hosting server is secure
You may take every precaution on the site itself and still be compromised through an insecure server. Make sure your site is on hosting that is managed with WordPress security in mind. Here is a list of hosts we recommend for their track record in secure WordPress hosting.
Of these, WPEngine.com has, in our experience, the strongest security record, although it is a little more expensive. They also have a partnership with Sucuri Security that you benefit from. If your site handles sensitive data such as customer profiles, they are a worthwhile investment. Note that storing customers' credit card numbers yourself puts your whole site in scope for PCI DSS; most sites should hand card data to a payment processor so the numbers never touch your server at all.
Ensure your computer is free of viruses and malware
Install good antivirus software and a firewall on your computer. This protects not just your WordPress site but your computer itself. Many standard antivirus packages such as Norton include a firewall; make sure it is enabled. Malware on your own computer can capture your WordPress credentials as you type them or lift them from your browser, so run regular checks to ensure your computer is free of viruses and malware.
Do not login to your website from public wireless networks without VPN
Never engage in sensitive browsing on a public wireless network if it can be helped. Other users on the same network can intercept traffic, and on a site without HTTPS that includes your passwords, credit card details and other sensitive information. It is best to wait until you are home to do these things. The first defence is on the server side: serve the whole site, or at minimum the login page and dashboard (FORCE_SSL_ADMIN in wp-config.php), over HTTPS so that credentials are encrypted in transit wherever you log in from. If you have to update your WordPress site from public wireless networks frequently, also use a virtual private network. A VPN routes all your activity through an encrypted tunnel to the provider's network, hiding it from the local network even though you are on a public one. One simple, free option is CyberGhost.