If your career has included developing or maintaining websites, you have most likely fallen victim to a security hack at least once.
Like all network-connected devices, a website is equally prone to become a victim of malicious intentions. There are a lot of websites maintained by people who know very little about the inner workings of the site. They may possibly be bloggers or have simply created the site to share family photos. These ordinary sites are hacked on a regular basis.
There isn't a single way to protect a site from all harm. This is a multi-step process using various tools and a strong knowledge of web security. Large companies with a big web presence have the budget to maintain their site 24/7 in order to protect the website. Most companies have not budgeted the time or money required to keep up with all possible intrusion attempts. This article is for the small company or day to day people who maintains their own site, specifically those sites based on Joomla and Wordpress. If you are reading this article, there is a good bet you are familiar with these two platforms. Both offer an excellent blogging platform and are capable of extending features using extensions and plug-ins.
In this 'Part 1' article, we will delve into securing a site built in Wordpress and in the next article, 'Part 2', we will look at how to protect Joomla. Hopefully, through the steps, you will be able to better protect your site and maintain peace!
- Wordpress Security
- Choosing secure Web Hosting
- Users and Passwords
- Login Security Questions
- Wordpress Updates
- Login Limitation
- Plugin for Security
- Configuring PHP
- Configuring Wordpress XML-RPC
- Configuring Auto Logout
1. Wordpress Security
Wordpress has come a long way with regards to security in last few years. Over 60% of blogging sites globally are built on the Wordpress platform due to it's user friendliness and usability. As a result, it gets extra attention by hackers. Due to it's open source nature, there are hundreds of developers around the world scrutinizing Wordpress code to ensure it is secure. Extra plugins added to the site must really be watched. Most are made by 3rd party providers whose code may be closed source and may contain unsecured code. We will look at the best procedures you can employ to best protect your sites. As a general rule of thumb, try to use plugins from reputable providers.
2. Choosing Right Web Hosting
It is important to choose the right home for your website. A good web hosting provider will not only go out of their way to protect your site, but will share 'best security' practices so you can proactively take action. Don't just go with the cheapest web hosting platform you can find. Shop around and perform due-diligence. Ask them question about their service before you become their customer. Keep notes of their response level. If a hosting provider is not protecting their platform, your site in turn can be easily hacked by a neighboring site hosted on the same platform.
3. Users and Passwords
Follow strong user and password security procedures on your site. Add complexity restrictions for passwords on the site. Monitor the number of people with administrative privileges and maintain complexity rules for their passwords. Weak passwords are one of the most common reasons for site hacks. Add password expiry policies to the site as well. Changing passwords every 6 months is a good policy. Add extra layers of protection by having multiple passwords for multiple areas of the site. For example, Wordpress Admin Area, FTP, Hosting cPanel, Email accounts, Guest authors etc. Fine tune permission roles and assign only what is needed. Remember it is easier to grant rights than to take them away!
4. Login Security Questions
Security Questions are an additional layer of protection for logins. The user is required to know a unique answer to a question to pass the security layer. The answer should be something they alone will know. So if their password is compromised, no one will be able to login into Wordpress without answering the question correctly.
5. Wordpress Updates
Wordpress is continuously patching security vulnerabilities. Through the release of updates those security holes are fixed. It is important to keep your Wordpress software up to date. One way to ensure this, is to add yourself in the Wordpress email notification lists. That way, when a new update is released you will be notified and you can schedule an update.
6. Login Limitation
By default, the settings on a new Wordpress site do not limit the number of times a user can attempt to login using a wrong password. A potential harmful user can try numerous passwords without interruption, attempting to guess the correct one. By enabling the limit we can reduce and restrict a hacker from continually trying to gain access, hopefully discouraging them continuing.
7. Plugin For Security
If you are not very tech savvy, the simplest way to protect your site is to install security plugins. There are a number of plugins available which will perform the security hardening work for you with just few clicks. One of the best recommended plugin to use is Sucuri.
8. Configuring PHP
PHP file execution is a feature that is enabled by default and not needed by some Wordpress directories. By disabling this feature we can harden the Wordpress security. Simply copy/paste the following code into the .htaccess file and upload it to /wp-content/uploads folder.
deny from all
9. Configuring Wordpress XML-RPC
XML-RPC enables your Wordpress site to connect with web and/or mobile apps. It is enabled by default after WordPress 3.5. XML-RPC can actually amplify the brute-force attacks. For example, by using XML-RPC, a hacker can use the system.multicall function to try many hundreds of password with a mere 15 or 30 requests. If this service is not needed for your site, it is wise to disable it completely.
10. Configuring Auto Logout
This is also known as idle time log out. When configured, Wordpress will automatically log out the user after the set time. This is very useful when the user must frequently leave their desk or they forget to sign out in a multi-user environment.