WordPress Website Security: Here Are 15 Tips From Semalt To Secure Your Website

Recently, the topic of information security, with a focus on the security of WordPress sites, has begun to interest us tremendously. The simple reason for this is that many web sites are exposed to cybercrime and suffer from it enormously until they lose control of their site.

Being very aware of this, we decided to give you some very useful and relevant information that can help you to protect yourself from any danger against your site. 

So, I invite you to keep special attention to the information that will be shared in this article.

Then, discover the most basic tips to protect your website.

The most basic tips to protect your website

Before starting the superior advice it is important to take part in the following basic advice:

1. Update your version of WordPress regularly

True, this is something that should be taken for granted. But still, as someone who has access to quite a few WordPress sites (including client sites and sites I do not own), I come across a lot of sites with these notifications of updates, obviously, no one cares about maintaining them regularly.

WordPress is the most popular CMS (Content Management System) in the world, which means that as a system it is a very popular target for hackers.

Those who want to damage WordPress sites will always be able to find various security vulnerabilities. Whether it is in the system's core code, various plugins, templates, or more.

One of the reasons WordPress launches version updates relatively frequently is to plug security holes and improve the system.

Important note: the more plugins the site has, and the more "custom" it is - the more likely it is that a version update can break the site - that it, disrupts its operation. The recommendation is to always make a full backup of the site (files + database) before performing a system update.

2. We have updated the plugins and templates regularly

Directly following the previous section, most of the loopholes come from plugins or outdated templates and / or those downloaded from unreliable sites. You should always download plugins from the official WordPress repository, and not from sites you are unfamiliar with, especially if they do not belong to a trusted source.

Even the purchase of plugs and templates does not guarantee 100% that there will be no security vulnerabilities. But the more you get the above from reliable sources that you can trust, the less likely they are to be exposed to a loophole.

The recommendation for backing up the site before updating the template or plugin is also valid here. Open source is a great thing. 

But it also has quite a few drawbacks in this regard - because there is not always full compatibility between all the components of the system on their many different versions.

3. Back up the site regularly

It is impossible to talk about website security without talking about backups. It is not enough to make a backup just before updating the site, there should be a fully automatic backup set of the site files + the database. This is usually done through the storage company, but it is also advisable to take care of an external source of backup that does not directly depend on the storage company.

Backups to WordPress Sites

Some recommended add-ons for WordPress:
  • UpdraftPlus - One of the most popular WordPress plugins for backup. Works with popular cloud services like Dropbox, Google Drive, Amazon S3, and others.
  • BackupBuddy is a premium paid plugin, offers a lot of advanced features. Most users can certainly settle for the previous plugin I mentioned.
  • Duplicator - The purpose of the plugin is to copy a site from place to place (for example in the transition between storages), but it also serves as a backup plugin for everything.
If your site is hacked and you have no idea what caused it or what exactly happened, an available backup will allow you to go back and restore the site to its original state. This is assuming that the "worm" is no longer in the previous version of the files and is just waiting to erupt - for this is already a more complex case.

4. Proper use of username and password

Not surprisingly, a lot of publishers use the default "admin" user, which is very easy to guess. It is recommended to use another username, anything that comes to your mind, just don't keep admin.

This basic change alone can reduce the chance that they will try to break into a Brute Force attack (an attack that aims to guess the username and password of the site management automatically and quickly by lots of different combinations) by a few tens of percent.

If you already have a user named "admin", follow these steps:
  • Create a new user with the same permission.
  • Deleting the previous user + associating its content with the new user (WordPress will ask you to do this automatically when deleting the previous user).
Use a complex password - even if you changed your username, it will not exactly help too much if your password is "123456" or "abcde" or even your phone / social security number. True, these are memorable passwords and everything - but make your site a super easy target for this type of attack. The recommendation is to use a password that consists of small and large letters, signs, and numbers, such that one cannot guess in any way and in many cases will cause the simple hacker to give up and look for the next target.

Example of a password that is almost impossible to crack: 
  • nSJ @ $ # 
  • J24f8sn! 
  • NmSuWP
Another good and very effective way against Brute Force attacks is to use two-step authentications. Once you log in to the site, a security code is sent to your Smartphone and ensures that only you will only have access to the site.

You can use the WordPress 2-step verification plugin for this purpose.

5. Give the appropriate permission to other users on the site

If you work with content writers or content feeders, it is advisable to open them a user session with minimal permission for the actions they will need to perform.

For example, a user who deals only with content (writing + editing) does not need administrator permission. A "writer" or "editor" type approach will certainly be sufficient. Anyone who writes a guest post with you and you just want to add his signature at the end of the post - will be able to settle for the permission of "donor" only.

The following is an explanation of WordPress user permissions:
  • Subscription (Subscriber) - Someone registered the site, without any editing access to the contents of the site, apart from the profile (if there is one).
  • Contributor (Contributor) - They can write and manage their own posts, but not publish them (they will need the approval of the director). A classic example - article sites / sites that receive surfer content (without automatic approval).
  • Write (Author) - They can write and publish their own posts only.
  • Editor (Editor) - They can write and publish their posts, pages, and others, but without the approaches to areas "sensitive" site management such as templates, editing files, and other additives management.
  • Administrator (Administrator) - webmaster permission to any management system that features comes.
The higher the permissions for more users, the more ways to access the site. Minimize these entrances as much as possible.

6. Restriction of attempts to enter the site

Another step that will help you deal with Brute-Force attacks. This is a very simple trick - if a user is unable to connect to the site after 2-3 attempts (usually the number of attempts can be set), it will be blocked for a certain time which can also usually be determined.

A recommended plugin for this (which also comes with the installation of Softalicious): Loginizer.

7. Choosing a quality storage company

Choosing a hosting company has a lot of weight on the performance of your site, in several aspects: the speed of the site, its availability, and also - security. It is always advisable to stay in a company that is aware of the various security issues, with an emphasis on the vulnerabilities of WordPress, and puts this issue in the forefront of its mind. Quality storage can be more expensive than "standard" storage for a few bucks a month, but that gap is definitely worth your peace of mind and time, in my opinion at least.

8. Reduce the use of plugins to the minimum possible

I talked about it a bit in section 2, but let me be clear - plugins are one of the most common causes of security vulnerabilities in WordPress sites. 

The fact that in an open-source system anyone can write a plugin and distribute it to the world without more control - is a loophole calling for thieves.

Also, excessive use of plugins that are not necessary just loads the system and may cause a slowdown in the loading speed of the site. 

Therefore, the recommendation is to minimize the use of plugins to the minimum possible, and use only those that are necessary for the proper functioning of the site. Any change that can be made on the site without the use of a plugin (and assuming that it is not a change of source file that can be overridden in the next version of WordPress) - is recommended to make by "clean" means.

9. Regular scanning of the files on the site and security plugins

Just as you have an antivirus on your computer and you perform scans regularly (hopefully), so it is recommended that you have antivirus and routine checks of infected files on the server itself.

There are several ways to do this:

A- Scanning using an antivirus that is on the server itself (using cPanel for example) - in my experience not too up-to-date and does not detect various vulnerabilities.

B- Scan using various security plugins. Here are some popular ones:

Wordfence - The most popular WordPress security plugin. This plugin closes quite a few corners that I mention in the current article, but like anything - does not provide 100% protection but simply makes the work of hackers more difficult.

Sucuri Security - Another popular security plugin from the security company Sucuri. It's a little lighter than WordPress but also offers quite a few features including scanning for malware on the site, a firewall, preventing Brute Force attacks, and more.

iThemes Security - offers many features that help secure the site, such as Two-Factor Authentication, scanning infected files, logs and tracking user activity, comparing files for virus detection, and more.

10. Connect the site to the Google Search Console

Connecting the site to Google's webmaster tools not only helps to communicate with Google directly and provides broad information on aspects of SEO, but also allows for security alerts about the site.

Advanced tips

The more advanced tips for securing WordPress sites are for users who know how to work with servers, FTP, databases, and more. You do not have to be a great expert in any of the above, but yes with some basic experience in order not to do nonsense.

11. Change file permissions

WordPress has several files and several types of folders, some containing more sensitive information and some less. Each file type and folder has the default permissions. But there are also more stringent permissions that can be set for sensitive files (e.g. wp-config) and/or with the potential for hacking.

12. Security via .htaccess file

Htaccess file is on the Apache servers and sits on the main folder of the site. This is an important and powerful file that is responsible, among other things, for making 301 redirects from address X to address Y, for blocking permissions for certain files or folders, for server-level caching, for blocking various User-agents, and more.

Countless commands can be used to tighten and improve the level of security on WordPress sites. I am reluctant to know everything, but we will mention here some of the important and simple things to implement that are worth knowing:

Important files protection:

Prevent access to important files like wp-config, php.ini, and the error log file.

<FilesMatch "^. * (Error_log | wp-config \ .php | php.ini | \. [HH] [tT] [aApP]. *) $"> 
Order deny, allow 
Deny from all 

Preventing access to folders on the site:

Preventing access to folders on the site prevents users from viewing the folders on the site through the browser. This makes it difficult for someone who wants to infiltrate a malicious file into a particular folder, see which plugins / templates are installed on the site, etc.

Options All-Indexes.

Blocking the execution of PHP files with malicious code in the uploads folder.

By default, the uploads folder should contain mostly images / PDF. If you have been given files with a PHP extension, the following code in the htaccess file will prevent you from running these files:

<Directory "/ var / www / wp-content / uploads /"> 
<Files "* .php"> 
Order Deny, Allow 
Deny from All 

13. Tracking logs and site activity

Tracking the activity of users on the site allows you - right down to the smallest level of the individual - to know what changes have been made to the site.It also makes it possible to track the activities of different users and thus perhaps raise problematic uses that could cause damage to the site.

14. Computer protection

A virus to the site can come not only from an external source but also from our computer. If your computer is infected with a virus, malware, or anything else, and these files make their way to the server - hence the short way to infect the site and this is a format for trouble.

My recommendation - do not skimp and purchase an annual license for professional antivirus software that will also perform a real-time scan of the folders you are in and the sites you browse to warn of potential damage. In addition to antivirus, you should be equipped with software that can scan and deal with malware files - locally on your computer.

If your computer is clean, you at least know that the source of the problem on the site is probably not from your computer. If there are other users (especially those with administrative privileges) on the site, you should also inform them about this issue.

15. Changing the prefix of the database

One of the most popular and common vulnerabilities in WordPress sites is called "SQL Injection". It aims to exploit a weakness in the site's database and insert malicious code that can perform all sorts of actions that can validate permissions such as site access information, user information, and more.

The default prefix of the WordPress database is wp_. Changing the prefix, like anything, will not guarantee you hermetic protection against SQL injections. But it will challenge the attacker who will have to work harder and find the structure of the tables in the database and maybe just skip to the next victim's less difficult hairs.

It is recommended to set a different prefix for tables from the installation stage. But this can also be done afterwards - whether using a plug-in or manually.

In conclusion

Hope you enjoyed the guide. As you have seen throughout this guide, the issue of site security is not something to be taken lightly. So, if you don't have the appropriate skills to ensure the security of your site, I would advise you to call in the experts. This will not only prevent you from losing your investment but will also transform your site into a trusted place for Internet users.

So, if you would like to know more, please contact us and make an appointment for a free consultation. It will be our pleasure to help you!

Also, Semalt has a blog on topics that regularly cover essential topics in SEO.