{"id":1514,"date":"2020-09-17T10:05:00","date_gmt":"2020-09-17T10:05:00","guid":{"rendered":"https:\/\/sectigostore.com\/blog\/?p=1514"},"modified":"2020-09-24T16:43:18","modified_gmt":"2020-09-24T16:43:18","slug":"wordpress-security-ultimate-guide","status":"publish","type":"post","link":"https:\/\/sectigostore.com\/blog\/wordpress-security-ultimate-guide\/","title":{"rendered":"WP Security: The Ultimate Guide to WordPress Security"},"content":{"rendered":"\n

Make yours a s<\/strong>ecure WordPress site with these 10 proven, easy-to-implement tips and keep the hackers a<\/strong>way <\/strong>  <\/h2>\n\n\n\n

WordPress is a real blessing for bloggers,\u00a0freelancers,\u00a0and startup business owners. You\u00a0don’t\u00a0need to pay thousands of dollars for software development and maintenance. Anyone can simply learn WordPress with online tutorials and start\u00a0promoting\u00a0their\u00a0business, products, or services\u00a0right away. But what about\u00a0WordPress security?\u00a0Sucuri<\/a> reports that 90%\u00a0(i.e., 9 out of 10)\u00a0of their total clean-up requests are\u00a0from\u00a0WordPress\u00a0sites.\u00a0\u00a0<\/p>\n\n\n\n

\"\"
Data source: Wpvulndb.<\/a>c<\/a>om<\/a><\/figcaption><\/figure><\/div>\n\n\n\n

Because WordPress\u00a0is an\u00a0open-source technology, anyone can make plugin and theme.\u00a0These plugins and themes might have a weak security structure or contain malware.\u00a0Wpvulndb.com reports<\/a>\u00a0that they have a total of 21,785 vulnerabilities in their database\u00a0\u2014\u00a0of these vulnerabilities,\u00a080%\u00a0are\u00a0WordPress, 17.8% are plugins, and 2%\u00a0are theme.\u00a0<\/p>\n\n\n\n

The irony is that startups generally choose WordPress because\u00a0they have\u00a0a tight budget, lack programming knowledge, or\u00a0are looking for an easy-to-use platform. If you\u2019re\u00a0one of them, you might be asking, “So, do I have to hire a techie and spend thousands on securing my website<\/em>?\u201d\u00a0The answer is, “No.”\u00a0\u00a0<\/p>\n\n\n\n

In this article, we\u2019ll cover 10 proven and powerful tips to secure WordPress sites. The plugins and products suggested in the article are either free or inexpensive.  <\/p>\n\n\n\n

10 Proven Tricks to <\/strong>Make Yours a <\/strong>S<\/strong>ecure WordPress Site<\/strong> <\/h2>\n\n\n\n

We have included some of the best freemium or least expensive security plugins and tools that are easy to use and won’t add burden to your pockets. Even a non-tech savvy person can instantly apply these tips to secure WordPress sites. <\/p>\n\n\n\n

WordPress Security Tip <\/strong>1<\/strong>:<\/strong> Block Malicious and <\/strong>S<\/strong>pam <\/strong>C<\/strong>omments<\/strong> <\/h3>\n\n\n\n

How:<\/strong> Install plugins like Akismet<\/a>, CleanTalk<\/a>, or Antispam Bee<\/a> to detect and remove spammy and malicious comments. <\/p>\n\n\n\n

Why: <\/strong>If you have a blog or discussion section that allows people to post comments, you must be beware of malicious comments. The hackers write scripts and codes in the comments to hack the website or get inside the WordPress database. They also insert backlinks to their website and unsolicited advertisements about their product\/service. Akismet<\/a>, a WP security plugin to remove malicious comments,\u202fhas blocked more than 503 billion spam comments to date\u202f(as of Sept. 24, 2020). <\/p>\n\n\n\n

WordPress Security <\/strong>Tip <\/strong>2<\/strong>: Limit Login Attempts <\/strong> <\/h3>\n\n\n\n

How<\/strong>: Install plugins like Limit Login Attempts<\/a>, <\/strong>Loginizer<\/a>, <\/strong>or <\/strong>WPS Limit Login<\/a>, to enable login lockdown feature to secure WordPress site.  <\/p>\n\n\n\n

Why: <\/strong>All WordPress sites allow unlimited login attempts by default. That means users have unlimited chances to insert their user IDs and passwords in the login field until they figure out the right credentials. This lack of control is very appealing to hackers who can exploit this feature with brute force attacks<\/a>.  <\/p>\n\n\n\n

In this\u00a0type of\u00a0cyber\u00a0attack<\/a>,\u00a0hackers\u00a0use a script or bot to apply a\u00a0database of\u00a0pre-guessed\u00a0user IDs\u00a0and passwords automatically\u00a0to websites\u2019 login fields\u00a0until\u00a0one of the attempts is successful.\u00a0Sometimes a\u00a0botnet<\/a>\u00a0is used, where\u00a0a large number of\u00a0infected devices deploy the brute force attack on a targeted login field.\u00a0<\/p>\n\n\n\n

The best way to prevent brute force attacks is by limiting the number of logins attempts a user can make in a specific period. After the\u00a0set\u00a0number of failed login attempts\u00a0(generally 3 to 5), the system temporarily blocks the user\/IP\u00a0address.\u00a0<\/p>\n\n\n\n

WordPress Security Tip 3: Regularly Scan Your Website<\/strong><\/h3>\n\n\n\n

How<\/strong>: Install WordPress security scanners\u00a0and firewalls to detect and remove threats. One such example is\u00a0cWatch<\/a>, scans your website and provides detailed reports on a variety of threats and vulnerabilities, including malware, brute force attacks, and DDoS attacks. Sectigo’s HackerProof Trust Mark<\/a> provides scans of your website on a daily basis to identify vulnerabilities and offer actionable intelligence on mitigation.<\/p>\n\n\n\n

Why<\/strong>: Cybersecurity is an ongoing process that often involves detecting and removing malware. You need a malware scanner and firewall that monitors your website 24\/7 for\u00a0cyber\u00a0attacks\u00a0and malware-related threats. It must\u00a0be efficient\u00a0enough to remove the malware, block suspicious IPs, and prevent the\u00a0cyber\u00a0attack\u00a0in the initial stage only to cease further damage.\u00a0\u00a0<\/p>\n\n\n\n

WordPress Security <\/strong>Tip 4: <\/strong>Encrypt Website Data Exchanges <\/strong> <\/h3>\n\n\n\n

How: <\/strong>Install an SSL\/TLS <\/a>certificate on your website. <\/strong>It’s always best to choose a commercial TLS certificate because the free ones don’t come with any sort of support or warranty in the event that something goes wrong. And paid commercial certificates won’t break the bank, either \u2014 in fact, many cost less than $10 per year! Use the Really Simple SSL<\/a> <\/strong>plugin to ease the installation process.  <\/p>\n\n\n\n

Why<\/strong>: If you don\u2019t install an SSL\/TLS certificate, all the browsers will show a “Not secure<\/strong>\u201d warning next to your domain name in the address bar. This message indicates a major security flaw, showing that the data your users’ browsers and your server exchange is unencrypted. Hence, if the hacker breaks the internet network and gets access to the data, they can read, interpret, modify, and steal it. Your website will be vulnerable to man-in-the-middle<\/a> (MitM) attacks.  <\/p>\n\n\n\n

The SSL\/TLS certificate will encrypt the data using public key infrastructure (PKI) processes and technologies. PKI is the framework for public-key encryption (asymmetric encryption),<\/a> which is a strong mathematical algorithm that assures robust data security in transit. It will remove the \u201cnot secure\u201d warning in front of your domain name and will display a green or grey padlock symbol (depending on your browser).  <\/p>\n\n\n\n

Note:<\/strong>\u00a0After\u00a0installing your certificate, you must regularly manage\u00a0it.\u00a0If it gets revoked or expired, all the browsers will show \u201cyour connection is not private\u201d or \u201csecurity risk ahead\u201d error page to your website visitors. You need to renew free SSL certificates every\u00a0three months<\/strong>\u00a0(90 days)\u00a0and commercial ones\u00a0at\u00a0a maximum of\u00a0two years\u00a0<\/strong>(more specifically, 398 days). Free certificates have a bad\u00a0history of getting revoked<\/a>, too. So, just choose your SSL\/TLS certificate wisely.\u00a0\u00a0<\/em><\/p>\n\n\n\n

WordPress Security\u00a0Tip 5: Enable 2FA as a Minimum<\/strong><\/h3>\n\n\n\n

How:\u00a0<\/strong>There are many\u00a0two-factor authentication (2FA)\u00a0tools\u00a0such as\u00a0Two-Factor, WordPress 2-Step Verification,\u00a0Unloq\u00a0Two Factor Authentication, etc. There’s also\u00a0Google Authenticator<\/a>, which is free and simple to implement.\u00a0\u00a0<\/p>\n\n\n\n

You need to install the Google Authenticator<\/a> plugin on your WP site and download the Google authenticator app on your cell phone. Every time you log in to your WordPress dashboard, you need to provide a unique code generated on your cell phone on the Google Authenticator app. It also works for multiple site admins, employees, and co-authors.  <\/p>\n\n\n\n

After completing the\u00a0installation process<\/a>, your WP admin login page would look something like this:\u00a0\u00a0<\/p>\n\n\n\n

\"\"
Image source:\u00a0WPbeginner<\/a>\u00a0\u00a0<\/figcaption><\/figure>\n\n\n\n

Note:<\/strong> 2FA is a term that’s often interchangeably used with\u00a0multi-factor authentication (MFA)<\/a>. Any authentication that has two or more authentication processes fall under the umbrella of MFA. So, all two-factor authentication is a type of multi-factor authentication, but not all MFA is 2FA.\u00a0Got it?<\/em><\/p>\n\n\n\n

Why: <\/strong>Two-factor authentication is more secure than passwords alone. After all, passwords can be stolen, leaked, or guessed. According to <\/strong>Verizon\u2019s 2020 DBIR<\/a>, 80% of breaches within hacking involve brute force or the use of lost or stolen credentials.\u202f <\/p>\n\n\n\n

As we mentioned earlier, hackers even use brute-force attacks to find the right user ID-password combinations. But when you enable two-factor authentication, no one can break into your WordPress admin dashboard because the only person holding the cell phone can access the unique code, one-time password (OTP), or secret PINs.   <\/p>\n\n\n\n

WordPress Security\u00a0Tip 6: Scan Your Backups Before Storing Them<\/strong>\u00a0<\/h3>\n\n\n\n

How:<\/strong>\u00a0We strongly recommend\u00a0CodeGuard<\/a>\u00a0because it automatically\u00a0creates a\u00a0backup of your site, scans it for malware, removes\u00a0if it finds anything suspicious, and stores\u00a0only\u00a0the clean copy on a third-party platform.\u00a0<\/p>\n\n\n\n

Why<\/strong>: We all know that maintaining a current backup is crucial to the health and security of your online business. If the hacker has locked your website’s file, folders, and databases for a ransomware attack, you can easily restore it using your secure backups. But if an attacker inserts malicious code into your website, and if you take a backup without first scanning it, that malware will be stored in your backups, too. So, the backup copy will be useless, and you\u2019ll have to build your site from scratch!  <\/p>\n\n\n\n

In short, all your backups won’t help you when you actually need them! Hence, the best WordPress security practice is to scan the backups before storing them. CodeGuard is one of the most efficient backup tools that will automatically scan your entire website and databases before taking the backup.  <\/p>\n\n\n\n

WordPress Security\u00a0Tip\u00a07: Change\u00a0Default Settings<\/strong>\u00a0<\/h3>\n\n\n\n

How<\/strong> and why<\/strong>:<\/strong> Because WordPress has a default structure<\/a> for URLs, file names, and storage locations, it\u2019s easy for attackers to find important pages and files to hack them. You should manually change these paths and file names to something unique so that only you know where to find them.  <\/p>\n\n\n\n

You can follow the below-mentioned tricks using plugins such as iThemes Security<\/a> or WP-DBManager<\/a>. <\/p>\n\n\n\n

1. Change your file and web page names. <\/strong> <\/p>\n\n\n\n

WordPress has default admin page URLs,  <\/p>\n\n\n\n