This topic scares many people because it is unfamiliar to most of us, but there are many aspects you can take care of to improve the security of WordPress and raise your level of protection as high as possible. We have put together a guide to WordPress security best practices in 2022.
There is little point by now in quoting statistics on the number of attacks made every day against websites around the world. Automated systems scan the network every day in search of “easy prey” to profit from.
However, since you are reading this article, let's deal with the subject with the attention it deserves.
What we are going to see is not just a list of plugins to install mechanically, because, to reduce the chances of being attacked, there are several topics to address (and understand).
We'll still give you a turnkey solution to protect your WordPress site.
But follow all the content carefully, because it will increase your knowledge of this new and fundamental topic.
The points we address in these lessons:
- Why you are attacked and the consequences you face.
- When it comes to security, think not only of WordPress but of the whole environment that surrounds it.
- We will analyze the 4 activities needed to make your site safer.
- We will go into the details of your WordPress site, looking at configurations, plugins and services to use.
- We will close with what to do if your site is compromised.
Why are sites attacked?
Let's start by understanding the different reasons why every website is at risk of attack.
Knowing the causes will bring you to a higher level of awareness.
If your online project has just started, it may seem that you are not at risk: you have no competitors or enemies to bother you, you are just a small fish in the ocean.
But be careful, because attacks have different purposes.
Being chosen as a specific target is quite unlikely, since someone would need an interest in damaging your activity. Targeted attacks account for only about 1% of the attacks seen on the network.
The motivations that lead someone to harm a business may be economic, personal, political… but only you can know (or imagine) whether you are at risk of a targeted attack.
The remaining attempts to tamper with websites, that is, 99% of cases, have no specific target: what interests the attacker is finding weaknesses in order to take possession of the server or use your site for criminal activity. In short, to use you.
Imagine you wanted to send spam by email: what would you do?
Use your own site and server, or send the emails through someone else's server? That gives you the idea.
The most widespread motivations behind this kind of activity are economic, pursued by adding spam to your site or by distributing malware (viruses and the like).
Adding spam means inserting text and backlinks in your pages that are often not visible while browsing but are present in the code.
If instead they manage to infect your site with malware, it will be used to infect as many computers as possible, including those of your visitors. The aim is to steal sensitive information such as online banking credentials.
You can see, then, that unlike the attack on a specific target, this kind of activity tries to hit as many victims as possible, “shooting into the crowd” as they say, using automated systems that scour the net in search of easy prey.
For example, if a security bug is discovered in a plugin, it is very likely that the network will be scanned to find sites with that particular plugin installed.
Consequences of a compromised site
When a site is compromised the consequences vary, depending on the type of damage caused.
Needless to say, you could face an economic loss.
Whether your site is an eCommerce store or is monetized through affiliations or advertising, having it out of service even for a few days means losing the turnover of that period.
In the eyes of the users who see the compromised site, the reputation and trust you had managed to build certainly drop.
But perhaps the biggest damage of all concerns positioning on Google: SEO and the ranking of your pages in the SERP.
Google in fact runs an algorithm that is constantly at work detecting security problems on the network.
When Google finds an infected site, besides notifying the owner directly, it takes immediate action to protect other users and the Web in general.
The security field of action
I want to draw attention right away to the title of this article, “WordPress Security”, and step back one level to something bigger.
So let's talk about the “security” of the whole structure, in which WordPress is only one of the players on the field.
When it comes to this topic, we are not only talking about technologies and programming, but about people and the processes that interact with all these parts.
We have several groups to analyze: the environment, the people, the application and the infrastructure.
By environment we mean the various means through which you get in touch with your WordPress site.
Think of your computer or your various devices. If the PC you connect and work with is full of malware, trojans or whatnot, there is a good chance of giving free access to your online world, because these programs are designed to harvest exactly that kind of information: FTP passwords, accounts, social data, email and other data. All of it is at risk.
So take care of the maintenance of your work computer and, if someone else besides you uses it (children, partner, spouse, etc.), take proper precautions. Even if you are super careful, do not assume that others are the same.
Now, instead, think about the places you connect from.
After all, we connect from anywhere! From the pub, the hairdresser, the airport: practically wherever a WiFi network is available we are ready to connect.
Remember that you can have the most advanced and secure WordPress site and server on the market, but these are not the only things you need to take care of.
This is also why, for those trying to penetrate a system, it is often easier to look for access keys where our attention fails.
If you think the hacker world consists of code written at the speed of light inside a black terminal, you are wrong.
The human aspect is fundamental and is also the weakest one.
In my experience, most of the times we found ourselves facing compromised sites, the cause was precisely human error, above all weak passwords.
You also have to know that extracting information from people is an activity that is part of the hacker world. It is called social hacking.
So do not trust anyone, especially if you are asked for access keys or personal data, and always try to know exactly who you are dealing with.
In the “Application” layer we have WordPress itself and all its components, such as themes and plugins.
Recall that most of the world's sites are made with WordPress. Being so widespread, it is inevitably one of the favorite targets.
The more users a product has, the easier it becomes to find a vulnerability, take control of the machine, or install malicious scripts on a large number of installations.
Let's not forget, however, that the WordPress community is a colossus, with a large workforce ready to intervene as soon as security problems are identified.
So it is good practice to keep WordPress, themes and plugins always updated.
The last group is the infrastructure that hosts your site, including the server.
Here there is not much you can do, other than choose the right hosting.
Now that we have seen the environment in which we must move, we can move on to the activities you will have to deal with in order to defend yourself best.
The 4 activities needed to defend yourself
If we search the WordPress repository for the keyword “Security”, we get back about 300 pages of possible plugins.
I'd say we're spoilt for choice.
But be careful: before deciding which to trust, you must understand what you need, as not all plugins do the same things.
Why? Simply because “defending yourself” does not consist of a single activity. There are many aspects to take into account, and they depend mainly on the type of site you have, what it does, what features are installed, what it allows users to do, etc.
So let's see the complete cycle necessary to safeguard your website, consisting of:
- Response / Action
How to make your WordPress site more secure
Making your WordPress site safer is possible; let's see how.
When we talk about access we mean all the various access points to the management parts of the site.
Not only the username and password of the WordPress admin panel, but also those of the various FTP users, the hosting service panel and cPanel.
The advice is to have a different username and password for each of them.
This is because, in the unfortunate event that someone gets hold of one of them, we avoid immediately handing over control of our entire structure.
The choice of password is very important.
As you will have noticed, almost all authentication systems, at registration time, offer a password suggestion and a rating of whether it is “weak, medium or strong”.
Follow the tips and make it as strong as possible.
Use different characters, numbers, punctuation, special characters and a length of at least 12 characters, to make life as hard as possible for brute-force attacks.
The elements to avoid absolutely are:
- Any reference to the activity itself: if the site is called fiorirossi.it, do not use flowers, reds or similar references. I know, it may seem an obvious suggestion, but having come across several such cases it is better to spell it out.
- Names of people, cities or animals: searching social profiles for information about relatives, friends or passions is very simple, so do not link your password to any of these.
- Dates and numbers: do not use birth dates, anniversaries, etc.
As you will understand, random elements are the best thing.
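As an added example (not from the original article), here is a Python checker that applies the rules just listed: at least 12 characters, a mix of character classes, no reference to the site or brand, no names of people, cities or animals, no dates. The site words, personal words and dates are constructed sample values (the fiorirossi.it example and invented names); a real deployment would build them from the site name and the user's own profile data. The rule that rejects any run of 4 to 8 digits generalizes the advice about dates, since such runs are almost always a year or a full date.

```python
import re
import string

# Constructed sample values: words tied to the site (the article's fiorirossi.it
# example plus their translations) and personal references an attacker could
# harvest from social profiles. A real deployment would build these lists
# from the site name and the user's own profile data.
SITE_WORDS = ["fiorirossi", "fiori", "rossi", "flowers", "reds"]
PERSONAL_WORDS = ["mario", "roma", "fido"]
PERSONAL_DATES = ["1985", "12071985", "07121985"]
MIN_LENGTH = 12


def check_password(password, site_words=SITE_WORDS,
                   personal_words=PERSONAL_WORDS, personal_dates=PERSONAL_DATES):
    """Return the list of policy violations for `password` (empty list = accepted)."""
    problems = []

    # Rule 1: length of at least 12 characters to slow down brute force.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: mix of letters, digits and punctuation / special characters.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Rule 3: no reference to the site, to people, cities or animals.
    lowered = password.lower()
    for word in site_words + personal_words:
        if word.lower() in lowered:
            problems.append(f"contains the guessable word '{word}'")

    # Rule 4: no known dates and, generalizing the advice, no 4-8 digit run
    # at all, since such runs are almost always a year or a full date.
    for date in personal_dates:
        if date in password:
            problems.append(f"contains the known date '{date}'")
    if re.search(r"\d{4,8}", password):
        problems.append("contains a run of 4-8 digits that looks like a date")

    return problems


if __name__ == "__main__":
    for candidate in ["fiori2019!!", "Tq7$wLm2!zRp#b"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The function returns every violated rule rather than stopping at the first one, so a registration form can show the user all the reasons at once.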
Let's not forget that, together with the password, there is also the username of your administrator. Never use “admin” and, again, an invented name comes in handy.
The fewer references, the better.
It is a good idea to have an administrator account that you use only when performing operations that require this level of privilege.
Do not use this user for normal site management, such as writing content and articles or replying to comments, because in most themes this would expose the admin's username directly on the site.
So for normal writing and content management, create one or more users and give them the Editor role (or even lower roles). You will also be more comfortable knowing that, using these accounts, there is less chance of making a distracted mistake.
As far as access is concerned, if your site accepts subscribers, check the permissions and actions your users can perform.
A plugin that lets you log in and use the site as one of your users is User Switching.
Once installed, if you open the profile of a subscriber you will find a “switch to” link. Clicking it authenticates you as that user.
To return to the administrator, at the bottom of the page you will find a “switch back to…” link.
The first rule for a WordPress site at lower risk is to keep it always up to date.
Conceptually, WordPress is no different from your operating system. How many times are you prompted for Windows updates, or macOS updates if you use a Mac?
Remember that, when a new way to penetrate a site is found, the bots that scan the network looking for victims are let loose.
The same concept applies not only to the WordPress core but also to plugins and themes.
WordPress security plugin
There are many plugins that deal with security. Some of their features are free, others paid.
Finding one that does everything, and for free, is not possible.
That is why we'll show you two different routes.
Let's start with the first, the recommended one especially if your site represents a value, economic or emotional.
If you are willing to invest some budget, there is no question: the best “turnkey” service you can find to protect your site is offered by Sucuri.
It is not used only by private or small sites; on the contrary, their services are also used by hosting companies.
Their technicians take care of all the activities we have seen, and you can sleep peacefully.
You will not have to install anything on your WordPress site, as the work is done directly on their platform.
This is a real advantage because your server and your site are not burdened by extra work and remain fast and responsive.
Even their firewall, the product for which they became famous worldwide, is external to the site.
It shields against all kinds of attacks and, by rejecting potentially malicious requests, only genuine ones reach your server.
It also further improves the speed of your site, as the firewall is equipped with a caching system.
Their technicians are at your disposal 24 hours a day, ready to answer any question or solve any problem.
Also, if you entrust yourself to Sucuri and something happens, you will not have to take care of anything: they will fix your site.
Considering just the hourly cost of a computer security expert, the amount they ask to look after you and have a consultant available all year round is a bargain.
And that is why we at Webipedia also decided to “insure” ourselves and protect our site through their services.
If you prefer DIY, you can install Wordfence, one of the (partly free) plugins most used by WordPress users.
Since this article was getting very long, we decided to split the “operational” part about the plugins into two separate articles.
How to secure your site through Sucuri
Where we show you the purchase process, their platform, tools, etc.
How to secure your site through Wordfence
Where we show you the installation and basic configuration of this plugin.
If you have chosen the DIY route via Wordfence, once you have completed the process described in the article above, continue to the end of this article.
If instead you have chosen to entrust the security of your WordPress site to Sucuri, you do not have to do anything, because if an attack compromises the site, their technicians will intervene.
What to do if your WordPress site has been hacked
The best advice we can give you, if your site is a source of income and you realize the situation could be serious, is to turn to professionals specialized in this field.
You can always rely on Sucuri or other industry professionals you know.
That said, the first thing to do is definitely to “stay calm”.
The problems, as we have seen, can vary:
- Do you have links to pages you never added?
- Has Google flagged your site as infected, so that you can no longer view it?
- Has the scanning system detected possible anomalies, etc.?
If Google warns you about malware or spam, then the problem is certain and you have to get to work promptly.
If instead the warning comes from the plugin scan, then before thinking of a real attack, try to understand whether it is a false positive:
- Which file has been reported?
- Do you recognize it?
- Or do you not?
- Is it part of the theme? Of a plugin?
- If you open it with a text editor, do you see strange code?
- What does the scanner say about this file?
Remember that since many of these attacks are well known, searching the net with different keywords (file name, plugin, theme, location or whatever) is always useful.
Also, if the file belongs to a plugin or theme, you can always send a support request to the developers. They are the first to want their products not to be victims of attacks.
Finally, you can try to remove the infected files manually.
If the files are located within inactive themes or plugins (for those who leave disabled plugins on their site), proceed to physically delete the folders containing them.
The fewer useless files there are, the fewer places there are to hide infected code.
If instead the files are original WordPress, plugin or theme files, you can replace them with fresh copies downloaded from the WordPress repository or from the site where you made the purchase.
Having done this, run a new scan and evaluate the results.
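After replacing files with fresh copies, a practitioner wants to know which files still differ from a pristine copy of the same version. As an added example (not from the original article and not a WordPress tool), this Python script hashes two directory trees, a clean download and the live install, and reports modified, extra and missing files. The build_demo() function writes a constructed miniature tree to a temporary directory, with one altered file and one unknown file, purely to show the output; on a real site you would point compare_install() at the unpacked download and at the site's wp-includes or wp-admin directory (or a single plugin's folder), with paths of your own.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under `root` (path relative to root, '/' separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_install(clean_root, live_root):
    """Compare a live tree against a pristine copy of the same version.

    modified: present in both but content differs (possible injected code)
    extra:    only in the live tree (unknown file, e.g. a dropped backdoor)
    missing:  only in the clean tree (deleted or renamed by the intruder)
    """
    clean, live = snapshot(clean_root), snapshot(live_root)
    return {
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
        "extra": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def build_demo():
    """Constructed sample: a tiny clean tree and a live copy with one altered file
    and one unknown file. The 'tampering' is harmless demo content."""
    base = Path(tempfile.mkdtemp(prefix="wp-integrity-"))
    try:
        clean, live = base / "clean", base / "live"
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "functions.php").write_text("<?php // original\n")
            (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (live / "index.php").write_text(
            "<?php require 'wp-blog-header.php';\n// demo: an added line\n")
        (live / "wp-includes" / "extra.php").write_text("<?php // demo: unknown file\n")
        return compare_install(clean, live)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Usage on a real site (both paths are placeholders):
    #   python wp_integrity.py /tmp/wordpress-clean/wp-includes /var/www/site/wp-includes
    import sys
    report = compare_install(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else build_demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

Files listed under "extra" deserve the closest look, since a clean download of the same version never contains them; "modified" files are the ones to replace with the fresh copy described above.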
Access to the compromised site
If Google has warned you, or users cannot browse the site because they receive a red warning, immediately go to the administration panel and verify that you can sign in.
If you can, change the administrator's password as well as those of the other access points to your activity: FTP, cPanel, etc.
This is the first thing to do because in this way we try to block access immediately, without giving the intruder the possibility to do further damage.
Also contact your hosting company's support. When such an event happens, they also want a quick resolution.
Think of using a backup
If the problem persists and you cannot get rid of the alerts, the next step is to restore the site from a backup.
But you have to know that the first thing attackers do when they have the chance is to upload a backdoor to the server.
Through a backdoor, the next time they need to get into the machine they do not go through the normal authentication system, but have a way to get in unnoticed through this “back door”.
What does this mean? It means that if you restore from a backup taken when the site was already infected, your project will not be cured.
So if you can identify a date when your site was definitely “clean”, you can consider using that backup, knowing that you will lose all recent data, such as articles, comments and, in the case of an eCommerce, even the registered orders.
After the restore, run the site scan again to verify that you have eradicated the infection.
Then log into the admin again and start checking the different functionalities.
One of the first things to check is the list of site administrators. Make sure there are no new ones.
After restoring the backup, change all your WordPress and database passwords again, because the restore has brought back the old ones.
Download the file wp-config.php and update the database password in it.
In the same wp-config.php, also update the unique authentication keys and salts.
Changing these keys forces all users to log in again, so if the intruder is still authenticated on your site from a previous session, they will have to log in again (but you have already changed the password).
Once you have fixed everything, if the warning came from Search Console, go to the Security section and request a review.
Here is the official Google guide on the topic.
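As an added example (not from the article and not part of WordPress), the following Python script performs those two edits on wp-config.php: it replaces the value of DB_PASSWORD with the password you have already set on the database, and it replaces all eight keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT entries) with fresh random values, which is what invalidates every existing login cookie. SAMPLE_CONFIG is a constructed miniature of a wp-config.php; the script assumes the file uses the standard define('NAME', 'value'); form with key values that contain no single quote or backslash, as the keys WordPress generates do.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign cookies and nonces.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Characters safe inside a single-quoted PHP string: no quote, no backslash.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"

# Constructed miniature of a wp-config.php, with the placeholders a fresh install has.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'old-password' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def random_key(length=64):
    """A 64-character key from a CSPRNG (the length WordPress's own generator uses)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def php_single_quoted(value):
    """Escape a value for use inside a single-quoted PHP string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def rotate_config(config_text, new_db_password):
    """Return (updated_text, new_values, missing_names).

    Every define() of DB_PASSWORD and of the eight keys is rewritten with a new
    value; everything else in the file is left untouched. Names whose define()
    could not be found are listed in missing_names so the caller can add them.
    """
    new_values = {name: random_key() for name in WP_KEYS}
    new_values["DB_PASSWORD"] = new_db_password
    updated, missing = config_text, []
    for name, value in new_values.items():
        # Match define('NAME', 'old value'); with either quote style and any spacing.
        pattern = re.compile(
            r"define\(\s*(['\"])" + re.escape(name) + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;",
            re.DOTALL,
        )
        replacement = f"define('{name}', '{php_single_quoted(value)}');"
        # A function replacement keeps backslashes in the new value literal.
        updated, count = pattern.subn(lambda m, r=replacement: r, updated, count=1)
        if count == 0:
            missing.append(name)
    return updated, new_values, missing


if __name__ == "__main__":
    # Usage (path and password are placeholders; set the new password on the
    # database itself first, or the site will lose its DB connection):
    #   python rotate_wp_config.py /path/to/wp-config.php 'new-db-password'
    import sys
    path, new_pw = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as f:
        text, _, missing = rotate_config(f.read(), new_pw)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    print("rotated; not found:", missing or "none")
```

Change the password on the database (for example from cPanel or the hosting panel) before running the script, and keep a copy of the original wp-config.php so a typo cannot lock you out of your own site.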
We have reached the end of this article about security.
Of course our goal was not to make you an expert in computer security, also because it is one of the most complex subjects in this field.
But surely, if you have never been interested in this topic before, you now have the knowledge to act and improve the security level of your WordPress site.