10 Steps To Secure Your WordPress Site and Server
This post, 10 Steps to Avoid Your WordPress Site Being Hacked, covers the security protocols, processes, programs and platforms we use, based on our own experience and on recommendations. Although your websites may be hosted on a server at home, in your office or remotely, the security of your desktop computers, laptops, tablets and phones is just as important. Today, more than ever, all devices are interconnected, and as the saying goes, "A chain is no stronger than its weakest link": it is crucial to keep ALL devices secure, not just the computers, or the phones, or the websites. Once one device is hacked, the risk that all the other devices will be hacked is high.
The following steps outline what to do to secure your WordPress websites, computers and phones.
Most suggestions are based on our experience with WordPress sites, Windows computers, and Android and iPhone phones.
Should you need help with any of this feel free to contact us by clicking here.
If you want the traffic and communication to and from your website to be secure and encrypted, you MUST install your WordPress site using SSL. By installing your WordPress site on a secure server with an SSL certificate, your website URL is shown as "HTTPS:" instead of "HTTP:", signaling to your visitors that the communication with your website is encrypted. If you use Inmotionhosting as your web hosting platform you can click here to learn how to install your WordPress site on a secure server with SSL. If you are a BlueHost customer, click here to do so.
For more details on how to install SSL for WordPress on Inmotionhosting.com, click here. To learn how to install SSL on BlueHost-hosted WordPress sites, click here.
To secure your WordPress site and files (I'll talk more about your web host's home directory safety later), I start by installing and activating the following plugins:
- Antispam Bee: Antispam plugin with a sophisticated toolset for effective day to day comment and trackback spam-fighting. Built with data protection and privacy in mind.
- Blackhole for bad Bots: Protects your site against bad bots by trapping them in a blackhole.
- iThemes Security: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin. My favorite feature is the most important "door lock" on your WordPress website, namely the option to change or hide your login URL from the standard "wp-login" to something else: something that nobody, especially bad bots and hackers, knows.
- Loginizer: Loginizer is a WordPress plugin that helps you fight brute-force attacks by blocking login for an IP once it reaches the maximum number of retries allowed. You can blacklist or whitelist IPs for login using Loginizer.
- Wordfence Security: Anti-virus, firewall and malware scan.
- Wordfence Login Security: Login security with CAPTCHA as well as two-factor authentication (2FA).
- Sucuri Security: The Sucuri plugin provides the website owner with the best activity auditing, SiteCheck remote malware scanning, effective security hardening and post-hack features. SiteCheck will check for malware, spam, blocklisting and other security issues such as .htaccess redirects, hidden eval code, etc. The best thing about it is that it's completely free.
See below on hiring a full-blown security firm such as Sucuri. If you start using a malware, ransomware, virus and hacking expert like Sucuri, some of the above plugins may become redundant or even conflict with each other.
To make sure your WordPress website, your files and the server your website runs on are safe, cPanel has various areas you can activate to secure your environment.
- SSH Access: SSH allows secure file transfer and remote logins over the internet. Your SSH connection is encrypted, which is what makes it secure. In this section you can manage your SSH keys to allow automated logins via SSH. Public key authentication is an alternative to password authentication: since the private key must be held to authenticate, it is virtually impossible to brute force.
- IP Blocker: This feature will allow you to block a range of IP addresses to prevent them from accessing your site. You can also enter a fully qualified domain name, and the IP Deny Manager will attempt to resolve it to an IP address for you.
- SSL/TLS: The SSL/TLS Manager allows you to generate SSL certificates, certificate signing requests, and private keys. These are all parts of using SSL to secure your website. SSL allows you to secure pages on your site so that information such as logins, credit card numbers, etc. is sent encrypted instead of in plain text. It is important to secure your site's login areas, shopping areas, and other pages where sensitive information could be sent over the web.
- Hotlink Protection: Hotlink protection prevents other websites from directly linking to files of the types you specify on your website. Other sites will still be able to link to any file type you don't specify (i.e. html files). An example of hotlinking would be using a tag to display an image from your site from somewhere else on the net. The end result is that the other site is stealing your bandwidth. List all the sites from which you wish to allow direct links. cPanel attempts to add all the sites it knows you own to the list; however, you may need to add others.
- Leech Protection: Leech Protect allows you to prevent your users from giving out or publicly posting their passwords to a restricted area of your site. This feature will redirect accounts that have been compromised to a URL of your choice (and suspend them, if you choose).
- ModSecurity: ModSecurity is a web application firewall module for Apache that comes bundled with cPanel. ModSecurity helps protect your site from brute force attacks and, by default, automatically runs on all new accounts. ModSecurity should usually remain on. When installing a WordPress website make sure ModSecurity is activated!
No matter whether it is for security reasons or for "version" reasons, it is good to create backups on a regular basis. Our sites are hosted by Inmotionhosting who offer various ways of backing up your sites.
- Server Snapshot: Inmotionhosting automatically creates server snapshots on a regular basis. You can purchase additional snapshots if you deem necessary.
- Softaculous Backups - On Your Server: You can create backups on your server either automatically or on demand. The downside of creating Softaculous backups of your WordPress website on your server is that they take up space and, if you're not careful, start filling up your server, possibly forcing you to upgrade your plan for more space. This would increase your monthly web hosting expense.
- Softaculous Remote Backups: In the Softaculous "User Settings" you can add a remote backup location to make sure your web host server does not fill up with backups.
- WordPress Backup Plugins: There are many WordPress plugins that can do backups, some good, some bad, some easy and some complicated. The one that seems to be recommended the most, and the one I can recommend as well, is UpdraftPlus. This plugin is easy to install and set up. It backs up everything, i.e. database, plugins, themes, uploads and other files. Restoring your site is a one-click operation. UpdraftPlus can back up to your web hosting server or to a remote location. In case your whole site is compromised and unrecoverable, the remote option would be my recommendation.
No matter what your settings are with regard to backups and/or malware and virus security, it is always good to run the native cPanel virus scan. You can run the Virus Scanner manually or you can set up a cron job for the ClamAV virus scanner. When running the virus scanner, you can set it to scan just the public_html folder, just the FTP folder or the entire home directory. Any malware or viruses found can be quarantined and/or deleted.
Although our WordPress websites were well protected, one of our contacts was massively and extensively hacked. His mobile phone, laptop and desktop were all hacked and compromised. Almost 8 weeks later he is still trying to recover. I will dedicate another blog post to explaining what happened and how we cleaned up, secured everything and planned for a secure WordPress future. The moment it happened, we did not know the full scope of the hack, and with IDs and passwords on the devices that were hacked, we could not determine fast enough whether our cPanel and our WordPress websites were clean and safe.
Sucuri Security partners with Inmotionhosting, so we hired them to scan and clean up our sites if necessary. We also retained them on a monthly basis to continue to secure and scan all our sites on an ongoing basis. If you use BlueHost or any other web hosting platform, they may use other website security firms.
By securing your computers you reduce the risk of being hacked, and thus the risk of a hacker using the IDs and passwords for your WordPress sites to hack those sites and install malware or ransomware. Your virtual world, or as Facebook's Mark Zuckerberg started calling it, "Meta" and "Metaverse", is all interconnected. That is both the good news and the bad news. Interconnection makes our lives easier and the process faster on the one hand, but on the other hand the easy, fast process can overwhelm us, and once one section or device is hacked it can open the flood gates to the next device, and the next, until your ID has been stolen and all your important accounts are hijacked.
We cannot stress enough to have all devices that communicate with each other be tested for security.
As per the previous item on the list, it is paramount that you secure all your devices. That includes your phone, which, from what I've read and heard, is the easiest to hack. Our contact who was hacked not only had his computers hacked but also his phone. That escalated into his ID being stolen and, as of this writing, 8 weeks after the initial hack, he is still trying to recover various accounts and get a safe, new cell phone.
As we found out during this hack, if both your computers and your phone are hacked, including email, you have a massive 2FA (two-factor authentication) problem, which makes it 10+ times harder to recover any account, whether Amazon, your bank or your credit card accounts. More on that in a future blog post.
Whether your websites are hosted on your own server or elsewhere, it is crucial, if you use one, to secure your wireless router with the WPA or WPA2 (Wi-Fi Protected Access) protocols. Additionally, ensure your computer's operating system network settings are in sync with the wireless router settings and vice versa. If you are at home on your own network, your operating system can be more open and share files. In a public environment such as an airport, your operating system settings should be more restrictive, with file sharing turned off. If needed, use a VPN.
Although the list of measures suggested in this blog post is comprehensive, it is by no means 100% complete. There are always extra measures that can be taken, but it is a good foundation. If, despite all the security measures, you still get hacked, it would be good to have insurance in place. ID theft insurance will be able to pay for the cleanup of your sites and your computers and help with recovering your ID and accounts.
The suggestions in this blog post are just that, merely suggestions, based on our own experience. The decision to use or not use any of these suggested platforms lies fully with you. WorldWide Local Connect Inc. and any of its associates cannot be held liable for any consequences resulting from the use of the suggested platforms, programs, protocols and services in this blog post.
Digital Artist and Marketer | Business Consultant & Advisor.
Specialties – Business Planning | Web Design | Digital Marketing|
Hans van Putten owner of 40parkLane,llc ran operations of his food manufacturing company for 17+ years building the Carolyn’s Handmade brand under the umbrella of 40ParkLane,llc.
After the successful sale of the food business, he took advantage of his years of business planning, operations management, web design, digital marketing and photography experience to help startups, small businesses and home businesses, and has been involved in a number of start-up ventures since.
Prior to founding 40parkLane,llc Hans worked for the Gillette Company for 10 years in various financial roles of increasingly bigger responsibility, leaving as Director of Business Planning for The International Group at Gillette HQ, Boston. Hans has an MBA (Marketing & International Business) from Aston University, and a BA in Business Administration from IHBO de Maere.