Your day-to-day as a blogger is a constant fight against elements that want to get into your website and use it for purposes... very different from the ones you had in mind.
Recognizing that, and knowing who they are, is the first step towards improving WordPress security.
Do you want to know what I mean?
- Bots (automated programs) that scan your website for vulnerabilities.
- Crackers, people with some knowledge of the systems, looking to get in too.
- That co-worker who resents your success and has found out on Google how to use WPScan, or
- The unprofessional designer who built your website and is resentful because you have hired a better one.
There are hundreds of cases, many more than the examples I have given you here, and each of these I have lived through, fought, or recovered from.
The last case is real. Don't think it doesn't happen.
I was alerted that a website I had been making changes to had completely disappeared.
Checking the server logs, we saw that the command to delete all the files had been issued over FTP, and from the IP of the original web designer. How do you know what his IP was? Because it matched his location, and because it was the same IP that appeared in the logs from when the website was created. So yes, these things happen.
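This is what that log check looks like as code. It is an added example written for this article, not something from the original post: it assumes vsftpd-style FTP logs (the sample lines below are constructed, using the documentation IP ranges), counts successful DELETE operations per client IP, and shows when each of those IPs first logged in, so a wipe can be tied to an address that was already around when the site was built.

```python
"""Hunt for a mass delete in FTP logs and tie it to a source IP.

Added example for this article, not code from the original post. The log
lines are constructed to look like vsftpd's access log; adapt LINE_RE to
whatever format your hosting provider actually exposes.
"""
import re
from collections import Counter

# Constructed sample log, not a real capture. 203.0.113.0/24 and
# 198.51.100.0/24 are reserved for documentation.
SAMPLE_LOG = """\
Mon Mar  3 09:12:41 2014 [pid 3210] [webuser] OK LOGIN: Client "203.0.113.45"
Mon Mar  3 09:13:02 2014 [pid 3210] [webuser] OK UPLOAD: Client "203.0.113.45", "/htdocs/wp-content/themes/mytheme/style.css", 4211 bytes
Fri Jun 13 22:41:07 2014 [pid 5192] [webuser] OK LOGIN: Client "198.51.100.7"
Fri Jun 13 22:41:30 2014 [pid 5192] [webuser] OK UPLOAD: Client "198.51.100.7", "/htdocs/wp-content/uploads/2014/06/photo.jpg", 88120 bytes
Sat Jul 19 03:05:11 2014 [pid 7781] [webuser] OK LOGIN: Client "203.0.113.45"
Sat Jul 19 03:05:14 2014 [pid 7781] [webuser] OK DELETE: Client "203.0.113.45", "/htdocs/wp-config.php"
Sat Jul 19 03:05:14 2014 [pid 7781] [webuser] OK DELETE: Client "203.0.113.45", "/htdocs/index.php"
Sat Jul 19 03:05:15 2014 [pid 7781] [webuser] OK DELETE: Client "203.0.113.45", "/htdocs/wp-content/themes/mytheme/style.css"
Sat Jul 19 03:05:15 2014 [pid 7781] [webuser] OK DELETE: Client "203.0.113.45", "/htdocs/wp-content/uploads/2014/06/photo.jpg"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<op>[A-Z]+): Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]*)")?'
)


def parse(log_text):
    """Yield one dict per parseable line; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def deletes_by_ip(log_text):
    """Count successful DELETE operations per client IP."""
    counts = Counter()
    for ev in parse(log_text):
        if ev["status"] == "OK" and ev["op"] == "DELETE":
            counts[ev["ip"]] += 1
    return counts


def first_login_per_ip(log_text):
    """Timestamp of the first successful login seen from each IP (the history)."""
    first = {}
    for ev in parse(log_text):
        if ev["status"] == "OK" and ev["op"] == "LOGIN" and ev["ip"] not in first:
            first[ev["ip"]] = ev["ts"]
    return first


def suspects(log_text, threshold=3):
    """IPs that deleted at least `threshold` files, with when they first logged in.

    An IP that was already logging in while the site was being built, and
    later wipes it, is exactly the pattern described in the article.
    """
    history = first_login_per_ip(log_text)
    return {ip: {"deletes": n, "first_login": history.get(ip)}
            for ip, n in deletes_by_ip(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in suspects(SAMPLE_LOG).items():
        print(f"{ip}: {info['deletes']} deletes, first seen {info['first_login']}")
```

On a real incident you would also pull the IP's WHOIS/geolocation and the FTP account's last password change, but the core of the check is just this: who deleted, from where, and how far back that address shows up.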
And don't think that because you are just starting out you don't receive attacks. You would be surprised how quickly your blog starts receiving these unwanted visits. In fact, as you will see, novice blogs are the most vulnerable.
The only one I haven't included is the professional hacker.
I even think that if one of them set their mind to getting into my website, they would succeed.
But precisely these people do not come to do harm. It is just about beating the challenge. And in this case, I also think that I am not important or well-known enough to be a challenge, with the White House website available over there.
And what attacks can you receive, and for what purpose?
- Brute-force or dictionary attacks to find out your password (there are dictionaries with more than 100,000 candidate passwords, and those are the ones actually used by 73% of people).
- Social engineering attacks (the typical email saying "we have detected a problem with your account, send us your username and password", or the phone call fishing for our details), or even the garbage (no, sorry, you have to read on to find out what this technique is).
- Exploitation of XSS vulnerabilities, MySQL exploits (SQL injection), or flaws in PHP code. Very technical. A pain. But stick with the idea that the technology we use can be flawed, and patches need to be applied to close those security holes.
- DDoS attacks, or distributed denial of service. This means receiving so many requests that the server goes down.
- SEO spam: they fill your articles with hidden links to rank fraudulent websites, and you end up blacklisted.
But don't worry.
That is why I am here: to leave you this mega-guide with the pillars you have to strengthen to secure your website and turn it into the Fort Knox of WordPress.
The 5 fundamental pillars to improve WordPress security
When you have reinforced these five foundations of your project, you will sleep more peacefully.
You will also discover, contrary to what you thought, that you are being attacked right now. But at least you will know that you have put a solution in place and you are protected.
No pillar is more important than another. Simply reinforce all 5, or the system will have a point of failure.
And once that is done, it is only a matter of applying logic and keeping two or three basic measures in mind.
Shall we go for it?
Pillar #1. The weakest link in the chain is us
Yes, I will start with the most basic one, but somehow the one that fails the most. We are the weakest link in the security chain, and the main point of entry for attacks. So follow these tips to the letter, and become the strongest link.
Use strong passwords.
Mistake number one. Strong passwords must be used.
And strong does not just mean long, with numbers and upper and lower case letters. Strong also means random.
It is useless for Luis Pérez, who has a dog named Nostradamus (Nostri is what the family calls him), to use the password Nostradamus10062013.
Yes, it looks safe. And yes, a pure brute-force attack will have a hard time with it. But someone who knows him, or a dictionary attack that combines names with dates, may have an easy time guessing it.
A strong password looks like this: 2nFBxtjGH?TR1a
At the end I will tell you the secret to remembering them.
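To make the difference between "long" and "random" concrete, here is an added example written for this article (not code from the original post). It generates a password from the operating system's cryptographic random source and compares two strength estimates: the naive character-set estimate that most strength meters use, and what an attacker who knows a few facts about Luis (the tiny word list and date pattern below are constructed assumptions) really has to search through for Nostradamus10062013.

```python
"""Random password generation and a two-sided strength estimate.

Added example for this article, not from the original post. KNOWN_TOKENS
stands in for the personal facts an acquaintance or a targeted wordlist
would try first; real dictionaries have hundreds of thousands of entries.
"""
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!?#%&*+-=@_"


def generate(length=14, alphabet=ALPHABET):
    """Password from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def charset_entropy_bits(password):
    """Naive estimate used by most strength meters: length * log2(classes seen)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32
    return len(password) * math.log2(size) if size else 0.0


# Constructed: what someone who knows Luis would try, plus the usual suspects.
KNOWN_TOKENS = {"nostradamus", "nostri", "luis", "perez", "password", "qwerty", "123456"}
# A year, or a DDMMYYYY date such as 10062013.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{2}(0[1-9]|1[0-2])(19|20)\d{2}")


def guessable_entropy_bits(password, tokens=KNOWN_TOKENS):
    """Search space for 'known word + number', or None if no such structure.

    An attacker enumerates (#tokens) x (#numbers) x a few capitalisation
    variants, which is nowhere near the 62^len a strength meter reports.
    """
    lower = password.lower()
    for tok in sorted(tokens, key=len, reverse=True):   # longest token first
        if not lower.startswith(tok):
            continue
        rest = lower[len(tok):]
        if rest == "":
            return math.log2(len(tokens))
        if DATE_RE.fullmatch(rest):
            return math.log2(len(tokens) * 36_500 * 4)   # ~36,500 dates per century
        if rest.isdigit():
            return math.log2(len(tokens) * 10 ** len(rest) * 4)
    return None


def strength_report(password):
    """(estimated bits, verdict). The structured estimate wins when it applies,
    because an attacker always tries the cheap structured guesses first."""
    guessable = guessable_entropy_bits(password)
    if guessable is not None:
        return round(guessable, 1), "guessable: known word + number"
    return round(charset_entropy_bits(password), 1), "no obvious structure"


if __name__ == "__main__":
    for pw in ("Nostradamus10062013", "2nFBxtjGH?TR1a", generate()):
        print(pw, strength_report(pw))
```

The dog-name password scores well on a strength meter but collapses to about 20 bits once the attacker knows the word; the random 14-character one stays above 80 bits under either estimate, which is why "random" matters more than "complex".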
Use different passwords.
Because of course, it is useless to use a strong password if you then register on every site with it.
You should know that not all sites store passwords in a hashed (or even encrypted) form.
And so that cooking forum you like so much, or that website where you registered while looking for a car, may be able to see your email and password. And therefore have access to your Facebook, your email, ...
Or one of those attacks happens that steals thousands of passwords from some web service, and all your accounts are compromised.
So now you know: strong, random, and also different for each account and website.
Do you see how you are going to need something to remember them?
Don't give them to anyone. Ever.
I repeat: never.
If a developer needs to get into your website, to review a plugin, make changes for you, etc., create a user for them, which you can later deactivate, delete, or change the permissions of.
This way you have control over who enters your website, and when.
And if you can't create a user, change the password to a temporary one, and when the job is done, change it again.
Remembering so many passwords effectively and safely
It is not worth writing them down on a post-it, or in your diary. Or on a piece of paper that you then crumple up and throw in the trash.
Do you remember I was talking about the garbage?
Well, it is precisely that: looking at someone's desk, or in their trash, for this type of note. Yes, it is a hacking technique (dumpster diving). Incredible but true.
So in order to remember a strong, random and different password for each account or website, it is best to use a password manager:
- LastPass: with versions for all the usual operating systems, a mobile app and browser extensions. Free, with a premium version. What I don't like is that the passwords are stored, encrypted, on their servers.
- 1Password: multi-platform too, but only in a paid version. It's the one I use, because it works great, and the passwords are stored in my own Dropbox in an encrypted file.
- Dashlane: versions for Mac and Windows, and apps for smartphones, completely free. Newly discovered for me, but it looks good. If I had found it earlier I might not have bought 1Password. Passwords are also stored locally.
With these systems you only have to remember one password: the one for accessing the password database. The rest will be encrypted and secure. So secure that if you forget that password... you will lose them forever! (And now don't go writing that one on a post-it stuck to your monitor...)
The difference between storing them locally or remotely is that if the company's servers are compromised, your passwords may be exposed. Stored locally, I am more in control myself, but surely they invest more in security than I do.
Pillar #2. Your computer and systems always secure
It is useless to use strong passwords and put a thousand security measures in place if a simple keylogger (a program that captures what we type on the keyboard) then captures your login details.
Therefore, it is essential that you give your computer its vitamins, to protect it from viruses and malware.
That is done with a good antivirus, and a lot of common sense.
For me the best antiviruses are Kaspersky, Avast and BitDefender. Should you use one of these exclusively? No; if the one you have is working well, you don't have to change. But if you don't use any, you have a choice. Essential if you use Windows.
If you are a Mac or Linux user, do not get overconfident. Don't believe the urban legend that there are no viruses or malware for these systems. It is not true. But you don't need an antivirus either. Their permission systems, and the fact that they are less widespread, make them less attractive to attack. But you do need to use your common sense a lot.
Tips applicable to all systems (computers or mobiles):
- Do not install apps from suspicious sources. The few euros you save by using a pirated app can cost you dearly. The same goes for installing "weird" free apps on your work computer. Don't download from Softonic (curiously, the free version of Avast sends you to download it from Softonic...).
- In general, only use proven and reputable tools that have independent reviews from bloggers.
- Don't open email attachments from strangers. And from acquaintances, if you are not expecting anything, treat them with caution.
- Only type your passwords on websites whose URL you have typed in yourself.
And some extra tips, related to communications:
- Do not share your Internet connection with neighbors or strangers to save a few euros. Much less "borrow" someone else's connection.
- Do not use public WiFi in shopping malls or hotels.
The reason is that it is very easy for someone to "sniff", that is, capture all the information that circulates through that network, and then calmly analyze it. This recommendation is especially important if the admin panel of your WordPress does not use HTTPS: without it, your username and password travel in clear text. It is basic advice for improving security.
Pillar #3. The server your WordPress runs on is the foundation of your online business
I am sure you would not open a bar in an old or poorly built building that you think could collapse at any moment.
Or one that thieves could sneak into by making a simple hole in the wall, because it is so weak.
So why do you use low-quality servers for your online business?
I personally recommend Ionos (1&1) to all my clients. For security, support, and performance.
The security of Ionos (1&1) is exceptional:
- Proactive security measures, so that even if you do not update, you are not affected.
- Passive security measures, such as blocking repeated failed login attempts.
- I block all non-Spanish-speaking countries from the admin of your website. You can't imagine how much that takes off you!
Another server that works very well for me in terms of WordPress security, and where my blog is currently hosted, is WPEngine. Much more expensive, but you simply forget about managing security or performance, since it is managed WordPress hosting.
In this case, again, wanting to save some money can really cost you later.
There is no more science to it. If you want security in your WordPress, invest in a real server.
As an example, I can tell you that with one of the most famous hosts, Hostgator, I don't know why, but lately I have found numerous clients who used it with their blog infected by SEO spam.
It is simply better to choose something that gives you good support and, rather than being very famous, that you know manages its resources very well.
There is no greater complication to having a good security pillar in this respect.
Pillar #4. WordPress security is not something to forget about
We cannot talk about security in WordPress without talking about what needs to be done so that it is unbeatable.
Basically it is based on reinforcing several aspects:
- Force users to use strong passwords (since version 4.3 WordPress generates strong passwords by default and shows a strength meter, but it does not force them on users, so it is worth asking for this).
- Limit login attempts, thereby blocking brute-force attacks.
- Perform a periodic malware scan, so that it alerts us to unexpected changes and we can fix them efficiently and quickly.
- Eliminate possible vulnerabilities or weaknesses in the plugins or themes we have installed.
- Block bots (automated programs) searching for these vulnerabilities.
To do all this, we have plugins that will help us, and periodic maintenance tasks that must be done, no excuses.
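The plugins below do the "limit login attempts" part for you; this added example, written for this article and not taken from any of those plugins, shows the logic they enforce so you understand what you are configuring. It keeps a sliding window of failures per source IP and per target account, locks for a fixed period once the threshold is hit, and replays a constructed sequence of login events.

```python
"""Sliding-window login limiter: what 'limit login attempts' actually does.

Added example for this article, not the code of Wordfence, iThemes Security
or any other plugin. Thresholds and the event list are constructed.
"""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lockout ends

    def _prune(self, key, now):
        """Forget failures older than the window, so slow guessing is not punished forever."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired: start clean
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Returns True if this failure triggered a lockout."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures[key].clear()


def replay(events, limiter=None):
    """events: (timestamp, ip, username, password_ok). Returns (ts, ip, decision) per event."""
    limiter = limiter or LoginLimiter()
    out = []
    for ts, ip, user, ok in events:
        # Key by source IP *and* by target account: a botnet rotating IPs
        # against one account is caught by the second key.
        keys = (f"ip:{ip}", f"user:{user}")
        if any(limiter.is_locked(k, ts) for k in keys):
            out.append((ts, ip, "blocked"))     # not even checked against the password
            continue
        if ok:
            for k in keys:
                limiter.record_success(k)
            out.append((ts, ip, "allowed"))
        else:
            locked = [limiter.record_failure(k, ts) for k in keys]
            out.append((ts, ip, "locked" if any(locked) else "failed"))
    return out


# Constructed sample: five wrong passwords from one IP in 20 seconds, the
# attacker then trying the right one, the real owner from another IP, and the
# attacker again after the 900 s lockout has expired. Documentation IP ranges.
EVENTS = [
    (1000, "198.51.100.7", "admin", False),
    (1003, "198.51.100.7", "admin", False),
    (1007, "198.51.100.7", "admin", False),
    (1012, "198.51.100.7", "admin", False),
    (1020, "198.51.100.7", "admin", False),   # fifth failure -> lockout
    (1025, "198.51.100.7", "admin", True),    # correct password, still blocked
    (1030, "203.0.113.45", "admin", True),    # owner: the "user:admin" key is locked too
    (2000, "198.51.100.7", "admin", False),   # lockout expired, counting restarts
]

if __name__ == "__main__":
    for ts, ip, decision in replay(EVENTS):
        print(ts, ip, decision)
```

Note the trade-off the replay makes visible: locking the account as well as the IP stops distributed guessing, but it also lets an attacker lock the real owner out (event at 1030). Plugins usually lock hard per IP and only throttle, or notify, per account for that reason; whichever you pick, "blocked" must be decided before the password is even compared, or the attacker still learns which guesses were right.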
Most important: keep WordPress updated
As I have explained, one of the most frequent forms of attack is taking advantage of vulnerabilities in plugins, themes, or WordPress itself. That is why updates come out that correct these weaknesses, and it is extremely important to apply them.
You shouldn't be afraid of updating, if you do it right and don't let updates pile up.
- Never update WordPress the moment the update comes out. Or if you do, make sure you have a backup that you know how to restore. Normally you wait two or three days to discover possible failures or incompatibilities it may cause. Once the grace period has passed, don't think twice. Update.
- If you have several pending plugin updates, don't do them all at once. It is better to go one by one, even if it takes longer. That way, if anything breaks, you will know exactly what caused it and can fix it.
- Also update themes and plugins that you have deactivated: their code is still on the server and can still be reached and exploited. Although I will talk more about this later.
- Always make a backup before updating, just in case.
I get into many websites that still run WordPress 3.9 or similar. Please, let nobody who reads Citizen 2.0 be one of those. Get down to work; it is very simple.
Be especially careful when updating themes, because if you don't use a system based on a child theme, it is easy to lose your changes and customizations when you update. For that, the best thing is to use a setup like Genesis Framework + a child theme. If this is your case and you don't want to change your theme, talk to a professional so they can make you a child theme.
Install an all-in-one plugin
The first thing is to install a plugin that helps us perform several functions. Here I will give you two already-proven choices:
Wordfence Security is the plugin I usually use to protect my installations outside WPEngine, and those of my clients. It is easy to use, and practically from activation you are already protected without having configured anything.
Another option I use for some of my clients is the iThemes Security plugin (formerly known as Better WP Security).
Use only one of them. Although there are people who use both combined, I think that if you don't know what you are doing it can give you more problems than solutions.
Either of them will help you limit login attempts, block bots and attacks, and generally strengthen WordPress security.
Just use the one that appeals to you most.
Let's add an extra layer of security
With the two previous measures, your WordPress is already secure enough. But I like to add an extra measure.
The Sucuri Security plugin scans for malware and quickly notifies you if it has found something, or if your site has been blacklisted.
It also keeps a log of activity in WordPress (logins, etc.), and you can receive these notifications by email.
Warning: don't drown yourself in notifications, because there will come a time when you stop paying attention to them, and then they won't help you improve security. Deactivate the ones you think won't be useful to you.
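One of the things such a scan looks for is the SEO spam mentioned at the start: links hidden from readers but visible to search engines. This added example, written for this article and not Sucuri's scanner, walks a post's HTML with Python's standard parser and reports every link that sits inside an element hidden by inline style (display:none, visibility:hidden, zero font size, zero opacity, or pushed off-screen) or by the HTML hidden attribute. The sample post is constructed.

```python
"""Find links hidden by inline CSS or the hidden attribute: the SEO spam pattern.

Added example for this article, not the Sucuri plugin's code. SAMPLE_POST
is constructed; run find_hidden_links() over your own post_content instead.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
# Elements that never get a closing tag, so they must not touch the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside at least one hidden element
        self.stack = []         # one entry per open element: did it hide content?
        self.findings = []      # hrefs of links that a reader cannot see

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # bare attributes such as `hidden` map to None
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or "")) or "hidden" in a
        if tag in VOID:
            return
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1
        if tag == "a" and self.hidden_depth and a.get("href"):
            self.findings.append(a["href"])

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.stack and self.stack.pop():
            self.hidden_depth -= 1


def find_hidden_links(html):
    """Return the hrefs of all links inside hidden containers, in document order."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample post: a legitimate link plus four injected ones.
SAMPLE_POST = """
<p>My favourite paella recipe, step by step.</p>
<p>See also <a href="https://example.com/rice">my rice guide</a>.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://cheap-pills.example/">buy cheap pills</a>
  <a href="http://casino.example/">online casino</a>
</div>
<span style="display:none"><a href="http://loans.example/">payday loans</a></span>
<p>Photo: <img src="/paella.jpg"> <a href="http://tiny.example/" style="font-size:0">zero size</a></p>
<p style="font-size:0.9em">Small but visible text with <a href="https://example.com/tips">tips</a>.</p>
"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE_POST):
        print("hidden link:", href)
```

Spam injected through a compromised theme or a stolen password usually lives in the database (post content or widgets) rather than in files, so point this at a dump of wp_posts as well as at the theme directory. It will not catch links hidden by an external stylesheet or by JavaScript; that is the part where a scanner that renders the page, as the blacklists do, earns its keep.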
Pillar #5. Nothing is foolproof. Keep a backup handy
Everything can fail. Even if you have the most optimized website in the world.
One day you may delete your entire website yourself.
Or one day you get careless and use a public WiFi, your password is compromised, and they get into your website.
In the end, what you feared has happened. You have lost all your work.
But if you follow a correct backup policy, nothing bad has to happen.
To make the backups you can use the UpdraftPlus plugin. I like it because it is easy to use, it does everything we need, and it allows easy restores.
Keep these tips in mind:
- Backups should always be stored in an external repository, in the cloud, such as Dropbox or similar. It is no use if they stay on your server: if the server is compromised or wiped, the backups go with it.
- Backups must be scheduled and automatic. Whenever you can, schedule them at night.
- It is not necessary to have a daily copy of your files. What can you lose, the latest uploaded images? So you can do it weekly, and keep at least 4 copies (one month of backups).
- The database does change every day (comments, post updates, etc.), so schedule a daily copy and keep at least 7 (one week).
- Finally, a backup is useless if you don't look in the backup folder from time to time and check that the copies are actually being made, that they are up to date, and that you can restore them.
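The retention rules above (7 daily database copies, 4 weekly file copies) and the "check that they can actually be restored" rule, as an added example written for this article. It is not UpdraftPlus code: the file naming scheme, the inventory and the checksum manifest are constructed assumptions. It decides which copies to keep and which to prune, and verifies what is in the remote store against the SHA-256 recorded when each copy was made, so a silently truncated copy is caught before the day you need it.

```python
"""Backup retention plan plus integrity verification against a manifest.

Added example for this article, not the UpdraftPlus plugin's code. The
name format backup_YYYY-MM-DD_{db|files}.tar.gz and the manifest are
constructed; a real manifest would be written next to the copies by the
backup job.
"""
import hashlib
import re
from datetime import date, timedelta

NAME_RE = re.compile(r"^backup_(?P<date>\d{4}-\d{2}-\d{2})_(?P<kind>db|files)\.tar\.gz$")
KEEP = {"db": 7, "files": 4}   # 7 daily database copies, 4 weekly file copies


def plan_retention(names, keep=KEEP):
    """Split backup names into (keep, delete), newest copies kept per kind.

    Anything that does not match our naming scheme is left alone entirely:
    a prune job must never delete files it did not create.
    """
    by_kind = {}
    for n in names:
        m = NAME_RE.match(n)
        if m:
            by_kind.setdefault(m["kind"], []).append((m["date"], n))
    keep_list, delete = [], []
    for kind, entries in by_kind.items():
        entries.sort(reverse=True)          # ISO dates sort chronologically as strings
        limit = keep.get(kind, 0)
        keep_list += [n for _, n in entries[:limit]]
        delete += [n for _, n in entries[limit:]]
    return sorted(keep_list), sorted(delete)


def verify(blobs, manifest):
    """blobs: name -> bytes read back from the remote store.
    manifest: name -> expected sha256 hex recorded when the copy was made.
    Returns the names that are missing or whose content no longer matches."""
    bad = []
    for name, expected in manifest.items():
        data = blobs.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(name)
    return sorted(bad)


# Constructed inventory: 10 daily DB dumps, 6 weekly file archives, one stray file.
TODAY = date(2014, 7, 20)
DB_NAMES = [f"backup_{TODAY - timedelta(days=i)}_db.tar.gz" for i in range(10)]
FILE_NAMES = [f"backup_{TODAY - timedelta(weeks=i)}_files.tar.gz" for i in range(6)]
INVENTORY = DB_NAMES + FILE_NAMES + ["notes.txt"]

# Constructed contents and manifest, then one copy truncated on the remote
# side: the file is listed, looks fine in the folder, and is not restorable.
BLOBS = {n: f"contents of {n}".encode() for n in DB_NAMES + FILE_NAMES}
MANIFEST = {n: hashlib.sha256(b).hexdigest() for n, b in BLOBS.items()}
BLOBS[DB_NAMES[2]] = BLOBS[DB_NAMES[2]][:5]

if __name__ == "__main__":
    keep, delete = plan_retention(INVENTORY)
    print("keep:", keep)
    print("delete:", delete)
    print("corrupt or missing:", verify(BLOBS, MANIFEST))
```

Run the verification from a machine other than the web server, reading the copies from the cloud store, since the point is to prove the off-site copy is usable; and once a month, actually restore one database dump into a scratch database, because a matching checksum proves the bytes survived, not that the dump loads.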
Apart from the scheduled ones, don't forget to make one by hand before updating, or after making major design changes to your website.
Don't worry! The plugin I recommend does everything I have told you here.
In security, if one pillar fails, the house falls
As you see, and surely you have noticed, if one of the pillars fails, everything falls.
- It is useless to have a strong password if a virus on your computer captures it.
- It is useless for your computer to be a fortress if you then don't update WordPress and fix that very serious vulnerability that was found recently.
- It is useless to keep WordPress updated and hardened if they then get in through server vulnerabilities.
- It is useless to have a great server if they can get in via FTP because of a weak password.
It is a vicious circle. Either you reinforce the 4 outer pillars, or there is nothing to be done.
And the fifth comes to the rescue, reinforcing from the center: the backups that are always there to help us get up quickly if we fall.
These are the 5 basic measures I apply on the websites I design, and none has fallen yet. Join the community of bloggers who rest easy knowing that their WordPress is secure.
I have not been able to do a step-by-step with all the instructions.
It is almost 3000 words to explain 5 things you have to keep in mind to avoid being hacked.
That is all you have to apply. And you have linked tutorials with explanations of the tools.
Make them useful. Apply them and sleep peacefully.
Have you had any unpleasant experiences with your website? Do you think knowing this beforehand would have helped you?