“Security is not an add-on, it’s essential”
As web developers, we constantly have to deal with security issues, and since WordPress is one of the most popular CMSs, most of the time the site in question is a WordPress site.
Today I thought I would share some key points for securing your WordPress site. This could be beneficial for both programmers and non-programmers.
- Install SSL: Right after you install WordPress on the server, this should be the first step of your basic setup, before you even install your theme. It not only satisfies Google's current SEO guidelines but also ensures that all communication between your users and the server is encrypted. You can purchase an SSL certificate from many vendors, but always choose a reputable one.
- Securing XML-RPC: In my experience, attacks through the XML remote procedure call (XML-RPC) endpoint are very common in WordPress, so I always prefer to disable it on the server side. Note that if your application really needs the RPC service, make sure you apply other security mechanisms that fit your scenario. If you don't have a programming background, you can contact us as well.
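One server-side way to switch the endpoint off from inside WordPress, added here as an example and not code from the original post: a must-use plugin that uses WordPress's `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` filters. The plugin name and the mu-plugins file location are my choices. Note that `xmlrpc_enabled` only rejects methods that require a login, so the unauthenticated pingback methods are removed separately.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardening example)
 * Description: Drop this file into wp-content/mu-plugins/ to switch XML-RPC off.
 */

// Returning false from xmlrpc_enabled makes every method that needs a login fail,
// which stops credential guessing through system.multicall.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Unauthenticated methods are not covered by the filter above, so drop the
// pingback methods (the ones abused for reflection traffic) as well.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: no X-Pingback response header and no RSD
// <link> in the page head.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

If nothing on the site needs XML-RPC at all (Jetpack and the WordPress mobile apps do), also block `/xmlrpc.php` in the web server, for example `location = /xmlrpc.php { deny all; }` in Nginx, so requests are refused before PHP runs. Either way, verify the result with a logged-out request to the endpoint and confirm the `X-Pingback` header no longer appears on normal page responses.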
- Install the Wordfence Plugin: I really like this plugin because it gives us a lot of functionality for securing the site. The key features I like most are the malware scan, login security, and IP blocking. The login security feature helps you identify brute-force attacks on your site and take appropriate action. Usually we block those IP addresses for some time, but explore the plugin on your own and see which security rules suit you best.
“Nothing is 100% secure if it’s on the internet!”
- Secure the Uploads Directory: In spite of all our efforts to secure a site, we can't prevent every attack, and the uploads directory is the most vulnerable one, because any malicious file can be uploaded there. As an extremely important security step, we must adjust the permissions on this directory and remove the execute permission. Then, even if an attacker manages to upload a malicious file, this step prevents it from being executed; I would highly recommend it.
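The execute permission that matters here is the web server's, not the filesystem bit: a PHP file in a served directory is run by the PHP handler whatever its mode bits, so the rule has to live in the web server configuration. The following must-use plugin is an added example, not code from the post. It rejects uploads whose name contains a script extension anywhere (a double extension such as `photo.php.jpg` passes WordPress's own check on the final extension) and writes a `.htaccess` into the uploads directory with WordPress's `insert_with_markers()`. The plugin name, the marker text and the extension list are my choices.

```php
<?php
/**
 * Plugin Name: Harden uploads directory (example)
 * Description: Drop into wp-content/mu-plugins/. Apache 2.4 syntax in the rules.
 */

// Reject any upload whose name contains a script extension, even in the middle
// of the name. WordPress validates only the last extension, and an Apache
// AddHandler rule can still execute "photo.php.jpg" as PHP.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    if ( preg_match( '/\.(php\d?|phtml|phar|pl|py|cgi|sh)(\.|$)/i', $file['name'] ) ) {
        // A non-numeric string in 'error' makes wp_handle_upload() fail with it.
        $file['error'] = 'Script files are not allowed in the uploads directory.';
    }
    return $file;
} );

// Keep a .htaccess in wp-content/uploads that denies direct access to PHP files.
// insert_with_markers() only rewrites the file when the block has changed.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! function_exists( 'insert_with_markers' ) ) {
        require_once ABSPATH . 'wp-admin/includes/misc.php';
    }
    $upload = wp_upload_dir();
    $path   = trailingslashit( $upload['basedir'] ) . '.htaccess';
    $rules  = array(
        '<FilesMatch "\.(php\d?|phtml|phar)$">',
        '    Require all denied',
        '</FilesMatch>',
    );
    insert_with_markers( $path, 'Uploads hardening example', $rules );
} );
```

The `.htaccess` only takes effect when Apache's `AllowOverride` permits it for that directory; on Apache 2.2 the directive is `Deny from all` instead. On Nginx, which ignores `.htaccess`, the equivalent is a `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` block placed before the PHP handler location. After deploying, test by uploading a harmless file named like `test.php.jpg` through the media library and confirming it is refused, and by requesting an existing `.php` path under the uploads directory and confirming a 403.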
- Install the WPS Hide Plugin: This plugin changes the WordPress login URL. While it doesn't secure the site directly, it greatly reduces brute-force attacks. Normally, if a website is built with WordPress, an attacker knows the admin URL and can plan their activities around it, but once the URL is changed, it becomes much harder for them to do anything from the login screen.
- Implement CAPTCHA: CAPTCHA is very important for preventing spam. While it's important to have it on all forms, I would highly recommend it for the admin login form in particular. Attackers don't run brute-force attacks manually; they set up bots that keep hitting the site at regular intervals, often from several different IP addresses. With CAPTCHA on the form, those bots are stopped before they consume all your bandwidth.
- Login From a Private IP: It can be costly, but if you can afford it, it is wise to block logins from public IP addresses; this solves a lot of security problems. Setting this up requires professional help, so it is not possible to explain it here.
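One way to apply a private-network restriction at the application layer, as an added example that is not from the post: a must-use plugin that stops `wp-login.php` for any client address outside an allowlist, using WordPress's `login_init` action. The `LOGIN_ALLOWED_CIDRS` constant, the `login_ip_in_cidr()` helper and the addresses in the list (RFC 5737 documentation ranges) are constructed for this example; replace them with your office or VPN ranges.

```php
<?php
/**
 * Plugin Name: Restrict wp-login.php to trusted networks (example)
 * Description: Drop into wp-content/mu-plugins/. IPv4 allowlist only.
 */

// Constructed allowlist: an office range and a single VPN egress address.
const LOGIN_ALLOWED_CIDRS = array( '203.0.113.0/24', '198.51.100.7/32' );

// True when the IPv4 address lies inside the CIDR block. Anything that is not
// a valid IPv4 address (including IPv6) is treated as not matching, so it is
// denied rather than accidentally allowed.
function login_ip_in_cidr( string $ip, string $cidr ): bool {
    $parts   = explode( '/', $cidr, 2 );
    $subnet  = $parts[0];
    $bits    = isset( $parts[1] ) ? (int) $parts[1] : 32;
    $ip_long = ip2long( $ip );
    $net     = ip2long( $subnet );
    if ( false === $ip_long || false === $net || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net & $mask );
}

// Runs at the top of wp-login.php, before the form or the POST is handled.
add_action( 'login_init', function () {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the
    // proxy, so the proxy must be configured to pass the real client address
    // (and PHP or the web server to trust only that proxy), otherwise every
    // visitor looks the same and this check is meaningless.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach ( LOGIN_ALLOWED_CIDRS as $cidr ) {
        if ( login_ip_in_cidr( $ip, $cidr ) ) {
            return;
        }
    }
    wp_die(
        'Login is only available from the trusted network.',
        'Forbidden',
        array( 'response' => 403 )
    );
} );
```

This only guards the interactive login page; authentication over XML-RPC and the REST API is separate, so pair it with XML-RPC disabled and application passwords limited to what you use. Keep a way to remove the file over SFTP before enabling it, because a wrong range locks the administrators out too, and check the web server's access log to confirm blocked requests are logged with the expected client address.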
Although we have tried our best to explain some key points for securing your WordPress site, if you still need professional WordPress services, we are here to help you manage and secure your website.