15 June 2020|Hacking, WordPress
WordPress is one of the most popular CMS platforms in use today, powering 34% of all websites. Organisations of all sizes have come to rely on its easy-to-use interface, large theme and plugin ecosystem and general ability to create great-looking websites.
One of the issues that comes with this popularity is the target WordPress sites become for continued and persistent attacks from human and non-human traffic.
It does not take much time at all to search and find examples of large-scale attacks:
- Almost a million WordPress websites targeted in massive campaign
- Hackers are actively exploiting zero-days in several WordPress plugins
Added to this popularity is the fact that the majority of WordPress site administrators are not security experts, nor should they need to be. They should be focusing on their sites, which are often the lifeblood of the business.
A simple search for security plugins in the WordPress plugin directory will return a huge number of plugins to choose from. This landscape can become very confusing very quickly if you are not sure how or why you want to secure your site in the first place.
Brand reputation is everything in the online world. If we are to achieve anything through our websites, consumer confidence built on a secure site should be at the top of the list.
Before we go further, it is a good point to comment that a secure WordPress is a great tool. If secured correctly you will have a great experience using it. Don’t be put off by all of the poor examples making the headlines. Onwards!
Securing your Site – Where do we begin?
The million-dollar question for every WordPress administrator new to security. The list below is quite long, but each item is a well-documented step should the manual route be preferred.
- Run the latest WordPress Core code (and maintain)
- Run an up to date PHP installation (and maintain)
- Host running latest operating system updates and patches (and maintain)
- Use strong usernames and passwords (simple but effective)
- Rename wp-admin
- Secure the filesystem
- Secure xmlrpc.php
- Secure wp-login.php
- Deploy two factor authentication
- Secure sites using IP reputation and IP intelligence
- Detect human and non-human traffic (react to the patterns)
- Secure sites using Geo IP
- Detect and react to unsolicited GET/POST activity
- Alert on unusual access patterns
- Secure contact forms using real time email validation
- Use the latest versions of plugins and themes (and maintain)
- Keep up to date with WordPress security advice
- Always use TLS 1.2/1.3 – goes without saying!
- Harden the database! Often overlooked – the data is a goldmine for attackers
- Disable file editing in the WordPress dashboard
- Only use secure file transfer mechanisms
- Hide your WordPress version
- Prevent scans of your site leaking information
- Take regular backups!
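Several of the items above (hide the WordPress version, secure xmlrpc.php, secure wp-login.php, prevent scans leaking information, alert on unusual access patterns, disable file editing) can be applied with a few lines of WordPress configuration. The following must-use plugin is an added example written for this article, not ThreatPoint code or part of any product; the file location `wp-content/mu-plugins/`, the `tp_example_` function prefix and the generic error message are assumptions, and the `define()` constants are shown as comments because they belong in wp-config.php rather than in a plugin.

```php
<?php
/**
 * Plugin Name: Example WordPress hardening (must-use plugin)
 *
 * Added example, not ThreatPoint's code. Place this file in
 * wp-content/mu-plugins/ (assumed path) so it loads on every request
 * without activation. Constants such as DISALLOW_FILE_EDIT and
 * FORCE_SSL_ADMIN belong in wp-config.php; they are shown here as comments:
 *
 *   define( 'DISALLOW_FILE_EDIT', true ); // no theme/plugin editor in the dashboard
 *   define( 'FORCE_SSL_ADMIN', true );    // wp-admin and wp-login.php over TLS only
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// 1. Hide the WordPress version: drop the <meta name="generator"> tag and the
//    "?ver=" query string that leaks the core version on every asset URL.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function tp_example_strip_version_query( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'style_loader_src', 'tp_example_strip_version_query' );
add_filter( 'script_loader_src', 'tp_example_strip_version_query' );

// 2. Secure xmlrpc.php: disable XML-RPC unless a client (mobile app, Jetpack)
//    genuinely needs it, and remove the X-Pingback header that advertises it.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Secure wp-login.php: return one generic message so a failed login does
//    not reveal whether the username or the password was the wrong part.
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your details and try again.';
} );

// 4. Prevent scans leaking information: stop anonymous REST API requests from
//    listing user accounts under /wp/v2/users. Logged-in users keep access.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 5. Alert on unusual access patterns: write every failed login to the PHP
//    error log so a log monitor (fail2ban, a SIEM) can react to bursts.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wp_login_failed user=%s ip=%s', sanitize_user( $username ), $ip ) );
} );
```

After deploying, check the result from the outside: the page source should contain no generator tag or `?ver=` parameters, a request to `/xmlrpc.php` should be refused, `/wp-json/wp/v2/users` should return a 404 for an anonymous visitor, and a deliberately wrong password on wp-login.php should produce the generic message while a `wp_login_failed` line appears in the PHP error log.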
As the list above shows, there is a lot to consider. As a WordPress site administrator, it may be that a number of these are not areas you have experience in, and it can be daunting to put some of the changes into practice.
One of the problems with the above is expecting plugins to solve all of the issues. Ok, you install a security plugin and expect it to protect your site. How do you know it is functioning? How do you know the site is not still exposed? We have seen time and time again sites using well-known plugins suffer from exposures caused by other issues that remain unsecured. It's one thing to detect security issues; it's another to react and mitigate.
With that in mind, many hosting providers now offer to secure and maintain your WordPress sites for you as part of the hosting contract. This can provide huge peace of mind for an administrator or site creator, allowing them time to focus on what matters to them: a great-looking and well-functioning website.
For the simple reason that the security landscape changes and evolves at such a pace, it makes sense to engage with security experts who constantly monitor and adapt the protection and methods used as the landscape changes.
The ThreatPoint security team provides secure WordPress hosting and will take care of all the security aspects so you can focus on your business. Best-practice approaches are taken alongside the wishes of the customer to provide the most secure and performant website.
Once the website is up, running and secure, the daily tasks of maintaining the security and stability of the site can also be trusted to the ThreatPoint team: the daily watering and feeding that keeps the site secure and available.
If securing your WordPress site is not your thing, leave it to the experts as part of the WordPress hosting offering provided by ThreatPoint UK.
Our hosting packages are very favourable, providing HTTP/2 environments with dedicated hardware for optimum performance.
For more details email email@example.com
We look forward to hearing from you.
For some nice WordPress stats, look at the link below, which illustrates success stories and just how popular WordPress is!