Advanced Website Security

Over the last couple of weeks we have been taking a deeper dive into website security.  If you have been using our articles to improve the security of your website, we are gratified.

Today we are adding some advanced security techniques to your defensive arsenal.  Many of these solutions are specific to WordPress websites, but some apply more globally.  A few of these ideas may require outside professional help to implement, but if your business relies on your website, they are probably worth the extra expense.

  • Google Search Console – Formerly known as Google Webmaster Tools, this is a free Google service that you may already be subscribed to.  If SEO and page rank are important to you, or if you are using AdSense or AdWords, you should be using the Search Console too.  Log on to your Google account, navigate to Search Console, and update your site information.  Create a new listing if necessary.  Among other things, Google will notify you if they detect malicious activity on your website.
  • WordPress security keys – You can use a plugin like Salt Shaker to change your WordPress security keys, or generate your own keys at WordPress.org.  Make sure to modify your wp-config.php file with the new key information.
  • Use .htaccess – Create your own .htaccess file or use a plugin, making sure to protect the WP admin area, password-protect the WP admin folder, disable directory browsing, disable PHP execution in certain directories, and protect your wp-config.php file.
  • Disable XML-RPC – Delete the xmlrpc.php file to remove an avenue for password-guessing attacks.
  • Disable PHP error reporting – PHP error reporting is used by developers for debugging.  But showing PHP errors to site visitors can reveal version information and possibly exploitable code.  Turn it off in the php.ini or wp-config.php file.
  • Use HTTPS – By July Google will begin telling Chrome web browser users that HTTP sites are insecure.  Adding a security certificate to your site to encrypt communications between your site and your site visitors is becoming an industry standard.  Costs have dropped, and free certificates are available from Let’s Encrypt.
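As an added example (not from the original post or any plugin), here is what the .htaccess, XML-RPC and PHP error items above look like when written by hand for a WordPress site on Apache 2.4. It assumes AllowOverride is enabled for the site, that PHP runs as mod_php (the php_flag line is ignored under PHP-FPM, where display_errors belongs in php.ini), and the .htpasswd path is a placeholder; the xmlrpc.php section denies requests to the file as an alternative to deleting it, which keeps it restorable if a plugin turns out to need it.

```apache
# --- /.htaccess (WordPress root) ---
# Assumes Apache 2.4 syntax (Require) and AllowOverride All for this directory.

# Block direct requests to wp-config.php and to .htaccess/.htpasswd files
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Disable directory browsing
Options -Indexes

# Deny xmlrpc.php instead of deleting it (closes the same password-guessing path)
<Files "xmlrpc.php">
    Require all denied
</Files>

# Hide PHP errors from visitors (mod_php only; the module is mod_php7.c on PHP 7,
# and with PHP-FPM you set display_errors = Off in php.ini instead)
<IfModule mod_php.c>
    php_flag display_errors Off
</IfModule>

# --- /wp-content/uploads/.htaccess ---
# Uploaded files should never execute as PHP; deny any PHP-like filename here
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>

# --- /wp-admin/.htaccess ---
# Second password layer in front of the WordPress admin area.
# AuthUserFile is a placeholder path; create the file with: htpasswd -c <file> <user>
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# admin-ajax.php must stay reachable, or front-end features of plugins/themes break
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After adding each file, request wp-config.php, xmlrpc.php and a .php URL under wp-content/uploads in a browser and confirm all three return 403, then check that the site's AJAX-driven features still work while logged out.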

Many of these items have lengthy and detailed procedures, and I have included links to the details below.  Our next post looks at how to clean a site that has been infected or compromised, and wraps up this series.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
