Advanced Website Security

Over the last couple of weeks we have been taking a deeper dive into website security.  If you have been using our articles to improve the security of your website, we are gratified.

Today we are adding some advanced security techniques to your defensive arsenal.  Many of these solutions are specific to WordPress websites, but there are some that apply more globally.  Some of these ideas may require some outside professional help to implement, but if your business relies on your website, they are probably worth the extra expense.

  • Google Search Console – Formerly known as Google Webmaster Tools, this is a free Google service that you may already be subscribed to.  If SEO and page rank are important to you, or if you are using AdSense or AdWords, you should be using the Search Console too.  Log on to your Google account, navigate to Search Console, and update your site information.  Create a new listing if necessary.  Among other things, Google will notify you if they detect malicious activity on your website.
  • WordPress security keys – You can use a plugin like Salt Shaker to change your WordPress security keys, or generate your own keys at  Make sure to modify your wp-config.php file with the new key information.
  • Use .htaccess – Create your own .htaccess file or use a plugin, making sure to protect the WP admin area, password protect the WP admin folder, disable directory browsing, disable PHP execution in certain directories, and protect your wp-config.php file.
  • Disable XML-RPC – Delete the xmlrpc.php file to remove an avenue for password-guessing attacks.
  • Disable PHP error reporting – PHP error reporting is used by developers for debugging, but showing PHP errors to site visitors can reveal version information and possibly exploitable code.  Turn it off in the php.ini or wp-config.php file.
  • Use HTTPS – By July Google will begin telling Chrome web browser users that HTTP sites are insecure.  Adding a security certificate to your site to encrypt communications between your site and your site visitors is becoming an industry standard.  Costs have dropped, and free certificates are available from Let’s Encrypt.
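
The .htaccess items in the list above, written out as an added example (not taken from the original post or from any plugin). It assumes Apache 2.4 with AllowOverride enabled for these directives; the AuthUserFile path is a placeholder, and the three sections belong in three separate .htaccess files as the comments indicate.

```apache
# ---- File 1: .htaccess in the WordPress root ----

# Disable directory browsing: no auto-generated file listings
Options -Indexes

# Protect wp-config.php (database credentials and security keys)
<Files "wp-config.php">
    Require all denied
</Files>

# Alternative to deleting xmlrpc.php: deny all requests to it.
# A WordPress core update can restore a deleted file; this rule persists.
<Files "xmlrpc.php">
    Require all denied
</Files>

# ---- File 2: wp-content/uploads/.htaccess ----

# Disable PHP execution in the uploads directory: requests for .php
# files here are refused, so an uploaded script cannot be run by URL.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# ---- File 3: wp-admin/.htaccess ----

# Password protect the WP admin folder with HTTP Basic authentication,
# in addition to the normal WordPress login.
# Create the password file with: htpasswd -c /path/outside/webroot/.htpasswd <user>
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Front-end features of themes and plugins call admin-ajax.php,
# so leave that one file reachable without the extra password.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic authentication sends the password with every request, so use the wp-admin rule only on a site that is already served over HTTPS.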

Many of these items have lengthy and detailed procedures, and I have included links to the details below.  Our next post looks at how to clean a site that has been infected or compromised, and wraps up this series.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
