Secure Your Website Against Attack

In earlier articles in our website security series we explained how and why your website is an attractive target for cyber-criminals and other bad actors.  Today we give you specific actions to take to secure your WordPress website.  Most of this advice applies to other platforms too, such as Joomla or Drupal.

  • Secure your staff – Start with securing the people who have administrative, developmental, or editorial access to the website.  Make sure they are using passwords that are long enough to be secure (12 characters or more) and that are not reused on other sites.  Provide cybersecurity awareness training for these people, focusing on phishing, account hijacking, and password handling.
  • Secure local systems – Check that the computers used by the website team are clean.  Run a high-quality anti-malware scanner, such as Malwarebytes, to make sure the workstations used to design and administer the site are free of keyloggers, remote access Trojans, and other malware.  A compromised workstation leaks every password and login session typed on it, which nullifies the effectiveness of the security steps that follow.
  • Secure user accounts – If the site still has a user named “admin”, create a new administrator account with a non-obvious username, then delete the “admin” user and attribute its content to the new account (WordPress offers that option when you delete a user).  Enforce a minimum 12-character password for anyone with access to the website, cPanel, or hosting account.  Use a lower-privilege role, such as Editor, Author, or Contributor, any time administrator privileges are not required.
  • Two-factor authentication – Set up 2FA with a plugin such as miniOrange 2 Factor Authentication.  miniOrange offers many authentication methods including phone call, SMS, email verification, QR code, push, soft token, Google Authenticator, Authy, and security questions (KBA).  Prefer an authenticator app or push notification: SMS, email verification, and security questions are the easiest of these for an attacker to intercept or guess.
  • WordPress security basics – Let WordPress core, your plugins, and your themes update automatically.  Delete, rather than merely deactivate, plugins and themes you aren’t using; files that stay on the server can still contain exploitable code.  Block pingbacks and trackbacks.
  • Backup – Add a backup plugin to your website so you have a recent copy to restore in case your site is compromised, and keep the backups somewhere other than the web server itself, so that an attacker who compromises the site cannot destroy them too.  We like UpdraftPlus or BackupWordPress.
  • Security logs – Add a security event logging plugin, such as WP Security Audit Log, so that after an incident you can see who changed what, and when.
  • Security plugin – Install a security plugin.  We have worked with Wordfence Security, Sucuri, and BulletProof Security.  Sucuri has versions for Joomla, Drupal, and other platforms.  Be sure to limit login attempts to thwart brute-force attacks.  If you are using your website in business, pay for the premium level of protection, because…
  • Web application firewall – …when you go premium, you get the WAF included.  Depending on the product, the WAF is either a cloud proxy that sits in front of your site (Sucuri) or a filter that runs inside WordPress on every request (Wordfence); either way it inspects traffic between visitors and your site and blocks requests that match known attack patterns, including SQL injection, cross-site scripting (XSS), directory traversal, and similar attacks.  If you use a proxy WAF, also restrict your hosting account so the web server accepts traffic only from the WAF’s addresses; otherwise an attacker who discovers your server’s real IP address can simply go around it.
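Several items on this checklist (the 12-character minimum, limiting login attempts, blocking pingbacks and trackbacks, and automatic updates) can be enforced in code rather than relied on as policy, which is handy when you look after more than one site.  The must-use plugin below is an added example written for this article; it is not code from the original post or from any of the plugins named above.  It assumes WordPress 5.5 or later, a single-site install, and that the web server reports the visitor’s real address in REMOTE_ADDR.  The function names, constants, and the 5-failures / 15-minute lockout are illustrative choices, not values the post prescribes.

```php
<?php
/**
 * Plugin Name: Hardening Checklist (added example)
 *
 * Copy this file into wp-content/mu-plugins/ ; must-use plugins load on
 * every request with no activation step.  Assumptions (not from the post):
 * WordPress 5.5+, a single site, and that $_SERVER['REMOTE_ADDR'] is the
 * real visitor address.  Behind a proxy or cloud WAF it is the proxy's
 * address instead, so the lockout in section 2 would lock out every
 * visitor at once; read the client IP from the header your proxy sets
 * before relying on it.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse to run outside WordPress.
}

/* 1. Minimum 12-character passwords on profile edits and password resets. */

const HARDEN_MIN_PASSWORD_LENGTH = 12;

function harden_check_password_length( $errors ) {
    // Both hooks below receive the candidate password in $_POST['pass1'].
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    // strlen() counts bytes, so multibyte passwords can only be over-counted,
    // never let through short.
    if ( '' !== $pass && strlen( $pass ) < HARDEN_MIN_PASSWORD_LENGTH ) {
        // Adding an error to the WP_Error object aborts the save.
        $errors->add( 'password_too_short',
            sprintf( 'Passwords must be at least %d characters.', HARDEN_MIN_PASSWORD_LENGTH ) );
    }
}
add_action( 'user_profile_update_errors', 'harden_check_password_length' );
add_action( 'validate_password_reset',    'harden_check_password_length' );

/* 2. Throttle failed logins per source IP.  wp-login.php, XML-RPC and the
 *    REST API all pass through wp_authenticate(), so one hook covers them. */

const HARDEN_MAX_FAILURES = 5;       // failures allowed ...
const HARDEN_LOCKOUT_SECS = 15 * 60; // ... before a 15-minute lockout

function harden_failure_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'harden_login_fail_' . md5( $ip );
}

// Count each failure.  The transient expires by itself after the window,
// and every new failure restarts that window.
add_action( 'wp_login_failed', function () {
    $key = harden_failure_key();
    set_transient( $key, (int) get_transient( $key ) + 1, HARDEN_LOCKOUT_SECS );
} );

// Priority 30 runs after core's own credential checks at priority 20, so a
// correct password from a locked-out address is refused as well.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_failure_key() ) >= HARDEN_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Try again in 15 minutes.' );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( harden_failure_key() );
} );

/* 3. Block pingbacks and trackbacks. */

add_filter( 'pings_open', '__return_false' );          // every post, old or new
add_filter( 'xmlrpc_methods', function ( $methods ) {  // remove the XML-RPC entry point
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {      // stop advertising it
    unset( $headers['X-Pingback'] );
    return $headers;
} );

/* 4. Let plugins, themes and major core releases update automatically. */

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```

This does not replace the security plugins above.  It covers only the four items listed, leaves 2FA and backups to the plugins named in the checklist, and a per-address counter is bypassed by an attacker who rotates source addresses, which is one reason the post still recommends a WAF.  The counter is stored in WordPress transients, so on a site with a persistent object cache the lockout state is shared by every web server behind the same cache.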

This gives you a good start on properly securing your website against attack.  Our next post will cover some additional advanced security procedures.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
