Secure Your Website Against Attack

If you have been following our series of articles on website security, we have shared information about how and why your website is an attractive target for cyber-criminals and other bad actors.  Today we will give you some specific actions to take to secure your WordPress website.  This information can be used on other types of websites too, such as Joomla or Drupal.

  • Secure your staff – Start with securing the people who have administrative, developmental, or editorial access to the website.  Make sure they are using passwords that are long enough to be secure, 12 characters or more.  Provide some cybersecurity awareness training for these people focusing on the areas of phishing, account hijacking, and passwords.
  • Secure local systems – Check the cleanliness of the computers used by the web site team.  Use a high quality anti-malware scanner, such as Malwarebytes, to make sure your design systems are free of key-loggers, remote access Trojans, and other malware.  If these systems are infected, this will nullify the effectiveness of the security steps that follow.
  • Secure User Accounts – Replace the built-in admin account with a different administrative account, and disable the default admin account.  Enforce minimum 12 character password requirements for anyone with access to the website, cPanel, or hosting account.  Use accounts with lower privileges, such as the Editor or Contributor account type any time admin privileges are not required.
  • Two-factor authentication – Set up 2FA with a plugin such as miniOrange 2 Factor Authentication.  miniOrange offers many authentication methods including phone call, SMS, email verification, QR code, push, soft token, Google Authenticator, Authy, and security questions (KBA).
  • WordPress security basics – Make sure to allow WordPress and your plugins and themes to update automatically.  Delete plugins and themes you aren’t using.  Block pingbacks and trackbacks.
  • Backup – Add a backup plugin to your website so you have a recent copy to restore in case your site is compromised.  We like Updraft Plus or BackupWordPress.
  • Security logs – Add a security event logging plugin, such as WP Security Audit Log.
  • Security plugin – Install a security plugin.  We have worked with WordFence Security, Sucuri, and Bulletproof Security.  Securi has versions for Joomla, Drupal, and other platforms.  Be sure to limit logon attempts to thwart brute-force attacks. If you are using your website in business, pay for the premium level of protection, because…
  • Web application firewall – …when you go premium, you get the WAF included.  This is a proxy service that vets your incoming and outgoing traffic and blocks malicious connections. It also protects against SQL injection, XXS, directory traversal, and other similar attacks.

This gives you a good start on properly securing your website against attack.  Our next post will cover some additional advanced security procedures.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.