If you have been following our series of articles on website security, we have shared information about how and why your website is an attractive target for cyber-criminals and other bad actors. Today we will give you some specific actions to take to secure your WordPress website. This information can be used on other types of websites too, such as Joomla or Drupal.
- Secure your staff – Start with securing the people who have administrative, developmental, or editorial access to the website. Make sure they are using passwords that are long enough to be secure, 12 characters or more. Provide some cybersecurity awareness training for these people focusing on the areas of phishing, account hijacking, and passwords.
- Secure local systems – Check the cleanliness of the computers used by the web site team. Use a high quality anti-malware scanner, such as Malwarebytes, to make sure your design systems are free of key-loggers, remote access Trojans, and other malware. If these systems are infected, this will nullify the effectiveness of the security steps that follow.
- Secure User Accounts – Replace the built-in admin account with a different administrative account, and disable the default admin account. Enforce minimum 12 character password requirements for anyone with access to the website, cPanel, or hosting account. Use accounts with lower privileges, such as the Editor or Contributor account type any time admin privileges are not required.
- Two-factor authentication – Set up 2FA with a plugin such as miniOrange 2 Factor Authentication. miniOrange offers many authentication methods including phone call, SMS, email verification, QR code, push, soft token, Google Authenticator, Authy, and security questions (KBA).
- WordPress security basics – Make sure to allow WordPress and your plugins and themes to update automatically. Delete plugins and themes you aren’t using. Block pingbacks and trackbacks.
- Backup – Add a backup plugin to your website so you have a recent copy to restore in case your site is compromised. We like Updraft Plus or BackupWordPress.
- Security logs – Add a security event logging plugin, such as WP Security Audit Log.
- Security plugin – Install a security plugin. We have worked with WordFence Security, Sucuri, and Bulletproof Security. Securi has versions for Joomla, Drupal, and other platforms. Be sure to limit logon attempts to thwart brute-force attacks. If you are using your website in business, pay for the premium level of protection, because…
- Web application firewall – …when you go premium, you get the WAF included. This is a proxy service that vets your incoming and outgoing traffic and blocks malicious connections. It also protects against SQL injection, XXS, directory traversal, and other similar attacks.
This gives you a good start on properly securing your website against attack. Our next post will cover some additional advanced security procedures.
Share
23
APR
APR
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com