How to maintain a security routine on your WordPress site

On another occasion, we wrote here at RD’s blog about the advantages and features of WordPress . And while there is no doubt that this CMS has brought much convenience to its users, there are also problems – especially with regard to security.

Not that WordPress is an insecure platform – in fact, it has many possibilities for prevention, which can be used in mere clicks.

But before we enter the actions you should take to ensure the security of your site, it is interesting to understand what makes WordPress is more frequent way to the target of attacks than other CMS on the web.

Therefore, it is good to know that “27% of the internet works with WordPress.” This number makes it the most popular CMS in the market.

Of course, hackers aim to infect as many environments as possible, so look for security holes in WordPress, since, to infect a website, will naturally infect many others that also contain the security hole found.

In this article, we present some of the dangers to which we are exposed, as well as actions needed to ensure the security of online environments.

What are the main types of attacks on websites in WordPress?

When a WordPress site is attacked, there are several possible entry points. Check out the most common forms of attack:

• Login page: this is the most common form of attack on WordPress. This is where occur the attacks known as “brute force” where robots or bots try to guess the site password repeating several possible combinations. All this happens in the WordPress login session;
• PHP code on your site: this is the second most common form of attack on WordPress. In it, cyber criminals try to exploit vulnerabilities in PHP code running on your site. This includes any visible flaw in the core WordPress code, as well as its themes, plugins and any other application that is run by the CMS;
• Climbing privileges: another popular form of hacking sites is making an unprivileged user account, through sites-enabled user registry. Using any software flaw, the hacker can get a higher level of access as ‘admin’ and master access;
• Old or outdated applications: an attacker can also search other applications of older and outdated web, that are integrated into your site as a gateway. If they can access through these applications may change your WordPress files and infect your site, even if you have kept your WordPress installation itself safe.

These are just four forms of attacks, a large list of possibilities.

But that does not mean you have to abandon WordPress. The most important is to stay well informed and protect yourself by applying the tips below.

6 steps to maintain a secure site in WordPress

1. Security of two factors at login

We all work with many online accounts, whether they are communication tools, project management or organizations. The probability of using the same password across multiple environments is great.

Even if it is not the case, as we have seen, brute force attacks are the most common in WordPress. Therefore, hinder unauthorized access to the page is a great way to protect yourself.

The two-step verification involves checking your login from another element, using your mobile phone for example, in addition to your password.

Ideally, this authentication is done through an application installed on your smartphone, or any other extra device to being used to login. This factor authentication adds an extra layer of protection by preventing access to the account by hackers or bots.

One tip is to install the plugin Google Authenticator – Two Factor Authentication and use secure access to two factors in your WordPress site.

2. Update ever day of core installation, plugins and theme

This is a very simple tip: just keep your website up to date with everything, absolutely everything on time.

Both plugins and themes as the core WordPress installation should not become outdated because in this situation they become one of the main factors of vulnerability to hacker attacks.

In the CMS control panel you will find alerts that warn of the need for updates. Thus, with a simple click, you can keep the “home day.”

3. Host Security

When choosing your hosting , consider the care that the host shows about security.

A caution example of the part of the host, which can prevent a lot of customer headache, is blocking access to the administrative area of ​​WordPress (/ wp-admin) from international IPs. This blockage ends up being very useful because many attacks on WordPress sites are started international IPs.

Other benefits of security that your hosting provider should offer are: antivirus, antispam, monitoring, protection against attacks, daily backups and automatic updates.

4. Strong Password: especially important for the hosting environment

This tip is valid especially for those who host their websites on shared environment. By using a weak password to the server, it puts at risk not only the site itself, but also of other users.

Aiming at safety, the composition of FTP access passwords should keep the following pattern:

• Contain at least 6 characters;
• Contain at least one letter;
• Contain at least one number;
• You can not begin or end with special characters;
• It may not contain user or domain name;
• You may not appear on lists of known passwords available on the Internet, as they are considered weak / frequently-used passwords;
• You should preferably have special characters available: @ ^? ~ *. # $! – = & () _.

5. Google Search Console Installation

The Google Search Console is a Google tool that can help in many ways. One is the prevention to hacker attacks.

To ensure access, make an account with an email address that does not belong to your site’s domain. The reason is very simple: if your access is hacked and if the e-mail is the same as the domain associated with the account cybercriminals can disable the alert sent via email.

Pay attention to the email alerts you receive from Google Webmaster Tools and check regularly on the panel the situation of your pages.

6. Installation of security plugins

In WordPress you basically find 4 classes of security plugins :

• audit;
• hardening (hardening);
• scanning;
• recovery.

Audit plugins provide logs and alerts to any routine and irregular behavior in the access to your site or files.

Meanwhile, hardening plugins provide tips and automated tools that block your instances of WordPress attacks.

The malware scan (scan) is like a virus: it offers the ability to find hacks and vulnerabilities before they cause any damage to your site.

As for the repair or recover plugins provide scripts that remove or reverse the results of invasions. It’s worth installing at least one plug of each of these classes.

Below we indicate four security plugins for WordPress:

• Sucuri Security : protects your site against the DOS type attacks, day zero vulnerability, brute force attacks and other attempts. It also keeps the log of all activities, keeping these records safe in the cloud. Thus, if an attacker is able to bypass the security controls, your security logs will be available on site Sucuri ;
• iThemes Security : scans the entire site and try to find potential vulnerabilities. It also prevents brute force attacks and prohibits access to come from IP addresses known for trying to brute force. It forces users to use strong passwords. In addition, it integrates Google reCAPTCHA to prevent spam comments;
• Wordfence : locks the brute force attack and can add two – factor authentication via SMS. Through it, you can block traffic from a specific country. It also includes a firewall to block fake traffic, botnet and scanners, and sweep your hosting, preventing malware attacks. If the plugin finds something strange, immediately sends a notification to the registered email. It also checks posts and comments to find malicious code. To complete, integrated Google reCAPTCHA to prevent spam comments on your site.
• BulletProof Security : this plugin limit login attempts, blocking bots that benefit from the use of weak passwords, for example. It checks the code WordPress core files, themes and plugins. If any infection happens, it immediately notifies the administrator user. In addition to increasing security, optimizes the performance of your site by adding cache to navigation.

To benefit your site, it is very important to keep updated plugins. New vulnerabilities are discovered every day by the developers responsible for plugins and the only way to benefit from these findings is performing the update plugin.

Conclusion

To recap, here are some important rules that must be observed to keep your site safe:

• Use strong passwords for all user accounts, both for access to the panel of your hosting and to the access panel to the WordPress;
• Install the two-factor authentication on your WordPress dashboard;
• Install Google Search Console and check periodically;
• Install security plugins;
• Keep the core WordPress installation, its themes and plugins up to date;
• Use a system of detection and prevention of interference Wordfence as to have an extra layer of security;
• Remove all web applications that are not being used and therefore are not being kept;
• Have SSL enabled in the field .

The popularity that this CMS has a safety routine ends up being very important to WordPress.

Despite the need for special care, this software delivers so much convenience in the daily lives of those who need a flexible environment that ends up being worth every effort. The use of the services themselves, as a specialized hosting on WordPress , streamline and facilitate this care to safety.

We hope this article has served as an introduction to start the routine of security that is indispensable for WordPress users. If you want to know more content on the CMS, follow the KingHost blog .