Protecting Content Management Systems (CMS) installed on a hosting server is crucial in today’s ever-growing world wide web, but how to I protect my WordPress website on a tight budget?
There are tons of options available on this front, but it can be overwhelming to make the right decision in website protection that fits into your budget. In this article, however, we’ll be covering the basics of efficiently securing your WordPress website at no cost.
Malware & Vulnerability Scanners
Finding the right scanner for your website can seem a bit overwhelming at first given how many options are available. In one of our recent articles, we discuss how to choose a Security Plugin that’s right for your website. The bells and whistles for scanners that are available on the web will vary, so it should deem beneficial in covering the basics first. You should at least schedule regular scans to complete and alert you of any suspicious behavior.
With our free WordPress scanner, for example, you’ll be able to schedule a specific timeframe these scanners run. Consider how much resources these scans are also producing.
In regards to vulnerability scans, it’s important to ensure a scanner has optimal detection in regards to outdated themes, plugins, and software. Ensuring updates occur regularly is crucial for website security. Updating a plugin may cause issues to a site if not locally tested first.
However, creating backups will be helpful in case anything goes south.
Login Protection
Protecting your administrator login panel remains imperative for any website. First-time website users’ first mistake is utilizing the same weak passwords across multiple platforms. Sure it’s simple to remember, but let’s say one of those many sites you registered under has an infamous data breach. Your password is now released into the wild for any hacker to obtain.
Strong generated passwords will help curb the risks of one of these hackers from using these weaker, reoccurring passwords, ultimately preventing any risks of phishing campaigns, spoofing, social engineering, etc. Keeping track of a bunch of generated passwords can be tedious to do by hand.
Installing a password manager and storing the master key somewhere safe & private will be your best friend, however.
Setting up IP addresses under allowlists/blocklists for your login panel will help prevent questionable IPs from accessing your administrator dashboard. The administrator dashboard by default is /wp-admin however, which hackers will usually attempt to Brute Force into first. Changing your WordPress login URL to something more specific to your brand will help avoid these attempts.
Depending on the level of privileges of the WordPress user, adding 2FA to these accounts will ensure nobody is attempting to log in under their identity. Adding security questions is helpful too. The primary administrator shouldn’t use “admin” as the username by default because hackers will usually predict this when Brute Force attacks occur.
Limiting login attempts helps prevent these attacks as well. Ensure additional users only need the privileges absolutely necessary, and remove any unused ones.
Configuring a CAPTCHA for sections on the site that include forms and login panels will ensure bots aren’t injecting malicious code. Make sure any CAPTCHA plugins installed are reliable and trustworthy however, like any other plugin, theme, or extension.
Keeping a backup prior to installing these additional things is helpful too of course. Make sure these installations are kept to a minimum though, you don’t want to use up too many resources which can slow down a site exponentially.
SSL Certificates
Protecting data that’s in transit to your site remains imperative for any ecommerce site. Installing an SSL certificate can be quite simple actually, as we provide the steps in our post How to Add SSL & Move WordPress from HTTP to HTTPS. In fact, an SSL certificate has been so crucial in today’s online environment that a site’s SEO ranking can be impacted by solely using HTTP instead.
Monitoring User Activity
Regularly keeping tabs on user activity on your website is important, and there’s plenty of free options out there that will do this for you and send alerts of anything found suspicious. Of course monitoring is only the initial step. If you’re noticing malicious traffic come through that’s associated with a Distributed Denial of Service (DDoS) or Brute Force Attack, it’s highly recommended you invest in a firewall protection service.
Hosting Revisions
We’ve now covered the basis of scanning the site, protecting the login section, ensuring data transmitted is encrypted, and monitoring user activity. Although there’s still tweaks on the back-end that can be made. Here’s a list of some of the following revisions recommended:
- Avoid vulnerable JS libraries
- Disable PHP Reporting
- Turn off File Editing
- Limit access to .htaccess
- Revise wp_ prefix in database
- Disable XML-RPC
- Conceal WordPress version
- Manage File perms
- Disable Directory Indexing and Browsing
In Conclusion
These suggestions and tips provided should hopefully give you a better, overall insight into the basics of website security, before digging into your wallet. It’s important to remember, nothing is 100% secure. Zero day exploits pop up from time to time, but remaining on top of any bug fixes and alerts that come through will be useful.
You can also check out our guide on basic WordPress hardening for some more options to secure your website, free of charge!
If you’re currently experiencing an attack needing to be remediated however, please don’t hesitate to have us take care of it for you.
Sucuri Malware Research Team
Juliana Lewis
Krasimir Konov
Bruno Zanelato
Luke Leal
Estevao Avillez
Rodrigo Escobar
Stephen Johnston