Have you heard about the latest website breach? Yes, of course you have, but I won’t describe it – doing so would quickly date this article. Hacks, malware, DDoS attacks and online crime in general seem like an epidemic, and everyone from the European Central Bank to your local mom n’ pop shop has been victimized. As a site owner this fact likely makes you cringe — it makes us cringe, too. But there’s no real need to fear if you are prepared.
As the most popular platform on the Internet, WordPress is not immune to hacks; its popularity makes it a popular target, in fact. The flip side? There is a huge demand for products and services to protect WordPress — and a community of developers who meet this demand. As a result, the platform is constantly evolving to close vulnerabilities and address threats; it has become the easiest CMS to harden against hackers.
You can follow a few steps to protect your online investment.
Make sure that you always have a recent backup of your site on hand, and that you know how to use it to restore your site. Not only does this allow you to recover your site should it become infected with malware, it also allows you to recover should the site fail during a software update or a server failure. Several popular and effective backup plugins are available that create backups automatically on a schedule that you define. The backups can be stored either on your local server (and manually downloaded) or sent to a remote location such as Dropbox.
Now that you have a reliable backup of your website on hand, it’s time to update your website’s software. This is likely the most important part of WordPress site security; whenever a vulnerability or bug is discovered, or when a feature is developed or refined, an updated version of the software is introduced. These changes are announced to site owners in the form of update alerts on their dashboard, and installing them is an easy matter. This is the easiest way to take advantage of the work of WordPress developers interested in keeping your site safe and secure.
WordPress security software packages, such as Wordfence, offer a number of ways to manage your site’s safety, including:
- Blocking and rate limiting. If a site visitor’s behaviour on your site looks suspicious (that is, if they cause too many 404 errors or try to log in with the wrong password too many times), Wordfence can either block them or limit their access to the site. It can also block malicious IP addresses, or entire countries, from your site.
- Two-factor authentication. Wordfence can require administrators to enter two passwords, or to be at a certain IP address, to sign in.
- Site scan and monitoring. Wordfence can monitor changes to files on your site and notify you about suspicious file changes, and periodically scan your site to compare your WordPress and plugin files against official copies stored on WordPress servers.
- Sign in notifications. Wordfence can notify you when an administrator signs in to your site.
This is just a partial list of available features. Wordfence’s basic features are free, but it offers a premium version on an annual license that offers a range of benefits. Check out Wordfence’s listing for more details!
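As an added illustration of the blocking and rate-limiting idea in the list above (example code written for this article, not Wordfence’s own logic), the script below scans constructed web-server log lines for two of the signals mentioned: repeated failed logins and bursts of 404s from one IP within a short window. The thresholds, the 60-second window and the assumption that a failed WordPress login shows up as a POST to wp-login.php answered with HTTP 200 (a successful one redirects with 302) are the example’s own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (Apache/nginx default); the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
WINDOW_SECONDS = 60     # assumed sliding window
MAX_FAILED_LOGINS = 5   # assumed: POST /wp-login.php answered 200 = form re-rendered = failed login
MAX_NOT_FOUND = 10      # assumed: this many 404s in the window suggests path scanning

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def classify(method, path, status):
    if method == "POST" and path.startswith("/wp-login.php") and status == 200:
        return "failed_login"
    if status == 404:
        return "not_found"
    return None  # ordinary traffic is not counted

def find_offenders(lines):
    """Return {ip: reason} for IPs that exceed a threshold inside the sliding window."""
    events = defaultdict(lambda: defaultdict(deque))  # ip -> kind -> recent timestamps
    offenders = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        kind = classify(method, path, status)
        if kind is None:
            continue
        q = events[ip][kind]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:  # drop events outside the window
            q.popleft()
        limit = MAX_FAILED_LOGINS if kind == "failed_login" else MAX_NOT_FOUND
        if len(q) >= limit:
            offenders.setdefault(ip, kind)  # record the first reason an IP tripped a limit
    return offenders

def _line(ip, sec, method, path, status):  # builds one constructed combined-log line
    return f'{ip} - - [10/Oct/2019:13:55:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = [  # constructed sample: documentation IP ranges, one minute of traffic
    *[_line("203.0.113.7", 10 + i, "POST", "/wp-login.php", 200) for i in range(5)],
    _line("203.0.113.7", 20, "POST", "/wp-login.php", 302),          # eventually succeeds
    *[_line("198.51.100.9", 30 + i, "GET", f"/missing-page-{i}", 404) for i in range(3)],
    _line("192.0.2.4", 40, "GET", "/", 200),
]
```

Running `find_offenders(SAMPLE_LOG)` flags only 203.0.113.7 for failed logins; the three 404s from 198.51.100.9 stay under the assumed limit.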
Cloudflare is an intermediary between your website and the public. It compares the IP address of visitors to your site against a listing of suspect and known problem IPs, and filters out unwelcome traffic. It also acts as a cache that can speed up delivery of your site content. The basic Cloudflare package is free, and the paid version is sufficient for most users.
Finally, ensure that your site is sitting on a secure, up-to-date server running the latest server software. Sites running old, out-of-date versions of PHP, the language that WordPress (and much of the web) is written in, are extremely vulnerable. Unfortunately, as of July 30, 2019, a full 61% of WordPress sites were still running PHP 5.x, an ancient branch of the language that has not received security updates for years. This means that security features available in the current version of PHP are not available to these sites and their plugins; in some cases, software will simply not run on old PHP.
Want Some Help with Your Security Checkup?
If you would like to have your WordPress site checked for security, let us know. We have experience cleaning up hacked sites and subsequently hardening them against future incursions.
TLDR: If you just skipped to the end without reading 80% of what was written above you really need us! You don’t have to know how to best maintain your site – you just have to know David Strand at Holy Cow does!