In the digital age a new type of crime has appeared: digital crime. You never know when some ill-intentioned fellow decides to make your life harder by breaking into your website, stealing or deleting your data and hurting your business for no reason whatsoever. You don’t need to be a large player in the industry to be targeted: most attacks on WordPress sites are automated scripts that try every site they can find, and your competition might be tempted to sabotage you and your services as well. It pays to be on the safe side, especially when you don’t need to spend a dime (at most the price of an SSL certificate) to increase the security of your WordPress website.
Basic Principles of WordPress Security
- The first and most important rule is a strong, unique password for every account that can log in, the administrator accounts above all. The other measures below slow an attacker down; none of them saves you if your password can be guessed or has already leaked from another site.
- Get an SSL certificate, either bought from your provider or issued free of charge by Let’s Encrypt. When you handle personal information, HTTPS guarantees that passwords, session cookies and customer data can’t be read or tampered with on the way between the visitor’s browser and your server. It protects data in transit only; what is stored on the server still depends on the rest of this list.
- Limit login attempts and block abusive IPs. Once an IP has failed to log in more than five times in a row, lock it out, preferably for a limited time rather than for good: one address can be an office or a mobile network with many legitimate users behind it, and attackers rotate through many addresses anyway. Worst case, a locked-out user emails you asking to be whitelisted.
- Limit the rate at which a single client can request pages from the server. This reins in aggressive crawlers, scrapers and brute-force scripts. It does not stop a real DDoS attack: that floods your connection before the application sees a single request, and only your host or a CDN in front of the site can absorb it.
- Scan for malware and injected code regularly. Various plugins can do this for you. Good hosting providers have antivirus solutions installed, but you should not count on them alone.
- Always update WordPress to the latest version, and always update your plugins and themes too; a large share of hacked WordPress sites are taken over through a known, already patched vulnerability in an outdated plugin. Delete plugins and themes you don’t use instead of merely deactivating them.
- Place CAPTCHA verification on all of your forms, the login page and the comment form included.
- Assign each user the lowest role that lets them do their job. Don’t give administrator access to anyone you don’t fully trust, and remove accounts that are no longer needed.
- Back up everything and back up often, and keep the copies somewhere other than the web server itself. Restore a backup once in a while to make sure it actually works.
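The login limits above are meant to trigger on exactly the traffic pattern that a brute-force attack leaves in the web server log, so it is worth knowing what that pattern looks like and how to check for it yourself. The following script is an added example written for this page, not something from the article or from any plugin: it counts failed login POSTs per client IP in an Apache combined-format access log and reports the addresses over a threshold. The log lines inside it are constructed for the demo (203.0.113.x and 198.51.100.x are documentation addresses), and the function names and the threshold are my own choices. WordPress answers a failed login to wp-login.php with a 200 (the form is shown again with an error) and a successful one with a 302 redirect, which is what the script uses to tell the two apart; it also counts every POST to xmlrpc.php, another way of submitting passwords that a limiter watching only the login form does not see.

```shell
#!/bin/sh
# Added example (not from the article): spot brute-force login attempts in an
# Apache "combined" access log by counting failed POSTs to the WordPress login
# endpoints per client IP. The log lines below are constructed for the demo.

# sample_log_file: write the constructed sample log to a temp file and print
# its path. 203.0.113.7 fails six times, 198.51.100.2 is a real user who
# mistypes once and then succeeds (302 redirect), 203.0.113.9 goes through
# xmlrpc.php instead of the login form.
sample_log_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2024:12:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2611 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:01:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 45210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "-"
203.0.113.9 - - [10/Mar/2024:12:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "-"
203.0.113.9 - - [10/Mar/2024:12:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "-"
EOF
    printf '%s\n' "$f"
}

# login_attempts LOG LIMIT: print "ip count" for every IP with more than LIMIT
# suspicious login requests, busiest first. Combined-log fields by whitespace:
# $1 client IP, $6 the method (with its opening quote), $7 the path, $9 the
# status. A failed wp-login.php POST comes back as 200 (form re-rendered with
# an error); a successful one is a 302 redirect to wp-admin, so 302s are not
# counted. Every POST to xmlrpc.php counts, because one such request can
# carry many credential pairs.
login_attempts() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/               { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# Stand-alone run against the constructed sample with the article's threshold
# of five attempts.
login_attempts "$(sample_log_file)" 5
```

Point it at the real log (for example login_attempts /var/log/apache2/access.log 5; the path depends on your host) after narrowing the file to a time window with grep on the date, since the script counts over the whole file. A busy IP can be a NAT gateway with many users behind it, so treat the output as a list for a temporary lockout, not a permanent blacklist.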
Installing and Configuring Wordfence
As overwhelming as the list above may seem, most of its points can be ticked off with a single plugin: Wordfence. The free version, which is all you need here, provides a firewall, brute-force protection, a malware scanner and a login limiter, among other things. The free firewall receives new rules later than the paid one, which is one more reason to keep WordPress and the plugins updated.
From your dashboard, go to Plugins, Add New, search for Wordfence and then Install and Activate the plugin.
All the important options are turned on by default; rate limiting, however, is disabled, and you will want to enable it. To do so, hover the mouse over the new sidebar entry named Wordfence and click Options.
Scroll until you reach Rate Limiting Rules. Check Immediately block fake Google crawlers and set each of the limits to 60 per minute. That is far more than a human visitor generates in a minute, so it throttles scrapers and scanners without hindering real users. It is not DDoS protection, though: a flood big enough to saturate the server is a job for your host or a CDN. Save the changes.
Enforcing connections over SSL
To obtain and install an SSL certificate, refer to your service provider. If you add the certificate after you have finished your website, things become a bit problematic: the WordPress Address and Site Address under Settings, General have to be changed to https://, and links and images that were saved with http:// addresses have to be replaced, or browsers will warn about mixed content. Even then, a user could manually switch to the unsecured version by typing http://. To take care of this matter, we are going to use a plugin called WordPress Force HTTPS.
From your dashboard, go to Plugins, Add New, search for WordPress Force HTTPS and then Install and Activate the plugin.
Now your visitors will be automatically redirected to the HTTPS version of your website. No further configuration is required; to confirm it works, open the http:// address in a private browser window and check that you land on https:// with the padlock showing.
Changing the Login address
We have already limited the number of login attempts and made sure we have a strong password. Let’s take it a step further by changing the login address altogether. Keep in mind that this is obscurity on top of the real defences, not a replacement for them: it stops the generic bots that hammer /wp-login.php on every site, but not someone who has looked at your site closely enough to find the new address.
From your dashboard, go to Plugins, Add New, search for Custom Login URL, scroll until you find it and then Install and Activate the plugin.
Now head to Settings and then Permalinks. Scroll to Authentication Permalinks. Change your Login URL to something you will remember, such as /user/admin/login, and click Save Changes when finished. Now only people who know the exact address can attempt to log in.
Disable directory listing
If you open www.your-website.com/wp-content/uploads in a browser and the contents of your uploads folder are displayed, directory listing is enabled. By itself that doesn’t let anyone insert code, but it hands an attacker a map of your files, and the same setting applies to the plugins and themes folders, where a listing reveals exactly which versions you run and makes picking a known vulnerability to exploit much easier. So you need to disable the directory listing.
Go to the root of your WordPress installation (the folder that contains wp-config.php) and look for a file called .htaccess. It is a hidden file, so enable showing hidden files in your file manager or FTP client if it doesn’t appear.
Open it with a text editor and add the following line at the bottom of the file: Options -Indexes. Don’t write Options All -Indexes: current Apache versions reject an Options line that mixes a bare keyword (All) with a signed one (-Indexes), and in .htaccess that error takes the whole site down with a 500. Save the file and reload the uploads address; it should now answer 403 Forbidden instead of showing the listing. If your host runs nginx instead of Apache, .htaccess is ignored; there the listing is governed by the autoindex directive, which is off unless someone turned it on.
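Both the HTTPS redirect from the previous section and the -Indexes line above can also be applied directly in .htaccess without a plugin. The script below is an added example written for this page, not from the article, from WordPress or from any plugin: it prepends the two settings to a .htaccess file with a backup, refuses to apply them twice, and checks the file for the invalid Options All -Indexes form. It assumes Apache with mod_rewrite and AllowOverride permitting .htaccess; the function names are my own, and the path it is given (such as /var/www/html/.htaccess) is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the article or from any plugin): put the HTTPS
# redirect and the directory-listing switch into a WordPress .htaccess in one
# go, with a backup, a marker so repeated runs do not duplicate the block, and
# a check for the invalid "Options All -Indexes" form. Assumes Apache with
# mod_rewrite and AllowOverride permitting .htaccess; the file path is an
# argument, e.g. /var/www/html/.htaccess (assumed location).

MARKER='# wp-hardening block (added by harden_htaccess)'

# harden_htaccess FILE: prepend the hardening block to FILE (created if
# missing). Prepending matters: the WordPress block ends with a [L] rule that
# rewrites everything to index.php, and a redirect placed after it never
# fires for pretty-permalink pages.
harden_htaccess() {
    htaccess="$1"
    [ -f "$htaccess" ] || : > "$htaccess"
    grep -qF "$MARKER" "$htaccess" && return 0      # already applied
    cp "$htaccess" "$htaccess.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$htaccess.tmp.$$"
    {
        printf '%s\n' "$MARKER"
        cat <<'EOF'
# Directory listings off. Plain "-Indexes", not "Options All -Indexes":
# Apache refuses an Options line that mixes bare and +/- keywords, and in
# .htaccess that mistake returns a 500 for the whole site.
Options -Indexes

# Permanent redirect of every plain-HTTP request to the same URL over HTTPS.
# %{HTTPS} reflects Apache's own listener: if a CDN or proxy terminates TLS
# in front of Apache, test its forwarded-protocol header here instead, or
# this rule loops.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

EOF
        cat "$htaccess"
    } > "$tmp"
    mv "$tmp" "$htaccess"
}

# mixed_options FILE: succeed if any "Options" line mixes signed (+/-) and
# bare keywords, the form Apache rejects at load time.
mixed_options() {
    awk '$1 == "Options" {
             signed = 0; bare = 0
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^[+-]/) signed = 1
                 else bare = 1
             }
             if (signed && bare) found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# verify_htaccess FILE: succeed when both settings are present and no Options
# line is malformed.
verify_htaccess() {
    grep -q '^Options -Indexes' "$1" || return 1
    grep -q '^RewriteCond %{HTTPS} !=on' "$1" || return 1
    ! mixed_options "$1"
}

# Usage: sh harden-htaccess.sh /path/to/wordpress/.htaccess
if [ $# -eq 1 ]; then
    harden_htaccess "$1" && verify_htaccess "$1" && echo "hardened: $1"
fi
```

Run it as sh harden-htaccess.sh /path/to/wordpress/.htaccess, then check the result from outside: curl -sI http://www.your-website.com/ should answer with a 301 and a Location header pointing at https://, and curl -sI https://www.your-website.com/wp-content/uploads/ should answer 403. The rewritten file gets default permissions, so re-check them if your host expects something specific. If TLS is terminated by a CDN or proxy in front of Apache, the RewriteCond on %{HTTPS} will loop; condition on the proxy’s forwarded-protocol header instead.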
Together, these measures stop the common, automated attacks that make up the bulk of what a WordPress site faces. Keep the updates, scans and backups running, though: security is ongoing maintenance, not a one-time setup.