Securing Your WordPress Installation

WordPress Security 101

Roughly 37,000 websites are breached daily. Considering WordPress powers at least 53% of all websites, you can bet a lot of bloggers have to deal with a website hijacking situation. So, don’t leave anything to chance – your blog is only as secure as you make it by following security best practices.

CMS WordPress security

(Source: Builtwith)

We’re launching a 5 part series of articles covering wordpress security in the cloud to educate and have a dialogue about security best practices that are doable, regardless of whether you are a beginner or a seasoned WP blogger.

Without further ado, here are the first steps to establishing a solid foundation to your WordPress security 101.

Securing Your WordPress Installation

#1. Change Your admin Username

cybersecurity expert Brian Krebs recently discovered that Equifax’ Argentina website that lets its employees manage credit report disputes from consumers had admin/admin used as its login and password. That, ladies and gentlemen, is how you should NOT manage security.

So, the first thing you should do when setting up your WordPress installation is to change the admin username. Here’s how you can do it:

  1. Go to your admin Dashboard → click Users → see the list of users where you currently appear as admin.
  2. Click Add New → fill out the necessary details → select the role of Administrator → confirm by clicking on Add New User.
  3. Now, go back to the old admin user, hover over it and select Delete → confirm selection.

Tip: you don’t want to display your new admin username to the public. So, click on your new admin name, scroll down to change the nickname and select “Display name publicly as” and select the nickname.

#2. Enable Two-Step Authentication

Don’t underestimate the persistence that hackers apply to hijack WordPress blogs. Adding two-factor authentication is just as important as changing your admin username, so, by all means, do that.

The easiest way to enable two-factor authentication in WordPress is through MiniOrange Google Authenticator plug-in. Alternatively, you can use Sucuri, which is a comprehensive solution for WordPress blogs.

#3. Install CAPTCHA

To prevent bots from breaching your blog’s security, over-taxing your website, slowing down connections and resulting in denied traffic, you need a captcha solution.

The CAPTCHA WordPress Plugin is one of the easiest ways to enable captcha for registration, login, comment, contact and other forms. This plug-in offers granular controls, so you can white-list people and IPs, as well as choose the type of captcha code.

#4. Install Spam Protection for Comments

Spam comments aren’t just annoying; they can bog down your website with excess traffic, or contain malicious links. So, by all means, protect your blog from spam comments. Luckily, Akismet plugin lets you do that for free.

#5. Hide Your WordPress Version Number

You should always update your WordPress installation to the latest version whenever it’s released. However, you should also hide your blog’s version number from public display because it makes it too easy for hackers to identify which exploits will work best for your WordPress version.

To hide your WordPress version number from public display, you’ll need to backup your blog first. Once you have the current backup:

  1. Go to Appearance → Editor → Theme Functions → type the following:

“add_filter(‘the_generator’,”);

  1. Click Update File.

This filter will prevent your WordPress blog from displaying its number for everyone to see.

#6. Turn Off WordPress API

WordPress API is a useful functionality for developers who build custom applications for their blogs. However, it is also a serious security issue because it can be exploited to bypass WordPress authentication system, even the multi-factor authentication.

So, unless you actively deploy custom applications for your blog, you are better off disabling WordPress API. Fortunately, it is as easy as installing Disable REST API plug-in.

#7. Turn Off XML-RPC

By default, WordPress comes with XML-RPC enabled, which allows you to access your blog remotely. The bad news it also opens a possible attack vector, so if you do not intend to publish posts remotely – disable XML-RPC on your blog.

The easiest way to do so without having to modify the code is through the Disable XML-RPC plug-in.

Bonus Tip: How to Choose Secure PlugIns

WordPress Security

WordPress repository is a treasure trove of free and relatively inexpensive plugins and themes that let you create truly impressive websites without profound technical skills. However, plug-ins are built by people, and people make mistakes. So, a lot of WordPress breaches – 55.9% – are attributed to Vulnerabilities in plugins.

Even though all plug-ins in the WordPress library are vetted, it’s always wise to apply common sense when installing new ones. Here are three tips that should help you choose robust and secure plug-ins:

  1. Always read user reviews – install plug-ins with positive user feedback and high rating. Avoid plug-ins that have been recently published, as they may have vulnerabilities that haven’t been discovered, yet. Also, steer clear of plug-ins that appear barely used, or out-of-date.
  2. Read the accompanying documentation – polished and thorough documentation is a sign of a mindful, detail-oriented and conscientious developer.
  3. Research the developer – developers with a positive track record of releasing popular plug-ins are more likely to produce a solid and secure product than newcomers.

In the next WordPress security 101 roundup, we’ll discuss the following topics:

Since there’s never any one step to securing the entirety of your WordPress blog, we’ll be covering the essential topics step-by-step. Hope you find these tips helpful!

Protecting Against Insider Threats

A recent Breach Level Index report by Gemalto, a global cyber security solutions provider, is titled “Poor Internal Security Practices Take A Toll” for a reason. The insider threat is the biggest source of stolen – or lost – records in the first half of 2017, according to the report. Accidental loss accounts for a whopping 86% of all stolen records, with over 1.6 billion records compromised in just six months.

Users prefer convenience over security because it’s in human nature to look for easy ways to get a job done. So, if you want to boost your WordPress security, there is one potential threat that you can’t afford to overlook – yourself and your users.

(Infographic Source: Breachlevelindex)

contributors who have access to your WordPress back end can be a part of your defense, or your weakest link (without ever realizing it). Let’s see how you can safeguard your blog against internal threats.

#1. Good Password Hygiene

WordPress – and common sense – requires that you use strong passwords, but what is a strong password? A WordPress expert Alex Grant says a strong password is complex and easy-to-memorize at the same time.

Password management programs do a great job of generating and storing your passwords in an orderly manner. This option is feasible if you have multiple blogs since you want to avoid re-using one password across multiple accounts.

Even though automatically generated passwords are secure, they are also impossible to memorize. So, many bloggers just default to weak passwords that are easy to crack.

One simple way of creating strong passwords you can memorize is to use a passphrase based on logic known to you alone, for Instance:

My_goal_is_2_weigh_50_kilo$

The longer the passphrase, the harder it is to crack, and the easier it is to memorize. Use this technique not only for passwords but also for answers to your security questions.

Tips:

  • Don’t use the names of your favorite sports teams and music bands, or anything that hackers can mine from your Facebook profile.
  • Don’t store your passwords in a Notepad or Word file in plain text. If you need to store them in an electronic format, use encryption programs or password managers.
  • Don’t re-cycle your passwords across multiple accounts.
  • Don’t share your passwords with anyone since you never know how laid-back other people may be about cybersecurity.

#2. Protecting Your Password From Unauthorized Reset

One particular vulnerability that revolves around passwords is you can reset them. If someone gains access to your email, they can reset your WordPress password. If someone can guess – or research – the answers to your security questions, they can reset your password.

So, your password is just a part of the equation, where security of your administrative email account and reasonable complexity of your security answers are equally important.

#3. Locking Out Multiple Sign-On Attempts

As of now, WordPress doesn’t offer the functionality to block multiple sign-on attempts. This creates a risk for someone persistent enough to just try different username/password combinations for hours on end. So, you want to limit sign-on attempts to a certain number you deem acceptable.

Tips:

  • The WP Limit Login plugin lets you set the number of login attempts, define the lockdown time during which the user won’t be able to log in, and enable captcha.
  • Sucuri is a comprehensive suite that also allows you to tweak multiple sign-on settings to your liking.

#4. Restricting User Permissions

For blogs with multiple contributors, it’s best if the contributors only have privileges they need to do their work. You need to create the lowest risk environment, where user permissions are restricted to only the necessary minimum.

Otherwise, one user can mess up intentionally or accidentally, and delete someone else’s post, or mishandle their login credentials and expose them.

If a contributor’s account with minimum permissions gets compromised, the malicious party can only mingle with a very limited amount of content on your blog. If malicious actors access the administrative account, you’re in for trouble.

Tip:

  • Don’t assign temporary permissions to users making some technical adjustments to your blog. Chances are you can forget to restrict that account later on when the job is completed.

#5. Enforce The Use Of Strong Passwords

If your contributors use weak passwords, your WordPress backend is vulnerable. Don’t just leave your users to their own devices – set up restrictions that would only allow them to use strong passwords.

The current version of WordPress enforces the use of strong passwords. But if you run an older version, you can add this functionality via the Force Strong Passwords plugin.

Tips:

  • Passwords must be long and contain at least one number, and at least one special character.
  • Don’t enforce overly restrictive password rules, as this will result in passwords that are hard to memorize. You’d be into frequent password reset requests.

#6. Logging Out Idle Users

One more security vulnerability that comes from users is they forget to log out. When they do, your blog is exposed to great risks. Anyone with access to your contributor’s computer can tamper with your dashboard. So, security best practices suggest that you log out idle users.

Tip:

  • The Idle User Logout plugin lets you choose which user roles get to be logged out automatically after they’ve been idle for a set time. That way, your contributors won’t be losing any data, but your blog would be safe against yet another security vulnerability.

That’s it for today! The next WordPress security roundup will focus on:

  • Internal monitoring systems – WordPress Security, Sucuri, and Wordfence.
  • Security of your web hosting account.

Stay tuned for more security tips from the WordPress guru Alex Grant.

Gartner Predicts Public Cloud Services Market Will Reach $397.4B by 2022

Gartner Predicts Public Cloud Services Market Will Reach $397.4B by 2022

Public Cloud Services Market Will Reach $397.4B Worldwide end-user spending on public cloud services is forecast to grow 23.1% in 2021 to total $332.3 billion, up from $270 billion in 2020. Garter predicts worldwide end-user ...
Alex Brisbourne

Industrial IoT Cyberattacks Continue To Rise

IoT Industrial Security The Internet of Things (IoT) includes both traditional electronics and everyday ‘things’ embedded with sensors, computing, and networking capabilities. From smart coffee makers and smart homes to smart lighting and smart cities, ...
Derrek Schutman

Implementing Digital Capabilities Successfully to Boost NPS and Maximize Value Realization

Implementing Digital Capabilities Successfully Building robust digital capabilities can deliver huge benefits to Digital Service Providers (DSPs). A recent TMForum survey shows that building digital capabilities (including digitization of customer experience and operations), is the ...
Gary Taylor

5 Reasons Why Virtual Desktop Infrastructure Will Go Mainstream Post 2020

Virtual Desktop Infrastructure Growth Virtual Desktop Infrastructure (VDI) technology enables remote users to access their desktop from anywhere using an internet connection. This technology has been around for a couple of decades but never received ...
Ronald van Loon

The Secrets to a Successful Desktop-as-a-Service Approach

The Secrets to a Successful Desktop-as-a-Service Approach Organizations are under pressure to reinvent their business models and adopt new technologies and digital capabilities to manage challenging conditions and adapt to new remote work scenarios. By ...

PROXY SERVICES

The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Smartproxy

    Smartproxy

    Smartproxy is a rising star in the constantly growing proxy market. Smartproxy offers awarded customer service, impressive performance, and is serious about your anonymity (yes, cybersecurity matters). The latest features developed by Smartproxy are 30 minute long sticky sessions and Google Proxies. Rumor has it, the latter guarantee 100% success rate

  • Bright Data

    Bright Data

    Bright Data’s network is one of the most robust of its kind globally. Here are its stark advantages: Extremely stable connection for long sessions (99.99% uptime guaranteed). Free to integrate with our Proxy Manager which allows you to define custom rules for optimized results. Send unlimited concurrent requests increasing speed, cost-effectiveness, and overall efficiency.

  • Rsocks

    Rsocks

    RSocks team offers a huge amount of residential plans which were developed for plenty of tasks and, most importantly, has been proved to be quite efficient. Such variety has been created on purpose to let everyone choose a plan for a reasonable price, online, rotation and other parameters.

  • Storm Proxies

    Storm Proxies

    Storm Proxies' network is optimized for high performance and fast multi-threaded tools. You get unlimited bandwidth. No hidden costs, no limits on bandwidth. Try Storm Proxies 100% Risk Free. If you are not happy with the service email us within 24 hours of purchase and we will refund you.