Why Security Is Important
1. There’s Always a Risk
Your website can never be 100% secure. Hackers are always trying new things and discovering new vulnerabilities to exploit. The online world changes quickly and the same is true of security. Good security is about minimizing risk. If anybody tries to sell you a 100% secure solution, they’re scamming you. You’ll never be completely safe, but there’s a lot you can do to minimize your risk.
2. Don’t Blame WordPress
The haters like to say that WordPress isn’t secure. That’s not necessarily true: it depends on how you set up and use WordPress. If you don’t keep it updated, or you follow bad practices, then no, it isn’t secure. The reality is that over 20% of the world’s websites use WordPress, which makes it a huge target. So you need to be smart: keep things updated and follow the best practices to lock your site down.
Many security issues have little to do with WordPress itself and more to do with server vulnerabilities, cross-contamination (one compromised site on a shared server infecting the others) and poor passwords. Bad decisions can undermine your site, and that’s true whether you’re using WordPress or any other solution. So don’t blame your security woes on WordPress.
3. Security vs. Usability
There’s a fine balance between security and usability. Sometimes locking down your site makes it secure, but it’s hard to use. Sometimes making your site easier to use makes it less secure. You’ll have to find the balance.
3 Kinds of Security Your Website Needs
There are three phases to security: protection, detection and restoration. If you truly want to protect your site, you need to do all three.
First and foremost you need to lock down your site and keep it safe. You’ve got to raise the drawbridge, lower the gate, ignite the flammable moat and do whatever else you can to stop attacks before they start. This is the obvious first step and kind of hard to ignore: protect your site.
No matter how good your protection is, the bad guys might find a way to hurt your site. And you need to know when an attack is happening.
The attack won’t always be a full frontal assault that makes it painfully obvious your site has been hacked. Sometimes it is quiet: a bot finds a weak spot and plants hidden code (a backdoor, spam links, a redirect) that a visitor would never notice. Protection is of little use if you never learn it has been bypassed. Malicious bots and hackers may have already infiltrated your site, and without detection you’ll never know.
Finally, you need a plan to get your site up and running again after it’s been knocked down. These things happen. The best protection and detection strategies can still be foiled and you need to be prepared. Why worry about the worst-case scenario when a little preparation will have you covered? Plus, a good backup is important for other reasons besides security. We recommend backing up your site with us so you’re prepared for anything.
4 Best Security Practices
1. Keep It Current
One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often, and when a security issue is found, a fix is released as soon as it’s ready. But that doesn’t do you any good if you’re not keeping your installation up to date. You also need to keep your themes and plugins up to date; they can have security issues as well, and they are patched on their own schedules.
Sometimes developers put off updates for fear of breaking their site, but you’d rather break your site with an update than risk a break-in. Take a backup first and, if you can, try the update on a staging copy, then apply it; don’t leave a known hole open while you wait.
2. Strong Passwords
Your security is only as good as your password. If you’ve got a simple password, you’ve got a simple site to hack. You need to use strong passwords. Your password should be long and unique first of all (length does more for strength than any single symbol), and mix in numbers, capitals and special characters (@, #, *, etc.). Your WordPress password can even include spaces and be a passphrase, which is an easy way to get length.
Don’t use the same password in multiple places. Yes, remembering different passwords for different sites is tough, but a hacked site is worse.
3. Manage Users
Your own strong password is useless if another admin has a weak one. You need to manage your users. Not everybody needs admin access. The more people with admin access, the more chances to hack your site. Make sure you’re only giving admin access to the people who truly need it. And make sure those few admins are following good security practices. Remember to update or remove users when you have staff transitions.
4. Back It Up
If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need a backup plan. In order for backup to work, it needs to be complete and automatic. Backing up your database isn’t enough. That will save your content, but you’ll still have to rebuild your entire site, including theme tweaks and plugin settings. And if your backup isn’t automatic, you’ll forget about it.
Defend Your Site From Attacks You Never Knew Existed
Brute Force Protection
Limit the number of failed login attempts allowed per user. If someone is trying to guess your password, they’ll get locked out after a few tries. You can even whitelist your own IP, so you’re allowed more login attempts.
File Change Detection
If someone manages to get into your site, they’ll probably add, remove or change a file. Get email alerts showing any file changes so you know if you’ve been hacked.
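The mechanism behind file change detection is simple enough to show in full. The following is an added example, not LIME Security’s code: it hashes every file under the site root into a baseline, rescans later, and reports what was added, removed or modified. The WordPress-like tree and the simulated tampering are constructed inline in a temporary directory.

```python
"""Added example (not part of LIME Security): file-change detection by hashing.

A baseline snapshot maps every file under the site root to its SHA-256 digest.
A later snapshot is compared against it, and anything added, removed or
modified is reported. The WordPress-like tree and the simulated compromise
below are constructed for the example.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots and return sorted added/removed/changed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    """Helper for building the constructed site tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a site, take a baseline, simulate an intrusion, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-content/themes/mytheme/functions.php", "<?php // theme code\n")
        _write(root, "wp-content/uploads/2024/photo.jpg", "constructed stand-in for an image\n")
        baseline = snapshot(root)

        # Simulated attacker activity: a backdoor dropped into uploads, a theme
        # file modified to include it, and an unrelated file deleted.
        _write(root, "wp-content/uploads/2024/shell.php", "<?php eval($_POST['c']);\n")
        _write(root, "wp-content/themes/mytheme/functions.php",
               "<?php // theme code\n@include '../../uploads/2024/shell.php';\n")
        os.remove(os.path.join(root, "wp-content/uploads/2024/photo.jpg"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two things matter in practice that the toy above does not handle: keep the baseline somewhere an attacker who owns the web root cannot rewrite it (otherwise they simply re-baseline after planting the backdoor), and exclude caches and upload churn by rule rather than by ignoring alerts. For core files, comparing against the checksums WordPress publishes for each release is a stronger check than a self-made baseline.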
404 Detection
If a bot is scanning your site for vulnerabilities, it will generate a lot of 404 errors. LIME Security will lock out that IP after the limit you set (20 errors in 5 minutes by default).
Strong Password Enforcement
Set which level of users on your site (admins, editors, users, etc.) need to have strong passwords. This is one of the best ways to secure your site.
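What “strong” means, and which roles it applies to, has to be spelled out somewhere. This added example (not LIME Security’s code) is one reasonable policy covering both the password advice above and the role gating described here. Every threshold in it is an assumption chosen for the example, and COMMON is a constructed stand-in for a breached-password list.

```python
"""Added example (not part of LIME Security): role-based strong-password enforcement.

Rules and thresholds are assumptions chosen for the example: 12+ characters
with at least three character classes, or a passphrase of four or more words
and 20+ characters; nothing from a common/breached list; no username inside
the password. The full ruleset applies to roles at or above `min_role`; lower
roles only get the common-password check.
"""
import re

ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed stand-in for a breached-password list (use a real one in practice).
COMMON = {"password", "passw0rd", "123456", "12345678", "qwerty",
          "letmein", "admin", "wordpress", "welcome"}

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9\s]")


def strength_problems(password, username="", min_length=12):
    """Return the rule codes the password violates (empty list means strong)."""
    problems = []
    lowered = password.lower()
    # Strip trailing digits/punctuation so "Password1!" still hits the common list.
    if lowered in COMMON or lowered.rstrip("0123456789!@#$%") in COMMON:
        problems.append("common-password")
    if username and username.lower() in lowered:
        problems.append("contains-username")
    if len(password) < min_length:
        problems.append("too-short")
    # A multi-word passphrase gets its strength from length, not symbols.
    is_passphrase = len(password.split()) >= 4 and len(password) >= 20
    classes = sum(bool(re.search(p, password)) for p in CLASSES)
    if not is_passphrase and classes < 3:
        problems.append("too-few-classes")
    return problems


def enforce(password, role, username="", min_role="administrator"):
    """Return (accepted, problems) for a user of `role` under the site policy."""
    problems = strength_problems(password, username)
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        # Below the enforced role only the common-password check is mandatory.
        problems = [p for p in problems if p == "common-password"]
    return (not problems, problems)


if __name__ == "__main__":
    for pw, role, user in [("Summer2024", "administrator", "admin"),
                           ("correct horse battery staple", "administrator", ""),
                           ("admin!Pass2024", "editor", "admin")]:
        print(role, repr(pw), enforce(pw, role, user))
```

The one rule a plugin cannot check is uniqueness across sites; that is on the user (and a password manager). Pairing the policy with two-factor authentication covers the case where a strong password is reused and leaks elsewhere.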
Lock Out Bad Users
Keep bad users away from your site if they have too many failed login attempts, a lot of 404 errors or if they’re on a bot blacklist.
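The three lockout triggers (failed logins, 404 floods and a blacklist), together with the IP whitelist from the brute force section, share one piece of machinery: a sliding-window counter per host and per username. This added example, not LIME Security’s code, implements that engine and runs it over a constructed event log. Every threshold is an assumption: 5 failed logins per host or username within 5 minutes, 20 404s per host in the same window, 15-minute lockouts, four times the login allowance for whitelisted hosts.

```python
"""Added example (not part of LIME Security): a lockout engine for the three
triggers described above, run over a constructed event log.

Thresholds are assumptions: 5 failed logins per host or username within a
5-minute window, 20 404s per host in the same window, 15-minute lockouts.
Whitelisted hosts get four times the login allowance and are never locked for
404s; blacklisted hosts are refused before anything is counted.
"""
from collections import defaultdict, deque


class Lockouts:
    def __init__(self, login_limit=5, notfound_limit=20, window=300,
                 lockout_seconds=900, whitelist=(), blacklist=()):
        self.login_limit = login_limit
        self.notfound_limit = notfound_limit
        self.window = window
        self.lockout_seconds = lockout_seconds
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.events = defaultdict(deque)   # (counter name, key) -> timestamps
        self.locked_until = {}             # ("ip", addr) or ("user", name) -> expiry

    def _count(self, name, key, ts):
        """Record one event and return how many fell inside the sliding window."""
        q = self.events[(name, key)]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q)

    def _lock(self, subject, ts):
        self.locked_until[subject] = ts + self.lockout_seconds

    def blocked(self, ts, ip, user=None):
        """Reason the request must be refused before it is processed, or None."""
        if ip in self.blacklist:
            return "blacklist"
        if self.locked_until.get(("ip", ip), 0) > ts:
            return "ip locked"
        if user and self.locked_until.get(("user", user), 0) > ts:
            return "user locked"
        return None

    def observe(self, ts, ip, event, user=None):
        """Count one event; return the lockouts it triggered."""
        triggered = []
        trusted = ip in self.whitelist
        if event == "login_fail":
            limit = self.login_limit * (4 if trusted else 1)
            if self._count("login_fail", ip, ts) >= limit:
                self._lock(("ip", ip), ts)
                triggered.append("ip")
            # Per-username lockout catches guessing spread across many hosts.
            if user and not trusted and self._count("user_fail", user, ts) >= self.login_limit:
                self._lock(("user", user), ts)
                triggered.append("user:" + user)
        elif event == "login_ok":
            self.events.pop(("login_fail", ip), None)
            if user:
                self.events.pop(("user_fail", user), None)
        elif event == "404":
            if not trusted and self._count("404", ip, ts) >= self.notfound_limit:
                self._lock(("ip", ip), ts)
                triggered.append("ip")
        return triggered


def process(lines, policy):
    """Feed 'epoch ip event [user]' lines through the policy; return decisions."""
    decisions = []
    for line in lines:
        parts = line.split()
        ts, ip, event = int(parts[0]), parts[1], parts[2]
        user = parts[3] if len(parts) > 3 else None
        reason = policy.blocked(ts, ip, user)
        if reason:
            decisions.append((ts, ip, "refused: " + reason))
            continue
        for subject in policy.observe(ts, ip, event, user):
            decisions.append((ts, ip, "locked: " + subject))
    return decisions


# Constructed event log: a password-guessing host, the site owner's
# whitelisted address mistyping a password, a vulnerability scanner, and a
# host on the blacklist.
LOG = (
    [f"{10 * i} 198.51.100.9 login_fail admin" for i in range(6)]
    + [f"{100 + 5 * i} 203.0.113.5 login_fail editor" for i in range(6)]
    + ["130 203.0.113.5 login_ok editor"]
    + [f"{200 + 2 * i} 192.0.2.77 404" for i in range(21)]
    + ["300 192.0.2.200 login_fail admin"]
)


def demo():
    policy = Lockouts(whitelist={"203.0.113.5"}, blacklist={"192.0.2.200"})
    return process(LOG, policy)


if __name__ == "__main__":
    for ts, ip, decision in demo():
        print(ts, ip, decision)
```

Two caveats follow directly from the code. The per-username lockout means anyone who knows your admin username can lock the real admin out on purpose, which is why the whitelist exists and why lockouts should be short rather than permanent. And behind a CDN or reverse proxy, `ip` must be the real client address taken from a header you trust, otherwise the first scanner to trip the limit locks out the proxy and with it every visitor.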
Away Mode
Not making changes to your site 24 hours a day? Make the admin area inaccessible during specific hours so no one else can sneak in.
Hide Login & Admin
You can change the URL of your login and admin areas so automated attackers won’t know where to look. Keep in mind that this is obscurity, not authentication: a bot that finds the new path still faces only your password, so keep lockouts and strong passwords on as well. This feature is also great to help you remember your login link.
Database Backups
Schedule database backups and have them emailed to you. Or you can get LIME to step up your backup game. Make complete backups and send them to off-site storage destinations.
Email Notifications
Get email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.
Two-Factor Authentication
Strong passwords not enough? Use 2-Factor Authentication to send a custom code to your phone when you log in. This extra layer of protection verifies it’s you logging in (and not someone who guessed your password).
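The page does not say how the code sent to your phone is produced or checked. The following is an added example, not LIME Security’s code, of one standard way to do it: an app-based time-based one-time password (TOTP, RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), with a one-step clock tolerance and a refusal to accept a code twice. SECRET is the RFC 6238 test secret, included so the outputs can be checked against the RFC’s own table; the user names are made up.

```python
"""Added example (not part of LIME Security): a second-factor code check.

Implements TOTP (RFC 6238 over RFC 4226 HOTP), verifies a submitted code with
one step of clock drift either way, and rejects replays of a code already
accepted. SECRET is the RFC 6238 test vector, not a production secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

SECRET = b"12345678901234567890"   # RFC 6238 test secret (do not reuse in production)


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Checks submitted codes with a small drift window and replay protection."""

    def __init__(self, step=30, digits=6, drift=1):
        self.step, self.digits, self.drift = step, digits, drift
        self.last_counter = {}   # user -> highest time step already accepted

    def check(self, user, secret, submitted, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        counter = int(now) // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            expected = hotp(secret, c, self.digits)
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(expected, submitted):
                if c <= self.last_counter.get(user, -1):
                    return False          # replay of a code already consumed
                self.last_counter[user] = c
                return True
        return False


def otpauth_uri(user, issuer, secret):
    """Provisioning URI an authenticator app can enroll from (QR-code payload)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print(totp(SECRET, 59))            # RFC 6238 vector 94287082, last 6 digits: 287082
    print(otpauth_uri("alice", "Example Site", SECRET))
```

Whatever delivers the code, the server-side rules are the same: compare in constant time, allow only a narrow drift window, and never accept the same code twice, since a code intercepted over SMS or shoulder-surfed is useless to an attacker once it has been consumed.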
Geo-IP Banning
Getting a lot of spam or brute force attacks from a specific, obscure country? Block IP addresses by country with Geo-IP banning.
More than 30 Ways to Secure Your Site
- Remove the meta “Generator” tag
- Change the URLs for the WordPress dashboard including login, admin, and more
- Completely turn off the ability to login for a given time period (away mode)
- Remove theme, plugin, and core update notifications from users who do not have permission to update them
- Remove Windows Live Write header information
- Remove RSD header information
- Rename “admin” account
- Change the ID on the user with ID 1
- Change the WordPress database table prefix
- Change wp-content path
- Remove login error messages (so a failed login doesn’t reveal whether the username exists)
- Display a random version number to non administrative users anywhere version is used
- Scan your site to instantly tell where vulnerabilities are and fix them in seconds
- Ban troublesome bots and other hosts
- Ban troublesome user agents
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts
- Strengthen server security
- Enforce strong passwords for all accounts of a configurable minimum role
- Force SSL for admin pages (on supporting servers)
- Force SSL for any page or post (on supporting servers)
- Turn off file editing from within WordPress admin area
- Detect and block numerous attacks to your filesystem and database
- Detect bots and other attempts to search for vulnerabilities
- Monitor filesystem for unauthorized changes
- Create and email database backups on a customizable schedule
- Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
- Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.
- Works on multi-site (network) and single site installations
- Works with Apache, LiteSpeed or NGINX
- Remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).
- Disable PHP execution in the uploads directory (so a file an attacker manages to upload can’t be run as code)
- Force users to choose a unique nickname when updating their profile or creating a new account, which prevents bots and attackers from easily harvesting users’ login names from the code on author pages.
- Disable a user’s author page if their post count is 0, making it harder for bots to determine usernames of users that don’t post to your site.
Know Your Site is Safe with Scheduled Malware Scanning
Malware is often disguised or embedded in non-malicious files, so you may not know your site is infected. Hackers use malware to gather sensitive information and get unauthorized access to your site.
Find out whether your site is malware-free with scheduled malware scanning. The scan analyzes your site’s pages and files and flags malicious content, phishing kits and suspicious code, using a network of antivirus engines and website scanners.
With LIME Security, you can set weekly scheduled scans of URLs and files so you know you have ongoing protection.
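To make concrete what “disguised or embedded in non-malicious files” looks like, here is an added example, not LIME Security’s scanner: a small signature check over a constructed set of site files. It flags the usual PHP backdoor tells (eval of decoded data, request parameters fed to a shell, the old preg_replace /e trick, long base64 blobs, PHP tags inside an image) and deliberately leaves alone a theme file that calls base64_decode for a legitimate reason. The patterns and sample files are assumptions made for the example.

```python
"""Added example (not part of LIME Security): a heuristic scan for the kind of
disguised malicious code the section describes. It is a signature check, not a
substitute for a scanner backed by antivirus engines; the patterns and the
sample files below are constructed for the example.
"""
import re

# Patterns common in PHP backdoors. Each is named so a report can say why a
# line was flagged.
SIGNATURES = [
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval-of-request",
     re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request-to-shell",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    # preg_replace with the /e modifier executed the replacement as PHP code.
    ("preg-replace-e",
     re.compile(r"preg_replace\s*\(\s*(['\"])(.).*?\2[a-zA-Z]*e[a-zA-Z]*\1")),
    # A long base64 literal is how payloads are usually hidden.
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def scan_source(path, text):
    """Return [(signature, line_number)] for every suspicious line in one file."""
    findings = []
    is_php = path.lower().endswith(PHP_EXTENSIONS)
    for lineno, line in enumerate(text.splitlines(), 1):
        # PHP code inside an image or other non-PHP file is a classic dropper.
        if not is_php and ("<?php" in line or "<?=" in line):
            findings.append(("php-in-non-php", lineno))
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; returns {path: findings}."""
    return {path: scan_source(path, text) for path, text in files.items()}


# Constructed sample site: one clean theme file that legitimately calls
# base64_decode (must not be flagged), and three planted files.
SAMPLE_FILES = {
    "wp-content/themes/mytheme/functions.php":
        "<?php\nadd_action('init', 'my_init');\n"
        "function my_init() { return base64_decode('aGVsbG8='); }\n",
    "wp-content/uploads/2024/shell.php":
        "<?php\n$k = 'SGVsbG8=';\neval(base64_decode($_POST['p']));\n",
    "wp-content/uploads/2024/avatar.jpg":
        "GIF89a\n<?php system($_GET['cmd']); ?>\n",
    "wp-includes/helper.php":
        "<?php\n$payload = \"" + "QUJD" * 60 + "\";\n"
        "preg_replace('/.*/e', $payload, '');\n",
}


def demo():
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings or "clean")
```

Treat hits as leads for review rather than as verdicts: legitimate plugins also use base64 and, occasionally, eval, and a scan like this is easily evaded by splitting strings or using variable functions. That is exactly why the section pairs it with file change detection (which catches the new or altered file regardless of its contents) and with scanners that draw on many engines.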