All websites are prone to cyber-attacks from hackers attempting to take control of website resources and users' data. Most attacks are financially motivated: hackers either try to gain access to people's banking details or make website owners pay a ransom.
This underlying cyber security threat calls for drastic measures to protect websites and their users from unscrupulous web users. One of the most attacked web resources is WordPress. WordPress is an open-source content management system –CMS– suitable for building and hosting websites. It is a free CMS written in PHP, combined with MySQL or MariaDB, that supports HTTPS.
According to HubSpot, WordPress accounts for 43.2% of all websites on the internet. This marks an increase from the over 455 million websites reportedly using WordPress in 2021, at 39.5%. In 2021, Wordfence blocked billions of password attacks and reported hundreds of weaknesses. These attacks and weaknesses don't mean WordPress is becoming less secure; they simply show how negligent and security-unconscious some users are.
A hacked WordPress website lets hackers steal users' log-in IDs and passwords and causes significant damage to businesses and their reputations. Aside from human error, WordPress has always been a target for exploits, such as the attack on GoDaddy-managed WordPress users, where the attacker remained undetected for two months.
There are various security measures to safeguard a WordPress site; below are a few tips that could protect your WordPress website:
Use Reliable, Safe, and Quality Hosting
Most people think their hosting is reliable until proven otherwise; you don't have to wait for a security breach before moving your websites to a reliable hosting company. Hosting companies do not offer equal service in reliability, speed, security, and so on. Some hosts offer little in the way of security, which makes cyber-attacks easier and results in poor performance and perpetual downtime. Since you can't make your host offer quality service, your safest option is to move to a more secure host. Good hosting usually costs more, though pocket-friendly options exist.
Restrict all Hotlinking
Hotlinking means linking to a file hosted on another website instead of downloading it and hosting it on your own website with proper attribution. Images are the most commonly hotlinked files, but other digital files such as animations and audio can be hotlinked too. It is done by using the file's URL to display the file on your website; in that case, the file appears on your site while being served from another website's server.
The same can happen to your website. The problem is that others hotlinking files from your website steals your server's bandwidth, resulting in sluggish loading speed and possibly higher server costs. So, to safeguard your WordPress website, consider restricting or preventing all forms of hotlinking.
Secure your wp-config.php File
Your wp-config.php file stores essential information about your WordPress installation, which is why it is the most critical file in your site's root directory. Securing it protects the foundation of your WordPress site and makes it harder for hackers to breach your website, since they can't access the file.
To secure this file, you can move it one level above your root directory, where it is outside the web root but WordPress will still find it. This is possible because WordPress also looks for its configuration file in the directory directly above the installation.
Block File Editing
Any user with admin access to your WordPress dashboard can edit your site's plugin and theme files from the dashboard. But if you disallow file editing, no one will be able to edit those files from the dashboard, not even a hacker who gains admin access.
To do this, add the following line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
Carefully configure your directory permissions
In a shared hosting environment, poor directory permissions can be disastrous. Adjusting your file and directory permissions is a wise way to secure your website at the hosting level. The entire file system, including directories, subdirectories, and individual files, is protected by setting directory permissions to "755" and file permissions to "644".
This can be done either from the terminal with the "chmod" command (connected over SSH) or manually using the File Manager in your hosting control panel.
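As an added example (not from the original article), the following POSIX shell functions apply the 755/644 scheme described above to a WordPress tree and audit it for directories or files that deviate; the function names and the constructed sample tree are assumptions of this example.

```shell
# Added example, not part of the original article. Applies the article's
# 755 (directories) / 644 (files) scheme to a WordPress installation and
# audits for deviations. Needs only POSIX find(1), chmod(1) and mktemp(1).

# Set every directory under $1 to 755 and every regular file to 644.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print each path under $1 whose mode is not 755 (directory) or 644 (file).
# Prints nothing when the tree already matches the scheme.
wp_audit_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -perm 644 -print
}

# Build a small constructed WordPress-like tree with deliberately wrong
# modes (world-writable uploads, unreadable index.php), fix it, and return
# the number of deviations left afterwards as the exit status (expected 0).
wp_perms_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads" "$demo/wp-content/plugins"
    printf '<?php\n' > "$demo/index.php"
    printf 'x' > "$demo/wp-content/uploads/photo.jpg"
    chmod 777 "$demo/wp-content/uploads" "$demo/wp-content/uploads/photo.jpg"
    chmod 600 "$demo/index.php"

    echo "Deviations before fix:"
    wp_audit_perms "$demo"
    wp_fix_perms "$demo"
    remaining=$(wp_audit_perms "$demo" | wc -l | tr -d ' ')
    rm -rf "$demo"
    echo "Deviations after fix: $remaining"
    return "$remaining"
}
```

Point wp_audit_perms at your own document root first to see what would change before running wp_fix_perms on it.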
Use .htaccess to disable directory listing
Suppose you create a new directory on your website without placing an index.html file in it. In that case, you might be stunned to discover that your visitors can see a complete listing of everything in the newly created directory.
To see everything in a directory named "statistics," your visitors only need to enter the address http://www.instance.com/statistics/ into their browser. No password is required. This can be forestalled by adding the following line to your .htaccess file:
Options All -Indexes
Recognize DDoS attacks and take precautions against them
A DDoS –Distributed denial-of-service– attack is a malicious attempt to interrupt the regular traffic of a network resource or machine by making it unavailable to its intended users. It is usually done by flooding the target with internet traffic.
To compromise your website, a DDoS attack employs numerous programs and systems to saturate your server's bandwidth. Although it poses no threat to your website's files, it can take your website down if not dealt with. DDoS attacks are not limited to large companies; they threaten the entire web space. Meanwhile, there are web services that repel such attacks if you subscribe to their premium plans for maximum protection against DDoS.
Use 2FA for your WordPress security
Two-factor authentication –2FA– on your log-in page helps protect your website. 2FA requires you to prove your identity through two factors that you define. Your 2FA might be a regular password paired with a secret code or question, a set of characters, or the Google Authenticator app.
Use your email address to log in instead of your username
Since a WordPress user account is created with an email address, logging into WordPress with your email address is more secure than using a username, because usernames are easier for attackers to guess than email addresses.
Rename your Log-in URL to safeguard your website
Now that you've switched your log-in from username to email to forestall log-in attempts based on a Guess Work Database –GWDb–, you can also change your log-in URL to reduce your exposure to brute-force attacks. WordPress log-in pages are easily reached by appending wp-login.php or wp-admin to the site's main URL, which also makes it easy for cybercriminals to brute-force them.
If you change your log-in URL, only you or whoever has the correct URL can reach your log-in page. You can change it with reliable plugins by installing, activating, and configuring the plugin of your choice. iThemes Security Pro and WPS Hide Login are notable examples, among others.
Change your password at random intervals and use a password manager
Another way of safeguarding your WordPress website is to change your password at random intervals. As you do so, strengthen it by adding more words, numbers, or characters to increase its length.
This increases the password's sample space and entropy, making it harder and slower to crack. Changing passwords at random and remembering the current one out of the pool of old passwords can be arduous, so a reliable password manager comes in handy. Password managers can generate strong passwords for you and store them in their vault, saving you the trouble of remembering the correct password.
Examples of reliable password managers are RoboForm, 1Password, LastPass, Keeper, Bitwarden, NordPass, Dashlane, and so on.
Create a lockdown for failed log-in attempts and ban users
Persistent brute-force attempts can be repelled with a lockdown feature for failed log-in attempts. Whenever an attacker repeatedly tries to log in with the wrong password, they'll be locked out, and you'll be alerted to the activity. iThemes Security offers this feature, allowing you to configure the number of failed attempts after which the attacker's IP address is banned.
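Beyond a plugin, you can spot the repeated failed log-ins this section and the brute-force section above describe in your web server's access log. The following shell/awk function is an added example (not from the article): it counts, per client IP, POST requests to wp-login.php answered with HTTP 200 (a failed WordPress log-in re-renders the form with 200, while a successful one redirects with 302) and flags any IP at or above a threshold; the function name is mine and the log lines are constructed, using RFC 5737 documentation addresses.

```shell
# Added example, not part of the original article. Flags client IPs that
# repeatedly fail to log in, using only a common/combined-format access log.
# A failed WordPress log-in re-renders wp-login.php with status 200; a
# successful one answers with a 302 redirect, so counting
# "POST /wp-login.php" + 200 per IP approximates failed attempts.

# Usage: flag_login_bursts THRESHOLD < access.log
# Prints "ip count" for every IP with THRESHOLD or more failed attempts.
flag_login_bursts() {
    threshold="$1"
    awk -v t="$threshold" '
        # Common log format fields: $1 client IP, $6 "METHOD, $7 path,
        # $9 status code.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort
}

# Constructed sample log: one host hammering the log-in form, one user who
# fails twice, and one user who logs in successfully (302) after a GET.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/May/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/May/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/May/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/May/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/May/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
192.0.2.5 - - [10/May/2023:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
192.0.2.5 - - [10/May/2023:12:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
198.51.100.24 - - [10/May/2023:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4180
198.51.100.24 - - [10/May/2023:12:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF
)

# Run the detector over the sample with a threshold of five attempts;
# only 203.0.113.7 (six failures) is reported.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_login_bursts 5
```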
Log out idle users from your website automatically
A considerable threat to WordPress security comes from users who leave the wp-admin page of your website open on their devices. Any passer-by can modify user accounts, alter information on your website, or even break your website. This can be forestalled by ensuring that your site logs users out after a specified idle time.
This can be achieved with the BulletProof Security plugin, which lets you configure a time limit after which idle users are promptly logged out.
Conclusion
Safeguarding your WordPress website shouldn't be underestimated. No proactive measure is too much when keeping your site safe. Aside from the measures highlighted above, there are other ways to safeguard your website via your admin dashboard, which attackers always target. Examples of such measures include:
Safeguard the wp-admin directory with two passwords: one for the log-in page and the other for the WordPress admin section.
Use Secure Sockets Layer –SSL– to encrypt your data in transit between a user's browser and the server.
Back up your website regularly.
Keep WordPress updated to the latest version.
Scrutinize your audit logs for unapproved changes.
Use a strong password to secure your database.
Change your WordPress database table prefix to something other than the default wp_.