Thought it was apt to make my second blog post about something I have just done myself. Let's go over how to secure your own WordPress site in 9 easy, free steps. If you haven't seen my first post, check it out here – https://blueteamblog.com/lets-talk-about-working-from-home-securely

Before we get into it, let me explain why this is so important. Around 90,000 WordPress sites are hacked every day. This leads to sites being taken offline, having information stolen and costing their owners large sums of money to fix. Luckily, it is easy to set up a site so that it is far less likely to be hacked or to have any other security issues – let's secure your WordPress site!

1. WORDFENCE SECURITY

First off, we want to install the Wordfence Security plugin – to do this, go to Plugins, Add New and search for Wordfence Security, then install and activate. The tool will take you quickly through the setup process.

Wordfence provides you with a web application firewall, malware scanner and brute force protection. It checks your site for vulnerabilities and pending updates, and scans your files to make sure everything is secure.

2. SET UP SSL WITH SSL ZEN

Quick note – if your hosting provider has already given you an SSL certificate, set it up instead using https://en-gb.wordpress.org/plugins/really-simple-ssl/

Next up, making your site run on HTTPS. This ensures any data sent to or from your site is encrypted in transit. SSL ZEN is a free plugin which lets you set up an SSL certificate in three easy steps. Go to Plugins, Add New and search for SSL ZEN, then install and activate. Follow their step-by-step process and you will be done in no time.

3. STOP SPAM COMMENTS WITH ANTISPAM BEE

Spam comments can make your website or blog look messy and unprofessional. This can be fixed in a few clicks by installing Antispam Bee. Antispam Bee has a lot of in-depth features which you can see on their site, but the main point of the plugin is to block spam comments. Follow the same steps as before – go to Plugins, Add New and search for Antispam Bee, then install and activate. It requires no setup, but you can go into the settings and configure things such as stricter blocking and notifications.

4. TWO FACTOR AUTHENTICATION USING 2FAS LIGHT

The most important thing to secure on your WordPress site is your admin panel, since so much can be changed from it. An important step here is setting up two factor authentication for logging into the admin panel. To do this, install 2FAS Light – Google Authenticator. After installing it using the same steps as before, you will also need Google Authenticator installed on your phone or in your browser. Once this is done, go to the plugin settings and follow the 2 easy steps, and you will have 2FA enabled on your site.

5. BRUTE FORCE PROTECTION WITH LIMIT LOGIN ATTEMPTS RELOADED

WordPress by default allows unlimited login attempts, whether through the login page or by sending specially crafted cookies. This is really bad, as it makes brute force attacks easy to carry out.

I recommend installing the Limit Login Attempts Reloaded plugin as it provides great protection against brute force attacks. Other plugins mentioned here also provide this sort of protection, but this one does it in a better, more granular fashion. There is no setup required for it to work, however you can modify the thresholds if you like.
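To show the idea behind this step, here is a minimal must-use plugin that counts failed logins per client address with WordPress transients and refuses further login attempts after a threshold. This is example code written for this post, not the Limit Login Attempts Reloaded code; the threshold and lockout values are assumptions, not the plugin's defaults.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (illustrative example)
 * Description: Added example of the idea behind step 5. Drop into
 *              wp-content/mu-plugins/ to load it as a must-use plugin.
 */

// Assumed thresholds for the example (not the real plugin's defaults).
const LAL_MAX_ATTEMPTS = 5;                        // failures before lockout
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;   // window in which failures are counted
const LAL_LOCKOUT      = 20 * MINUTE_IN_SECONDS;   // how long a lockout lasts

function lal_client_key(): string {
    // Key attempts by remote address. Behind a reverse proxy you would have to
    // use the proxy's forwarded header instead, and only if you trust the proxy.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_' . md5($ip);
}

function lal_record_failure($unused = null): void {
    $key   = lal_client_key();
    $count = (int) get_transient($key . '_n') + 1;
    set_transient($key . '_n', $count, LAL_WINDOW);
    if ($count >= LAL_MAX_ATTEMPTS) {
        // Store the lockout expiry time; the transient expires with it.
        set_transient($key . '_lock', time() + LAL_LOCKOUT, LAL_LOCKOUT);
        delete_transient($key . '_n');
    }
}

// Count failed form and XML-RPC logins ...
add_action('wp_login_failed', 'lal_record_failure');
// ... and forged or invalid authentication cookies, the second vector mentioned above.
add_action('auth_cookie_bad_hash', 'lal_record_failure');
add_action('auth_cookie_bad_username', 'lal_record_failure');

// Runs after WordPress's own credential check (priority 20) so that a lockout
// overrides even a correct password while the lockout is active.
add_filter('authenticate', function ($user, $username, $password) {
    $until = get_transient(lal_client_key() . '_lock');
    if ($until && $until > time()) {
        $mins = (int) ceil(($until - time()) / 60);
        return new WP_Error('lal_locked', sprintf('Too many failed logins. Try again in %d minutes.', $mins));
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(lal_client_key() . '_n');
});
```

Transients live in the options table (or the object cache), so the counters survive across requests without any extra storage; the real plugin adds per-username tracking, allow/deny lists and notifications on top of this basic pattern.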

6. ITHEMES SECURITY

iThemes Security is a fantastic security plugin for WordPress. It provides many features similar to Wordfence, which is already installed, but it is still worth installing for its “Obscure” feature. This feature hides common WordPress security weak points, preventing attackers from learning too much about your site and steering them away from sensitive areas such as your site's login and admin pages.

7. AUDIT YOUR SECURITY USING WP HARDENING

WP Hardening is the final plugin we want to install.

This plugin does a real-time security audit of your site and gives a one-click option to fix any problems it finds. After the previous 6 steps, the number of things this plugin finds will be minimal, however it may still find some issues. Simply install it, run it and click through any changes it recommends. Once you are done with it, this plugin can be disabled or deleted.

8. SET UP BACKUPS USING UPDRAFT PLUS

In case your site does have any issues, it is extremely important that you have backups. These are easy to set up using UpdraftPlus. Install and activate this plugin and then connect it to your favourite storage medium. Google Drive provides 15 GB of storage for free and can be connected in a few clicks. Once you have done this, go into the plugin's settings and you can set how many backups you want kept and when you want them made, among various other options.

ONGOING SECURITY


After completing those 8 steps, your WordPress site will now be very secure. However, there is still 1 more thing you need to do on an ongoing basis to ensure your site stays secure.

9. KEEP UPDATING REGULARLY

Many hacked WordPress sites were compromised because they were running an out-of-date WordPress version or out-of-date plugins – don't let this be you. Earlier on we installed Wordfence – this will alert you within the plugin any time a plugin, or WordPress itself, needs to be updated. You can also see whether plugins require updates on the Plugins page itself.

Well done – your WordPress site is now secured properly. If you have followed all these steps you will now have:

  • A web application firewall
  • Various malware scanners
  • Brute force protection
  • Protection against spam comments
  • A working SSL certificate
  • A working backup solution
  • All common WordPress vulnerabilities addressed
  • Various other features to protect your site

I hope you enjoyed the post. If you have any issues with the above steps, please contact me at https://blueteamblog.com/contact-me and I will happily assist you.

If you want to be kept up to date with cyber security, subscribe to my newsletter – https://blueteamblog.com/newsletter
