Preventative tips and tricks
These tips will help you avoid the headache of a hacked site
Disclaimer:
If you’re not comfortable dealing with code and servers, we recommend having a professional do this for you.
Enforce strong passwords
WordPress core shows a password strength meter but does not enforce a minimum strength by default, so customise the user options (via a security plugin or your own code) to require every role to set a strong password. Your site is only as secure as the weakest user password, and without enforcement you are gambling that every user chooses well.
Ban users that attempt to log in as ‘admin’
Automated attacks routinely try the username ‘admin’ (the default on older WordPress installs) when guessing login details. Make sure no legitimate account uses that username, then block any source that attempts it: a login attempt for an account that does not exist on your site can only be hostile.
Ensure plugins are updated regularly
Plugin authors routinely release updates that include security patches and fixes. Keep plugins up to date, because public changelogs and vulnerability disclosures double as a “how to” guide for attacking sites that have not yet applied the fix, and exploitation of a disclosed plugin flaw often begins within days. The same applies to themes and to WordPress core, and plugins you no longer use should be removed rather than left installed but deactivated, since their files remain reachable over the web. At Protect WordPress we update our clients’ plugins daily to keep this exposure to a minimum.
Use Two-Factor Authentication
Two-Factor Authentication has become the standard for login security. In addition to a strong password, a one-time code, derived from a secret shared with the user’s device and valid only for a short time window, must be presented to gain access. Authenticator apps (TOTP) and hardware keys are the strong options; codes delivered by email or SMS are better than nothing but fall if the mailbox or phone number is taken over. Two-factor authentication defeats password reuse and guessing, but it does not stop an attacker who steals a logged-in session cookie or exploits a vulnerable plugin, so it complements the other measures on this page rather than replacing them.
Use 404 protection
404 detection watches for a client that requests a large number of non-existent pages, and so triggers a large number of 404 errors, in a short period. The assumption is that such a client is scanning for something (usually a vulnerable plugin, theme or leftover backup file) and it is locked out once a threshold is reached. Set the threshold high enough that a visitor following a few broken links, or a search engine crawler re-checking old URLs, is not caught, and exempt your own IP addresses.
Where applicable utilise ‘Away Mode’
Most sites are only edited at certain times of the day, so there is no need to expose the WordPress dashboard 24 hours a day, 7 days a week. ‘Away Mode’ disables access to the dashboard for a specified period, limiting the window in which an attacker can make use of stolen credentials. Check that the schedule is set in the site’s timezone, and keep a non-web route in (SFTP or WP-CLI) so you can lift it if you lock yourself out.
Use an IP Blacklist
At Protect WordPress we develop and maintain a large blacklist of known malicious sources that are blocked from accessing our sites by banning their IP addresses. This stops some of the most prolific and common attackers before they reach your site at all. Treat it as a first filter rather than a complete defence: attackers rotate through proxies and compromised hosts, and a shared or dynamic address on the list can block a legitimate visitor, so the list needs maintaining and works best alongside the rate limits described below.
Protect against ‘Brute Force’ attacks
Given unlimited time and an unlimited number of password attempts, an attacker would eventually get into your site. This method, known as a brute force attack, is something WordPress is acutely susceptible to by default because core places no limit on login attempts: it will always let you try again. Enabling login limits bans the originating host once a specified number of failed logins has been reached. Make sure the limit also covers xmlrpc.php, which accepts the same credentials (and, through system.multicall, can test many passwords in a single request); otherwise the attacker simply bypasses the login form.
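The 404 detection and login limits described in the two sections above are the same mechanism: a per-source-IP count over a sliding time window, with a ban once a threshold is crossed. The detector below runs that logic over web server access log lines. It is example code added for this article, not taken from any plugin, and the log lines are constructed (the thresholds and window lengths are assumptions to tune for your traffic). One WordPress-specific detail it relies on: a failed login is a POST to wp-login.php answered with HTTP 200 (the form is re-rendered with an error), while a successful one is answered with a 302 redirect to the dashboard.

```python
"""Per-source-IP threshold detection over Apache/nginx combined access
logs: the logic behind '404 detection' and login-attempt limits.
Example code added for this article, not from any plugin. All log lines
below are constructed; thresholds and windows are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Combined log format prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?")[0], "status": int(m["status"])}


def is_not_found(ev):
    return ev["status"] == 404


def is_failed_login(ev):
    # WordPress re-renders wp-login.php with HTTP 200 on a bad password;
    # a successful login answers with a 302 redirect instead.
    return (ev["method"] == "POST" and ev["path"].endswith("/wp-login.php")
            and ev["status"] == 200)


# rule name -> (predicate, threshold, window in seconds)   (assumed values)
RULES = {
    "404-scan": (is_not_found, 20, 60),
    "login-bruteforce": (is_failed_login, 5, 300),
}


def detect(lines, rules=RULES, allowlist=()):
    """Replay log lines in order; return {ip: (rule, time of ban)}."""
    hits = {name: defaultdict(deque) for name in rules}
    bans = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ip"] in allowlist or ev["ip"] in bans:
            continue
        for name, (matches, threshold, window) in rules.items():
            if not matches(ev):
                continue
            q = hits[name][ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                bans[ev["ip"]] = (name, ev["ts"])
                break
    return bans


# ---- constructed sample log -------------------------------------------
BASE = 1_700_000_000  # arbitrary epoch base time for the sample


def _line(ip, t, method, path, status):
    stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_EVENTS = sorted(
    # a scanner probing for plugin readme files, one request per second
    [("203.0.113.10", BASE + i, "GET", f"/wp-content/plugins/old-{i}/readme.txt", 404) for i in range(25)]
    # a password guesser hitting the login form every 10 seconds
    + [("198.51.100.7", BASE + 10 * i, "POST", "/wp-login.php", 200) for i in range(8)]
    # a legitimate user: one typo, then a successful login
    + [("192.0.2.5", BASE + 5, "POST", "/wp-login.php", 200),
       ("192.0.2.5", BASE + 20, "POST", "/wp-login.php", 302),
       ("192.0.2.5", BASE + 21, "GET", "/wp-admin/", 200)]
    # a crawler re-checking three dead URLs fifteen minutes apart
    + [("203.0.113.9", BASE + 900 * i, "GET", f"/missing-{i}", 404) for i in range(3)],
    key=lambda e: e[1],
)
SAMPLE_LOG = [_line(*e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ip, (rule, when) in detect(SAMPLE_LOG).items():
        print(f"ban {ip}: {rule} at {datetime.fromtimestamp(when, tz=timezone.utc)}")
```

The allowlist is where your own office and monitoring addresses go; without it, a mistyped password during a rushed deployment locks you out of your own site. Feeding the bans to the firewall rather than to PHP is preferable, since a banned client then costs no application resources at all.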
Take regular backups
Even with all the security best practices in place you are never going to be 100% safe from a committed hacker. That’s why you need regular backups, stored somewhere the web server cannot overwrite or delete (an attacker who gets into the site can otherwise wipe them too) and restored on a test site every so often to prove they work. At Protect WordPress we back up our clients’ sites daily to keep data loss to a minimum.
Install a file change detection system
Even the best security solutions can fail, so how do you know if someone gets into your site? They will change something. File change detection records a fingerprint (a cryptographic hash) of every file in your WordPress installation and alerts you when a file is added, removed or modified by anyone other than yourself or another legitimate user. Take the baseline immediately after an update, exclude cache directories that change constantly, and keep the baseline outside the web root so an intruder cannot edit it to match their changes. WordPress core and repository plugins can also be checked against the official checksums with WP-CLI (wp core verify-checksums and wp plugin verify-checksums).
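A minimal baseline-and-compare detector of the kind described above, as an example added for this article rather than any plugin’s implementation. It hashes every file under a web root, stores the manifest outside that root, and reports additions, removals and modifications; the directory tree in demo() is constructed in a temporary directory, and the excluded directory names are an assumption.

```python
"""Baseline-and-compare file change detection for a web root.
Example code added for this article, not a plugin's implementation.
The WordPress-like tree in demo() is constructed in a temp directory."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories whose contents churn constantly and would only produce noise
# (assumed list; extend for your own cache or log locations).
EXCLUDE_DIRS = {"cache", ".git", "node_modules"}


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file's path (relative to root, POSIX form) to its hash."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]  # prune walk
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Content hashes, not timestamps: touching a file to restore its
    mtime does not hide a modified webshell from this comparison."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a small site, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "cache").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'secret');\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (root / "wp-content" / "cache" / "page.html").write_text("cached copy")

        # The baseline lives beside, not inside, the web root.
        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulated intrusion: config edited, webshell dropped, a file deleted,
        # plus harmless cache churn that must not show up in the report.
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'secret');\ninclude '/tmp/x';\n")
        (root / "wp-content" / "uploads" / "shell.php").write_text("<?php system($_GET['c']);\n")
        (root / "index.php").unlink()
        (root / "wp-content" / "cache" / "page.html").write_text("regenerated")

        return diff_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production, run build_manifest from cron or a WP-CLI hook, keep the baseline file readable only by the user that runs the check, and regenerate it as part of every deliberate update so the next report shows only what you did not do yourself.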
Hide the WP login area
By default the WordPress login form lives at /wp-login.php, and /wp-admin/ redirects there when you are not logged in. Every attacker and scanning bot knows this, so the login page receives constant automated attention. Moving it to a non-standard location means generic bots cannot even find the “door” to your site, which cuts attack noise dramatically. Treat this as a layer rather than a lock: the new path is not a secret from anyone who can observe a legitimate login, and xmlrpc.php and the REST API still accept credentials unless you restrict them, so keep the login limits and two-factor authentication in place as well.
Restrict your login area to specific countries
Chances are your site admin area will be accessed primarily from a handful of countries. Restricting the login area to those countries removes a large share of automated attempts. Geo-IP data is approximate and attackers routinely route through proxies or VPNs inside the target country, so use it alongside login limits and two-factor authentication rather than instead of them, and keep a non-web route in (SFTP or WP-CLI) in case your own address is mis-located. The same method can also be used to block irrelevant countries from the front end of your site, which, besides the security benefit, can drastically reduce spam enquiries and comments.
Use Malware Scanning
Compromises are not always obvious; a small snippet of malicious code injected into a theme file, a plugin or the database can easily go unnoticed. That’s why you must have a malware scanner scheduled to check your site regularly for files and content that do not belong. Failing to do this can leave your site serving spam or malware to visitors without your knowledge, and can result in blacklisting by search engines such as Google, which is far more visible to your visitors than it is to you.
Lockdown important files
Site configuration files, above all wp-config.php, rarely need to be modified after setup, and they hold the database credentials and authentication salts, so an attacker who can read or alter them owns the site. Once the site build is complete, deny web access to these files entirely, set file permissions so the web server user can read but not write them, and make sure no editor or backup copies (wp-config.php.bak, wp-config.php~ and the like) sit in the web root, where most servers will happily serve them as plain text.
Disable PHP in uploads
If your site lets users upload files, make sure PHP cannot execute in the upload destination (wp-content/uploads). Otherwise an attacker who manages to get a .php file past the application’s checks, or a file WordPress accepts that the web server nevertheless treats as PHP, has a web shell, and from there access to the rest of your site and potentially the server. The goal is to prevent execution rather than upload: if the directory refuses to run scripts, a bypassed file-type check still leaves the attacker with nothing more than a file they cannot use.
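The two measures above (locking down wp-config.php, and disabling PHP under uploads) are both web server configuration. The fragments below are an example added for this article, not rules shipped by any plugin; they assume Apache 2.4 syntax with AllowOverride permitting these directives in .htaccess files (on Apache 2.2 the equivalent is Deny from all). The list of extensions is a reasonable assumption, not an exhaustive one.

```apache
# ---- Root .htaccess (web root of the WordPress install) -------------------
# wp-config.php holds the database credentials and the authentication
# salts; .htaccess holds these very rules. Neither should ever be served.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# Editor and backup copies of the config are served as plain text unless
# blocked, and are a classic way the database password leaks.
<FilesMatch "^wp-config\.php(~|\.(bak|old|orig|save|swp|txt))$">
    Require all denied
</FilesMatch>

# ---- wp-content/uploads/.htaccess ----------------------------------------
# This directory must accept images and documents but never run scripts.
# The trailing (\.|$) also catches double extensions such as shell.php.jpg,
# which mod_mime treats as PHP when the handler is wired up via AddHandler.
<FilesMatch "\.(php|php[0-9]|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
```

nginx ignores .htaccess files entirely, so there the equivalent is a location block placed before the generic PHP handler, for example `location ~* ^/wp-content/uploads/.*\.php(\.|$) { deny all; }` and `location ~* /wp-config\.php$ { deny all; }` in the server block; whichever server you run, confirm the rule works by requesting a harmless test file such as uploads/test.php and checking that you get a 403 rather than executed output.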
Use an Isolated Server
If your hosting provider does not isolate accounts from one another, much of the above can be undone: a hacker who compromises someone else’s poorly secured site on the same server may be able to read your files, wp-config.php included, or escalate to server-level access. Ask your host how sites are separated (separate system users, separate PHP-FPM pools or containers, and no world-readable web roots). At Protect WordPress we can take care of your hosting and ensure your site is protected even from this kind of neighbour-to-neighbour infiltration.