Keeping WordPress Safe and Sound

Website Guidance for Keeping WordPress Safe and Sound

When it comes to website content management systems (CMS), WordPress is one of the most popular. This means there are plugins for almost anything and near enough every question has been asked and answered.

This does come with downsides, a key one being that it is a platform often targeted by individuals looking to either steal data, use the website for malicious purposes (e.g. sending spam) or both.

These attacks are typically automated: a program scans websites for known vulnerabilities and reports any it finds back to whoever launched it.

We defend against such attacks on a daily basis and they come from all over the world. From Turkey and Russia to China and beyond! If you see any of the developers pulling one of the following faces...

...it’s likely they are looking at the intrusion logs.

We thought we would share our top tips to help you stay safe and help make sure your WordPress website remains safe and sound.

1. Install a security plugin

The plugin we recommend is Wordfence. This plugin protects websites from a wide variety of vulnerabilities that are typically introduced by plugins and, on occasion, WordPress itself.

What’s particularly impressive about this plugin is that it aggregates information between all the plugin’s users to help provide a better defence. It’s free, easy to use and helps provide peace of mind.

2. Install a firewall

This can prove a little tricky depending on your hosting. However, we block all ports apart from HTTP (80) and HTTPS (443), and open up any others (e.g. SSH) only as and when needed.

These ports are like doors to the server running your website, so the fewer doors there are, the lower the risk of a break-in.

3. Isolate your site

At Thrive, each website has its own dedicated virtual server that scales according to the website’s needs. So there is no way a user from one website can access another, as they are on completely different systems.

It’s worth bearing in mind that the servers should be kept up to date and secure.

A way of visualising it is that each website is in its very own fortress... 

4. Disable XML-RPC

If your WordPress site does not use the XML-RPC API, it’s worth considering disabling it. It’s particularly vulnerable to brute-force attacks, which can overload servers and bring websites to a standstill.

It’s quite simple to do and if you’re using Nginx, the following configuration code will block it off.

## block any attempted XML-RPC requests
location = /xmlrpc.php {
    deny all;
}

For more information, please see this Wordfence blog post.
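As an added example (not code from the original post), here is a small Python script that runs over a few constructed Nginx access-log lines and shows two things the intrusion logs mentioned earlier can tell you: whether the deny rule above is working (every hit on xmlrpc.php should now be a 403), and which client addresses are repeatedly posting to xmlrpc.php or wp-login.php. The log lines, IP addresses and the threshold of three login POSTs are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample Nginx access-log lines (combined format), not real traffic.
# The 403s are what the "deny all" location block for /xmlrpc.php produces.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2018:10:02:10 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2018:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Matches the client IP, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")

def parse_log(text):
    """Yield (ip, method, path, status) for every line the regex understands."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])

def login_post_counts(text):
    """Count POSTs to the WordPress login endpoints per client IP."""
    counts = Counter()
    for ip, method, path, _status in parse_log(text):
        if method == "POST" and path in LOGIN_PATHS:
            counts[ip] += 1
    return counts

def xmlrpc_statuses(text):
    """Status codes seen on /xmlrpc.php; with the deny-all rule in place only 403 should appear."""
    return Counter(s for _ip, _m, path, s in parse_log(text) if path == "/xmlrpc.php")

def suspicious_ips(text, threshold=3):
    """IPs with at least `threshold` login POSTs (the threshold is an assumed, tunable value)."""
    return sorted(ip for ip, n in login_post_counts(text).items() if n >= threshold)

if __name__ == "__main__":
    print("login POSTs per IP:", dict(login_post_counts(SAMPLE_LOG)))
    print("xmlrpc.php statuses:", dict(xmlrpc_statuses(SAMPLE_LOG)))
    print("suspicious IPs:", suspicious_ips(SAMPLE_LOG))
```

On a live server you would feed it the real access log and pick a threshold that matches your traffic; a flagged address is a candidate for the firewall rules in tip 2, not proof of anything on its own.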

5. Add SSL

SSL is particularly important in protecting your visitors as it encrypts data between your site and the visitor’s computer. It’s vital for things like online shopping and securely delivering contact forms, so every site should have an SSL certificate.

Eventually, Google Chrome is going to flag sites that do not have SSL certificates in the following way:

[Image: Chrome’s warning for sites without an SSL certificate. Image Source: Cloudflare]

6. Take Backups

Murphy’s Law is a popular adage that in essence means “Whatever can go wrong, will go wrong”. So in case everything fails, make sure you have a backup plan: keep an offsite backup that you can restore from.

Hopefully, this provides an overview of some ways to help keep your site and visitors safe. The easiest to do is add the Wordfence plugin. However, if you’ve had a look and are not 100% sure, just let us know and the developers can double check for you... 
