A WordPress website is usually less secure as it is an open-source project. A single plugin like iThemes Security (or any other plugin) is even not enough for your website security.
How can a single plugin cover for an obvious username, a poor password, a poor hosting service or an outdated version of WordPress, themes & plugins?
When it comes to making our website secure, there are a couple of things that we must be proactive about. Here are some areas that definitely deserve some attention even with a premium security plugin.
WordPress site owners feel crushed even at the mention of automatic updates. This is sad as every new version covers the security loopholes form the previous versions. As a version becomes old, several of its vulnerabilities are exposed. Each new version introduces an advanced layer of security, covering all the lapses from the previous versions.
And unless you take the precaution of hiding your WordPress version, it can be found out easily by viewing your page source. An old version has known vulnerabilities and therefore using an old version is equal to inviting security breaches.
This doesn’t apply to the WordPress core only. This applies to all the plugins and themes that you use on your site. If you can’t update them yourself, you can go in for a managed hosting like the one offered by GoDaddy. With managed hosting, you don’t have to update manually. It is the hosting provider’s concern. Also, if certain plugins or themes seem dicey, you just can’t install them.
It’s convenient to think that updating each time a major version is released is enough. But minor releases are the ones that contribute to your site’s security and some bugs. Major versions generally introduce more functions while the minor releases often cover the vulnerabilities introduced in the major release or any others that come to the surface.
What about the zero day vulnerability?
A zero day vulnerability is a security loophole in a program that the programmer/vendor does not know about.
Remember the infamous episode of Sucuri exposing the recent MailPoet Security Lapse? This happens once in many cases, updating as soon as a new release is introduced is still the best option. And responsible authors immediately ship in a safe and secured version. MailPoet got especially lucky as no breaches were reported.
Your security plugin can seriously not do anything about this. I would like to mention the 2012 LinkedIn story. Remember how lots of LinkedIn accounts got hacked.
If you guessed that the top hacked password was the password “link”, then you are 100% right! Imagine so many people not doing any better than this for securing their most important professional profile. Some other interesting passwords included 123456 and the reverse of this string too!
Hackers are smart. Besides, with such out of the world and unimaginable passwords, I’m sure they may be having a really nice laugh about their victory!
I will admit that the password policies are definitely more strict now. You are now required to use numbers, special characters, mixed cases and more. But I am sure some of us will still find scope to be lazy with creating difficult passwords.
And I also wish that we were a tad more appreciative of the password strength meter that most responsible signup services use. Remember people, it’s not there for nothing.
While researching for this article, I came across a cool tool in a post by Christopher Ross. It is a nice password checker tool by Microsoft. You can feed your password to the tool and the tool will return its strength.
Obvious Login URLs
WordPress, by default, comes with login URLs like site.com/wp-admin.php or site.com/wp-login.php. Retaining the same URLs makes the hackers’ lives easy as they know exactly which page to attack.
Rename wp-login.php is a handy plugin that will help you cover this concern. Hiding the login page makes perfect sense as the hacker would have no idea about where to log in. This is an easy security measure and can really create cause some pains for hackers.
Limiting the number of login attempts
There’ s no point in allowing the unlimited number of login attempts. Not limiting the number of login attempts encourages Brute Force attacks as the hacker can try until he gets lucky. You must install a plugin like Login LockDown that helps in restricting the number of login attempts.
You can decide the period for which an IP should be blocked after a certain number of attempts.
If you want to further secure entering your website, then two-step authentication plugins can help you with this. You can use Google Authenticator on your site. With this plugin, each time a user tries to log in, a key is delivered over his phone. This ensures that only the legitimate and the doubly authenticated users can log in.
I think that the most popular keyword for hosting providers would be “cheapest hosting”.Because that’s what most people search for while selecting a hosting provider. Such hosting often provides poor or no security. If you have bought a shared hosting plan, then you have to share it with several other websites. If even one of them gets infected, there’s a complete probability of your site getting affected too.
Ideally, security should be one of the most important factors while selecting a hosting solution. You should also check if your hosting provider supports the latest PHP and MySQL versions. You must also understand your hosting provider’s capability in getting your site up and running in case of a breach.
Reputed hosting services backup your data regularly but this shouldn’t stop you from maintaining your own backup files.
Themes and Plugins
We absolutely love the WordPress repository for its free themes and plugins. But we often ignore the need to dig any information about the development team behind them. You must ensure that the theme or plugin that you are downloading and using on your site comes from a reputed developer. It is understood if you can’t manually look and scan through the complete code but there’s no excuse to not running it through some code scanners.
It’s best to stay away from plugins and themes that have not been updated for a long time. In the WordPress repository, you will see a notification if a product has not been updated for a significantly long period. Using such products is dangerous as they may contain several known security lapses.
To perform an even more exhaustive check over your complete site, you can use the Sucuri SiteCheck scanner. It checks your site for several things like malware, injected spam, blacklisting, and firewall settings.
To log into a site, you just need a username and a password. Unfortunately, we fall in love with the default user name “admin”. It’s no wonder that one of the most highly recommended security practices is to change the default user name. You must set it to something else.
Removing the admin account altogether is just as good.
On many occasions, we expose our user names unknowingly. Like if I post using my admin account, then my author page will show my user name.
With the exact user name, the hacker has only to get your password and then he’s all set.
You’ll eventually be sending and receiving files through your site. Switching from the standard FTP (File Transfer Protocol) to SFTP (Secured File Transfer Protocol) will make such transfers safer as your passwords will not be carried or stored in plain text. Using the SFTP protocol enables the encryption of your sensitive data.
Removing unwanted themes and plugins
You should check your site once in a while for disabled themes and plugins. There’s no point in retaining them since you are clearly not using them. Hackers often exploit the vulnerabilities present in your disabled themes and plugins.
People often ignore security audits. Security audit logs are the easiest ways to skim out all the unusual activities from within your site. WP Security Audit Log is a great plugin to maintain such log files. It monitors everything from user activities to your WordPress version. It also keeps a check on your plugins, widgets, and themes. Any modification in a user’s role is also reported.
It comes around as a handy security monitoring solution.