WordPress is still the tool of choice, especially for newcomers, for quickly putting together a respectable website.
Everything nice and point-and-click, so no expertise required 😉
Unfortunately, #InfoSec almost always falls by the wayside, and the “admins” then wonder about the new Russian language packs and the additional admin accounts.
Securing a WordPress website is not rocket science, so in the following I will explain how to spoil attackers' fun in 30 minutes 😉
#1 Updates
Not a quarter goes by without a WordPress update being released. Besides performance and usability improvements, these also patch security vulnerabilities. Miss an important update, as many admins did in February 2017, and you will quickly have uninvited guests in the backend.
#2 Theme and plugin choice (updates)
If possible, install plugins and themes only directly from the WP backend, i.e. from the so-called repository. Similar to the Google, Microsoft or Apple stores, these are checked at least superficially. If you install software from other sources, there is always the risk of installing additional “features” along with it.
Also pay attention to the update cycle of the theme or plugin you want. If a plugin has not received any updates for 3 years, better leave it alone (see #1).
To do this, first identify a theme you like and search for it on WordPress.
Then check the details for download numbers and how recent the last update is. The more users a theme has, the more likely security vulnerabilities will be detected, reported and fixed.
Check the same for plugins.
#3 Security Plugin
There are numerous security plugins for WordPress. I decided on “iThemes Security”. All the operations these plugins perform could also be done manually, but the target audience of this post will be glad to hear that we are not going to start with PuTTY and vi now 😉
After installing the plugin, important security settings are already set by default. Enter a valid e-mail address here and activate the brute-force protection so that you are informed of possible security events in a timely manner.
Additional settings that can be activated without hesitation and increase the security of your blog:
- 404 detection
Makes it harder for attackers to use automated tools.
- Away mode
If you are asleep (while other countries are just getting started), your backend does not need to be accessible.
- File change detection!
Should an attacker succeed in changing or adding a file on your site, you immediately receive a notification mail.
- Hide backend!
Security tools first scan for default settings and look for “/wp-login.php”, for example, to find your login. With this setting it becomes harder to find your login. Before you can enable it, you need to go into your WordPress settings (under “Tools” on the right) and set Permalinks to e.g. “Post name”. Afterwards this function can be activated in iThemes.
- Further optimisations
System optimisation:
- Non-English characters
- Long URL strings
- Suspicious query strings
- Search directories
- System files
WordPress optimisation:
- Comment spam
- XML-RPC (usually deactivate, as the note suggests)
- Login error messages
- Deactivate extra user archives
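The file change detection above is one of the things the author says you could also do by hand. As an added example (not iThemes Security's code and not from the original post), here is that check as a small POSIX shell script: record a baseline of SHA-256 hashes for the docroot once after setup, then compare against it from cron and report added, changed and removed files. It assumes GNU coreutils (`sha256sum`, `find`, `mktemp`) and awk, and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# File change detection done by hand, the way the plugin does it for you.
# Added example, not plugin code. Assumes GNU sha256sum, find, mktemp, awk.
# The manifest is a plain "sha256  ./path" list; keep it OUTSIDE the docroot,
# otherwise an attacker who can write files can also rewrite the baseline.

# Hash every regular file below DIR, sorted by path, written to stdout.
wp_hash_tree() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# wp_baseline DIR MANIFEST: record the known-good state right after setup.
wp_baseline() {
  wp_hash_tree "$1" > "$2"
}

# wp_check DIR MANIFEST: print ADDED/CHANGED/REMOVED lines, one per file.
# Empty output means the tree still matches the baseline.
wp_check() {
  current=$(mktemp)
  wp_hash_tree "$1" > "$current"
  # The path is everything after the 64 hex chars and two spaces, so file
  # names containing spaces survive. FILENAME == ARGV[1] selects the manifest.
  awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
       { cur[substr($0, 67)] = $1 }
       END {
         for (p in base) if (!(p in cur)) print "REMOVED " p
         for (p in cur) {
           if (!(p in base)) print "ADDED " p
           else if (cur[p] != base[p]) print "CHANGED " p
         }
       }' "$2" "$current" | LC_ALL=C sort
  rm -f "$current"
}

# Usage (placeholder paths), e.g. hourly from cron, mailing any non-empty report:
#   wp_baseline /var/www/html /var/backups/wp.manifest   (once, after setup)
#   wp_check    /var/www/html /var/backups/wp.manifest   (from cron)
case "$1" in
  baseline) wp_baseline "$2" "$3" ;;
  check)    wp_check "$2" "$3" ;;
esac
```

Re-run `wp_baseline` after every legitimate update, otherwise the next check reports the update itself as changes.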
#4 Backups
Make backups after your initial setup and after every major change. That means the WordPress files AND the database.
This backup can save your life in two situations:
- An update or a misconfiguration breaks the site.
- An attacker has broken in.
#5 The password
The most secure system won't help if the credentials are bad (admin:password01?). Either you use a password manager (post to follow) or you use my password help 😉
#6 SSL/TLS certificate
Invest the 20 euros a year for an SSL/TLS certificate. This has several advantages:
- Your access data is no longer sent over the network in clear text.
- Google ranks https pages better.
- It looks more professional to clients.
At this point, any number of further measures, and especially server-side security, could be listed. However, these should be chosen based on a risk analysis. With the steps explained here you can protect your blog from 90% of the automated attacks, or at least make life harder for attackers 😉 If you need further protection, use a lot of dynamic content, or run a different CMS or none at all, don't hesitate to contact me!
Have fun hardening!