In 2021 we’re bound to see heightened online activity around the world, thanks to the restrictions that have been imposed on offline gatherings and travel. Shopping and banking, for example, are a couple of activities that have manifested increased online activity than usual. While it’s incredibly convenient to be able to access shopping and banking channels online in such a time of need, unfortunately this makes them more susceptible to cyber threats. And because both these activities involve finances and sensitive customer data, e-commerce and banking sites are juicy targets for hackers and cyber thieves. Even if you’re not running a shopping or banking website it’s still a good idea to stay updated with security measures to keep your website safe. So we’ve put together a set of guidelines for you to secure your WordPress site in 2021.
If you’re hosting your WordPress site with us you can also go ahead and check out the ithemes security pro plugin that we offer for FREE.
Table of contents
#1 Why you should secure your WordPress site
#2 Security tips to keep your WordPress site safe in 2021
#3 Brute force attacks: Secure your WordPress login page
#4 Securing your WordPress against backdoors
#5 Preventing Cross-site scripting (XSS) on your WordPress
#6 Securing your WordPress site from DDoS attacks
#7 General WordPress security tips
#8 Curious to learn more? Check out these amazing related posts
Why you should secure your WordPress site
Statistics reveal that 8% of WordPress sites fall victim to hackers thanks to weak passwords, while 61% get infected because they’re out of date. In addition to this, 52% of attacks also occur due to fake and risky plugins. While these are some of the most popular WordPress security threats there are a lot of others that can victimize your website. You can also get a real time view of all the website attacks happening around the world with this live cyber threat map or Fortinet’s Threat Map. For now we’ll dive a little deeper into some of the most common WordPress attacks.
#1 Brute force
Most amateur hackers use brute force login attempts to exploit your WordPress password and break into your site. This is a very basic breaching attack but a lot of website owners fail to secure their login page sufficiently. So it’s also a very common threat that manages to pray on quite a number of new website owners. In this blog post we’ve discussed multiple ways in which you can secure your login page to avoid these attacks.
Backdoor vulnerability is a WordPress security threat which gives hackers the ability to bypass encryptions and enter your website through hidden passages. Through backdoors, hackers are able to cause harm to your server with cross-site contamination which endangers all sites hosted on the same server. 2019 statistics revealed that backdoors have been found on two-thirds of all hacked WordPress sites. Backdoors typically try to enter WordPress databases by exploiting faults and bugs. So it’s important to keep your WordPress updated.
#3 Cross-site scripting
This attack involves an attacker injecting malicious script into your website or web application. Through this attack, they can send malicious code to the end-user in order to steal browser session data. According to statistics in 2019 around 40% of all cyber attacks in companies across Europe and North America were cross-site scripting attacks.
#4 DDoS attacks
DDoS attacks are the most dangerous when it comes to WordPress security threats. Hackers exploit nulled themes/plugins, bad SQL queries etc. to overwhelm the website with traffic and cause the server to eventually crash. These attacks are carried out with the intention of rendering a website useless and disrupting its services.
Security tips to keep your WordPress site safe in 2021
There are many methods by which you can secure your WordPress site. In this blog post we’ll be outlining how you can defend your website against each of the above threats. In addition to this, we will also be talking about a few reliable free and paid plugins to be used instead of suspicious and risky ones.
#1 Secure your WordPress login page from brute force attacks.
1- Use WPS hide login
WPS Hide Login is a plugin that can be used to create a hidden secret login page so that hackers won’t be able to hack into your WordPress site with password guessing attacks. Password guessing, or brute force attacks are among the most popular WordPress hacking attacks and hence hiding your login page is a smart way to prevent hackers from trying to force their way into your WordPress site. Here’s how this works as an effective protection against brute force attacks:
Usually the login page of your WordPress comes under the same subdomain which is your website’s name followed by “/login” at the end of the URL. This is why it’s easy for common hackers to uncover your login page with minimal effort. And that makes it an easy target to password guessing. But when your page is hidden with a different subdomain most amateur hackers would find it next to impossible to discover your admin login page. But there are other more complicated defenses that you can put up to ward off more experienced hackers from entering your website.
2- Use Login Lockdown plugin
What login lockdown does is record each and every failed login attempt with their corresponding IP address and timestamp. When a specified number of login fails have been detected within a short period of time from the same IP range, the plugin recognizes that and blocks all IP addresses within that range. Using the options menu of the plugin, you can customize and change the time duration of the IP block, the number of failed login attempts, and the timespan within which these failed login attempts should be recognized. The default is set to, 3 failed logins within 5 minutes lead to a 1 hour lockdown. As the admin, you can manually whitelist any blocked IP ranges.
3- Use Two-factor authentication
Two-factor authentication is a popular security measure that is being taken by websites, platforms, and apps around the world. This technique uses two points of login authentication which when verified together only will let the user in. And it’s generally hailed as a strong security measure that is very important to have. Luckily you can implement this method of authentication on your WordPress login page.
4- Change your login credentials regularly
While it’s important to configure strong defenses on your WordPress login page it’s equally important that you don’t keep these login credentials around for too long. If any hackers do manage to break into your account using password guessing, this method could kick them off your site as soon as possible.
5- Use a good password manager to create strong passwords
Another way to avoid brute force attacks is to create strong passwords that can’t be breached. And as we mentioned earlier it is also advisable to change them constantly so that password guessing becomes even harder for hackers. However it can get quite difficult for you to create and remember these passwords on your own. This is why it’s important to use a password manager. A password manager helps you generate passwords that are incredibly difficult to guess while also storing and managing them for you when you want to login. Bitwarden is a great free and open source password manager that you can download from our one click applications.
#2 Securing your WordPress against backdoors
Backdoors are created by hackers in websites they’ve infected. If you’re website has been hacked it’s important to look out for backdoor vulnerabilities.
For the following method a certain amount of familiarity with CLI is required along with shell access to your server. To get started, search your WordPress content directory for backdoors. To do this, you can search for suspicious ‘eval’ command usages and delete them. For good measure it is recommended that you delete all your plugins and reinstall in the case of a hack. Next you can also delete any suspicious .php files from the uploads directory. The uploads directory need not contain .php files, to begin with, so any that you find are suspicious. Other than this, hackers can install backdoors in your inactive WordPress themes as well. So you can look for the ones that you don’t use and delete them. It is also advised to look for any files that have been modified recently that you personally do not remember updating. Go back and investigate these as well. In addition to these, it is also recommended to scan your WordPress database, and if you want to eliminate the risk of having backdoors, completely, then erase and recreate your .htaccess file from scratch.
#3 Preventing Cross-site scripting (XSS) on your WordPress
Most modern websites use Content Security Policy to mitigate XSS attacks. A Content Security Policy or a CSP is a security layer that has been designed specifically to detect and handle injection attacks such as cross-site scripting attacks. What a CSP does is it makes it possible for you to whitelist all the resources (codes and scripts) that are necessary to run your website and block all others. You can also control your CSP with different directives, block inline scripts and eval commands, as well as control style attributes, since CSS can also be exploited to create XSS attacks.
#4 Securing your WordPress site from DDoS attacks
We’ve published a complete blog post covering some important protective measures against DDoS attacks. To prevent becoming a victim to DDoS attacks, you can also purchase a DDoS protected IP from us to deploy your server. As mentioned in our blog post you can prevent DDoS by following these security measures:
1- Use a VPN
A VPN or Virtual Private Network hides IP addresses and makes it almost impossible for hackers and attackers to find you. This is a good strategy because to carry out DDoS attacks, the attackers rely a lot on your IP address. A VPN enables you to hide from attackers and “sniffer” programs that they use to spot potential victims. You can deploy a powerful VPN with us such as WireGuard or OpenVPN on our one-click applications.
2- Creating a null route or Blackhole route
A null route or Blackhole route can be used to divert unnecessary, excess traffic away from your website. This prevents DDoS traffic from overwhelming your website services and steer them away from your website’s usual traffic.
3- Use an Anycast network
An Anycast is able to diffuse all your traffic to multiple nodes depending on the size of the requests and the capacity of the nodes to process these requests efficiently. What an Anycast network does is channel a request to the closest node that has the capacity to process this request. You can configure an Anycast DNS network with us for free.
#5 General WordPress security tips
If you’re looking for a more comprehensive approach to securing your WordPress site we’ve got some general safety measures in handy for you. These measures will instruct you on protecting your WordPress admin, themes, plugins, and databases.
1- Protect your WordPress admin panel
In order to protect your WordPress admin panel it’s important to protect your directory. You can start by securing the admin panel with a password. In order to create a password all you’ve got to do is choose the directory you want to use the password on and enable password protection. After that you can go ahead and create a username and a password. Moving forward, you’d also want to keep your WordPress updated as regularly as possible.
There are other strategies you can try like assigning user roles. There are a lot of user roles that you as the admin can assign to those who have access to your dashboard. They include Super Administration, Administration, Editor, Author, Contributor, Subscriber. This way you don’t have to have a bunch of users with admin access to your WordPress dashboard. Make sure to also use SSL certificates on your WordPress site. This can help your website’s details be safe from malicious parties.
2- Protect WordPress plugins
When it comes to WordPress security, plugins can both be of help and risk. According to statistics 52% of WordPress security risks are due to bad plugins. So it’s super important to install trustworthy plugins as well as keep your current plugins safe. To ensure that your plugins don’t contain any malicious code in them which can disrupt your quality of services as well as hurt the security of your WordPress site, keep your plugins constantly updated. If there are any plugins that you don’t used, make sure you delete them. If there are any old plugins without updates consider replacing them for new trustworthy plugins. Make sure that all your plugins are from trustworthy resources. And keep in mind that while plugins are helpful, it’s not necessary to install a large number of plugins for each and every function of your website. We’ve published a blog post regarding a few good plugins that you can install on your WordPress. Select the ones that match your website’s services and functions and install them.
3- Protect your WordPress themes
The situation with themes is similar to that of plugins. Both plugins and themes are easy doorway for attackers. So just like with plugins it’s important to keep your themes updated. And it’s also important to download themes from reliable sources that constantly published updates such as WordPress.org or ThemeForest. Ideally you should look for a provider with a good support team so that you can keep in touch as the theme evolves.
4- Protect your WordPress databases
WordPress databases are generally a popular target for hackers. This is because databases contain a lot of sensitive information on your WordPress site. In order to protect your WordPress databases, one step that you can take is to change your table prefixes. By default in WordPress your tables will contain the prefix wp_. However you can change this to a different prefix of your liking.
5- Backup your databases
There can be instances where malicious acts of attackers can cause you to lose your valuable databases. This is where backups come in handy. You can go ahead and check out our Automated Backups feature. This feature allows you to backup all your server data including WordPress databases.
Curious to learn more? Check out these amazing related posts:
We just launched our VPS Reseller Platform. This is a 100% white labeled platform which comes with WHMCS integration compatibility, and a feature-rich control panel. Find out all you need to know about this brand new product on our blog post.
Future-proof your server and cloud projects with cloud native technologies. But what is cloud nativity? How can you implement it? Find out all you need to know on our blog post.