Say Security and WordPress in the same sentence.
They’ve seen at least one (or more) hacked sites in their time. For good reason. It happens a lot. They might even look like they need a squish ball for the stress you’ve just brought upon them.
But why? Is it because WordPress isn’t secure? Not exactly.
Surprised? Most Security professionals have barely used WordPress, if at all.
Why would they have any idea how to secure it?
I’m not over here bashing my own kind. There’s no way for everyone to know everything.
We can’t know all the OS’s in depth, all the Applications, Databases, Networking Devices, Tunneling and Encryption protocols. We tend to specialize.
It’s not inherently any less secure than anything else. Everything built for the Internet was not built with Security in mind. WordPress is no exception.
It’s easy to use. Anyone can throw up a WordPress blog. Which is great, until it’s not.
I wouldn’t present an issue without a solution. Tips tips and more tips!
#1 – The obvious. Update your plugins. Set it to auto-update. If you have Cpanel on your webhost (namecheap.com is great about this) you can click the button when you install your instance with Softaculous (or whatever they have).
Boom. Always updated. It also updates your WordPress version.
If your host doesn’t provide this. Look for another host! Or look for a plugin update helper. There are tons. Make sure it’s used by a lot of people. Those tend to be vetted better.
#2 – On that note. Don’t install a bunch of plugins like a kid in a candy shop whose grandpa just handed them a $50 bill for their birthday. Keep it clean.
#3 – Debating that this may need to be #1. Wordfence. It’s literally a firewall, scanner, monitor, login brute force protection, for free (with paid being more awesome). Configure it. And go here, free, to learn how to really use WordPress. She’s amazing.
#4 – Change your wp-admin login username to something other than admin. Preferably something weird. AlienSally, SugarPumpkin, whatever you’re into, my friend. Bots and scanners can’t find it as easily.
Check the box in Wordfence that says to immediately block the IP of users who try to sign in as these usernames and put what’s below. This means admin attempts will be whisked away almost like internet magic. You’re welcome.
#5 – Use Cloudflare for DNS (free!) and their SSL if your provider is literally insane and for some reason doesn’t offer a free one (namecheap does , for the first year). Install and configure the plugin too.
#6 – Use BBQ plugin – Block Bad Queries – “BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like
base64_, and excessively long request-strings.”
If you’re still scoffing at the idea of doing “all this”. Think about when people just plugged stuff into hubs. Yeah. That was real secure too, wasn’t it?
And there was FTP, then SFTP, then …all the wide open, non secure protocols that were made.
People were all like Oh…uhh.. right..maybe we need security because someone hacked us (e.g., literally everything)
Really not that different.
How do you get it to go faster? Cloudflare and W3 total cache. It’s a start, but that’s another post for another day.