How to secure a site? Website Security Guide


Website security or how to protect a website? Some hacks happen for completely ridiculous reasons: untimely updates, weak passwords, etc. In this essential website security guide, I'll show you how to secure a website:

  • Even if… you're new to website security and don't quite understand what that means;
  • Even if… you have tried and failed to secure your site before;
  • Even if… you are overwhelmed by the main work and do not know where to start;
  • Even if... you think, "I'm no match for hackers - so why try to do anything?"

But more importantly, I'm going to talk about how to start thinking about the security of your websites in the first place. This way you have all the tools you need to make the right (security) decisions for your site. There is a lot of information here, so pour yourself a cup of tea or coffee and get ready.

What is site security?


While it's great that you're taking some steps to protect your website, you need to understand that site security is an ongoing process that requires periodic attention from you. Hackers are creative people, so threats are constantly evolving.

Site Security is the plan to protect your website and users from hackers and their malware. This includes understanding the components of your website, how they work together, and what vulnerabilities they have.

Once this foundation is in place, you need to formulate a comprehensive security plan to protect against vulnerabilities. This includes a series of configuration steps, implementing policies, and keeping threat information up to date.

The key to securing a website is understanding that this is not a one-time thing. Security evolves because threats evolve.

You will see in the article below that a good security plugin will do most of the hard work in terms of malware, but being careful and vigilant is what keeps a website secure in the first place.

Why is website security important?

WordPress is used by millions of people, so it's probably safe, right? Yes and no.

- Yes, because the core WordPress files are protected, and even if a vulnerability is found, it is fixed very quickly.

- No, because your site is not just the core of WordPress. It is a combination of plugins and themes that help make your site more functional, interactive and attractive. These plugins and themes enhance the functionality of WordPress, but also increase the potential for vulnerabilities. Good plugin developers will fix vulnerabilities quickly. But the danger in this regard is much higher.

How to protect your site from hackers? Action Steps


To have an actionable plan to protect your website, the first step is to understand how websites get hacked. According to the following study, websites are mainly hacked in three ways:

  • 90+% - Vulnerability in a WordPress plugin or theme.
  • 5+% - Compromised username and/or password.
  • <1% - Poor web hosting services.

This breakdown should form the basis of how you plan to secure your site and where you should allocate more time and resources.

1. Protect your site from vulnerabilities

Hackers are constantly on the lookout for vulnerable websites. It doesn't matter if the site is big or small: they can profit from hacking almost any website. In our experience, more than 90% of all breaches are due to hackers discovering and exploiting a vulnerability.

Let's take a closer look at what vulnerabilities are. This is very important to understand so that you can consciously shape your website security strategy in the future.

What is a vulnerability?

Your website is made up of 3 main components: WordPress, plugins, and themes. It's all basically software, and like any software, it contains bugs that sometimes cause it to crash.

Errors can have various consequences: some of them slow down your website or cause an error when someone visits it. This is annoying and problematic, but the more serious ones allow unauthorized users (such as hackers) to gain access to your website. Such a bug is known as a vulnerability.

Types of vulnerabilities

Vulnerabilities can be characterized, as we did in the previous paragraph, as bugs in the code. However, there are a few specific types that occur more frequently than others:

  1. Outdated software: it is important to keep core, plugins and themes up to date;
  2. Poor user role management: don't give every user full administrator access;
  3. Non-sanitized inputs: Input fields must validate input before saving and/or executing.

Possible hacks on an unsecured website

Vulnerabilities are closely related to the types of attacks they allow and are often referred to interchangeably. The most common attacks that WordPress faces are:

  • Code injection: when malicious code is inserted through input fields and executed by the website code or database. SQL injection is a common variant of code injection that is especially damaging for database-driven applications like WordPress.
  • Cross-Site Scripting Attacks: This type of vulnerability steals user cookies to impersonate them, or even hijack the session. The target user's access is then used to attack your site.
  • Brute force attacks: As the name suggests, there is no trick to this type of attack. The hacker bombards your login page with username/password combinations in an attempt to find the right one.
  • SEO spam: Any spam is serious, but this attack hits what hurts a website the most: SEO. Website owners spend resources working on their SEO, only for a hacker to take undue advantage by inserting pop-ups and links to illegal or gray goods. SEO spam attacks are also difficult to detect, and often websites experience the ill effects of spam before they realize they are infected.
  • Phishing attacks: In these attacks, a hacker attempts to impersonate a legitimate person in order to trick the user into voluntarily handing over their information. Phishing works in tandem with email and a hacked website to get those credentials.

What is the effect of vulnerability?

Plugins and themes are installed on several thousand sites, so the effect of this one flaw is multiplied many times over. Responsible plugin and theme developers are making efforts to close security holes in their products by releasing updates.

In fact, this is the key reason why it is recommended to choose premium plugins whenever possible. Regular software maintenance should be given maximum attention in a website security strategy. Great, that means the bug has been fixed. We're safe now, right? Well, not quite. Vulnerability discovery is a dangerous time for site owners.

What happens when a vulnerability is discovered?

Vulnerabilities are often discovered by website security researchers. They report their findings to the plugin or theme developer. As we said in the previous section, responsible developers will look to fix the issue and release an update.

When the vulnerability is fixed, the security researcher will publish their findings. The developer released a fix to keep websites safe, right? Not really.

Hackers also read about the vulnerability and look for websites that have not updated their versions. Public vulnerabilities tend to appeal to budding hackers (also known as script kiddies) because they can now exploit websites with little effort. They know exactly where their target is.

What should be done to protect the site from vulnerabilities?

Now I will talk about specific steps you can take to keep your website secure and safe from hackers. These steps may seem simple, but they are effective ways to keep your site secure.

1. Make backups

Backups are the most underestimated part of a site's security strategy. I can't stress enough the importance of regular backups. They are your safety net, the only thing you can rely on when things go wrong. Backups will help you quickly roll back the site to a healthy state.

2. Update plugins and themes

This may seem very obvious, especially if you've read the previous section on how important updates are. However, it's very easy to ignore the red notification on the dashboard and get on with something more urgent.

Therefore, I will repeat: plugin developers release updates with security fixes for exactly this reason. Even if you decide to delay installing updates, at least read the release notes and update the plugin at a later date.

3. Choose good quality plugins and themes

While it is unlikely that there will ever be completely reliable software, there are key factors to consider when choosing the right plugins and themes for your website:

  • The plugin is regularly updated: A plugin or theme that is consistently maintained by its developer is more likely to receive a security patch if a vulnerability is discovered.
  • Is the plugin popular? This is a double-edged sword. A popular plugin with millions of installs will be targeted by hackers. But plugins like this also tend to be more secure because they are checked by many more developers.
  • Is this a premium plugin? Paid plugins support the work of developers and are therefore much less likely to be abandoned than free plugins. This does not mean that open source software is never safe; however, with a premium product, you pay for customer support and product quality.
  • Never install nulled plugins and themes: Premium software made available for free is problematic on many levels. Nulled software often contains malware or backdoors that, once installed, allow hackers to gain access to your website.

4. Use a firewall

There is no reliable way to stop hackers or their bots from attacking websites like yours. However, you can greatly reduce the chance by installing a firewall.

2. Protect your username and password

About 6% of the hacked websites were vulnerable to attacks due to weak passwords. This may seem like a small number compared to direct malicious activity, but it's still significant enough to get your attention.

Losing your site administrator password is like losing your apartment or car keys. With the key, the thief has complete control over your valuable possessions. Similarly, with a password, hackers have full access to your site and its information. At that point, not even a firewall or security plugin can stop hackers from damaging your site.

The need for strong passwords is still actively promoted, but due to the difficulties involved, website users often ignore it. Before I get into the mechanics of setting a good password, let's answer some common questions people have about them.

How can a password be stolen?

The answer may come as a surprise: the hacker is trying to guess the password. By that I don't mean they try different passwords manually; that's what bots are for. This is also known as a brute-force attack or, if the bot guesses words, a dictionary attack.

These attacks work very well for several reasons:

  • Easy to guess passwords: common words, short words, the word "password" itself in various combinations.
  • Data from previous hacks: There is a reason why people recommend using different passwords for different services and sites.

How to protect yourself from password theft

1. Use a strong password - Strong passwords use a random combination of letters, numbers, and symbols because they are hard to crack. It can take years for hacker bots to find the right password. You can try creating a strong password yourself or use a password generator.

2. Limit the number of login attempts - A good way to prevent a brute-force attack is to block intruders after several failed login attempts. This is an effective mechanism, as this type of attack consists of hacker bots repeatedly trying different passwords.

3. Implement two-factor authentication - Some services use two-factor authentication during the login process, which essentially means you need to have two (ideally) separate tokens to access your account. It is most often a combination of a password and an expiring token, such as a PIN or QR code, sent to your email or device.

4. Implement CAPTCHA protection - CAPTCHAs can only be solved by humans. They are designed to prevent hacker bots from accessing an account. You can use it to secure your site.

5. Use a firewall - Some website security firewalls also monitor malicious IP addresses globally. The firewall learns on all sites with the plugin installed. It then automatically blocks bad IPs before they try to crack your password. This, combined with the ability to restrict logins, can protect your site from hackers trying to break into your site's admin area.
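
The login-attempt limit from item 2, as an added example (not code from this article or from any plugin): a sliding-window lockout replayed over constructed access-log lines. The `LoginThrottle` name, the thresholds and the rule that a 302 response to a `wp-login.php` POST means a successful login are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log format (documentation IPs, not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
198.51.100.20 - - [12/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Firefox"
203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
198.51.100.20 - - [12/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Firefox"
198.51.100.20 - - [12/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox"
203.0.113.7 - - [12/Mar/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "bot"
'''

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


class LoginThrottle:
    """Lock an IP out after max_failures failed logins inside a sliding window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> times of recent failures
        self._blocked_until = {}             # ip -> end of the lockout

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, now, success):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(ip, now):
            return "blocked"          # rejected before any password check
        if success:
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
        return "failed"


def parse_login_attempts(log_text):
    """Yield (ip, time, success) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, target, status = m.groups()
        if method != "POST" or target.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        # Assumption: 302 = login succeeded, 200 = form shown again after a
        # wrong password.
        yield ip, when, status == "302"


def replay(log_text, throttle=None):
    """Return {ip: [verdict, ...]} showing what the throttle would have done."""
    throttle = throttle or LoginThrottle()
    verdicts = defaultdict(list)
    for ip, when, success in parse_login_attempts(log_text):
        verdicts[ip].append(throttle.attempt(ip, when, success))
    return dict(verdicts)


if __name__ == "__main__":
    for ip, verdicts in replay(SAMPLE_LOG).items():
        print(ip, verdicts)
```

The bot's sixth and seventh attempts are rejected, while the visitor who mistyped a password once is never locked out.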

3. Choose a good hosting provider

There is a tendency to blame the web host for everything that goes wrong with a website. While web hosts are usually responsible for many aspects of a website, they are rarely at fault when a website is hacked. In fact, the opposite is generally true: web hosts improve the security of websites.

Of course, there are some web hosts that play a role in compromising websites hosted on their server. This rarely happens, but when it does, it is a major incident that puts thousands of websites at risk.

4. Install an SSL certificate

Secure Sockets Layer, better known as SSL, is a security protocol that encrypts all connections to a website. Once installed, it appears as a padlock at the beginning of your site's URL.

The benefits of using an SSL certificate are as follows:

  • All data transmitted to and from your site is encrypted.
  • This is a sign of trust in your site. In fact, most browsers will mark non-SSL sites as "Insecure" in the address bar.
  • Google loves websites with an SSL certificate and even rewards them with higher rankings.

Good Website Security Practices

As I said at the beginning, website security is an ongoing practice. In this section, I will list techniques that are useful to incorporate into your overall website security strategy. Once you get into the habit of doing this, the small investment of your time and effort will pay off many times over with a secure website.

1. Change your password often — I understand that setting hard-to-guess passwords is tricky, especially since they are often synonymous with hard-to-remember passwords. We can also imagine the anxiety caused by being asked to regularly change our excellent password.

The reason is that passwords are the weakest link in security, especially if you use the same passwords for multiple accounts. If even one site gets hacked, you can safely assume that all of your accounts are potentially compromised. "Regularly" can also mean different things to different people. Some financial institutions, such as banks, require passwords to be changed every 90 days.

2. Check website users, track new admin users — hackers often leave administrator users so that they can regain access to the site. Therefore, regularly checking administrator users can increase the security of a website.

Secondly, the co-authors of the site may change. If a user no longer needs access, it's best to remove their access to the site. The reason is twofold:

  1. you do not want the user to make any changes to your site;
  2. their inactive accounts can be compromised by hackers.

Over time, as we build our site with new content and designs, we continue to add new users to our site. You should check these users periodically. You can follow the security rules yourself, but another user being compromised will still affect your site. When adding users, whenever possible, give them only the required access levels. For example, if someone only writes articles, don't give them admin rights.

3. Set up an activity log on your site - Hackers do not use the core WordPress APIs to modify the website, so many of the changes they make will not be reflected in the activity log. However, they may leave traces, such as creating administrator accounts for themselves to access the site. These unexpected activities can help detect a breach. Conversely, if changes are being made by a collaborator, activity logs can help avoid unnecessary panic when you see changes made to your site.

4. Block PHP in your Uploads folder - A whole class of vulnerabilities (Remote Code Execution, to be precise) allows hackers to upload malicious PHP files to the Uploads folder. The hacker can then use such a file to execute any code on your site. In other words, they have complete control over your site.

The attack can be effectively mitigated if you block the execution of PHP files in the Uploads folder. Don't worry: blocking PHP files in the Uploads folder is safe because they shouldn't be there at all. The Uploads folder is where you store your media files, not scripts.
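
One way to audit and apply this on an Apache 2.4 host, as an added example that is not code from this article: it lists script files that have no business in the Uploads folder and appends a deny rule to that folder's `.htaccess` once. The marker comment, the extension list and the function names are assumptions of the example; other web servers need an equivalent rule in their own configuration.

```python
import re
import tempfile
from pathlib import Path

# File names the PHP handler may execute, including double extensions such as
# "avatar.php.jpg" on servers configured to act on any extension in the name.
SCRIPT_RE = re.compile(r"\.(php[0-9]?|phtml|phar|pht)(\.|$)", re.IGNORECASE)

MARKER = "# BEGIN block-php-in-uploads"  # hypothetical marker used by this example
# Apache 2.4 syntax (mod_authz_core); needs AllowOverride to permit it.
HTACCESS_RULE = MARKER + r"""
<FilesMatch "\.(?i:php[0-9]?|phtml|phar|pht)(\.|$)">
    Require all denied
</FilesMatch>
# END block-php-in-uploads
"""


def find_script_files(uploads):
    """Return sorted relative paths of files that look executable by PHP."""
    uploads = Path(uploads)
    return sorted(
        p.relative_to(uploads).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and SCRIPT_RE.search(p.name)
    )


def php_blocked(uploads):
    """True if .htaccess already holds this example's rule (it only knows its own marker)."""
    htaccess = Path(uploads) / ".htaccess"
    return htaccess.is_file() and MARKER in htaccess.read_text(encoding="utf-8")


def ensure_htaccess(uploads):
    """Append the deny rule once; return True if the file was changed."""
    if php_blocked(uploads):
        return False
    with (Path(uploads) / ".htaccess").open("a", encoding="utf-8") as fh:
        fh.write("\n" + HTACCESS_RULE)
    return True


def audit(uploads):
    return {"scripts": find_script_files(uploads), "php_blocked": php_blocked(uploads)}


def demo():
    """Run the audit against a constructed uploads tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root) / "wp-content" / "uploads"
        for rel in ("2024/03/photo.jpg", "2024/03/shell.php",
                    "2024/03/avatar.php.jpg", "cache/x.PHTML",
                    "2024/03/phpinfo.txt"):
            path = uploads / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample")
        before = audit(uploads)
        first = ensure_htaccess(uploads)    # writes the rule
        second = ensure_htaccess(uploads)   # no-op: the rule is already there
        after = audit(uploads)
        return before, first, second, after


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The rule only stops execution. Any file the audit lists still needs to be investigated and removed, since it should not have been uploaded in the first place.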

What should you avoid when protecting your website?

A quick Google search will give you plenty of tips and strategies to secure your site. Several security plugins will also provide several options to protect your site from password crackers. Protecting your website is something you should be doing, however there are some things you should avoid.

The reasons vary for each of the points I discuss below, but at their core, your measures should provide tangible security benefits, especially if you're asking your users to overcome additional security barriers. For example, if you use both captcha and two-factor authentication, getting to your site becomes difficult, with little added benefit.

You can get an extra sense of security by applying all available options, but in terms of cost-benefit analysis, they don't make the cut.

1. Hide wp login page - You will see this in many forums: change the wp-login page to your site's own URL. The logic is that if hackers can't find the login page, they can't use brute force attacks to gain access to your site. This has several disadvantages:

  • WordPress also allows you to login using XML-RPC.
  • This will make your site difficult to use. If you forget the special URL you created for yourself in place of wp-login, recovery from this can be difficult.
  • If you use a generic URL or the default URL that comes with the security plugin, it's still easy for hackers to guess, which completely defeats the purpose.
  • Hiding this page requires complex settings to be applied to your site, which can have other unexpected side effects.

2. Geoblocking - Another commonly recommended security measure is geo-blocking. You may not need or expect legitimate traffic from certain countries and therefore choose to restrict access.

  • IP address data for regions is not ideal and may contain errors.
  • If you block yourself by mistake, it will be difficult to undo it.
  • You may end up blocking good bots like Google that can't harm your site.

A good firewall can and will protect your site from malicious bots and unwanted traffic. I covered the benefits of firewalls in the previous section.

3. Password protect the wp-admin directory - The wp-admin folder is one of the most important folders on your site. Naturally, it attracts a lot of attention from hackers. Therefore, protecting it with a password may seem like a brilliant move, but it is counterproductive.

Password-protecting your wp-admin directory breaks the AJAX functionality on your WordPress website. AJAX is a coding technique that loads parts of your website from the server without changing the currently displayed page.

If that sounds like gibberish, what it essentially means is that it makes your site dynamic without reloading the page for users every time something changes.

Think about scrolling through your social media feed. New stories or tweets load while you're still reading the ones already on your screen, and you can refresh your news feed whenever you want to load new content.

4. Hide WordPress Version - The logic behind hiding the version of your WordPress site has to do with security updates. If your website is not running the latest version of WordPress, a hacker could exploit a vulnerability that exists in an older version. However, hiding your version of WordPress is of no use. There are several ways to determine the WordPress version of a website: checking the site's source code, checking the RSS feed, etc. All of them are legal, by the way.

The way to deal with WordPress vulnerabilities in older versions is to update your version to the latest. Many website administrators fear that updating a live site can break it. So it's best to do it on a test site first.

What to do if your site is hacked?


If your site has recently been hacked, it is even more important for you to be extremely attentive to the security of your site. If not done correctly, it can lead to repeated site hacks, and the whole situation turns into a complete nightmare.

  1. Clean up malware first: Use a good security plugin to automatically remove malware without leaving a trace.
  2. Update everything: Like I said, software updates are vital. Make sure you have the latest versions of WordPress, themes, and plugins installed. If you don't, there's a good chance that this is the reason your site was hacked in the first place.
  3. View each admin user: Take a close look at each administrator account. We've already talked about this in this article, but hackers create administrator accounts to regain access to a hacked website if malware is found.
  4. Change all passwords: Assume your credentials have been compromised and change your passwords. I hope you do not use the same password for different products and services, otherwise you should also change the rest of the passwords.
  5. Change database credentials (if possible): The wp-config.php file contains the credentials that the WordPress site uses to connect to the site's database. In many cases, access to the database is restricted even if the database credentials are compromised. However, on some hosts, hackers can use this information to directly modify the database. This can lead to re-infection of the site.
  6. Change security keys: WordPress uses security keys to manage sessions for registered users.
  7. Set up your WordPress firewall: I have already covered this in detail in this article. The WordPress firewall is your best defense against malicious bots and bad traffic.
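
Step 6 in practice, as an added example that is not code from this article or from WordPress: it replaces the eight security keys and salts in the text of a wp-config.php with fresh random values, which invalidates existing login cookies so every user, including anyone holding a stolen session, has to log in again. The sample configuration is constructed, and the key alphabet and function names are assumptions of the example.

```python
import re
import secrets
import string

# The eight key and salt constants WordPress reads from wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Assumption: quotes and backslash are left out so a value is always safe
# inside a PHP single-quoted string.
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_[]{}<>~+=,.;:/?|"

# Constructed wp-config.php fragment; every value is a placeholder.
SAMPLE_CONFIG = """\
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_PASSWORD', 'placeholder-db-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define('SECURE_AUTH_KEY', 'old-value-1');
define( 'LOGGED_IN_KEY',    'old-value-2' );
define( 'NONCE_KEY',        'old-value-3' );
define( 'AUTH_SALT',        'old-value-4' );
define( 'SECURE_AUTH_SALT', 'old-value-5' );
define( 'LOGGED_IN_SALT',   'old-value-6' );
$table_prefix = 'wp_';
"""


def new_key(length=64):
    """Random key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, rotated_names, missing_names); other lines are untouched."""
    rotated, missing = [], []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"(define\(\s*'" + name + r"'\s*,\s*')[^']*('\s*\)\s*;)")
        config_text, count = pattern.subn(
            lambda m: m.group(1) + new_key() + m.group(2), config_text)
        (rotated if count else missing).append(name)
    return config_text, rotated, missing


def read_keys(config_text):
    """Return {name: value} for the security keys defined in the text."""
    found = re.findall(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)\s*;", config_text)
    return {name: value for name, value in found if name in KEY_NAMES}


if __name__ == "__main__":
    text, rotated, missing = rotate_keys(SAMPLE_CONFIG)
    print("rotated:", rotated)
    print("missing (add these by hand):", missing)
```

A name reported as missing has no `define()` line in the file at all and has to be added by hand; back up wp-config.php before writing the rotated text back.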

All In One WP Security & Firewall - WordPress site security

In short: the easiest way to protect your site is to install a site security plugin such as All In One WP Security & Firewall, a comprehensive, easy to use, stable and well maintained WordPress security plugin.

All In One WP Security & Firewall has the following features:

All In One WP Security & Firewall is continuously supported.

1. User account security

  • Determine if a user account exists with the default username "admin" and easily change the username to a value of your choice.
  • The plugin will also detect if you have WordPress user accounts with the same logins and display names. Having an account that has the same display name as the login is bad security practice because you hand hackers a login that is already 50% complete: they already know the username.
  • A password strength tool that allows you to create very strong passwords.
  • Stop listing users. Thus, users/bots cannot discover user information through the author's permalink.

2. Login security for the user

  • Defend against "Brute Force Login Attack" with the login blocking feature. Users with a specific IP address or range will be banned from the system for a predetermined period of time depending on the configuration settings, and you may also receive notifications via email whenever someone is blocked due to too many login attempts.
  • As an administrator, you can view a list of all blocked users, which is displayed in an easy-to-read and easy-to-navigate table that also allows you to unblock individual or group IP addresses with the click of a button.
  • Force logout of all users after a configurable time period.
  • Track/view failed login attempts, which shows the user's IP address, user ID/username, and the date/time of the failed login attempt.
  • Track/view account activity of all user accounts on your system by tracking username, IP address, login date/time and logout date/time.
  • Ability to automatically block ranges of IP addresses that try to log in with an invalid username.
  • Ability to see a list of all users who are currently logged into your site.
  • Allows you to specify one or more IP addresses in a special white list. Whitelisted IPs will have access to your WP login page.
  • Add Google reCaptcha or a simple math captcha to your WordPress login form.
  • Add Google reCaptcha or a simple math captcha to the forgotten password form of your WP login system.

3. User registration security

  • Enable manual verification of WordPress user accounts. If your site allows people to create their own accounts through the WordPress registration form, you can minimize SPAM or fake registrations by manually confirming each registration.
  • Ability to add Google reCaptcha or simple math captcha to your WordPress user registration page to protect you from spam user registration.
  • The ability to add a Honeypot to the WordPress user registration form to reduce the number of registration attempts from bots.

4. Protecting the WordPress Database

  • Easily set the default WP prefix to a value of your choice with the click of a button.
  • Schedule automatic backups and email notifications, or take instant DB backups anytime with just one click.

5. File system security of a WordPress site

  • Identify files or folders with insecure permission settings and set permissions to recommended safe values with the click of a button.
  • Protect your PHP code by disabling file editing in the WordPress admin area.
  • Easily view and monitor all host system logs from a single menu page and stay up to date on any issues or issues that occur on your server so you can resolve them quickly.
  • Prevent people from accessing the readme.html, license.txt, and wp-config-sample.php files of your WordPress site.

6. Backup and restore htaccess and wp-config.php files

  • Easily back up your original .htaccess and wp-config.php files in case you need them to restore broken functionality.
  • Change the contents of currently active .htaccess or wp-config.php files from the admin panel with just a few clicks.

7. Blacklist functionality

  • Block users by specifying IP addresses, or use a wildcard to specify ranges of IP addresses.
  • Deny users by specifying user agents.

8. Firewall functionality

This plugin allows you to easily add many firewall protection elements to your website via htaccess file. The htaccess file is processed by your web server before any other code on your site.
So these firewall rules will stop the malicious script(s) before it has a chance to get to the WordPress code on your site.

  • Access control object.
  • Instantly activate a set of firewall settings ranging from basic, intermediate and advanced.
  • Enable the famous "6G Blacklist" firewall rules courtesy of Perishable Press.
  • Disable posting comments through a proxy.
  • Block access to the debug log file.
  • Disable tracing and tracking.
  • Deny invalid or malicious query strings.
  • Protect yourself from cross-site scripting (XSS) by activating a comprehensive advanced character string filter.
    or malicious bots that do not have a special cookie in their browser. You (the site administrator) will know how to set this special cookie and will be able to log into your site.
  • WordPress PingBack vulnerability protection feature. This firewall feature allows the user to deny access to the xmlrpc.php file to protect against certain vulnerabilities in the ping feature. This is also useful for blocking bots from constantly accessing the xmlrpc.php file and wasting your server resources.
  • The ability to block fake Googlebots from crawling your site.
  • Ability to prevent image hotlinking. Use this to prevent others from hotlinking your images.
  • Ability to log all 404 events on your site. You can also automatically block IP addresses that get too many 404 errors.
  • The ability to add your own rules to block access to various resources on your site.

9. Prevent login brute force attack

  • Block brute force attacks instantly with our custom cookie-based login brute force prevention feature. This firewall feature blocks all login attempts from humans and bots.
  • Ability to add simple math captcha to WordPress login form to protect against brute force attacks.
  • Ability to hide the admin login page. Rename your WordPress login page URL to prevent bots and hackers from accessing your real WordPress login URL. This feature allows you to change the default login page (wp-login.php) to something you customize.
  • The ability to use the Login Honeypot, which will help reduce the number of login attempts through brute force from robots.

10. Website File Security Scanner

  • The File Change Detection Scanner can alert you if any files have been modified on your WordPress system. You can then investigate and see if it was a legitimate change or if some bad code was introduced.

11. Comment Spam Protection

  • Track the most active IPs that consistently produce the most spam comments and block them instantly with the click of a button.
  • Prevent comments from being sent if they are not from your domain (this should reduce the number of comments posted by spam bots on your site).
  • Add a captcha to your WordPress comment form to improve your protection against comment spam.
  • Automatically and permanently block IP addresses that exceed a certain number of comments marked as SPAM.

12. Front-end text copy protection

  • Ability to disable right click, text selection and copy option for your frontend.

13. Additional features of the plugin

  • Ability to remove WordPress generator meta information from your site's HTML source code.
  • Ability to remove WordPress version information from your site's JS and CSS files.
  • Ability to prevent people from accessing readme.html, license.txt and wp-config-sample.php files.
  • The ability to temporarily block the front of your site from regular visitors while you perform various internal tasks (investigating site security attacks, performing site updates, maintenance, etc.)
  • Ability to export / import security settings.
  • Prevent other sites from displaying your content through a frame or iframe.

It is ideal for those who just don't have time to deal with website security. Just install and forget the plugin. But if you can afford the extra time to tighten up your security, I highly recommend that you implement all of the above measures.


I started this article on how to secure a website with a clear pointer: the first step is to get your site's security right. This is an ongoing process. It is a good standard practice in any organization to conduct periodic audits to allow maximum control over the security of the site. The threat landscape is constantly changing, and hackers will find more creative ways to break through security. Security experts remain constantly vigilant, and this is the main conclusion of everything: do not relax.

Thank you for reading Nicola Top


2 Responses

  1. Евгений says:

    This is the first time I see such a long article. Respect to the author of the site, how much time did you spend on it? A wonderful guide that describes almost all aspects of protecting and maintaining the security of the site. I have been reading your blog for some time now. Thank you, very useful material.
