5 free and simple steps to secure WordPress web sites

It is necessary to take measures to strengthen security of websites - this is an axiom.

To begin with, throw out ideas like ‘no one else knows about my site’ or ‘my site is not interesting to hackers’.

Even before the first visitors came to your web site, your site falls into the field of vision of all sorts of automatic scanners, which may or may not have been specifically searched for your site; they stumbled upon it by scanning the IP ranges by examining the list of sites on the same IP. It is like germs - you do not see them, but they are ubiquitous. They are in the air, on the door handle, on the clothes. That is why we wash our hands each time before eating, even if they are not seemingly dirty.

The more popular your web site becomes, the more attention it attracts. It can be examined and scanned by audit tools by both professional researchers and newbie hackers. Someone out of curiosity, someone with evil intentions.

Do not panic and break a piggy bank to order a professional security audit of the site. I will tell you about services that will check your website for vulnerabilities for FREE, as well as about a wonderful plug-in that will also help to prevent many security threats free of charge.

Scanning WordPress for vulnerabilities

WordPress is one of the most popular, and perhaps the most popular content management system. Based on WordPress there is a huge number of sites around the world.

WordPress source code is open; therefore, many professional security auditors have researched and investigated it, finding and fixing vulnerabilities. We do not have such special knowledge; does it make sense for us to take care of the security of our site?

Yes, we need to check our site for vulnerabilities, even if it runs under WordPress. The fact is that besides WordPress itself, many sites use third-party plug-ins and themes. These plug-ins and themes may contain vulnerabilities. Moreover, these vulnerabilities could already be found and fixed, but you did not update your plug-in - and now your site is vulnerable to hacker attacks. Even if you regularly update your web site, the theme may be vulnerable, but the creator of the theme could have abandoned the development and support of his themes a long time ago. So you have no other way to find out about your problem, except by performing a scan.

In addition to WordPress, security issues can be, for example, on the web server itself, especially if you are using VPS.

The following methods of protecting web sites on WordPress are very simple, but they are very effective against most attacks. From time to time, check your site to make sure everything is all right. By the way, it is all absolutely free!

1. WordPress password security

Even a web site without vulnerabilities is vulnerable to brute-force attacks against password. A revealed password compromises the site and depreciates all the other protection levels. Therefore, pay extra attention to the password security.

In order not to give an attacker even a chance to guess a password, follow the next recommendations:

• never, again, NEVER use the same passwords on different sites. This is very fraught.
• the password should not be one word that can be found in a dictionary. Also, it should not be a phrase composed of words that can be found in a dictionary. Make complicated, meaningless and long passwords.
• use big, small letters, numbers and special characters in your passwords. In this case, if a password is long and meaningless - attackers will never be able to crack it.
• watch out for the security of your computer. Use and regularly update your antivirus, do not use pirated software (it often contains backdoors). If a virus has appeared on your computer, it can easily steal and forward all passwords from your computer, including from web sites.
• in case of threat of compromise of the password (if other people could get access to it), for example, if a virus is detected on your computer, if you became a victim of a phishing attack (you thought that you enter a password on your site or your mail, and it turned out to be some other site) - then immediately change passwords!

In fact, there is nothing particularly complicated in these rules. This should become a habit, as, for example, washing hands before eating.

2. WordPress Online Check for Vulnerability

You can free check your WordPress site for vulnerabilities online, the address of the WPScan service: https://suip.biz/?act=wpscan

Enter the URL address of your web site and wait for the results (this can take quite some time).

At the very beginning, information about the version of WordPress is displayed, as well as interesting items and records, for example, in the robots.txt file. This does not mean that there is a problem! This only allows you to see what hackers see: folders hidden for indexing (they usually inspect them more thoroughly), outdated server software (may contain vulnerabilities).

Then the theme name is displayed:

By the way, if you liked a theme of another web site, but you do not know its name, this is a way to find out (although there are easier ways). Most importantly, if the theme contains vulnerabilities, then here it will be talked about.

Then the list of used plugins comes:

The red inscriptions deserve special attention. But if you have a red inscription, do not rush to worry, read carefully.

For example, this entry:

[!] We could not determine a version so all vulnerabilities are printed out

says that the scanner just could not determine the version of the installed plug-in, so it brought out information about the vulnerabilities in all versions. If you have already updated to the latest version, then you have nothing to worry about.

Continue reading about WPScan ‘How to check WordPress sites for vulnerabilities’.

3. iThemes Security plug-in for protecting against hacker attacks

iThemes Security is a free WordPress plugin that has many useful features that greatly enhance the protection of your web site. Although the plug-in has a paid version, most users will have enough of what is available in the standard version.

After installation, get free API key, it is not obligatory, but the API key is useful and gives the extra security feature.

When you look at the plugin settings page, the aircraft control panel comes to mind:

This is reasonable, because security is a multifaceted process.

Security Check - Enable recommended security settings with one button.

Basic settings – It is not necessary to change anything, since the settings are balanced.

Notification Center - About what and to whom to report, if the plug-in took action (for example, blocked the user by IP because of too many attempts to request files that do not exist - this is a sure sign of using scanners)

404 Detection - This means blocking users who access  non-existing files too often - It must be enabled. To do this, click the Enable button

Away Mode - Disable access to the WordPress admin area on a schedule

Banned Users - here you can see already blocked IP, as well as add new ones. Click ‘Configure Settings’ and in the ‘Ban User Agents’ area add:

HTTrack
sqlmap
wpscan
text
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT;
-
CyotekWebCopy
Wget
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801
WebCruiser
yacybot
Opera/9.27
MauiBot

• HTTrack - makes a clone of websites on the local computer. I am blocking due to an excessive load on the web server. And the local mirror site is not necessary to most normal people in our days.
• sqlmap - searches for SQL-injection vulnerability. For WordPress, it is not a threat, but it can stress the server.
• wpscan is the main WordPress scanner. If you are scanning your site - it's good. If your site is scanned by an attacker, that is bad.
• text - this bot loads servers heavily .
• MauiBot - this bot loads servers heavily .

Database Backups - Create backups of your site's database. The backups can be created manually and on a schedule. I am using another plugin, so I have this option disabled.

File Change Detection - Ensures that no files change unexpectedly. This is important, because a file change may indicate a hacking or unauthorized access.

File Permissions - Checks file permissions.

Local Brute Force Protection - protects against brute-force credentials, it is recommended to enable.

Network Brute Force Protection - Using the database of IP addresses of those who tried to brute-force other sites, forbids them access.

Password Requirements - If enabled, then only strong passwords will be required from all users.

SSL - Use only HTTPS connections. In fact, you should already have an SSL certificate installed for you can use this option. This option only makes a forced redirect from HTTP to HTTPS.

System Tweaks - Different settings.

WordPress Salts - It makes the stored password hash even more reliable.

WordPress Tweaks - WordPress settings that affect security, but when you disable it, some functions of WordPress can be turned off. There cannot be unambiguous recommendations - read the description and act according to your needs.

4. Checking web server security

The content management system runs on the server. If the server has security problems, then the site automatically has the same problems.

The problem may be that older programs that contain vulnerabilities are used. Or, for example, you made a backup copy of the site to a folder from which the archive file can be downloaded via web access. As a result, an attacker will receive credentials that are contained in the source code (for WordPress, this is the login and password for connecting to MySQL).

To find similar problems, use this Nikto scanner: https://suip.biz/?act=nikto

If you have configured the server by yourself, then check to see if there are any extra open ports. Find out which ports are visible to the hacker using online Nmap here: https://suip.biz/?act=nmap

5. Verify the installation and configuration of the SSL certificate

This verification is necessary for those who use the HTTPS protocol and configured the server by yourself.

There are many different checks:

If you have a serious problem (a vulnerability or an incorrect configuration), they will be indicated by red entries.

Service address: https://suip.biz/?act=testssl

Conclusion

New vulnerabilities in plug-ins are found regularly and scanner’s databases constantly (almost every day) are updated. Therefore, it is recommended that you check your site with WPScan every few months.

In general, the initial security measures to protect your site are fairly simple. And yet, they will help to avoid a lot of problems.