Tips to Secure WordPress in 2022

To protect a WordPress site you need a sophisticated and multi-layered security mechanism -- Ibad Rehman

Anything that lives and breathes inside the realms of the internet is vulnerable to cyberattacks. These cyberattacks disrupt business operations, compromise data integrity, and at times cause irrecoverable financial damage. Above all, these attacks are evolving to become even more destructive and untraceable. Therefore, having a sophisticated, modern, and well-thought-out WordPress security strategy is now more important than ever!

Malware, Web-based attacks, and denial-of-service attacks are the main contributing factors to revenue loss.

Source: Accenture

The following article will not teach you what security plugins to install and how to recover your backup when you lose your WordPress site. It rather aims to teach you why as a business owner you need to invest in WordPress security and what solutions our experts think can help you build your own kick-ass WordPress security strategy.

Moreover, I will also walk you through some common WordPress security vulnerabilities, how hackers use them to gain access to your site, and what steps you can take as a site owner to mitigate these attacks early in the timeline.

Why is it important to have a secured WordPress site?

As a business owner, it is important to understand the significance of having a secured WordPress site. Every measure that you take towards hardening the security of your WordPress site contributes to the success of your online venture. Investing in WordPress security always pays off and it becomes more evident when the bad guys hit your site with cyberattacks.

Here are some of the obvious benefits of having a secure WordPress site.

Business Credibility

Business credibility is a hard-earned asset that is achieved over years of hard work, good customer relationships, and building trust among all stakeholders. It is based on the principles you as a business owner set and live up to. However, even a mid-sized DDoS attack or Bruteforce attempt can make your most loyal customers question the credibility of your business. And why shouldn’t they? They rely on your services to fulfill the demand of their customers.

Your business loses its credibility when the website crashes or is compromised due to a cyberattack and is unable to serve its customers or offers a bad user experience. After every breach, your customers lose their trust in your business and begin considering other options.

Uninterrupted Operations

When your WordPress site is hit by a cyberattack, it affects its efficiency and at times makes it non-operational. This is not limited to customers visiting your site but goes all the way to your internal operations such as order management, product management, and publication schedule. Now imagine the damage such interruptions can cause during the holiday season or when you are running sales campaigns.

Revenue Loss

It’s a fact that no business owner in her right mind would allow any revenue losses. I don’t need to state the obvious reasons here. However, I do wish to point out that according to IBM’s Data Breach Report 2021, “Data breach costs increased significantly year-over-year from the 2020 report to the 2021 report, increasing from $3.86 million in 2020 to $4.24 million in 2021.”

The above finding is evidence that cyberattacks are still the key players behind damaging businesses financially. Despite these heavy losses, unfortunately, a large number of online business owners don’t even realize the dire need to assess their existing security and upgrade it to more sophisticated technology that can withstand today’s cyber security challenges.

Now that you understand the significance of a secured site, let’s look at some of the common security vulnerabilities in the context of WordPress.

Common WordPress Security Vulnerabilities

WordPress is a major stakeholder in the web development space. It is no longer a content publication platform but has evolved into a complex ecosystem of third-party tools, plugins, and themes. All of which is great and works perfectly well for SMBs, eCommerce, and even enterprises. WordPress being open-source allows the contributors and developers to modify and use the platform as they like.

Unfortunately, this model also works in favor of notorious hackers who manipulate the open-source code to either execute the actual attack suitable for their desired target or use the victim site to attack other sites. Therefore, it is important to familiarise yourself with the following common vulnerabilities so you can identify and mitigate them early.

DDoS Attacks

DDoS is short for Distributed Denial of Service. This is similar to the DoS attack but instead of only one host hitting the victim site, hundreds and thousands of infected sites send thousands of requests per second to a single target — overwhelming the server resources and making it unusable for the actual visitors.

The DDoS attack is not a penetrating attack. It is normally executed through thousands of already compromised sites known as Botnets. These compromised sites are under the control of the hacker, who can paralyze the victim site by sending thousands of simultaneous requests. DDoS does not always make noise. Sometimes it hits your server discreetly, just to waste its resources and to increase financial losses.

Bruteforce Attacks

Bruteforce attacks are very common on WordPress sites. The majority of the attempts are made to crack the wp-admin password, and the login page is located at pretty much the same place on the majority of sites, i.e. www.examplesite.com/wp-admin. In order to try out various combinations, hackers use specialized bots that hit the URL with words and phrases from a dictionary to guess the right username and password.

Your server gets affected when thousands of attempts are made to guess the username and password which ultimately slows down your site and puts a strain on your server resources. After successfully getting access to the site, hackers can either silently deploy a malicious script, change access credentials, steal data or simply shut the entire website down!

Cross-site Port Attack (XSPA)

In Cross-Site Port Attacks (XSPA), a hacker injects a malicious script to retrieve information about TCP ports and IP addresses. With XSPA, attackers can exploit functionality like XMLRPC (discussed later), which is not handled properly in most WordPress sites, and use the pingback feature to post on a target website that returns the IP address.

Cross-Site Scripting (XSS)

Cross-Site Scripting is a penetrating attack where the hacker injects malicious scripts by exploiting vulnerabilities in the system that allow malicious data to be inserted through a user form without validation or encoding. A malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used by the website, since the browser believes the script came from a trusted source.

Malicious Scripts: Themes and Plugins

Themes and plugins are very tempting to use but they often become the primary reason behind a security breach in WordPress. This happens when the developers don’t update them to match the latest security upgrades. Other times, the site owners themselves do not update to a newer version out of the fear that they might end up breaking the site. All of these actions raise red flags and give an opportunity to hackers to exploit these vulnerabilities present inside the outdated theme or plugin.

About The Author
Ibad Rehman

Community Manager at Convesio. Enthusiast about the web, AI, and Digital Marketing. Technical content creator, JavaScript advocate, educator, and lifelong learner.
How to Secure Your WordPress Site?

To protect a WordPress site you need a sophisticated and multi-layered security mechanism. In short, you need secure fencing around everything that directly or indirectly touches your website, its assets, and its database. For most businesses, implementing and managing such protective fencing around the whole infrastructure is both technically complex and resource-intensive.

1. Have a Backup Policy

It is highly recommended to take frequent backups of your WordPress site. They serve as insurance on rainy days and reduce the downtime in case of a cyberattack. If your WordPress site is hosted with managed WordPress hosting like Convesio then your backups are fully-automated. Convesio customers can set up automated backup policies such as backup intervals and retention according to their requirements.

Alternatively, you can also use a plugin to take backups of your WordPress site. These plugins allow you to store the backups on cloud services like Dropbox, Amazon S3, etc., or let you download them locally to your computer. Similarly, you can use these plugins to restore your backups via FTP or cloud services.

Some of the popular WordPress backup plugins are:

2. Encrypted Connection via SSL Certificate

This is another very important component of securing your WordPress website and enhancing its credibility. SSL secures the communication between the client and the server and encrypts the sensitive data so only the verified resource with a valid public key can decrypt it — making data sniffing impossible. It uses HTTPS to create a secure tunnel between the user’s browser and your WordPress site, through which the unique keys used for data encryption and decryption are shared.

In order to implement HTTPS, you need an SSL certificate, which can cost somewhere between $80 and $250. Luckily, there is also a free solution available — thanks to Let’s Encrypt. It is a non-profit organization that allows websites to use its SSL certificates for free. Now all you need to do is to steer through its implementation and make it work, unless you are hosting with Convesio, where each website gets HTTPS out of the box with no integration required.

3. Use Cloudflare for Security

Cloudflare is a renowned platform that offers a wide range of tools and services for performance and security. It offers an advanced yet easy-to-configure firewall feature that protects your WordPress site from external malicious traffic. For example, you can create a rule inside the Cloudflare firewall to only allow whitelisted IPs to access the wp-login URL. This significantly reduces Bruteforce attempts. It also filters the incoming traffic to protect your website against DDoS attacks.

Cloudflare’s free version allows you to do all the above. For additional features, you need Cloudflare’s premium services. Customers hosting their WordPress sites with Convesio enjoy these premium features at no extra cost as we are tightly integrated with Cloudflare Enterprise features.

4. Scan for Malware

As seen in the previous section, malware is a very common problem in WordPress sites. There are various gateways through which malicious scripts are injected. This is a serious security issue and at Convesio we deal with malware by using multiple intelligent tools like Human Presence that scan incoming traffic to identify malware and bad bots before they can hit your site.

If you are not hosting your WordPress site with Convesio, then you can use a security plugin that can scan your site for malware. Note, these plugins are only good for the traffic that has already hit your website. Some of the popular WordPress security plugins are:

5. Limit Login Attempts

The WordPress login page is a sensitive page and is targeted the most for Bruteforce attacks. A simple way to protect it from such attacks is to limit the number of login attempts and block the offending IP address for some time. The majority of the WordPress security plugins offer this feature. If you are using one, then look for this feature and set the login attempt rules as per your requirements. You can also whitelist selected internal IPs if you wish and block the rest if a certain number of failed attempts are made.
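To choose a sensible attempt limit, or to check whether one is working, it helps to see how login attempts look in the web server's access log. The following is an added example, not code from the original article or from any plugin: it applies a sliding-window count to POST requests against wp-login.php and xmlrpc.php. It assumes the combined log format and that WordPress answers a successful wp-login.php login with a 302 redirect; the function names, thresholds and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def find_bruteforce_ips(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Flag IPs with more than max_attempts login POSTs inside `window`."""
    recent = defaultdict(deque)          # ip -> POST timestamps still in window
    report = {}
    for line in lines:                   # lines must be in chronological order
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                     # a GET only renders the login form
        path = m["path"].split("?", 1)[0]
        if not path.endswith(LOGIN_PATHS):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) > max_attempts:
            entry = report.setdefault(ip, {"peak": 0, "login_succeeded": False})
            entry["peak"] = max(entry["peak"], len(q))
        # Assumption: a successful wp-login.php login returns a 302, so a 302
        # from an already-flagged IP means the guessing may have worked.
        if ip in report and path.endswith("/wp-login.php") and m["status"] == "302":
            report[ip]["login_succeeded"] = True
    return report

def _line(ip, sec, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Jan/2022:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one noisy client, one ordinary user, one XML-RPC call.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(8)]
    + [_line("203.0.113.7", 8, "POST", "/wp-login.php", 302),
       _line("198.51.100.20", 10, "GET", "/wp-login.php", 200),
       _line("198.51.100.20", 12, "POST", "/wp-login.php", 200),
       _line("198.51.100.20", 20, "POST", "/wp-login.php", 302),
       _line("192.0.2.44", 30, "POST", "/xmlrpc.php", 200)])

if __name__ == "__main__":
    print(find_bruteforce_ips(SAMPLE_LOG))
```

An IP reported with login_succeeded set deserves a password reset and a review of that account's recent activity, not just a block.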

6. Add Two-factor-authentication

This is another way to secure your WordPress login. You can combine the limited login feature with two-factor authentication. All you need is a plugin that verifies the user on two different platforms before logging in successfully. Implementing 2FA is pretty straightforward, and there are many plugins to choose from, including the Google Authenticator plugin.

7. Disallow IPs from accessing wp-admin

Wp-admin is the operational area of your WordPress site and adding a security layer to protect it against bad guys is always important. This method involves modifying the .htaccess file, so make sure you know what you are doing. The steps are simple. All you need is the IP address that you wish to allow, as this rule will ban all the other IP addresses from accessing the wp-admin area. To do so, download your .htaccess file via FTP or File Manager.

The relevant block in the .htaccess file looks like this (note that it matches wp-login.php, the login page through which wp-admin is reached):

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Modify the “Allow from” line by adding your IP address/addresses. Save the file and upload it to replace the existing one. All done!

8. Disable File Editing

Another very useful method is to protect your WordPress site from any possible internal malicious activities. Disabling the file editing feature prevents unauthorized users from modifying theme and plugin files. To do so, you need to access the wp-config.php file. Again, this is a sensitive file, so please make sure that you understand it before making any changes.

After downloading the file, search for “define('DISALLOW_FILE_EDIT')” and set it to true.

define('DISALLOW_FILE_EDIT', true);

9. Disable XML-RPC

XML-RPC (Remote Procedure Call) was created for cross-platform communication long before the WP REST API. The idea was to connect WordPress with other platforms using HTTP as the transport and XML as the encoding. Due to the lack of modern security features, XML-RPC has been exploited widely for various cyberattacks such as Bruteforce, DDoS, and Cross-site Port Attacks.

Handling XML-RPC properly is important. One could ask why not completely remove the file. Well, you can do that, but this will make your server start throwing 404 errors at anyone trying to access it. You can, however, disable the file by simply adding a piece of code inside your .htaccess file.

<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

This will disable the xmlrpc.php file for every application or service that uses it. In case you still wish to access your WordPress site via XMLRPC, you can whitelist a certain IP address. For that, you need to add the following directives:

<Files xmlrpc.php>
<RequireAny>
Require ip 2.2.2.2
Require ip 2001:db8::/32
</RequireAny>
</Files>
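The blocks in sections 7 and 9 use two directive families: Order/Deny/Allow is Apache 2.2 syntax (on Apache 2.4 it is only available through mod_access_compat), while Require ip is native 2.4 syntax. The following added example, which is not part of the original article, reads an .htaccess file and reports which policy each Files block actually enforces for wp-login.php and xmlrpc.php; the function name, report fields and sample IP 203.0.113.10 are constructed for illustration.

```python
import re

# <Files name> ... </Files> sections; Apache keywords are case-insensitive.
FILES_RE = re.compile(r'<Files\s+"?([^\s">]+)"?\s*>(.*?)</Files>', re.I | re.S)

def audit_htaccess(text, targets=("wp-login.php", "xmlrpc.php")):
    """Report the access policy each target's <Files> block enforces."""
    report = {t: {"policy": "unprotected", "allowed": [], "syntax": None}
              for t in targets}
    for name, body in FILES_RE.findall(text):
        if name not in report:
            continue
        order, deny_all, allow = "deny,allow", False, []   # 2.2 defaults
        require_ip, require_denied = [], False             # 2.4 directives
        for raw in body.splitlines():
            words = raw.split("#", 1)[0].lower().split()
            if words[:1] == ["order"] and len(words) > 1:
                order = "".join(words[1:])
            elif words[:3] == ["deny", "from", "all"]:
                deny_all = True
            elif words[:2] == ["allow", "from"]:
                allow += words[2:]
            elif words[:2] == ["require", "ip"]:
                require_ip += words[2:]
            elif words[:3] == ["require", "all", "denied"]:
                require_denied = True
        uses_22 = deny_all or bool(allow)
        uses_24 = require_denied or bool(require_ip)
        entry = report[name]
        if uses_22 and uses_24:
            entry.update(policy="ambiguous", syntax="mixed")
        elif require_ip:
            entry.update(policy="allowlist", allowed=require_ip, syntax="2.4")
        elif deny_all and order == "deny,allow" and allow:
            # Deny is evaluated first, then Allow overrides it for listed IPs.
            entry.update(policy="allowlist", allowed=allow, syntax="2.2")
        elif deny_all or require_denied:
            entry.update(policy="deny-all", syntax="2.2" if deny_all else "2.4")
    return report

# Constructed sample: the page's two styles, 203.0.113.10 replaces xx.xx.xx.xx.
SAMPLE_HTACCESS = """
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
</Files>
<Files xmlrpc.php>
<RequireAny>
Require ip 2.2.2.2
Require ip 2001:db8::/32
</RequireAny>
</Files>
"""
```

A target reported as "unprotected" has no matching Files block at all, and "ambiguous" means the block mixes both directive families and should be rewritten in one of them.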

10. Managed WordPress Hosting

The best advice to secure a WordPress website is to choose a hosting provider that guarantees you a multi-layered security policy along with support. The term “managed hosting” has been around for decades and unfortunately various companies abused it to make quick bucks and failed to offer a true managed WordPress hosting experience.

In the following sections, I attempt to cover a few very important security features that a true managed WordPress hosting provider like Convesio offers to its customers.

Managed Enterprise-grade Security
At Convesio, security is a crucial element from infrastructure to server and application levels. Our containerized architecture enables us to isolate every website from others which are further protected via a comprehensive security plan that involves both software and human expertise.

All the incoming traffic before hitting your site is scanned and filtered for malware and bad bots traffic. This allows us to mitigate potential threats early in the timeline and save precious server resources. Other features are HTTPS enforcement and seamless configuration with some of the industry-leading front-end tools like Wordfence and WebARX.

Security via Patchman
Patchman is a malware scanning tool that runs on your server. It is a part of our hosting stack that scans for vulnerabilities and fixes them without customer intervention.

Bot Protection
Bot traffic is inevitable as many useful operations including site ranking are carried out by these bots. However, there are also bad bots roaming the internet for malicious activities. These bots include spam bots, web scrapers, DDoS networks, click fraud bots, etc.

At Convesio, we handle the bad bot situation by proactively scanning and monitoring the incoming traffic and by using Human Presence which analyses the behavior of bot traffic and filters the bad bots. It protects your WordPress site from spam promotional comments and reviews as well as from data scraping.

11. Frequent Updates: Core, Themes, Plugins

Updating the core, theme, and plugins is vital for a secured WordPress site. If you are using a plugin or theme that is no longer supported by its developers, then instead of continuing to use the outdated version, look for better alternatives — there are literally thousands of themes and plugins out there.

Similarly, if you are reluctant to update due to the possibility of breaking the site then I suggest using a staging site. This way you can test the new features and revert if something does not feel right.

Final Thoughts

WordPress security is paramount for the credibility and growth of your online business and as a business owner, you should discuss the possibilities with experts and invest in the solution that is built for serious WordPress-based websites like Convesio.
