September 2, 2023

WordPress security 101

WordPress Website Security Essentials for Small Businesses

You can imagine them, can't you? In a dark room, sweaty, a leather trench coat with long greasy hair... sounds a bit like my teenage years, but I'm actually referring to hackers. Hackers, and the automated systems controlled by hackers called bots, are unfortunately a very real and everyday threat to websites.

For an actual hacker to take it upon themselves to hack into your website, it takes some manpower and effort on their part. You'll either have to have something they want to steal, such as data, money or digital assets, or they have a vested interest in modifying your website, e.g. to put out a message or gain publicity. For your average website, hackers aren't an everyday problem, whereas bots and malware are.

Bots are systems created to automatically scan the internet for vulnerable websites and then exploit those vulnerabilities. They will usually install some malware: code which will do something nefarious. They could install some kind of ransomware on your website, insert adverts, add spyware to spy on your visitors, or simply break the site so it goes down. Again, they are usually looking to gain something; however, some have been created purely to be destructive for the hell of it.

Whilst I can advise on how to secure your website as best as possible, a persistent expert hacker, or even worse a group of hackers, isn't likely to be stopped: if they can hack governments and mega corporations, your WordPress website isn't going to be a huge challenge. However, we can stop 99% of bots, malware and chancers by following three simple steps.

Users

People are usually the weakest link. A crap, easy-to-guess password with no numbers or symbols in it is a common route in for what is known as a brute-force attack. Ensure your password is a random string of lowercase letters, uppercase letters, numbers and symbols instead of your dog's name, for example: jb4%^2d@L!d7B£ - ain't nobody guessing that easily. Users should also change their passwords at least every 6 months, in case their password has been reused somewhere else and/or leaked.

For usernames, do not use the name of the company (for example, I wouldn't use Lewis or Lewis Edward as my username), nor a name from your staff/team page or an email address which is publicly available on your site or LinkedIn, because once somebody has the username they already have one half of the equation. Often a hacker will go to your site, check out the team page for the IT guy or someone likely to have access to the website, then easily guess their email address based on publicly available information. An email address works just as well as a username to log into WordPress, so that's the first part discovered in less than ten minutes. Then they would check out the person's Twitter, LinkedIn, Facebook or somewhere else to find family names, pet names, favourite sports teams, birthday, etc., all commonly used in passwords.
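As an added illustration of the two points above (a random mix of character classes, and nothing an attacker could read off your team page or social media), here is a small password check. It is example code written for this post, not part of WordPress or any plugin; the minimum length of 12 is my own assumption, since the post only asks for a random mix of characters, and the personal-info list is something you would fill in per user.

```python
import re

# Minimum length is an assumption for this example; the post only asks for a
# random mix of lowercase, uppercase, digits and symbols.
MIN_LENGTH = 12


def classes_present(password):
    """Report which of the four character classes the post asks for are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


def normalise(text):
    """Lowercase and strip everything but a-z0-9 so 'Man-Utd' and 'manutd' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, personal_info=()):
    """
    Check a password against the post's guidance.

    personal_info: strings an attacker could find publicly about this user
    (pet names, football team, birthday in whatever format, the username).
    Returns (ok, reasons); reasons lists every rule that failed.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in classes_present(password).items() if not present]
    if missing:
        reasons.append("missing character classes: " + ", ".join(missing))
    norm_pw = normalise(password)
    for item in personal_info:
        norm_item = normalise(item)
        # Skip very short fragments so a two-letter nickname does not match everything;
        # also catch the item written backwards ("date of birth backwards").
        if len(norm_item) >= 3 and (norm_item in norm_pw or norm_item[::-1] in norm_pw):
            reasons.append(f"contains publicly known info: {item!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: the post's own example password, then a pet-name password.
    for pw, info in [("jb4%^2d@L!d7B£", []), ("Rex2010!", ["Rex", "12/05/1990"])]:
        ok, reasons = check_password(pw, info)
        print(pw, "OK" if ok else "REJECTED: " + "; ".join(reasons))
```

The personal-info check is deliberately crude (substring match after stripping punctuation); its job is to catch the cases the post describes, a pet name or a birthday typed forwards or backwards, not to replace a breached-password list.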

Limit the number of users with an 'Administrator' role in WordPress to purely those who actively need to be administrators on the site; the fewer the better. Remove any users who do not need to access the site, or who have left the organisation. Force users to use 2-factor authentication for logging into the site, so that even with a username and password they need another factor, such as a code sent to their phone, to gain access. Put a procedure in place to handle all of the above and write up a policy which all staff with access to the website must follow.

Never click on a link in an email. Whether it's asking you to update your password, update WordPress, about an error, or something else... simply go to the website yourself, log in and take a look. Fake (phishing) emails are notorious, through some really high-profile hacks, for giving hackers access to the site. Can I repeat: NEVER CLICK A LINK IN AN EMAIL.

Updates

Do you have a pending WordPress update or, dare I say it, lots of pending plugin updates on your website? If the answer is yes, you will likely have a vulnerability on your site. As the developer of a plugin finds bugs and vulnerabilities, they fix them and then release the fixes as updates. So if you're not updating your plugins you are potentially leaving a weakness on your site. If a hacker scans your site and finds you're using a particular version of a plugin which has known vulnerabilities in it, they will know exactly how to exploit the site.

The same goes for WordPress: as an open source CMS, when a vulnerability is found everyone knows about it, so if you don't update WordPress you're asking for trouble. You can see more specifics on WordPress security releases on their site. I'd recommend backing up your website before you update WordPress or plugins though, as updating can also be risky in its own right.
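One way to turn "do you have pending plugin updates?" into a routine check is to feed the output of WP-CLI's `wp plugin list --format=json` through a short script. The script below is an added example for this post, not part of WP-CLI or WordPress; the sample JSON is constructed here to look like that command's output (name/status/update/version fields, with `update` reading `available` for a pending update), and WP-CLI itself is not run.

```python
import json

# Constructed sample shaped like `wp plugin list --format=json` output.
# On a real site you would pipe the command's output into this script instead.
SAMPLE_WP_PLUGIN_LIST = """
[
  {"name": "akismet",        "status": "active",   "update": "available", "version": "5.1"},
  {"name": "contact-form-7", "status": "active",   "update": "none",      "version": "5.8"},
  {"name": "old-gallery",    "status": "inactive", "update": "available", "version": "1.2"},
  {"name": "wordfence",      "status": "active",   "update": "none",      "version": "7.10.3"}
]
"""


def pending_updates(plugin_list_json):
    """
    Return (name, current_version, status) for every plugin WP-CLI reports an
    update for. Inactive plugins are included on purpose: their code is still
    installed on the site, so they still need updating or removing.
    """
    plugins = json.loads(plugin_list_json)
    return sorted(
        (p["name"], p["version"], p["status"])
        for p in plugins
        if p.get("update") == "available"
    )


def main():
    pending = pending_updates(SAMPLE_WP_PLUGIN_LIST)
    if not pending:
        print("No pending plugin updates.")
        return
    # The post's own caveat: take a backup before applying anything.
    print("Back up the site first, then update:")
    for name, version, status in pending:
        print(f"  {name} (currently {version}, {status})")


if __name__ == "__main__":
    main()
```

Run on a schedule (or as part of a weekly admin checklist) this gives you the list of plugins to update before a scanner finds them for you.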

Firewall

Use a firewall such as Wordfence or Cloudflare to block unwanted traffic from bots automatically. It can also block suspicious actions and visitors, most importantly those trying to carry out a brute-force attack. This is where they'll try hundreds if not thousands of usernames and passwords, hoping that eventually somebody's password is guessed. Your date of birth backwards, favourite football team, etc. are all easy pickings for this type of attack. You can configure a firewall to automatically block an IP address after a number of unsuccessful password attempts (I recommend 3). You can also block an IP that tries to log in with a username which does not exist on the site. The attacker can then change their IP and try again; however, it really puts the brakes on their operation.
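To show what those two firewall rules actually do, here is the lockout logic run over a handful of login events. This is an added example written for this post, not Wordfence or Cloudflare code; the events and IP addresses are constructed, and the rule that a successful login resets an IP's failure count is my own design choice.

```python
from collections import defaultdict

# The post's recommendation: block an IP after 3 failed password attempts.
MAX_FAILURES = 3

# Constructed sample of login events in order: (source IP, username tried, password correct?).
# A real firewall would read these from the web server or WordPress authentication log.
SAMPLE_EVENTS = [
    ("203.0.113.5",  "lewis",  False),
    ("203.0.113.5",  "lewis",  False),
    ("203.0.113.5",  "lewis",  False),
    ("203.0.113.5",  "lewis",  True),   # correct password, but the IP is already blocked
    ("198.51.100.9", "admin",  False),  # 'admin' does not exist on this site
    ("198.51.100.9", "lewis",  False),
    ("192.0.2.77",   "editor", False),  # a real user who mistyped once...
    ("192.0.2.77",   "editor", True),   # ...and then got in
]

KNOWN_USERS = {"lewis", "editor"}


def evaluate_logins(events, known_users, max_failures=MAX_FAILURES):
    """
    Walk the events in order and return (decisions, blocked_ips).

    decisions is a list of (ip, username, action) where action is one of:
      'allowed'  - valid user, correct password
      'rejected' - valid user, wrong password, under the threshold
      'blocked'  - this event triggered a block (threshold reached, or unknown username)
      'dropped'  - the IP was already blocked; the request never reaches the login form
    """
    failures = defaultdict(int)
    blocked = set()
    decisions = []
    for ip, username, success in events:
        if ip in blocked:
            decisions.append((ip, username, "dropped"))
            continue
        # Rule 2 from the post: a username that does not exist on the site is
        # blocked straight away, no counting needed.
        if username not in known_users:
            blocked.add(ip)
            decisions.append((ip, username, "blocked"))
            continue
        if success:
            failures[ip] = 0  # design choice: a genuine login clears earlier typos
            decisions.append((ip, username, "allowed"))
            continue
        # Rule 1: count failures per IP and block at the threshold.
        failures[ip] += 1
        if failures[ip] >= max_failures:
            blocked.add(ip)
            decisions.append((ip, username, "blocked"))
        else:
            decisions.append((ip, username, "rejected"))
    return decisions, blocked


if __name__ == "__main__":
    decisions, blocked = evaluate_logins(SAMPLE_EVENTS, KNOWN_USERS)
    for ip, user, action in decisions:
        print(f"{ip:<14} {user:<8} {action}")
    print("blocked IPs:", sorted(blocked))
```

Note the fourth event: once an IP is blocked, even a correct password from it is dropped, which is exactly what makes a lockout effective against a guessing campaign (and why the attacker has to move to a fresh IP to continue).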

A system such as Cloudflare can also help to drastically improve security. It sits between your site and the visitor as a man in the middle (a reverse proxy). You can configure it to block various types of attack, and if it gets suspicious it can even cover your site with a Google reCAPTCHA challenge which only a human could complete to unlock the site. I've used Cloudflare in the past to successfully defend a global charity's site from daily bombardments from hackers and bots. You can also use it to block whole countries, such as IPs in Russia, if visitors from those countries are of no use to you anyway.

In summary

Those are my top three things to bear in mind when considering the security of your site. There are quite a few other things to think about, such as backups, web hosting, training and more; however, I've focussed on the top 3 above, which most website administrators could carry out themselves without necessarily needing a techy to help. If you would like my help with securing your website though, I can get it thoroughly locked down and give you peace of mind quickly. Get in touch if you'd like to discuss this further and I'll be happy to assist.
