How To Secure WordPress?

In this article, we won’t dive into technical details, but try to address a common misconception instead. We will explain what website security is in general and how to secure WordPress.

As per calculations, approximately 380 new websites are created every minute. However, the actual number of new websites being created every day is probably a little more than 500 000. In a perfect world, security should be kept in mind from the beginning of the development process, but this, unfortunately, is always not the case.

Unfortunately, people usually get acquainted with website security when a website is experiencing an attack which results in being defaced, stuffed with SEO spam, being blacklisted, or spreading malware.

There are hundreds of WordPress security providers out there who all claim their plugin to be “the best”, “most complete” and the “only thing you need”. We understand the marketing efforts, but there are concerns in this kind of message.

Why is WordPress security important?

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target.

Whether it’s your customers’ data such as emails, shipping details, and credentials or just the server resources (processing power and storage), it’s all something that hackers can monetize or use for their own good.

It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. Your website will be scanned on a daily basis for vulnerabilities and outdated software, configuration errors and it will most definitely be actively brute-forced.

Even if you don’t keep any visitor data such as emails, your website is still perfect for conducting a watering hole attack or to just host malware and redirect traffic to malicious sources.

WordPress security is not plug-and-play

WordPress security cannot be plug-and-play. Never trust services that promise 100% security, because security is a process and should be considered more like continuous risk management.

Paying a company so that you don’t have to worry or think about security creates opposite results in the long term.

Why using multiple security plugins is not a good idea?

When it comes to WordPress security (or any other CMS) site security, the owners and developers load their sites with multiple security plugins, because the more is better right? Unfortunately, this can cause more harm than good.

WordPress security plugins also need to be updated, and they too can have vulnerabilities. (e.q WordFence XSS vulnerability). Security plugins, especially the ones that connect the site with a web application firewall or some simpler filtering engine can create conflicts and the traffic might not be properly monitored and filtered.

Some also change the settings on a hosting environment via .htaccess and nginx.conf file. When multiple plugins try to push their own changes, you can end up with an unstable site with questionable security configurations.

Why should you question “one-click malware removal” tools and services?

We often see service providers that offer “daily malware removal”, “one-click malware removal” and similar services that seem to be working well for website owners because every time they do it, a report shows that the website is clean. And it seems to be good because it does it often.

Instead of throwing out the bad guys on a regular basis, maybe it’s time to make a real effort and instead of investing in a fancy bucket to throw water out of a sinking ship, invest in tools to keep the water out.

Malware infection is the result of a problem. Does it really make sense to focus on the consequences? As far as you don’t solve the problem, you will end up in a dead circle of infections and cleanups.

How to secure WordPress? How should security be approached?

Monitoring actionable insights

When it comes to content management systems like WordPress, it’s highly important to have a proper overview of every single component your website uses. If you’re an agency or a developer, it’s important to be able to set alerts and receive the information from a single place.

Whether it’s a vulnerable PHP version, a vulnerable plugin version, or a buggy theme, you want to know this information immediately. It’s not only about the internals, but the external information as well.

You should always know and be alerted about:

• Is the website blacklisted?
• Is the website mentioned in defacement databases or hacking forums?
• What kind of information can be enumerated from your site with the use of simple tools?
• Is the SSL certificate properly set up and when is it expiring?
• Is the domain expiration date around the corner?

Comprehensive website monitoring is essential, it’s not just about up-time, it’s about the integrity and about knowing where to look at. If you know where to look and what to improve, it will be much easier to keep pace with the latest and modern security practices.

Focus on prevention

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks in this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls have critical importance.

Web Application Firewall will monitor traffic your website receives and will take action on malicious or suspicious traffic. Web application firewalls are of critical importance to block exploitation attempts when a vulnerability is present which is yet to be patched.

For example. WebARX web application firewall is managed and virtual patches will be distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

What to do when a website is hacked?

First of all, we have offered remediation services and malware removal since 2014 and have tested a lot of different tools. Many of them claimed to find malware on 100% accuracy. This has never happened.

Scanners are either heuristic or pattern-based and malware is always engineered to be invisible from scanners. Some scanners find malware better, some struggle with false positives, and many just don’t work at all.

Over the years of experience, we have stayed to supervised remediation. It means that we use different techniques to clean up the site and make sure that not a single backdoor remains on the site.

After double-checking, we install and configure a web application firewall and monitoring on the site. We have written a tutorial which is considered to be the most comprehensive malware removal guide available for WordPress.

Remember, WordPress Security is a process!

WordPress security is much more than just a security plugin and strong passwords. It’s a process.

We tend to get lost and confused in the world of ads and marketing messages without really knowing what is good for us. If you have the proper tools, sometimes the most effective way is to just take an hour per week to look at what could be improved.

Keep in mind, security is a process, not a plugin you can install.