Top WordPress website security tips and trends in 2020

Did you know Google quarantines over 10,000 sites everyday that it deems harmful or suspicious? So, you can be running an honest shop but if an evil-doer comes along and adds malware to your site, then Google may flag you.

And, once you’ve been added to a Google blacklist, it’s pretty much game over. Search engines and anti-virus companies will send all kinds of warning signs to future site visitors. Needless to say, this will kill your traffic, overall SEO strategy, and ages of hard work.

So, let’s stop with all the doom and gloom and get right to the heart of the matter. Website security is an achievable task and we’re here to walk you through the best WordPress security tips. With these safeguards in place, evildoers will have such a tough task ahead of them, they’ll (hopefully) just move on.  

Do your updates

We’re all guilty of this from time to time. A new smartphone update comes along and we roll our eyes. What could they possibly be patching now? What’s really happening behind the scenes are efforts to increase your security protection. As the hackers get updated in their ways, so must we adapt. 

WordPress works just the same. Whenever minor updates come along, WordPress will install them automatically. Larger updates, however, require your permission and we absolutely recommend them. Typically, these updates strengthen firewalls and tackle WordPress security issues, as well as increase processing speeds. 

Within WordPress, we also have all those lovely themes and plugins maintained by third-party developers. We need to keep an eye on their updates as well by doing the housekeeping when these updates come along. A clean, tidy, and secure house is top priority. 

Use your WAFs

The term “firewall” sounds pretty militant, doesn’t it? That’s why this is precisely what you need to prevent an unwarranted data breach. A web application firewall (WAF) will block malicious traffic even before it reaches your site. Keeping track by turning on notifications in case of such attack is also recommended.

As you get ready to enable these defences, you may come across two different types: DNS firewalls and application firewalls. We recommend you go in at the DNS level.

These firewalls only permit genuine traffic to hit your server. Meanwhile, application firewalls examine the integrity of your site visitors once they’ve arrived. You’re better off nipping things in the bud before they hit your server. 

Invest in an SSL Certificate

You may have noticed this in some of your web browsing: https:// in lieu of http://. That teeny, tiny “s” actually makes quite a difference. It means you have an SSL (Secure Sockets Layer) certificate which will encrypt data between your website and your site visitor’s browser. 

Data security (for credit card numbers, telephone numbers, and home addresses) makes it more difficult for villains to steal personal information. The cost of an SSL certificate ranges from $0 to hundreds of dollars per year. Here, it is crucial that SSL is implemented right and that all pages will be accessible only through SSL.

So, do your due diligence and shop around a bit. Keep in mind the amount of data you’ll be exchanging on your site and how much you want to protect your customers. Never let Google catch you with malware on your site, otherwise warnings could be shown on Google Search and other browsers, which could affect your SEO in the long run. 

 

Use multi-factor authentication

Like https://, you may be seeing more multi-factor authentications wherever you go. This simply means that, if you’d like to log on to a site, your username and password won’t be enough anymore. You’ll also need a security code emailed or texted to you. 

Take WordPress up on their offer for web application security. It may seem like a tedious task, but just remember: every time you’re using a multi-factor authentication code, it becomes harder for a hacker to bypass the code.

You can do email or text, but we recommend a text to your mobile. What are the odds a hacker is holding your phone in their hand? Meanwhile, if they can hack your WordPress site, they can probably hack your email. 

 

Protecting website forms

ReCAPTCHA is a Google-owned API that helps you detect abusive traffic on your website without user interaction. On WordPress, a reCAPTCHA plugin can be installed as a security solution for WordPress website forms such as login, registration, comments, password recovery, etc. 

In addition, it is also wise to moderate the comments section to avoid any junk links that would immediately go live on the website.

Limit login attempts

While we’re on the subject of logins, let’s go one step further. A multi-factor authentication to your cell phone is pretty locked and loaded. It wouldn’t hurt to also limit the number of login attempts. (Your WAF will also take care of this, but let’s lock and bolt the doors.)

This requires a plugin and there are a wealth of options available to you. With the plugin in place, once someone tries to log in multiple times with the wrong passwords, the site will get locked down, and you’ll be notified of this nefarious activity. 

Disable file editing

Let’s discuss a little bit of coding before we wrap things up here. WordPress allows users to edit your theme and plugin right from the admin area. This is nifty because it makes adding or removing code quite seamless. 

With that said, we recommend disabling this feature. If someone manages to make it all the way through to your site, they, too, can edit your plugins (and there goes your security plugin). Pop on over to the “Edit Themes” section within your dashboard and add this code to your wp-config.php file: 

// Disallow file edit

define( ‘DISALLOW_FILE_EDIT’, true );

In addition, adding appropriate permissions to folders in the server is also needed so that only users who are allowed to make changes can implement changes. Otherwise, users can directly access any sort of file in the website.

 

Disable directory browsing

You never want to leave your directory open for anyone to browse and then index to their own liking. By sniffing around your directory, they can tell which files are vulnerable to an easy attack. 

While they’re there, they’re also free to copy data, images, and other important files. But, if you turn off directory browsing and indexing, then they’ll have to move on to another victim.

What you’ll need to do is head on over to your website using cPanel’s file manager. Then, pinpoint the .htaccess file on your root directory and pop in this bit of text after the .htaccess file: “Options -Indexes”.

Note that any directory or path will not be accessible if you disable viewing for ordinary users. Also, for Windows,  the text should be “webconfig,” so configuration files are different. cPanel is only for hosting that supports cPanel. On an unmanaged private server (VPS) where cPanel wasn’t purchased beforehand, there won’t be any cPanel. Instead we recommend the use of SFTP instead of FTP as “S” is more secure.

In addition to this, code should be added so that in the case the SQL injection cannot work, any new AJAX call should be done with proper authentication. So any user cannot access or make changes in the backend through those AJAX calls.

WordPress supports AJAX by default, so make sure those AJAX are secured and hackers are not able to make changes using any of your custom code or plugin that you’ve installed.

 

Audit your audit logs

You can double-check your coding (as well as keep a lookout for unwanted guests) by auditing your audit logs. If you have freelance writers who access your site to upload articles and images, then you might want to keep an eye on their activities. 

Nobody should be changing the backbones of your site, including passwords, themes, plugins, and widgets. So, take a quick scroll through your audit log from time to time to make sure everyone’s hands are where they should be. 

In 2020: change your passwords

Can you believe we’re about to list changing your password as a 2020 security tip? In 2019 alone, over four billion records were exposed in data breaches. More than 1 billion of those records contained plain-text passwords. That means people are actually still using passwords like “password” and “123456.” 

Brute-force attacks are some of the easiest attacks hackers can deploy. They’re just a series of attempts with common letter, word, and number combinations. It would be a tad embarrassing to employ several website security best practices but not rotate your passwords regularly with the touted combination of numbers, upper and lower case letters, and special symbols. 

Also in 2020: change the admin username

Have you left your WordPress username as “admin” all this time? It’s a self-propagated username when you first create your WordPress website.

And, as surprising as the whole “password” ordeal, people aren’t changing the “admin” username. If you don’t change this to your email address or something creative, then hackers only have one job: a brute force attack on your password. 

WordPress website security for you

The news keeps telling us that the world is going to pot. So, let’s at least try to control the things we can, like website security. Here at Strategic DigitaLab, we specialise in bespoke website solutions. We break barriers, code websites properly, and create top-notch tech solutions that will not only keep your business safe, but help you rank with the gods of Google. 

Installing SSL certs, firewalls, and plugins may be manageable tasks. But, if you’re still worried about  suspicious activities, then you can call in the guard with our backend engineers. We’ll handle some of the trickier coding processes that will lock down your site and uptick your visitors. 

Beyond these trickier affairs, we’re also your pals when it comes to web content management and UX development. With a great user experience and flowing content, you can protect your website and approach the precipice of success. Allow us to take you there today. Send us a line and we can start diagnosing your site and implementing processes that will award you a Google gold star.