Website Security Optimization

Chapter 9: Security – It’s more than https://

According to Internet Live Stats, over 100,000 websites are hacked every day. Holy Moly Batman! That’s why it’s so important to take your security seriously.

Https:// and SSL certificate:

A big misconception is that if you aren’t accepting credit cards, you don’t need SSL. Wrong! HTTPS is absolutely vital to maintaining a secure connection between a website and a browser. This way you can better prevent hackers or a man-in-the-middle from gaining access to your website. Besides security, Google has officially said that HTTPS is a ranking factor. *Special Note: Plugins that force your site to load over https:// are not the same as having a properly configured SSL certificate from your hosting provider. In fact, such plugins can do more harm than good and severely slow down your site.

Security Headers:

This is where a huge amount of your site’s security actually lives! Security headers tell the browser how to behave when handling your site’s content. They are written in PHP code in your .htaccess file on your server. Do not attempt this on your own; there are dire consequences for even one mistyped character.

Test your site with SecurityHeaders.com to get a more complete picture of your site’s security. If you aren’t coming up green with at least a B grade, reach out to have me implement them on your site. It takes less than an hour to complete and will massively boost your security, as well as improve the Security score in your speed-test results.

SecurityHeaders.com Security Report Summary - 99% of Bloggers test at D or F grade
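To see what a SecurityHeaders.com scan is actually looking at, here is an added example (not code from the original post) that parses a captured response-header block, lists which of the six graded headers are missing, and prints the Apache mod_headers lines you would add to .htaccess. The sample response is constructed, and the header values are conservative starting points you would tune for your own site.

```python
"""Grade a captured HTTP response against the six headers SecurityHeaders.com checks.
Added example, not the post's code: parse the raw header block, list what is missing,
and emit the matching Apache mod_headers lines for .htaccess."""
# Header name -> a conservative starting value. These values are assumptions a site
# owner tunes; Content-Security-Policy in particular is site-specific.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "upgrade-insecure-requests",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), camera=(), microphone=()",
}

# Constructed sample: a typical WordPress response carrying only two of the six.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
"""

def parse_headers(raw: str) -> dict[str, str]:
    """Raw response-header block -> {lower-cased name: value}; skips the status line."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:  # ignore blank or malformed lines
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def missing_headers(headers: dict[str, str]) -> list[str]:
    """Graded headers absent from the response, in REQUIRED_HEADERS order."""
    return [name for name in REQUIRED_HEADERS if name not in headers]

def htaccess_fix(missing: list[str]) -> str:
    """Apache <IfModule mod_headers.c> block that adds each missing header."""
    if not missing:
        return ""
    lines = ["<IfModule mod_headers.c>"]
    for name in missing:
        canonical = "-".join(part.capitalize() for part in name.split("-"))
        lines.append(f'    Header always set {canonical} "{REQUIRED_HEADERS[name]}"')
    lines.append("</IfModule>")
    return "\n".join(lines)

if __name__ == "__main__":
    gaps = missing_headers(parse_headers(SAMPLE_RESPONSE))
    print("Missing:", ", ".join(gaps) or "none")
    print(htaccess_fix(gaps))
```

Paste the output of a real scan of your own site in place of the sample to see which lines your .htaccess still lacks.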

DNS Proxy & Firewall:

Cloudflare CDN

Are you already using Cloudflare’s FREE CDN & Proxy? If yes, you pass this with flying colors! If no, you’re exposing your site to security vulnerabilities by not hiding your server’s IP address, and not enjoying the protection of Cloudflare’s Firewall, which helps keep hackers and bad bots out of your site. DNS and IP addresses are the phone book of the Web; using Cloudflare essentially gives you a ‘Private’ number on the hacker’s caller ID. Not to mention they serve your image, CSS and JavaScript files blazing fast through their CDN service!

Keep WordPress & Components Updated:

Always use the latest version of WordPress, Plugins, and Themes. With every update, the developers behind them include security fixes and patches to keep your site safe from Hackers. Remember to back up your site before upgrading, just in case.

Did you know that it has been reported that plugin vulnerabilities represent 55.9% of the known entry points for hackers?

How Hacked WordPress Sites Were Compromised
Research by WordFence

Not sure whether a Plugin or Theme you’re about to install is safe and can be trusted on your site? You can use an online tool like VirusTotal to scan the plugin or theme’s files to see whether it detects any type of malware. Be wary of Plugins that have not been updated within the last 6 months; out-of-date plugins are more likely to contain security vulnerabilities.

PHP version:

PHP is the backbone of your WordPress site, so running the latest version on your server is very important. Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis. As of right now, anyone running PHP 7.2 or below no longer has security support and is exposed to unpatched security vulnerabilities. If you can’t easily find which PHP version your site is running, message your hosting provider’s customer service. All well-coded themes created in the past couple of years support PHP version 7.3.

If you’re not currently running version 7.3, it’s time to upgrade, today. This will also give your site a slight speed improvement. Do take a backup of your entire site before upgrading, just in case you have an OLD theme or plugin that doesn’t support it.

Supported PHP versions by WordPress

Use Strong & Unique Passwords:

Don’t use the same password for every site of your business. If Hackers get into one, they’ll get into all of them. Make sure your password is at least 10 characters long and has at least one Capital letter, a Number, and a Special character (&*#!@%). You could also use a Strong Password generator to create an impenetrable password for you.

Default ‘admin’ username:

Make sure you’re not using the default Administrator username, ‘admin’, for any of your users. Hackers know that most website owners haven’t changed it, so their job is now easier: they already know a username that will work on your site. To fix this, first create a new Administrator user with a unique username. Log out, then log back into the WP dashboard with this new username. Then delete the ‘admin’ user, remembering to assign all content created by ‘admin’ to your other Administrator account.

WordPress Dashboard – Delete the ‘admin’ user and attribute all its content to another unique username

Limit Login Attempts:

Login Lockdown Plugin

Hackers run brute-force attacks on your login page automatically, with software that tries thousands of password combinations in a short time. You can defend yourself against these with the Free plugin Login LockDown. If more than a certain number of failed attempts are detected within a short period from the same IP range, the login function is disabled for all requests from that range. View our guide to Login LockDown Settings configuration.
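The lockout logic described above, as an added example (not the Login LockDown plugin’s own code): failed logins are counted per IP range inside a sliding time window, and once the threshold is hit every request from that range is refused, even one carrying the right password, until the lock expires. The thresholds, the /24 range size and the sample IP addresses are assumptions constructed for the demo.

```python
"""Login lockout by IP range, in the spirit of the Login LockDown behaviour described
above. Added example, not the plugin's code; thresholds below are demo assumptions."""
from collections import defaultdict, deque
from ipaddress import ip_network
# Thresholds are assumptions for this demo, not the plugin's defaults.
MAX_FAILURES = 3        # failures allowed per range...
WINDOW_SECONDS = 300    # ...inside this window (seconds)
LOCKOUT_SECONDS = 3600  # how long the range stays locked (seconds)

class LoginLockdown:
    def __init__(self, prefix_len: int = 24):
        self.prefix_len = prefix_len
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lock expires

    def _range(self, ip: str) -> str:
        """Collapse a client IP to its network, e.g. 192.0.2.10 -> 192.0.2.0/24."""
        return str(ip_network((ip, self.prefix_len), strict=False))

    def is_locked(self, ip: str, now: float) -> bool:
        rng = self._range(ip)
        until = self.locked_until.get(rng)
        if until is not None and now < until:
            return True
        self.locked_until.pop(rng, None)  # lock expired or never existed
        return False

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Gate one login: returns 'locked', 'ok' or 'failed'."""
        rng = self._range(ip)
        if self.is_locked(ip, now):
            return "locked"  # refused even with the right password
        if password_ok:
            self.failures.pop(rng, None)  # a success clears the range's failures
            return "ok"
        recent = self.failures[rng]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"

def demo() -> list[str]:
    """Constructed attempts: three hosts in one /24 fail, then that range is locked."""
    ld = LoginLockdown()
    return [ld.attempt("192.0.2.10", False, 0), ld.attempt("192.0.2.11", False, 10),
            ld.attempt("192.0.2.12", False, 20), ld.attempt("192.0.2.50", True, 30),
            ld.attempt("198.51.100.7", True, 30)]
```

Note that the lock applies to the whole range, so a legitimate user on a shared network can be locked out along with the attacker; that trade-off is why the plugin exposes the thresholds as settings.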

Automatic Backups:

UpdraftPlus

Backups are the one thing everyone knows they need but doesn’t always take. Most of the recommendations above are security measures you can take to better protect yourself. But no matter how secure your site is, it will never be 100% safe, so you want backups in case the worst happens. I recommend the Free/Paid plugin UpdraftPlus Backups.