There are tons of methods available to fortify your website. Some are centered around knowledge and best practice — things like choosing unique passwords and not responding to phishing attempts or spam. Others can be more technical and may require some know-how or at least a willingness to learn in order to be used safely and effectively. In this article, we’ll cover a few tried and true methods for hardening a WordPress site.
As more and more services are offered online, more accounts are needed to access these services. This means more users on your site, and more maintenance to keep it secure. Login security is an important factor to consider when looking at potential security risks on your site. Here we’re going to outline some effective ways to limit access to your site.
Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is becoming increasingly popular due to its accessibility and effectiveness. 2FA limits site access by forcing users to provide an additional security code after their regular login credentials before they can access the site. This way, if a password ever were compromised, the offending user would be prompted for a security code after entering the login credentials. If a user is registered to login to the site using 2FA they wouldn’t be able to gain access with just a username and password. Combining 2FA with another method is an ideal way to harden your business’s website.
Add Google Login Functionality
For some businesses, adding a Google login can be a simple and effective way to immediately improve site security. If you’re OK with utilizing a third-party service like Google to control your login functionality, there are some distinct benefits to using a Google login. For starters, it’s one fewer password to remember, and that’s always a good thing. Once you add Google login functionality, you can generally remove the traditional username and password fields using built-in settings in the WordPress admin. By doing this, you prevent scripts from using brute-force attacks to try and gain access by repeatedly guessing credential combinations. With Google login, a potential hacker couldn’t simply create a script to generate and attempt username and password login combos — they would need to identify a registered Gmail user with login credentials and then attempt to gain access to the site that way. Overall, it is a practical way to increase site security that does not require too much expertise or maintenance.
Limit Login Attempts
If you want to avoid using third-party services like Google for your login needs, consider limiting login attempts for users looking to access your site. Similar to using a Google login, limiting attempts also prevents scripts from guessing username / password combos by shutting them out of the site after a few failed attempts. It is another simple way that you can add a layer of security to your site. There are a variety of plugins available to accomplish this and we’ll outline what to look for with those in the Plugins section below.
Limiting File Additions and Changes
WordPress sites can be customized to limit certain behaviors based on predefined settings found in the
wp-config.php file. Oftentimes, actions like installing plugins and editing template files aren’t necessary for most of a website’s users and we can add a few lines of code to quickly prevent those actions from being allowed on site:
define( 'DISALLOW_FILE_MODS', true ); define( 'DISALLOW_FILE_EDIT', true );
Principle of Least Privilege
The Principle of Least Privilege is a concept that revolves around affording users the least amount of user permissions possible for their role. User permissions determine the capacity a user has to change a WordPress site, so it’s important to make sure that no user has more permissions than they need to. Permissions are granted when a user is assigned a role, where Super Admin and Admin roles grant the most permissions, the Editor role grants limited editor abilities, and the Subscriber role generally grants the least permissions. When assigning permissions, it’s important to have a method set up so that users are never assigned higher permissions than they need. Most users who would be making content changes to a site do not need full Admin or Super Admin permissions, so auditing user permissions to make sure they’re granted according to the Principle of Least Privilege is a great way to proactively protect your site.
There are many plugins available to both monitor and protect your WordPress site and many of them cover a lot of the functionality mentioned above. The benefits to using a plugin are the speed with which insights can be acquired — they simplify the process by providing a user interface instead of code, and they are often able to cover more than one aspect of security. There are tons of plugins available to help protect your site and there is no one-size-fits all as far as solutions go. When making decisions about what to install, take a look at the functionality offered and see what’s covered. It’s important you install plugins which offer you functionality you need, and not just because it’s the flavor of the week. Other factors like reviews can help add context, too. One of the most important things to look out for is responsiveness from the developers — you should be able to see when a plugin was last updated on its page at https://wordpress.org/plugins/. If you see a flurry of issues from a few years back and no responses or updates since then, it’s probably best to move on to the next one.
There are a lot of variables to consider when implementing security fixes. Compatibility and ease of deployment are important to consider but so is identifying areas where you do and don’t need to increase your security. Some measures that help one site might not do anything for another. If you need a better understanding of best practices for securing your online presence, contact the experts at Hall.