In a previous blog—I detailed three fundamentals for maintaining a healthy and secure B2B WordPress Website.
In this blog, I wanted to take you a step further and share some of the specific practices and steps we take to secure WordPress lead generation websites for our B2B clients.
Bear with me...
I know what you’re thinking… “Hey, I’m not a developer—and I don't have the time to spend days or weeks on website security.”
And to that I say—you don’t need to be AND these won’t take long. Most of these can be accomplished in just a few minutes and without any “development.”
How Do You Secure Your Website Without A WordPress Expert?
There are a number of effective WordPress security plugins to help you bolster your website’s defenses.
One of those that we use is AIOWPS Security & Firewall Plugin.
AIOWPS provides a wide range of features that you can “turn on” or work with your managed hosting provider to enable and configure. These can significantly strengthen your WordPress website security.
The tips we'll cover in this blog aren’t solely focused on using this plugin—though this is a good place to start for many organizations.
One last note…
Before performing any work on your website or making any changes like this—you should ALWAYS ensure you have a safe and healthy backup of your website. I don’t want anyone getting locked out of their site or losing previous work.
I’ve organized these 25 security measures into three main categories:
- Login & Brute Force Attacks
- Admin/User Accounts, Database, & System
- Habits & Other Best Practices
Alright. Let’s get started.
Protect Your WordPress Website Against Login and Brute Force Attacks
The first category here is login and brute force attacks. These happen across the internet continuously.
It costs hackers very little, in both time and money, to deploy bots and automated processes that check unprotected websites for misconfigurations and weak username/password combinations.
Here are the steps you should take to protect yourself:
1. Change (rename) the URL “slug” for your WordPress login page
By default, WordPress uses the /wp-login.php slug for logging into your wp-admin section.
When hackers and bad actors wish to find sites and attempt a “brute force” attack—the sites using the default login page are at a major disadvantage. Bots are already hard at work to attempt known username/password combinations. (Hopefully, your site users haven’t used easy-to-remember and commonly-used passwords like admin, password, 123467, etc. More on that later.)
By changing your login page “slug”, you can make it significantly harder for bots to find your login page. Yep, AIOWPS has a built-in feature that helps you change the login page. Be careful though: if not handled appropriately, the feature can lock you out of your website. You’ll also want to contact your hosting provider to ensure that your login page is not cached.
2. Implement a website lockdown feature to ban questionable users and IPs
Another effective method for limiting brute force attacks is a lockdown feature to ban unknown usernames and/or IPs automatically when incorrect login credentials are provided in rapid succession.
The number of attempts and duration of the lockout can be set to your preferences. You can also make sure that you’re notified whenever an event occurs—so that you can recognize habits, trends, or potential dangers.
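The lockdown behaviour described above, written as an added example of a must-use plugin using core WordPress hooks (this is illustrative code, not the page's own code and not the AIOWPS implementation; the 5-attempt / 15-minute / 30-minute policy and the `example_` function names are assumptions):

```php
<?php
/**
 * Plugin Name: Example Login Lockdown
 * Description: Illustrative mu-plugin (drop into wp-content/mu-plugins/).
 */

// Assumed policy: 5 failures within 15 minutes locks the source IP for 30 minutes.
const EXAMPLE_LOCKDOWN_MAX_ATTEMPTS = 5;
const EXAMPLE_LOCKDOWN_WINDOW       = 15 * MINUTE_IN_SECONDS;
const EXAMPLE_LOCKDOWN_DURATION     = 30 * MINUTE_IN_SECONDS;

// Only REMOTE_ADDR is trusted here. Behind a proxy such as Cloudflare, have your host
// restore the real client IP first (assumption about your hosting setup).
function example_lockdown_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function example_lockdown_key( $prefix ) {
    return $prefix . md5( example_lockdown_client_ip() );
}

function example_lockdown_is_locked() {
    return (bool) get_transient( example_lockdown_key( 'example_lockdown_lock_' ) );
}

// Count each failed login and lock the IP once the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( example_lockdown_is_locked() ) {
        return; // already locked: do not keep counting or re-notifying
    }
    $count_key = example_lockdown_key( 'example_lockdown_fail_' );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, EXAMPLE_LOCKDOWN_WINDOW );

    if ( $count >= EXAMPLE_LOCKDOWN_MAX_ATTEMPTS ) {
        set_transient( example_lockdown_key( 'example_lockdown_lock_' ), time(), EXAMPLE_LOCKDOWN_DURATION );
        delete_transient( $count_key );
        // Notify the site admin so trends can be reviewed later (see item 18).
        wp_mail(
            get_option( 'admin_email' ),
            '[' . get_bloginfo( 'name' ) . '] Login lockdown triggered',
            sprintf( 'IP %s locked after %d failed logins (last username tried: %s).',
                example_lockdown_client_ip(), $count, sanitize_user( $username ) )
        );
    }
} );

// Refuse authentication from a locked IP. Priority 99 runs after core's own
// username/password and email checks (priority 20), so this error is not overridden.
add_filter( 'authenticate', function ( $user ) {
    if ( example_lockdown_is_locked() ) {
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 99 );

// A successful login clears the failure counter for this IP.
add_action( 'wp_login', function () {
    delete_transient( example_lockdown_key( 'example_lockdown_fail_' ) );
} );
```

Transients live in the options table (or the object cache), so a lockout applies to every PHP worker, not just the one that saw the failed attempts.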
3. Require Two-Factor or Multi-Factor Authentication
Leveraging a form of two-factor authentication (2FA) or multi-factor authentication (MFA) will significantly increase your security stance. In this situation, the website owner (“you”) requires two (or more) forms of authentication, such as a secret question, code, or a more secure option like the Google Authenticator plugin.
Combined with the Google Authenticator app, users logging in will be required to enter a six-digit verification code that is time-sensitive and tied to their recognized smart device.
4. Require email for login (not usernames)
Plain and simple, usernames are not as secure as email addresses.
They tend to be easier to guess/predict—as well as rendered publicly by many of the built-in WordPress functions (like links and author archives). They are therefore much less secure than emails.
There are a number of WordPress security plugins that allow you to require login with email only.
5. Require strong passwords and the use of a password manager.
Longer, randomized passwords are stronger and more difficult to “crack.” If your password is “unreadable to humans” and made up of random numbers, letters (capitalized and lowercase), and special characters it will keep you safer.
For this, you’ll need to leverage a password manager. Often, our clients are concerned it will be difficult to train employees to use. But they’re actually incredibly easy to adopt. Especially with recent security technology advancements like facial recognition and fingerprint sensors on mobile devices and computers.
Password managers require that you remember one, strong, “master password”. Every other password is stored in a vault and encrypted based on your “master password”. It can also be tied to biometric security measures (like face and fingerprints) so that you only have to remember the one password—and most of the time use the biometric authentication. These password managers have the ability to sync with all of your devices using the same login email/password. Laptop, second laptop, desktop tower, phone, tablet, easy.
I recommend LastPass. The last password you’ll ever need. https://www.lastpass.com/
NOTE: This practice won’t just help secure your website. Using password managers across your accounts and digital activities will make your entire business more secure.
6. Automatically log out idle users
Any of your admin users that stay eternally logged into your website pose a security risk.
If they walk away or lose their computer—anyone who may find access to their computer or browser would be able to gain sustained access to your website and any sensitive information.
The best way to tackle this is to automatically log out idle users after a determined period of time. The shorter the period, the safer you are, but often 60 to 120 minutes of idle time is sufficient so that you’re better protected and it doesn’t interfere or cause inconvenience when users are working on the website.
Combined with security-minded processes implemented out in the “real world” (i.e. Keep computers in safe places, ensure all computers are guarded with a password, etc.) you will significantly improve your security.
Protect Your WordPress Admin/User Accounts, Database, & System
For hackers and bad actors—your admin accounts, database, and core system files are gold mines. They contain easy access to a variety of information and if compromised can cause you serious headaches.
Here are a few of the steps you should take to protect these:
7. Protect your wp-admin directory
A great way to add further protection to your wp-admin dashboard is to add a separate password protection element. This will keep your dashboard safe even when accounts are compromised—and even ask for the password periodically to ensure it’s up to date.
To add a password to your wp-admin dashboard, you can use cPanel's “Password Protect Directories” function on your wp-admin folder. This adds a little friction for your web developers, but security is always a trade-off with convenience. You may consider activating this on your live site while leaving it off for development and staging environments.
For more information, check out this other blog on tightening security of your wp-admin directory.
8. Install an SSL certificate to encrypt data
Implementing an SSL (Secure Sockets Layer) certificate will encrypt all of the data transferred between user browsers and the hosting server. This ensures that any information provided, whether credit card information, login credentials, or anything else, is protected as it is passed back and forth between browser and site. As an added benefit, sites that use SSL certificates to protect their traffic receive better scores and higher ranks on the Google and Bing search engines.
SSL certificates require some configuration but that’s getting easier and less expensive thanks to public efforts like Let’s Encrypt.
NOTE: If you’re going to host your website with a Managed WordPress Provider like WPEngine or Kinsta, they’ll not only provide the SSL certificate at no cost rather than upselling you, they’ll also include the setup and configuration at no cost.
9. Restrict access and permissions to your admin dashboard
Use discretion and be picky about creating accounts and providing access to your website.
It’s best practice to provide the bare minimum of functionality necessary to fulfill a role when you allow employees access to your website. Anyone who isn’t an admin, editor, author, or contributor doesn’t necessarily need an account.
Basically, limit who you give access to your website. Secondly, you should perform an audit at least once a year to ensure every user has the proper permissions. You can remove users as needed.
Most B2B organizations don’t need to provide users with WordPress login credentials. These accounts are often better handled by other systems—support portals, ticketing, etc.
10. Change the admin user name
This recommendation goes hand-in-hand with using strong passwords and having good security hygiene. Strong username/password combinations and tips like changing your login URL will ensure that brute force attacks are less effective against your website.
However, one of the usernames that is often left AS IS after a WordPress website’s initial setup is the “admin” user. Change or delete that user and set your main administrator account up with a different name. This will ensure that any hacker doesn’t have 50 percent of the access equation right out of the gate.
11. Change your WordPress database tables prefix
If you’ve ever set up WordPress on your own from scratch, you are well aware of the standard ‘wp_’ table prefix that the WordPress database uses. Using the default database prefix can make your website vulnerable to SQL injection attacks and prying.
By changing the database prefix, we can close that hole easily. AIOWPS offers a feature that will change your database prefixes for you. Be careful when using it: if not handled properly, it could break your database connection. Just make sure that you have a backup or previous site snapshot before you attempt to change the prefix so that you can revert in case anything goes wrong.
This is a prime example of security through obscurity.
12. Set strong passwords for your database
Additionally, ensure that your database has a strong, unguessable password. We’ve already covered strong passwords for user accounts, and your WordPress database is no exception to that rule. Don’t reuse passwords either.
13. Disallow file editing
Admins have access to edit any files that are part of your WordPress installation—including plugin and theme files. You can disallow file editing and remove the ability for anyone to modify files. This can hinder you as well if you want to adjust files, but turning off editing privileges as a general practice significantly improves your security. Our recommendation is to disallow file editing, and when you want to make any system changes simply toggle the setting.
To disallow file editing, add the following code to the very end of your wp-config.php file:
// Disallow File Editing
define( 'DISALLOW_FILE_EDIT', true );
NOTE: AIOWPS also offers this feature.
14. Set & secure directory permissions
Setting secure directory permissions changes the read/write permissions on critical WordPress directories to prevent changes. This is particularly important in shared hosting environments (which most sites use). If you’re unsure of whether you’re on a shared hosting environment, you most likely ARE.
AIOWPS offers an easy one-click setting “per directory” to lock down and protect key directories.
15. Protect your website traffic against DDoS
DDoS, or Distributed Denial of Service, is a tactic used to overload a server and block access to a website. The bad news is, it’s easier than ever for bad actors to perform these attacks and all but shut down small businesses. The good news is that you can set up your web traffic and DNS to route through a provider like Cloudflare and significantly improve your protection against DDoS attacks.
Cloudflare’s Pro and Business security protection provides a range of features and performance improvements—as well as an “I’m Under Attack” mode to instantly engage Cloudflare security support.
16. Disable WordPress Core Version From Being Rendered
If a hacker knows the exact WordPress Core version your site is running on, they can hand-select and tailor compromises to use against you. Unfortunately, by default WordPress publishes the core version in a number of places. But don’t worry—we can turn that off.
Once AIOWPS is installed, go to Settings > WP Version Info > and select the checkbox to “Remove WP Generator Meta Info”. This will stop WordPress from posting that information to the front-end of your website.
17. Change Author Slugs
Another quick and easy way to help protect your environment from unwanted intrusion is to change the slugs of your authors and contributors.
By ensuring that the author slugs of your administrators and high-profile users don’t match their usernames—you can help prevent hackers from guessing parts of login credentials.
18. Monitor your audit logs
You can periodically review and edit your audit logs to identify trends or potential compromises. In most cases, you’ll probably find minor errors or wrong passwords entered by your authors—but if you notice problems this can be a good practice to spot compounding issues early.
Other Habits & Best Practices to Protect Your B2B WordPress Website
It’s not ALL about plugins and configurations—though that’s a large part of security. It’s also about the habits you form. Here are a few of those for good measure.
Heads Up! A few of these are repeats from our last blog.
19. Change passwords on a regular basis
Strong passwords and multi-factor authentication provide a great starting point for security and make it increasingly difficult for your website accounts to be “hacked into”. That said, it’s a good practice to rotate out passwords after a time.
The frequency of this event may vary based on your security stance and needs. Most businesses don’t even require this, but if you swap out passwords once a year—combined with strong passwords, use of a password manager, and multi-factor authentication—you are way ahead of the curve.
20. Select A Managed WordPress Host
If you’re not a web developer or designer yourself and want to spend the majority of your time working on your specialty or building your business—spending a little bit more every month on a Managed WordPress Hosting Provider is a “no-brainer”.
Providers like WPEngine or Kinsta have dedicated support and development teams that take care of server maintenance and planned code updates, and provide support whenever you have a question or problem. The added peace of mind is that they also continuously monitor and work to protect the health of their cloud environment, including during a security event.
In most cases, they will monitor and close security gaps as they arise without you ever hearing about them. If something specific requires your attention—you’ll be notified.
21. Keep regular backups
This was mentioned in our previous blog, but it’s so important—it stands to reiterate. Keeping regular, healthy backups in a safe place (not connected to your website, or your primary network and systems) will ensure that in the event of a catastrophic event—your website isn’t entirely lost.
I strongly recommend spending the extra money on a Managed WordPress provider who will take regular snapshots and enable you to back up your site on-demand as needed.
By doing this, you will also have a dedicated team of WordPress experts to help remedy the problem if a major flaw or compromise occurs within their cloud hosting environment.
Alternatively, you can invest in physical hard drives—or even—low-cost and reliable offsite cloud storage like with Wasabi Hot Cloud Storage to keep regular backups of your website.
22. Keep plugins and themes up to date
Most compromises occur after security vulnerabilities are found in code libraries or versions. They are then “weaponized” against specific WordPress websites that are using a specific core or plugin version. Many WordPress plugin developers work hard to maintain their plugin codebase—keeping it up to date and removing security loopholes/vulnerabilities when they are found by the security community.
Keeping your themes and plugins up to date generally only requires a bit of time every week or month and is a MUST in order to keep your site/investment protected and running.
Every so often, plugin conflicts or PHP updates will require a higher level of technical knowledge and may require a developer—but most of the time, you can manage the month to month.
23. Disable XML-RPC (Unless you use Jetpack or WP iOS)
If you don’t use Jetpack or need to access the admin section of your website from a mobile app—consider disabling XML-RPC. This will close off parts of the codebase that can be taken advantage of.
24. Invest in spam prevention (Your time is valuable)
If your website is popular and allows comments on blog posts, news, products, or other content types, you’ll probably receive a lot of spam. Much of it is facilitated by bots, which submit comments for review that include links out to another website or other messaging.
Typically, these practices are intended to take advantage of misconfigured WordPress sites and drive traffic for advertising revenue. But it’s possible that these tactics can be used to compromise your website or put your users at risk. Investing in an anti-spam service like Akismet is an affordable and easy solution that can reduce your spam by 99%.
25. Block trackbacks and pingbacks
This practice isn’t used as commonly today, but in the old days (even several years ago) WordPress sites and blogs used trackbacks and pingbacks as a way of notifying blog owners when another site referenced a page or resource on their site. I won’t get into the technical details, but vulnerabilities were found in the way this was performed. It also takes a small hit on the performance of your site.
Turning this off is also easy with AIOWPS and improves your security.
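Items 6, 16, 23 and 25 can each be applied with a core WordPress hook, as in this added example of a must-use plugin (illustrative code, not the page's own and not AIOWPS's implementation; the two-hour cookie lifetime in item 6 is an assumed policy):

```php
<?php
/**
 * Plugin Name: Example Surface Reduction
 * Description: Illustrative mu-plugin (drop into wp-content/mu-plugins/) for items 6, 16, 23 and 25.
 */

// Item 16: stop publishing the core version in <head> and in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Item 23: disable XML-RPC. Every authenticated method (remote posting, Jetpack,
// the mobile app) fails when this filter returns false, so skip it if you rely on them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Item 25: remove the pingback methods, drop the X-Pingback header, and close pings on posts.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false' );

// Item 6: core has no idle timer, so the closest core-only control is the lifetime of
// the login cookie. Assumed policy: 2 hours, or 24 hours when "Remember Me" is ticked.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );
```

After activating, confirm the change by viewing the page source for a missing `<meta name="generator">` tag and by requesting `/xmlrpc.php` with a `system.listMethods` call to see that the pingback methods are gone.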
26. Prevent Hotlinking
Hotlinking is the practice of other websites linking directly to images or assets that are hosted on your website to steal your bandwidth and harm your website performance. By preventing hotlinking, you can save yourself bandwidth, protect your website investments, and improve the overall performance of your own website.
This is less about security than ensuring the performance of your website—but we thought it worth mentioning as low-hanging fruit.
Final Words on WordPress Security For Your B2B Website
No single step is going to ensure you achieve a secure site. It’s only through a series of continuous steps, habits, and following best practices that you will minimize your risk to malicious threats online.
You should also know that even if you implement all of these recommendations—you will never be 100% protected. The threat landscape online is continuously changing and new threats are being identified every day—even every hour.
I hope that this information has been helpful in your quest to protect your investment, your business, and your customer data (i.e. “your WordPress website”). These are just a few of the checks we take to secure WordPress websites for our B2B clients.
If you have additional questions or recommendations regarding implementation or looking for HubSpot CMS Website Design—don’t hesitate to contact us.