As a webmaster myself, I use WordPress on a daily basis for my personal sites as well as for my clients' sites. I have been using WordPress for more than 5 years now, and in my opinion it is the best content management system for building almost any kind of website with whatever features you want. If you are thinking about building some sort of portal for your business or your clients, I would suggest a more robust framework such as Laravel or CakePHP. But for general or basic ecommerce websites, WordPress is the best of the best.
Every time a discussion starts about WordPress websites, a group of people start shouting that it is not a secure platform. In this article I will try my best to clear up this myth about WordPress security and also share a few tips on how to make sure brute force attacks never succeed against your site. So let's first clear up the myth about WordPress security in general, then I will briefly explain what a brute force attack is in case you are not familiar with it, and finally I will share the tactics I personally use on my site to make sure no brute force attack can get through my site's security.
Is WordPress truly insecure?
The short answer is absolutely not. In the vast majority of cases, WordPress websites get hacked because of a mistake by the site owner or because a bad hosting company was chosen to host the site. I tell every one of my clients that to keep a WordPress site secure they should follow these five simple rules:
- Always keep your site's theme and plugins up to date with their latest versions
- If you want to modify anything in your existing theme, don't edit it directly; create a child theme instead
- Don't install themes or plugins from scammy, untrusted or "nulled" sites, or from any site claiming that a plugin will increase your revenue or generate more leads just by installing it
- Don't use the default admin username for your administrator user
- Understand thoroughly what you are installing on your site before actually installing it. Read the plugin reviews and support forum before installing
If you follow these five simple rules, I can assure you that you have already made your site 60% secure against hacking or any other unauthorized use. The remaining 40% of your security depends on the web host.
To be honest, most people don't have the money for a fully managed VPS for their site, as it is a very costly thing, so most people eventually go with basic shared hosting. As a webmaster and a reviewer I have tested and reviewed most of the well-known web hosting companies, such as GoDaddy, Namecheap, HostGator, Bluehost and JustHost, and in every case I have seen that they put their shared hosting users on very low quality, overcrowded, slow servers.
I'm not saying that all of these hosting companies have bad security in place on their servers, but some of them do. In fact, the most ridiculous thing is that many of them block certain PHP features in the name of server security, even though those features pose no real risk unless someone already has access to the server, while leaving open PHP features that really do matter for server security. Most hosts are also slow to offer the latest PHP version, even though newer versions bring better performance and security fixes. If you ask me for a web host recommendation, I personally suggest Bigscoots. I have been using them for more than 3 years now and I'm extremely satisfied with their server hardware quality as well as their amazing technical support. You can give them a try. Go with their Pure SSD plans, not the SSD Accelerated ones.
So, in short, if you always keep your WordPress site up to date and you have rock solid web hosting, you really don't have to worry about your WordPress site being hacked. I'm not saying this out of the blue; I'm saying it as an experienced webmaster who has been running WordPress sites for more than 5 years.
How to keep WordPress updated automatically?
Every time I tell people to keep their WordPress site up to date, the first reply I usually get is, "I'm so busy and have no time for this". But you have to understand that no matter how busy you are, you need to find time to keep your WordPress site up to date for your own sake, because if your site gets hacked or goes down, your business suffers too.
So today I'm going to share a small trick that I personally use (as I'm a busy person too :P) to keep my site up to date automatically, so that I can spend my time on important things rather than constantly updating the site. Please note that this process only updates themes and plugins that were downloaded from the WordPress.org repository. If you installed a plugin or theme manually (for example a theme purchased from ThemeForest), this process will not update it. It also does not work for paid plugins. For those you still need to log in to WP Admin once in a while and update them by hand.
For this process to work you first need to install Jetpack, a plugin made by Automattic, the company behind WordPress.com. Some people believe that Jetpack slows down a site, but that is not the case if you use it properly, as explained in depth below (tip: don't enable every Jetpack module, only the ones you actually need). After you have installed Jetpack, connect it to your WordPress.com account (if you don't have one, create one; it's free). Then enable the JSON API module and the Site Management module.
You may also be greeted with a notice like the one shown above in your WordPress dashboard asking you to enable the Jetpack Site Management module. If you see it after enabling the Jetpack plugin, just click the Activate Now button to enable the Site Management module on your site.
Once that is done, you can go to WordPress.com/sites at any time to see the sites managed under that Jetpack account. Click one site in the list, then click the Plugins or Themes section in the left vertical menu. There you will see the list of your plugins/themes and a cog button to enable the auto update feature, as shown in the image above.
To update the WordPress core automatically as well, add this line to your wp-config.php file, above the line that reads /* That's all, stop editing! Happy blogging. */ (the constant has to be defined before wp-settings.php is loaded):
define( 'WP_AUTO_UPDATE_CORE', true );
Note that since WordPress 3.7 minor and security releases are already applied automatically by default; setting this constant to true also applies major releases. After this you are all done. Your WordPress core as well as the free themes/plugins will now be updated automatically whenever a new version is released, without your intervention.
What is a Brute Force Attack on WordPress?
A brute force attack is a type of attack in which the attacker (commonly called a hacker) uses an automated tool to guess your site's administrator login by repeatedly trying to log in with different username and password combinations until one succeeds.
According to Wikipedia
a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.
So, in short, anyone who visits your WordPress site's wp-login.php without proper credentials and tries to guess a username and password combination in the hope that it is your admin login counts as a brute force attacker. This is why it is strongly recommended not to use the default WordPress admin username, admin, but to choose something else when installing WordPress. Keep in mind that usernames are not secret in WordPress (author archive URLs and post metadata expose them), so a non-default username only removes the easiest guess; the strong password and the two-factor code described later do the real work.
Since doing a brute force attack by hand is very cumbersome, most attackers use tools that automate the guessing. The more complex your password, the harder it is for any such tool to guess. So, besides using a non-admin username and a strong password, I am going to share a few tools I use on my site to block unauthorized access. You can use them to protect your site too. None of these tools adds noticeable weight to your website, so they will not hurt its loading performance.
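As an added example (not part of the original post), here is a small Python script that makes the attack described above visible in a site's web-server access log. It assumes the Apache/nginx "combined" log format and treats every POST to wp-login.php or xmlrpc.php (the two URLs that accept WordPress credentials) as one password guess; the log lines are constructed for the example, and the endpoint list, the threshold of five attempts and the five-minute window are the script's own choices.

```python
"""Spot brute-force login sources in a WordPress site's web-server access log.

Added example, not code from the post. WordPress accepts credentials on two
URLs: wp-login.php (the login form) and xmlrpc.php (what the mobile apps and
other XML-RPC clients authenticate through). Every POST to either is one
password guess, so counting POSTs per client address inside a sliding window
makes the attack visible. The log lines below are constructed for the example
and use the Apache/nginx "combined" format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one real user, one wp-login.php guesser that eventually
# gets in (302 after a run of 200s), and one client hammering xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2713 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2016:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "python-requests/2.9.1"
198.51.100.23 - - [10/Mar/2016:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "python-requests/2.9.1"
192.0.2.77 - - [10/Mar/2016:09:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Mar/2016:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "python-requests/2.9.1"
192.0.2.77 - - [10/Mar/2016:09:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Mar/2016:09:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "python-requests/2.9.1"
192.0.2.77 - - [10/Mar/2016:09:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Mar/2016:09:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "python-requests/2.9.1"
192.0.2.77 - - [10/Mar/2016:09:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Mar/2016:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.9.1"
192.0.2.77 - - [10/Mar/2016:09:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?action=... query strings
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, threshold=5, window_seconds=300):
    """Map each client IP that POSTed credentials `threshold` or more times
    inside any window of `window_seconds` to its peak count and whether a
    wp-login.php POST from it was answered with a redirect. WordPress answers
    a wrong password with 200 and the re-rendered form, and a correct one
    with 302 to wp-admin; xmlrpc.php answers 200 either way, so success there
    would need the response body, which the access log does not have.
    `lines` must be in chronological order, as a log file is."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> POST timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_ENDPOINTS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(rec["ip"], {"attempts": 0, "succeeded": False})
            entry["attempts"] = max(entry["attempts"], len(q))
            if rec["path"] == "/wp-login.php" and rec["status"] in (301, 302, 303):
                entry["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} credential POSTs in 5 min, "
              f"{'LOGGED IN' if info['succeeded'] else 'no success seen'}")
```

Run it over the live log (for example by piping `tail -f` into it) and feed the flagged addresses to whatever blocks at the server level, such as the host's firewall. The 302-versus-200 distinction is worth watching in your own logs: a run of 200 responses followed by a 302 from the same address is the signature of a guess that worked.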
So, how do you protect WordPress from Brute Force Attacks?
Whenever the topic of WordPress security comes up, people think of installing plugins like Wordfence or Sucuri Security. Personally, I never recommend installing these security plugins. The reason is that when you install this kind of plugin, it makes the site very heavy, because it checks a long list of conditions before processing the actual PHP request. If you truly want quality security checks, make sure your web host runs a proper firewall on the server, such as CSF.
As I said earlier, I neither use these heavy security plugins on my own WordPress installs nor suggest anyone else do so. Instead, I suggest you try the following two plugins on your WordPress site. They are not only lightweight but also make your site more secure than these so-called "security plugins".
Install Jetpack
Jetpack is a WordPress plugin made by Automattic, the company behind WordPress.com, that brings many features of WordPress.com to self-hosted WordPress.org sites. Unfortunately some people have the misconception that Jetpack slows down a website. It does not, used properly. Jetpack is a huge plugin with tons of different modules for various needs, and it only makes a site slower for people who blindly activate every module. Don't be that person.
After you install the Jetpack plugin and log in with your WordPress.com account, head over to Jetpack > Settings in the left WordPress menu. On this page you will see a detailed list of all the modules Jetpack offers. Activate only the modules you are going to use on your site and leave the rest deactivated. This is how the plugin should be used, and it will not slow down your site.
Jetpack also has a lightweight module that protects your site from unauthorized access and brute force attacks. To enable it, find and enable the Protect module in the Jetpack settings. Protect blocks login attempts from IP addresses already known to be attacking other Jetpack-connected sites (the blocklist is shared across all sites using the module), and it shows a captcha only when it is needed, after repeated failed attempts from an address, not on every login like many captcha systems. The captcha Jetpack uses is also a multi-level one rather than the single-level captcha most providers use.
Install Google Authenticator
This plugin is only useful if you always have an Android or iOS device with you. I use Google Authenticator together with the Protect module of Jetpack. It is a hell of a login security plugin for WordPress (the best, in my opinion), and if you are thinking about using it, make sure it is enabled for all administrator-level users. You don't need this level of security for basic subscribers, since subscriber-level privileges let you do nothing of consequence inside the WordPress admin dashboard. This is how it works:
First, install the Google Authenticator app (made by Google Inc.) on your Android or iOS device. Then install the Google Authenticator WordPress plugin. Log in to WordPress with your admin credentials, head over to Users > Your Profile and scroll down to the Google Authenticator section. Scan the generated QR code with your phone, or enter the secret manually (I prefer the QR option). Once the Google Authenticator app is synced with the plugin, you are good to go. From now on the WordPress login form shows a new field called "Google Authentication Code", which you must fill in along with your username and password to log in.
Also, if you use the WordPress apps on your phone, which log in through XML-RPC, you may need to turn on the App Password feature just below the Google Authenticator QR code generator, and use that App Password in the WordPress apps instead of your normal password.
The reason this is highly secure is that the Google Authenticator code changes every 30 seconds: each code is valid for one 30-second window, after which a new code is generated and the old one becomes invalid. This two-factor approach will not just stop ordinary brute force attacks, it also makes your site far more secure: even if someone has your admin username and password, they still can't log in without the current code from your phone.
The only downside to this setup is that if you ever lose your phone, you need to log in to your site via FTP/SFTP, go to the /wp-content/plugins/ folder and remove (or rename) the Google Authenticator plugin folder by hand; WordPress then deactivates the plugin and the login form goes back to username and password only. After you get a new phone you have to set it up again from scratch. I suggest using this two-factor authentication only for admin users, not for everyone.
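To show what the app on your phone and the plugin on the server actually agree on, here is an added Python example of time-based one-time passwords (RFC 6238), the scheme Google Authenticator implements. It is not code from the post or from the Google Authenticator WordPress plugin, and it uses the published RFC test secret rather than a real one. It demonstrates the 30-second rotation, a server-side check that tolerates a slightly drifted phone clock, and rejection of a code that was already accepted, which is the remaining risk when a code is seen by someone looking over your shoulder.

```python
"""Time-based one-time passwords (RFC 6238), the scheme behind the Google
Authenticator app. Added example, not code from the post or from the Google
Authenticator WordPress plugin. It shows the 30-second code rotation, a
server-side check that tolerates a little clock drift, and rejection of a
code that has already been used. The secret below is the published RFC 4226 /
RFC 6238 test secret, not a real one."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code in the authenticator apps (not 20)
DIGITS = 6

# RFC 4226 / RFC 6238 test secret "12345678901234567890", base32 as the app shows it
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps show the secret in base32, often grouped with spaces
    and without '=' padding; normalise before decoding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Every phone and
    server that shares the secret and a clock computes the same code."""
    return hotp(decode_secret(secret_b32), at // step, digits)


class TotpVerifier:
    """Server side of the login check. `window` steps either side of "now"
    are accepted so a phone clock that is a few seconds off still works. The
    last accepted counter is remembered so the same code cannot be replayed
    inside its 30-second life."""

    def __init__(self, secret_b32: str, window: int = 1,
                 step: int = STEP, digits: int = DIGITS):
        self.secret = decode_secret(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0 or counter <= self.last_counter:
                continue  # never accept a step that was already used
            # constant-time compare: don't leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET_B32, now),
          "valid for about", STEP - now % STEP, "more seconds")
```

The values asserted below come straight from the test tables in RFC 4226 and RFC 6238, which is the quickest way to check any TOTP implementation you write or audit. Note that the verifier accepts one step either side of the current one, so a code is in practice usable for up to about 90 seconds, not 30; tightening `window` to 0 removes that tolerance at the cost of failing on phones whose clock is off by a few seconds.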
So, if you think it through, keeping your WordPress site secure is not that hard if you have an excellent web host. Most WordPress sites get hacked through the fault of the site owner, not WordPress itself. The WordPress core development team is a group of highly talented people who work hard to keep WordPress extremely secure. But because WordPress functionality depends so heavily on third-party themes and plugins, it is crucial that you check the reviews and support threads and do proper research before installing any random plugin on your site. As a webmaster and WordPress developer I can tell you that most developers don't spend much time strengthening their plugin's security, since most WordPress plugins are free and generate no revenue. The same applies to themes. That is why I personally prefer paid plugins and themes for my projects (when needed).
- WordPress is a very secure platform. Most sites get hacked because of bad hosting or negligence by the site owner.
- Always keep your site's themes and plugins up to date with their latest versions.
- Never use the default "admin" username for the admin login, and use a very strong password.
- To update themes and plugins (only the free ones) automatically, use the Site Management module of the Jetpack plugin.
- When using Jetpack, never enable all of its modules; enable only the ones you need for that site.
- Add define( 'WP_AUTO_UPDATE_CORE', true ); to your wp-config.php file (above the "That's all, stop editing!" line) so that the WordPress core gets updated automatically to the latest version.
- Don't install security plugins like Wordfence or Sucuri Security, as they are heavy and slow your site down. Instead ask your host to implement security and a firewall at the server level (all good hosts, like Bigscoots, do).
- To strengthen your site's security even further, enable the Protect module of Jetpack along with the Google Authenticator for WordPress plugin.
- Enable the Google Authenticator for WordPress feature only for admin users.
- Google Authenticator has to be enabled per admin user; there is no master switch to enable it for everyone.
- Install themes and plugins only from trusted sources. Read the plugin's reviews and do proper research before installing it. Most developers don't give much thought to the security of their free plugins, since those generate no revenue, so go with paid theme and plugin alternatives where you can.
So, what do you think? Has your site ever been hacked? If so, what was your experience, and did you figure out why it happened? Do you already follow the things I have mentioned, or are you hearing about them for the first time? I would love to hear your thoughts and to continue this discussion in the comment section below.
You can also connect with me on Twitter @iSaumya. If you liked this post, please share it with others who might enjoy reading it. And if you have ideas or requests for future posts, let me know in the comments or on Twitter.