Will A WordPress Security Checklist Really Help Keep My Site Safe?

The short answer is yes, the long answer is, well . . .  it’s complicated.

We can all benefit from checklists. Having a website requires daily, weekly, monthly, and annual maintenance tasks. Without a checklist of some kind or reminder some of those tasks will fall by the wayside. Here’s a couple of ways a WordPress Website Security Checklist will benefit you:

1. Effective Management of Tasks – Checklists (sometimes called a to-do list) are used in nearly every kind of job you can imagine. When you’re in the day to day grind it’s easy to forget the simple things. If you have a task that requires many steps, having a checklist will ensure you don’t forget a step.
2. Boost Efficiency and Reduce Mistakes – One type of checklist is especially good for WordPress maintenance and security tasks. It is a simple Read/Do list. You read what needs to be done, you do the task and you check it off the list. If this is done and all tasks are checked off then nothing is forgotten, and you will not waste time later tracking down errors.

The bottom line is that a detailed WordPress Website Security Checklist will keep your site safer (if you use it) than it would be otherwise.

Reasons You Need A WordPress Security Checklist

Why should you be worried about the security of your website? According to Google,  “Every day, Safe Browsing discovers thousands of new unsafe sites. Many of these are legitimate websites that have been compromised by hackers. Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.” If you aren’t paying attention to the health and security of you site you could be one of these statistics.

You might think (as many do) that your website is too small and insignificant for a hacker to come after, but the truth is, most hackers prefer sites that are small because they don’t pay attention to their security measures.

Regardless of the size or importance of your website you need to take security precautions to make sure your site is safe for your visitors.

Why Do Hackers Target WordPress Websites?

Many hackers target WordPress websites simply because there are so many of them. As of the writing of this article, roughly 64,000,000 websites use WordPress.

WordPress IS a secure content management system, and you do not have to be afraid of using it for ANY type of business. The code is solid, and it is very rare to find vulnerability in the WordPress code itself. Some large sites that use WordPress are:

• New York Times
• Ebay
• Best Buy
• Forbes
• Sony

When a hacker breaks into your site they can use it for a variety of purposes:

• Store files (malicious and otherwise)
• Send Spam from your domain and email address
• Redirect visitors to their own website
• Deface your website
• Launch attacks on other websites
• Steal data from your website

There are many other things they could do once they gain access but you get the picture.

How Do Hackers Gain Access?

The two easiest methods of breaking into a WordPress site for a hacker are outdated plugins or themes and weak passwords.

It seems that knowing this website owners would take care and ensure that plugins, themes and passwords are up-to-date and secure. The sad truth is that this is rarely the case. According to Forbes over 30,000 websites are hacked every day. Many of these could be avoided.

Our WordPress website security checklist below will set you well on your way to understanding what needs to be done and how to do it. Let’s get started.

Your WordPress Security Checklist

 #1. Backups

Even with every security measure in existence there is no guarantee that your website won’t be hacked. However, if you have a good, current backup available, your site can be easily restored and you’re back in business. You would want to ensure that your backups do not have any malicious code before moving forward if your site had been hacked to begin with.

 #2. Two Factor Authentication

Two-factor authentication makes it more difficult for hackers to access your website through the WordPress Admin login screen. Even if they know your password the second authentication process kicks in and will fail, unless they have your phone, email, or whatever the second authentication process requires. This second authentication step will prevent them from logging into your site. For more information view the video below.

 #3. Limit Login Attempts

One of the ways that hackers can get access to your site is called a brute force attack. They have an automated system that uses multiple username and password combinations to try to break in using your WordPress Admin login screen. Since WordPress allows an unlimited number of login attempts by default when you limit the number of login attempts allowed and force that user to wait a specified amount of time you protect your website from this kind of attack. There are a number of plugins that will enable you to do this.

 #4. Use Strong Passwords

Security of your website will become null and void if you do not use strong passwords. If you allow users to login then you must force them to have strong passwords as well. Many people use easy passwords like ‘123John’ or ‘rachel36.’ They do this because they probably have many passwords and it is more difficult to remember a hard to crack password. The challenge is that hackers can easily crack these types of passwords and then leave a backdoor entry into your site.

Never use words or phrases that are easy to guess or look up, like your name, initials, phone number, birth date or anniversary. Also, never use the same password anywhere else. Use a different password for every site you have to log into.

There are varying theories on passwords these days but if you use a combination of random letters, characters, and numbers you should be relatively safe. All my passwords are built this way and each one is anywhere from 12 to 25 characters. You might be wondering how in the world I can remember that many passwords when they are that complex. It’s not hard.

I use a password manager. It creates the passwords for me, remembers them on every site, logs me in, and I only have to remember one difficult password to log into my manager. I have used 1Password for years and love it but there are many to choose from. Here are a few others. Some have a free plan and some do not. It’s the easiest way to have secure logins for everything you do online.

• LastPass
• RoboForm
• Dashlane

 #5. Turn Off File Editing

WordPress comes with its own file editor which allows you to open theme files and plugin files for editing. This is especially dangerous if someone were to gain access to your WordPress admin area. An easy way to stop anyone from changing those files should they gain access, is to disable the editor. In order to do that you can use a security plugin (we use iThemes Security Security Pro) or you can add a line to your configuration file as shown below. This will keep your files safe.

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

 #6. Disable PHP File Execution

WordPress has many folders that contain the files which make it run. Some of those directories are writeable which allow to authorized users to upload themes, plugins, images, and other content to your site. While this makes it easy for you to design your site and and add the plugins needed it also gives hackers an exploitation point. If they can get into those folders they are able to insert malicious scripts (malware) to take control or take your site down.

It would not be practical to just block all directories from write permissions but you can do it for specific directories by adding an htaccess file to that directory. This will help to reduce the chance of a hacker gaining access and inserting malicious code.

Type the code below in Notepad:

<Files *.php>
 deny from all
</Files>

Save this file as .htaccess not htaccess.txt. Upload the file to the directory to which you want to restrict access by using an FTP client. We use Filezilla. Once this code has been added to the directory it will stop any PHP file from running. Remember this is a preventative step not a fix. If your site has already been hacked you will probably need a service that will fix a hacked site.

 #7. Turn Off Directory Indexing and Browsing

As mentioned above WordPress stores files and content in a number of different directories. The files that run WordPress (core files) which remain static are stored in /wp-admin and /wp-includes. Files that are used to help design the site and give it functionality (themes, plugins, and media files) are usually located in the /wp-content directory.

Unless your browser finds an index.html or index.php file inside a directory it will list all files when you put in the URL to that directory in your browser. If a hacker is able to list out the files in your directory then they are able to find out which plugins and themes are installed.

Knowing that, they can identify and exploit any vulnerabilities in those themes or plugins. This is why it is necessary to disable directory indexing and browsing. To do so is pretty easy if you have an FTP client and are comfortable editing files. See the video below. 

 #8. Update WordPress Files Regularly

In 2019, 56% of all CMS (Content Management System) applications were out of date at the point of infection. WordPress sites were slightly better. 49% of WordPress installations were outdated at the point of infection That is a pretty scary statistic and shows how important a regular WordPress Website Maintenance plan is to the safety of your site.

No matter how many backups you have, if they include outdated files you are still at risk for an attack by restoring your site with those backups.

Updates are crucial because they patch up security vulnerabilities and often use newer more secure coding practices.

 #9. Use Secure WordPress Hosting

Hosting is one of the most critical areas to address for your website’s security. If your hosting provider does not harden (secure) their server hackers have a better chance of exploiting security vulnerabilities. You need to choose a web hosting provider that provides maximum security for your website.

Make sure your WordPress hosting provider offers at a minimum, SFTP (secure file transfer protocol), SSL certificates (free or paid), firewall protection, real-time network monitoring, DDoS prevention and some type of disaster recovery plan to protect your data in case of an accident.

Now that you know what’s important in a WordPress Website Security Checklist let’s figure out an easier way to accomplish these tasks rather than manually changing files.

WordPress Security Plugins

There are 3 plugins we recommend for WordPress security. You can choose one of these or any other that you’ve researched and will do the job. On our site we use iThemes Security Security Pro. We also install it on client sites free of charge that use our TLC Complete Security maintenance plan.

One of the easiest (and best) ways to make sure your site is secure is through the use of a WordPress security plugin. Using a security plugin will allow to to do most of the changes we’ve outline in this article without having to do any coding or file uploads yourself. Security plugins also help you identify any vulnerabilities you may currently have in your website.

Below are three popular security plugins for your WordPress site.

Sucuri

A comprehensive plugin from a well respected company available in free and premium versions.

Some of plugin’s features include:

• Activity Auditing: All security-related activity on your site is logged and available for review.
• File Integrity Monitoring: Any time a file is changed within your site the plugin will detect it and notify you of the change(s).
• Remote Malware Scanning: SiteCheck can be used to search your site for malware with or without the plugin.
• Blacklist Monitoring: The plugin will monitor sites that keep blacklists to make sure your site isn’t being blocked for security reasons.
• Security Hardening: This process goes through your site and removes common vulnerabilities.
• Security Notifications: This feature allows you to determine how often you wish to be notified of security activities.

The paid version gives you some additional options and features but for the average small business site the free plugin is sufficient.

Wordfence

A very popular plugin from a well another well respected company in the security field, also available in free and premium versions.

Wordfence plugin features include:

• WAF: One thing that Wordfence includes that you must pay for with Sucuri is a Web Application Firewall. This feature blocks IP addresses that try to access your sensitive files in real time with the paid version and 30 day lag time with free version. A great feature to have.
• Security Scanning: You get detailed malware scans. It scans all the files on your site and checks for other security issues.
• Security Hardening: Similar to the Sucuri plugin Wordfence runs through your site and removes or enhances ways to block common vulnerabilities.

You can’t go wrong with Wordfence. It’s a matter of preference in most cases.

MalCare

A very popular plugin from a well another well respected company in the security field, also available in free and premium versions.

Some features of the MalCare plugin include:

• WAF: This plugin also includes a Web Application Firewall. Checks every 5 minutes with paid version and 6 hours with free version.
• Security Scanning: A cloud based security scanner that can be scheduled daily or on demand.
• Security Hardening: Similar to the Sucuri and Wordfence plugins. Goes through your website and removes or enhances ways to block common vulnerabilities.

All three of these plugins are good options for your website. To really determine what’s best in your situation you can check out this in-depth review of the differences between each of the plugins listed above.

Now that you have a WordPress Website Security Checklist you can keep up-to-date with your site on your own. If you find these steps to be to cumbersome or time consuming we can help with one of our WordPress Website Maintenance Plans.