Website security is a topic that should be of huge importance for every website owner. Because of its prolific presence on the net, WordPress, which powers some 30% of websites globally, is often a target for hackers and ne’er-do-wells. It’s estimated that each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. As well as mentioning some basic ‘best practices’ you should be employing on your website, I’d like to shine a spotlight on one particular WordPress security plugin that we recommend, the WP Cerber Security suite – a professional grade WordPress security and anti-spam plugin that protects against brute force attacks, spammers and bots with a host of useful features.
Website Security Best Practice
A hacked WordPress site can cause serious damage to your business. Hackers can steal user information or passwords, and can even distribute malware to visitors of the site. In the worst case, you may find yourself paying the attackers to remove ransomware in order to regain access to your own website. What are some basic things you can do as a first line of defence against such attacks, or at the very least to minimise the risks from an infrastructure perspective?
At the very least you should be making sure your WordPress instance is always up-to-date. Because of the open source nature of the software, WordPress is regularly updated and maintained, and whilst minor updates are generally applied automatically, larger releases need to be applied manually. The same goes for third-party plugins. Any clear security holes that become apparent will hopefully be patched by the plugin’s developer, and if that’s the case you need to make sure your plugins are updated. If you’re unsure about how to update WordPress or your plugins, ask your developer.
It should go without saying that any admin or user passwords for your WordPress site should be strong. If you find choosing a strong password a pain, because it might be hard to remember, then consider a password manager. We, for example, are fans of LastPass. Another, sometimes overlooked element – if you have access to your WordPress backend, try not to use “admin” as your username. This will often be the first thing tried in a brute force attack. True, without the password it’s useless, but the harder you can make it for a hacker, the better.
Backup Your WordPress Site
In the event of a successful attack on your site, the ability to restore a backup and roll your site back to a working state is priceless. Some WordPress frameworks come with backup software included, so it’s well worth setting up a regular automatic full-site backup (the frequency depends on how often you update your site with content and such). If you have a framework and it doesn’t include backup facilities, there are a number of plugins such as BackupBuddy or BackWPUp which will do the trick nicely. If you’re unsure about how to back up your site, ask your developer.
WP Cerber Security
One of the primary ways in which WordPress sites are breached is via what’s known as a brute force attack. This is where an attacker, with the assistance of automated software that generates a large number of guesses, repeatedly tries combinations of username and password in an attempt to gain access to the site’s backend. By default, WordPress allows unlimited login attempts through the login page form, so these brute force efforts can be relentless.
WP Cerber’s primary functionality involves blocking intruders by IP address from repeatedly trying to breach the login page. The user can set a limit on the number of login attempts before a lockout is put in place, and that IP address is marked as suspicious. When certain IP addresses or address ranges are noted as being suspicious, the user can add these to a blacklist to restrict future access (it’s also possible to create an IP whitelist for addresses that should never be blocked).
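The lockout policy just described, as an added worked model that is not WP Cerber’s own code: repeated failures from one IP trip a timed lockout and mark the address suspicious, whitelisted ranges are never locked out, and blacklisted ranges are never let in. The thresholds, CIDR ranges and log lines are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def _in(ip, nets):
    # True if ip falls inside any of the CIDR strings in nets
    return any(ip_address(ip) in ip_network(n, strict=False) for n in nets)

@dataclass
class LoginGuard:  # model of the policy described above, not WP Cerber's own code
    max_failures: int = 5     # failed attempts tolerated per IP before lockout
    lockout: int = 3600       # seconds an IP stays locked out once the limit is hit
    whitelist: list = field(default_factory=list)  # CIDRs that are never locked out
    blacklist: list = field(default_factory=list)  # CIDRs that are never let in
    suspicious: set = field(default_factory=set)   # IPs that have hit the limit
    _fails: dict = field(default_factory=dict)     # ip -> consecutive failures
    _locked_until: dict = field(default_factory=dict)

    def attempt(self, ip, ts, credentials_ok):
        """Decide one login attempt at time ts (seconds) and return the outcome."""
        if _in(ip, self.blacklist):
            return "blacklisted"
        trusted = _in(ip, self.whitelist)
        if not trusted and self._locked_until.get(ip, 0) > ts:
            return "locked"             # refused before the password is even checked
        if credentials_ok:
            self._fails.pop(ip, None)   # a genuine login resets the failure count
            return "ok"
        if not trusted:
            self._fails[ip] = self._fails.get(ip, 0) + 1
            if self._fails[ip] >= self.max_failures:
                self._locked_until[ip] = ts + self.lockout
                self.suspicious.add(ip)
                self._fails.pop(ip)
        return "bad_credentials"

def run_log(guard, log):
    """Replay constructed 'ts ip user ok|fail' lines; returns (ts, ip, outcome) tuples."""
    rows = [line.split() for line in log.strip().splitlines()]
    return [(int(ts), ip, guard.attempt(ip, int(ts), r == "ok")) for ts, ip, _u, r in rows]

# Constructed sample: an attacker guessing "admin", a trusted range mistyping a
# password, a banned range, and the attacker again once the lockout has expired.
SAMPLE_LOG = """
0    203.0.113.7   admin  fail
5    203.0.113.7   admin  fail
10   203.0.113.7   admin  fail
15   203.0.113.7   admin  ok
20   198.51.100.2  editor fail
25   192.0.2.9     admin  ok
3700 203.0.113.7   admin  ok
"""
```

With `max_failures=3`, the attacker’s correct guess at second 15 is still refused as `locked`, while the same address is admitted at second 3700 once the hour-long lockout has lapsed.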
Add to this the ability to create a custom login page, so that if an attacker attempts to access the standard /wp-login.php page, they’ll be sent to a 404 error page instead. The user also has the ability to lock out any such IP addresses for a chosen period of time. Similarly, you can hide the /wp-admin page as well, returning a 404 error page if someone who is not logged in attempts to reach the dashboard.
You can set up regular notifications from Cerber as well, informing of failed login attempts, as well as getting full summaries of any kind of suspicious activity on the site.
Here at Priority we’ve found WP Cerber to be invaluable in the prevention of brute force attack attempts when they’ve occurred on some of our clients’ sites. That, plus remembering the basics of website security, can stand you in good stead and hopefully keep your business site safe from hacks.
If you are worried about security on your business’ website, don’t hesitate to get in touch with us via our contact page so that we can undertake a security analysis for you and advise on the best steps going forward to keep your business safe.