Shaan Chopra


Securing WordPress Site

Securing your WordPress site should be on your mind from day one. The security of your users and of yourself comes first, and it should be taken very seriously: WordPress dominates the market with more than 60% share, which also means bad elements are working hard to exploit that dominance.

If you are using Jetpack as a plugin, you will also find that brute-force attacks start from the day you launch your site. How did they come to know about it? How do they do it? That is not my concern; I just don't want to get hacked.

Before writing this I went digging into what people were writing on their blogs about WordPress security. I found some of the posts really good, but some of them ask you to write a bunch of code. Please, if you don't know what you are doing, don't do it. Hire a person who can do this for you; he or she is not going to charge you a bomb, and at least you will know what is happening.

Every site is installed differently and has different plugins, different hosts and different web servers. So what works for one site might not work for yours.

But what I will tell you works for every site, and you can do it without doing any technical work on your WordPress installation.

Good Strong Password

This is the first step in securing your site, and it is also the first thing asked while installing a fresh WordPress. Weak passwords will be guessed or broken, and this is exactly what brute-force attacks try to do. Always keep a long, strong password for your site, and mix it up with numbers, letters and symbols.

Most of the time a site gets hacked because of a weak password: the bad elements are able to trace your name, date of birth, etc., and with this knowledge they are able to guess it.

Never underestimate a hacker; he knows a lot about you, because you lead him to this knowledge. If your site links to your Facebook, Instagram, Twitter or LinkedIn account, then everything there is public. The hacker knows you well, and if your password is going to be “favorite-dish123” or your date of birth, your site is going to be hacked.

Your password should be unrelated to everything that is public. A good practice is also to keep changing your passwords; this can be done every month or every week, whatever you are comfortable with.

A good strong password is the smallest and easiest thing one can do for their site, and it is not difficult to change either.
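As an added example (not code from the original post), the password rules above as a small policy check plus a generator: a minimum length, a mix of letters, digits and symbols, and a rejection of any password that contains a fact an attacker could read off your public profiles. The minimum length of 14 and the sample facts are assumptions for the demonstration, not values from the post.

```python
import re
import secrets
import string

# Assumed policy value (not from the original post): minimum length.
MIN_LENGTH = 14


def _normalize(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so
    'favorite-dish' and 'Favorite Dish' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str, public_facts=(), min_length: int = MIN_LENGTH) -> list:
    """Return a list of policy problems; an empty list means the password passes.

    public_facts are strings an attacker could find on your public profiles
    (name, date of birth, favourite dish, ...). Any fact of 3+ characters that
    appears inside the password, ignoring case and punctuation, is rejected.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("does not mix letters, digits and symbols")
    normalized = _normalize(password)
    for fact in public_facts:
        token = _normalize(fact)
        if len(token) >= 3 and token in normalized:
            problems.append(f"contains public fact {fact!r}")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG that satisfies check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample facts and the kind of password the post warns against.
    facts = ["Jane Doe", "favorite dish", "1990-05-14"]
    print(check_password("favorite-dish123", facts))
    print(generate_password())
```

The generator draws from the OS random source (`secrets`), which is what a password manager does; the check is the part worth running against any password you pick yourself.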

Two-Factor Authentication

Another essential tool is 2FA. Even if a hacker is able to guess or crack your password, two-factor authentication will not let him in. There are a ton of plugins available for this, but I really like the ones that are free and not a promo for a premium version.

I use Two-Factor by Plugin Contributors; this is a standalone free plugin for 2FA. I also like that it offers other ways to authenticate if you lose your phone: you can use email or backup codes, and it asks for them at the login page.

Whether your site is old or new, just go and install this plugin.

Now, if you want more and have some extra budget, there are premium plugins available. They not only give you 2FA but also scan the installation for vulnerabilities. These plugins include Wordfence Security and iThemes Security Pro, among many others.
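As an added example (not code from the original post or from the Two-Factor plugin), here is what the two login factors mentioned above are doing under the hood: the time-based one-time codes an authenticator app produces (RFC 6238 TOTP, built on RFC 4226 HOTP), verified with a one-step window for clock drift, and one-time backup codes that are stored only as hashes and consumed on first use. The secret and code counts are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: float = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept a code from the current step or up to `window` steps either side
    (phone clock drift), comparing in constant time."""
    if timestamp is None:
        timestamp = time.time()
    submitted = submitted.replace(" ", "")
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def generate_backup_codes(count: int = 10):
    """Return (plaintext codes to show the user once, set of SHA-256 hashes to store).
    Only the hashes are kept server-side, so a database leak does not leak the codes."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


def redeem_backup_code(stored_hashes: set, submitted: str) -> bool:
    """Consume a backup code: valid exactly once, then removed from the stored set."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test-vector key), not a real one.
    secret = b"12345678901234567890"
    print("current code:", totp(secret, time.time()))
    codes, hashes = generate_backup_codes(5)
    print("backup codes shown once:", codes)
    print("first redeem:", redeem_backup_code(hashes, codes[0]),
          "second redeem:", redeem_backup_code(hashes, codes[0]))
```

The drift window is why a code from the previous 30-second step still logs you in; widening it beyond one step mostly buys an attacker more guesses per second, so rate-limiting login attempts matters alongside the window.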

Always Keep a Backup

One of my WordPress sites got hacked: the hacker published some posts and replaced some post pictures with his own. I just deleted the whole site and restored it from the backup, changed the password and deleted all the comments.

That's all I did, and it's been almost 5 years now with no breach again. The one plugin I use for backing up is UpdraftPlus; even the free version is enough to keep your site backed up.

No matter how big your site is, always take backups and keep them on rotation, with one base backup left untouched. This not only helps in securing the site but also when you are moving from one host to another.
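As an added example (not code from the original post or from UpdraftPlus), the rotation scheme described above: every backup is a dated archive of the site tree, rotation deletes all but the newest few dated archives, and the one labelled base is never touched so a known-good copy always survives. The `demo` function builds a constructed fake site tree in a temporary directory, takes a base plus five daily backups, rotates to three and restores the base; paths, labels and the keep count are assumptions for the demonstration.

```python
import tarfile
import tempfile
import time
from pathlib import Path

BASE_LABEL = "base"  # the untouched baseline archive; rotation never deletes it


def make_backup(site_dir, backup_dir, label=None) -> Path:
    """Archive the whole site tree into backup_dir/site-<label>.tar.gz."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    label = label or time.strftime("%Y%m%d-%H%M%S")  # sortable timestamp
    archive = backup_dir / f"site-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return archive


def rotate_backups(backup_dir, keep: int = 3) -> list:
    """Delete all but the newest `keep` dated archives; the base archive is excluded.
    Returns the names of the archives removed."""
    base_name = f"site-{BASE_LABEL}.tar.gz"
    dated = sorted(p for p in Path(backup_dir).glob("site-*.tar.gz") if p.name != base_name)
    stale = dated[:-keep] if keep > 0 else dated
    for path in stale:
        path.unlink()
    return [p.name for p in stale]


def restore_backup(archive, dest) -> Path:
    """Unpack an archive into dest and return the restored site root."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest)
    return dest / "site"


def demo(keep: int = 3):
    """Constructed walk-through: fake site tree, base + five daily backups, rotation, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-content" / "uploads" / "photo.txt").write_text("constructed upload\n")
        backups = Path(tmp) / "backups"
        make_backup(site, backups, label=BASE_LABEL)          # the untouched base
        for day in range(1, 6):                                # five dated backups
            make_backup(site, backups, label=f"202401{day:02d}")
        removed = rotate_backups(backups, keep=keep)
        restored = restore_backup(backups / f"site-{BASE_LABEL}.tar.gz", Path(tmp) / "restore")
        remaining = sorted(p.name for p in backups.iterdir())
        return removed, remaining, (restored / "wp-config.php").read_text()


if __name__ == "__main__":
    removed, remaining, config = demo()
    print("removed:", removed)
    print("remaining:", remaining)
    print("restored config starts with:", config.split()[0])
```

A real site backup also needs a database dump next to the files (UpdraftPlus does both); the rotation logic is the same, and the restore step is the part worth rehearsing before you need it.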

Cloudflare

Most attacks happen when your site is not secured. Use Cloudflare and secure your site with full SSL. Cloudflare has some amazing tools that will make your site much more secure, and it will even help when your site gets hit by a DDoS attack.

Their free plan is enough to get you started securing your site.

Protect Your Database from Spam

Comments and forms are one place that is abused by a lot of bots. They not only post links but also code that ends up in your database. Regularly check comments if you have them activated. The two plugins that help eliminate most of the spam are Akismet Anti-Spam and Simple Google reCAPTCHA.

Both plugins are free and great tools for handling bots.

On this site, as well as my other WordPress site, I have removed the contact form plugins and replaced them with a simple HTML form for filling in the details. When you press Submit, you have to send me the email from your own email account when you want to contact me, or use any of the social sites.

If you want to do the same, just select the HTML block on your contact page and add the code below:

            
<div class="my-contact-form">  
    <form action="mailto:YOUR@EMAILID.COM" method="post" enctype="text/plain">
        <div class="my-contact-form-1">
            <label class="my-contact-form-label-1">Name</label>
            <input type="text" class="my-contact-form-control-1" name="yourName: " value="" placeholder="Your Name">
        </div>
        <div class="my-contact-form-1">
            <label class="my-contact-form-label-1">Email address</label>
            <input type="email" class="my-contact-form-control-1" name="yourEmail: " value="" placeholder="name@example.com">
        </div>
        <div class="my-contact-form-1">
            <label class="my-contact-form-label-1">Comment:</label>
            <textarea class="my-contact-form-control-1" name="yourMsg: " value="" rows="5"></textarea>
        </div>
            <button type="submit" class="btn" name="">Submit</button>       
    </form>
</div>
            
        

For this form to look good, add the styling below to your CSS:

    .my-contact-form {
        position: relative;
        padding: 0 5% 0 5%;
    }

    .my-contact-form-1 {
        margin-bottom: 1rem !important;
    }

    .my-contact-form-label-1 {
        margin-bottom: 0.5rem;
    }

    .my-contact-form-control-1 {
        display: block;
        width: 100%;
        padding: 0.375rem 0.75rem;
        font-size: 1rem;
        font-weight: 400;
        line-height: 1.5;
        color: #212529;
        background-color: #fff;
        background-clip: padding-box;
        border: 1px solid #ced4da;
        -webkit-appearance: none;
        -moz-appearance: none;
        appearance: none;
        border-radius: 0.375rem;
        transition: border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;
    }

    .btn {
        --bs-btn-padding-x: 2.75rem;
        --bs-btn-padding-y: 0.50rem;
        --bs-btn-font-family: ;
        --bs-btn-font-size: 1rem;
        --bs-btn-font-weight: 400;
        --bs-btn-line-height: 1.5;
        --bs-btn-color: #212529;
        --bs-btn-bg: transparent;
        --bs-btn-border-width: 1px;
        --bs-btn-border-color: transparent;
        --bs-btn-border-radius: 0.375rem;
        --bs-btn-hover-border-color: transparent;
        --bs-btn-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.15), 0 1px 1px rgba(0, 0, 0, 0.075);
        --bs-btn-disabled-opacity: 0.65;
        --bs-btn-focus-box-shadow: 0 0 0 0.25rem rgba(var(--bs-btn-focus-shadow-rgb), .5);
        display: inline-block;
        padding: var(--bs-btn-padding-y) var(--bs-btn-padding-x);
        font-family: var(--bs-btn-font-family);
        font-size: var(--bs-btn-font-size);
        font-weight: var(--bs-btn-font-weight);
        line-height: var(--bs-btn-line-height);
        color: white;
        text-align: center;
        text-decoration: none;
        vertical-align: middle;
        cursor: pointer;
        -webkit-user-select: none;
        -moz-user-select: none;
        user-select: none;
        border: var(--bs-btn-border-width) solid #0d6efd;
        border-radius: var(--bs-btn-border-radius);
        background-color: #0d6efd;
        transition: color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;
    }

    .btn:hover {
        background-color: black;
    }


Now, after this, anyone who wants to contact you has to send the email from their own mail client (the mailto: action opens it with the form fields filled in), and there is no interaction between the form and your database.

Update Plugins and Themes

This becomes critical when you stop managing your site. When WordPress rolls out an update, themes and plugins also roll out their own updates, so keep them current.

Conclusion

Security is very important, and if you just do the above you will be helping yourself in the long run. I do the above on all my sites as soon as I launch them. There should be no compromise when it comes to site security. Small things such as good strong passwords, 2FA and backing up go a long way.

If you are running a WordPress site, then you must manage it on a regular basis. Logging in to your admin panel only when you want to post is not enough. Log in to your dashboard regularly and check that everything is working correctly. Do regular updates on themes and plugins. Monitor the comments, messages and other user interactions. All this helps keep your site secure.

Further, if you are still looking to do more to secure your site, good places to start are WordPress Security, WP Beginner's Security Guide and Search Engine Journal's Secure A WordPress Site.