Layered Defense: Earlier this week, we learned that a WordPress-based ticket distribution site was hacked. The hacker also stole and leaked details of customers and employees. This is not usual. Every few months, we learn of either a massive hack attempt made on numerous websites or a big website being compromised, backdoors being inserted, or sites being redirected to malicious websites.
What does this mean for you?
It means that you should be worried about the security of your WordPress website. But what is the real problem? Why are websites facing such security threats so often? Since WordPress is the world’s preferred website building platform, one would think they’d take security seriously. And they do. WordPress is a fairly secure CMS but it does not work in isolation. WordPress allows add-on like themes and plugins that helps build a website as per one’s desire. And vulnerabilities in themes and plugins are often responsible for website hacks. Security of a WordPress site, therefore, is dependant on a number of factors and it’s never absolute. And for that reason, you need a layered security strategy that incorporates security tools.
What’s Layered Security Anyway?
No one can assure complete security. Security plugins can only help reduce chances of a security breach. Layered security strategy is the best approach to protection. It’s like guarding a castle. The king takes his seat inside, dreading an invasion. He is protected by armed guards outside his chamber, the walls of the fort, and his army outside the gate of the castle. An invader has to cross each one of these protective shields to reach to the king. Layered protection is like this protective shield, built to prevent hack attempts at various points.
Why Do We Need it?
Back in the days, when a website would get hacked, one only had to look into a few places, to find malware and then proceed to clean them. Scanning and cleaning a hacked WordPress site was easy. But hackers have since evolved and have found ways to compromise a site and even hide malware on that site. This calls for a good security approach. Layered security is a strategy devised to provide overlapping protection (i.e. layered defense) designed to mitigate security attacks.
What Constitutes Layered Defense of a WordPress Site?
To provide your WordPress website layered protection, these are the things you can do. You can first run a WordPress security audit and then take the following measures –
Use Firewall Security
One of the first things that constitute layered defense is the use of a firewall. In a WordPress website, firewall fulfills only one purpose, it filters incoming traffic to your website. Primarily, there are three types of firewall: a Plugin-based firewall that can be installed and configured on your site like any other plugin. It has predetermined rules based on which when someone requests a page of your site, it decides if the request is malicious or not. Another type of firewall is a cloud-based ( cloud computing ) firewall that intercepts requests every visitors makes to your site and with the help of a variety of technologies, the firewall determines if a request is valid or malicious. Lastly, some web host providers have an inbuilt firewall that is built to protect their own infrastructure and by extension your website. Choosing a firewall is dependant on the kind of security you are looking for and where you want the firewall to be deployed. Some might even have AI features like machine learning.
Install an SSL Certificate
SSL certificate helps create an encrypted link between the server and the browser viewing your website. The ‘S’ stands for Security and the SSL certificate is used to transfer sensitive data like payments. Previously, SSL certificates were limited to login pages sites where one have to make payments. In recent years, Google’s drive to make the web safer has pushed many to install SSL certificate. Google may never reveal the algorithm behind ranking websites, but they have explicitly mentioned SSL certificate to be one ranking factor.
These are some of the main types of certificates you can install on your website:
Free SSL: Web host companies offer these types of certificate and typically there are some conditions involved where you have to manually renew it.
Domain SSL: One of the cheapest form of SSL certificate that you can install in only one domain.
Organization SSL: Enhanced type of SSL certificate that requires paperwork and verifications.
Whatever SSL certificate you choose, it will get you a step closer to layered defence.
Protect WordPress Login Page
The WordPress login page keeps invaders out of the dashboard. Therefore it’s not surprising that the login page is one of the most attacked parts of a website. Hackers program bots that try a combination of popular username and passwords to break into your website. To prevent them from succeeding, you’ll first need to create a strong password (how to create one) and then use a login protector. You can either use a specialized service like Brute Force Login Protection or a comprehensive solution like MalCare that equips a WordPress site with firewall protection among other security measures.
MalCare’s WordPress firewall does two things. It tracks hundreds of thousands of bad IP addresses online that are known to cause harm to websites they access. MalCare marks those IP addresses and prevents them from entering your site. And it protects the login page by generating a CAPTCHA after three consecutive failed login attempts.
Harden Your Website
Hardening your website constitutes an important part of a layered defense. Given the present state of cybersecurity, WordPress recommends users to harden their websites. To put WP’s advice into practice one will need to have some technical expertise. Comprehensive security services like MalCare enables users to harden their site in just a few clicks. You can block PHP execution in an untrusted folder which will prevent TimThumb/MailPoet attacks. Security measures like blocking installation of plugins and themes help lock your site if it gets hacked. Disabling the file editor blocks anyone who gains access to the site from modifying files in your site. While changing security keys in wp-config.php invalidates all cookies, resetting password and activation keys will lock out unauthorized people from accessing your site.
Update Plugins, Themes & WordPress Core Regularly
When a WordPress is site is compromised, a majority of the time, plugin and themes are the main culprits. When developers find a vulnerability in the plugin, they create a patch and issue an update. When website owners ignore those updates, the vulnerabilities remain unpatched. And that becomes an entry point for hackers. This is why updating your sites regularly should be a priority.
A lot of times small websites owners are lenient about their security measures. They think hackers won’t be interested in their insignificant site that draws a small traffic. But there are many reasons why hacker hacks a site and not just traffic. A small site is often easier target than the big ones because they tend to be lenient towards security. The bottom line is, no matter the size of the website, taking updates seriously is the key to keeping your site safe.
Take Regular Backups
Whether you post ones a week or every day, taking backups is a fail-safe. In occasion of a hack, the hacker may delete some of your content. A situation like this will be a nightmare for a website that posts quite regularly. To avoid loss of data, we suggest you take regular backups of your website.
Manually backing up a WordPress site is a laborious job and comes with a number of risks. Since the backups are not automatic, you may forget taking backups sometimes. Storing the backups safely is another hassle. External hard disks and USB drives are known to fail and local storages are risky as they can become malware infected. Web hosting services offer backups but not all hosting services provide daily backups. Thus before relying on a web host for backups, do your research, get in touch with the support team if need be. Some web hosts offer backups as an add-on that comes with a bit of additional cost. Finally, there are WordPress backup services like BlogVault that offer complete backup solutions for your site. It offers a ton of features and flexibility.
Use a Security Service
Having a good multidimensional security service in place will not secure your site but will also save you from a lot of hassle. While running a WordPress website, one can run across a number of issues. Hack attempts and malware infections are one, some other issues include web host problems, outdated plugins, and themes among other things. To deal with such issues a good security plugin should be able to do automatic scans on a daily basis in search of not only known malware but also the complex and unknown ones. It should also constitute a good malware cleaner and should allow users to take the necessary steps to harden their site. Complete security services like MalCare offers a layered defence to a WordPress website. It even enables users to manage updates of plugins, themes or WordPress core. If you’d feel more comfortable with a team fully managing the security of your website, a white-label WordPress maintenance and support from WP Buffs Or GoWP is probably exactly what you’re looking for. They look after updates, security, website speed and ongoing edits regardless of whether you’re managing 1 website or 1000!
Over to You
A recap of what comprises layered defence:
- Use Firewall Security
- Install an SSL Certificate
- Protect WordPress Login Page
- Harden Your Website
- Update Plugins, Themes & WordPress Core Regularly
- Take Regular Backups
- Use a Security Service
We hope with this post, we were able to point you towards what needs to be done. Thanks for reading and if you have any question on layered defence, shoot us a mail.