WordPress remains one of the most popular web builders, and a significant proportion of websites on the internet run on it. Of course, companies like Apple and Microsoft don’t use WordPress – they always use funky technology for their hundreds of developers. But for us mere mortals, WordPress is king.
One common question is about security and how to secure WordPress from hacking. It is an excellent question as most people think you ‘buy a plug-in’ and forget about it. But that is not the case and requires quite a bit more understanding.
This article will focus on what business users should do to secure their websites. This is because personal users don’t have as much personally identifiable information. Besides, focusing on business users will automatically cover the personal. So it is an excellent place to start.
At SaneChoice, we take a layered approach to securing WordPress. The layers are Application, Server and Network, and together we call them ‘The Stack’. Each layer of the stack has its own potential vulnerabilities and is open to manipulation or attack. As a result, you must ensure each one is closed off to Threat Actors.
Read on to find out how to secure WordPress.
Applications are lines of code which make the service function. There are different types of applications, too. For example, WordPress is a web application, and PING is an operating system application. If it runs with code, you can call it an application.
Unfortunately, a Threat Actor can exploit these lines of code to gain access to a service and steal sensitive data. One of the key ways to protect yourself (as much as possible) is to keep your software up to date. Software developers are constantly improving their code, and this includes improving its security, too.
It is also essential to understand the application’s security features. For example, in WordPress, plenty of plug-ins prevent malware and brute-force login attempts – to name but a few threats. Regardless of the software you use, always understand its security features and take them seriously. They are there for a reason (usually because some poor soul has previously been a victim of something).
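To show what a brute-force login protection actually does inside WordPress, here is an added example of a small must-use plug-in (not SaneChoice’s or any vendor’s code) that counts failed logins per source IP in a transient and refuses further attempts once a limit is reached. The file name, the `LT_` constants and the 5-attempts-per-15-minutes numbers are assumptions; the hooks and transient functions are standard WordPress.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example, not a SaneChoice product)
 *
 * Save as wp-content/mu-plugins/login-throttle.php. After LT_MAX_FAILS failed
 * logins from one IP within LT_WINDOW seconds, further attempts from that IP
 * are refused until the window has passed with no new attempts.
 */

define('LT_MAX_FAILS', 5);
define('LT_WINDOW', 15 * 60);

// Transient key for the visitor's IP. If the site sits behind Cloudflare or any
// other proxy, the web server must restore the real client address first (e.g.
// nginx's real_ip module); otherwise REMOTE_ADDR is the proxy and one lockout
// would hit every visitor at once, exactly the kind of collateral blocking to avoid.
function lt_key(): string {
    return 'lt_fails_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Count each failure. Re-setting the transient restarts its expiry, so attempts
// made during a lockout keep extending the lockout.
add_action('wp_login_failed', function ($username) {
    $fails = (int) get_transient(lt_key());
    set_transient(lt_key(), $fails + 1, LT_WINDOW);
});

// Priority 30 runs after WordPress's own credential checks (priority 20), so the
// lockout error replaces whatever they returned, right password or wrong.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' || $password === '') {
        return $user; // empty form: WordPress already reports the missing field
    }
    if ((int) get_transient(lt_key()) >= LT_MAX_FAILS) {
        return new WP_Error(
            'lt_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lt_key());
}, 10, 2);
```

Because the lockout is returned as a `WP_Error`, WordPress fires `wp_login_failed` for it as well, so an attacker who keeps hammering the form only keeps the lock in place.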
Get yourself an SSL Certificate
Installing a suitable SSL Certificate is another critical security area for web applications, and for securing WordPress. SSL (Secure Sockets Layer, today provided by its successor TLS) is a technology that encrypts communication between a visitor’s browser and a web server. SSL certificates are essential to prevent a Threat Actor from ‘sniffing’ the traffic and extracting private data such as credit card details and personally identifiable information. If you have a website, you need SSL both for security and for search engines to rank you highly.
The good news is that SSL certificates can be free! Organisations such as Let’s Encrypt provide SSL certificates for your website without charge. However, if you take online payments or hold personal data, you will need a premium SSL certificate. Premium certificates come with a warranty (a form of insurance) which will pay out if the certificate fails to protect data.
So, your application is up to date, and you have set all the security features to the maximum. So, you are all done, right? Well, not really. You have another layer to tackle, and this one might need the help of your hosting supplier or administrator.
Just because your application is secure does not mean you are bulletproof. Trying to do something naughty at the application level might be challenging, but Threat Actors will quickly move to the next layer down – in this case, the Server Layer.
So how is that possible? Your web application typically works on particular ports (80 and 443). But other services are also exposed to the internet. You have DNS, mail servers and other services which need to be externally accessible to ensure normal operation. If your mail server runs on an old and vulnerable software version, the Threat Actor will focus on the mail server rather than the web application. The result is the same: a bad person ultimately gets access to your server and sensitive data.
Hardening the Server Layer
Securing your server is a lot more challenging than securing your web application. This is especially problematic when you host in a shared environment. In this case, you are ultimately at the hosting provider’s mercy to ensure security is tight and the operating system is up to date. Our advice for people with sensitive data (or online ordering systems) is to use a virtual server or dedicated server, which is much easier to secure for your specific needs.
If you have a virtual or dedicated server, it’s time to get your server administrator to help secure it as much as possible. This will include closing down all unnecessary ports, ensuring the software is up to date (and kept up to date) and implementing security software to detect and prevent unauthorised access. It will also include a firewall, which blocks unauthorised access to the server. Furthermore, modern firewalls are very sophisticated and can detect traffic pretending to be legitimate. You can find out more about firewalls in the upcoming Networks section.
Surely we are all set now? The Application Layer is secured, and the server is as bulletproof as possible. Can we rest now? Sadly not.
The good news is (assuming you have implemented the above correctly) that you have gone a long way to protecting your data. But network security is king and the icing on the cake regarding protection. As a result, it’s the final piece of the jigsaw puzzle to complete.
Securing the network
One solution to this is relatively easy and industry standard. Companies like Cloudflare are network security experts, and their products (including a free one) come with excellent security features. For example, Cloudflare routes all your traffic through its network, and its Web Application Firewall (WAF) inspects and manages the traffic. It detects bad guys trying to access your website and, on the whole, stops them dead in their tracks. So, you have a doorkeeper protecting the entry point even before a Threat Actor can get close to your web application or server.
How do you force all traffic through Cloudflare? This is also pretty simple. First, you point your DNS records to Cloudflare, which means all internet traffic goes via them. Then, you configure their security features to prevent access you don’t want. Most people with little technical knowledge can implement this, but having a technology expert to help is a good idea.
Of course, Cloudflare is one of many ways to secure your network layer. But in our experience, Cloudflare is the most intuitive for people with limited technical expertise.
Is there any downside to Security?
If you talk to most seasoned security experts, they will tell you that security is paramount and nothing trumps it. We tend to agree. However, there are a few downsides that you need to know.
Firstly, you can prevent legitimate traffic from getting to your business website. For example, your security could be so tight that Joe Bloggs in Greece gets unintentionally blocked. To combat this, you must monitor what is getting blocked when implementing security features. Again, services like Cloudflare have all the logs you need to tell whether you are being overly aggressive.
Secondly, layers of security introduce latency, slowing down your user experience. As traffic traverses each layer and has its legitimacy checked, there will be a slight delay. However, when you consider the alternative of a security breach, the latency is worth bearing.
Lastly, adding layers of security introduces complexity and support overhead into the environment. As before, you must factor this into your operations, as the alternative could be catastrophic. Many companies have suffered data loss, and it adversely affects customer confidence.
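What “monitoring what is getting blocked” looks like in practice, as an added example (not SaneChoice’s or Cloudflare’s code): a short PHP 8 script that reads exported firewall events and flags any rule whose blocks mostly look like real browsers on ordinary pages. The field names mirror Cloudflare’s firewall-events export but every record here is constructed, and the 50% review threshold is an assumed starting point.

```php
<?php
// Added example, not SaneChoice's or Cloudflare's code. Field names mirror the
// Cloudflare firewall-events export; all records are constructed. Requires PHP 8+.

function benign_looking(string $ua, string $path): bool {
    // An ordinary browser user agent on a page that bots do not normally hammer.
    return str_starts_with($ua, 'Mozilla/')
        && !preg_match('#^/(wp-login\.php|xmlrpc\.php|wp-admin/)#', $path);
}

// Per rule: block count, distinct IPs, countries and how many blocks looked like
// real visitors. A rule is flagged for review when that share reaches $threshold
// (an assumed starting point; tune it for your own site).
function review_blocks(string $ndjson, float $threshold = 0.5): array {
    $rules = [];
    foreach (preg_split('/\R/', trim($ndjson)) as $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || ($e['action'] ?? '') !== 'block') {
            continue; // challenges still let humans through; only outright blocks count
        }
        $id = $e['ruleId'];
        $rules[$id] ??= ['blocks' => 0, 'benign' => 0, 'ips' => [], 'countries' => []];
        $rules[$id]['blocks']++;
        $rules[$id]['ips'][$e['clientIP']] = true;
        $rules[$id]['countries'][$e['clientCountryName']] = true;
        if (benign_looking($e['userAgent'], $e['clientRequestPath'])) {
            $rules[$id]['benign']++;
        }
    }
    foreach ($rules as $id => $r) {
        $rules[$id]['ips'] = count($r['ips']);
        $rules[$id]['countries'] = implode(',', array_keys($r['countries']));
        $rules[$id]['review'] = $r['benign'] / $r['blocks'] >= $threshold;
    }
    return $rules;
}

$sample = <<<'NDJSON'
{"action":"block","ruleId":"rl-login","clientCountryName":"US","clientIP":"198.51.100.7","clientRequestPath":"/wp-login.php","userAgent":"python-requests/2.31"}
{"action":"block","ruleId":"geo-block","clientCountryName":"GR","clientIP":"203.0.113.10","clientRequestPath":"/products","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"action":"block","ruleId":"geo-block","clientCountryName":"GR","clientIP":"203.0.113.11","clientRequestPath":"/checkout","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"}
{"action":"block","ruleId":"geo-block","clientCountryName":"GR","clientIP":"203.0.113.12","clientRequestPath":"/wp-login.php","userAgent":"python-requests/2.31"}
{"action":"challenge","ruleId":"bot-fight","clientCountryName":"DE","clientIP":"192.0.2.5","clientRequestPath":"/","userAgent":"Mozilla/5.0"}
NDJSON;

foreach (review_blocks($sample) as $id => $r) {
    printf("%-10s blocks=%d ips=%d countries=%s benign-looking=%d%s\n", $id, $r['blocks'],
        $r['ips'], $r['countries'], $r['benign'], $r['review'] ? '  <- review' : '');
}
```

With the constructed records, the login rate-limit rule passes quietly while the country block is flagged, because two of its three blocks were browsers on the shop pages rather than bots on the login form.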
Is it 100% bulletproof?
The simple answer is no.
Threat Actors are becoming increasingly sophisticated at finding vulnerabilities and quietly exploiting them. In recent years, retrospective reviews of cyber attacks have found malicious code that had been sitting in the environment for multiple months. During that time, the Threat Actor found other vulnerabilities to exploit without being detected. The result has been devastating for some companies, whose environments became almost impossible to secure.
For example, in December 2022, Rackspace suffered a security incident, forcing its Hosted Exchange environment to be shut down.
Your job is to restrict the attack surface as much as possible, making the hacker’s job much harder.
We have covered a lot in this article, and you now know how to secure WordPress. And, as you can see, it is not plain sailing when dealing with security. However, it is essential to ensure that security is a crucial consideration when setting up your WordPress website – unless you only store data which you don’t care about losing. Of course, there are some downsides, but when you do the math, it is always better to be secure.