When someone mentions WordPress, you will often hear people saying “don’t use it, it’s insecure”. In a sense, those people are right – there is no such thing as a “silver bullet” in security. There are a few ways developers can fend off attacks concerning WordPress though – let’s dive into them.
The very first thing you should do is use HTTPS instead of HTTP. Now I get that a blog isn’t a bank and your readers could be perfectly fine to read your content over HTTP, but adding SSL on top of it ensures privacy and boosts SEO rankings. More information on HTTPS can be found here.
When you upload the WordPress files to your server, the first thing you need to do is to install the platform. After you select the language and provide your database connection details you should see this page:
There are two things that should be noted here:
Not using “admin” as your username might help to prevent brute-force attacks, and using a strong password provides more security for your account.
You know what happens when websites fall out of date patch-wise? They get breached. A data breach is the last thing you want to see happening to your website, and to prevent it, you must keep the core, plugins and themes you use up to date. Simply keeping everything up to date does not ensure your website will not suffer a data breach, but it decreases the risk of such events.
You see a plugin that you would like to install, but it costs money – it’s expensive too. What do you do then? Download a nulled version of the plugin and install it, right? Well, no. Nulled plugins often contain backdoors that can be used by a malicious party to gain access to your website – avoid using them.
Vulnerable plugins are the main cause of WordPress websites getting hacked so frequently. Now don’t get me wrong – I don’t have anything against the use of plugins in WordPress – use them, but use them wisely: remove plugins you no longer use and update them when WordPress asks you to – updates are very important because they frequently ship patches for nasty security flaws.
If your website has login functionality, you will most likely encounter malicious login attempts. And if you use “admin” as your username like many people do, the only thing an attacker would need to do is guess your password. There is a way to prevent this though – most of the attempts to guess your password can be halted if you change your WordPress login URL.
Modern-day Web Application Firewalls are able to protect web applications against multiple types of attacks such as SQL Injection (SQLi), Cross-Site Scripting (XSS) and so on. A web application firewall can also prevent vulnerabilities that are unknown to the vendor (zero-days) from being exploited – this makes a WAF a crucial security defense.
A content security policy is a very good security measure because it helps website developers declare what resources are allowed to load into a web application. More information on CSP can be found here.
Another thing you should consider doing is monitoring your files for unexpected changes. What do you do if your website gets hacked and the hacker changes the content of some files? A file integrity monitor can help you know about the inflicted damage so you can clean potentially infected files.
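As an added example that is not part of the original post, here is a minimal baseline-and-compare file integrity monitor in Python: hash every file on a known-clean install, store the result, and later diff a fresh scan against it to surface edited core files, unknown files dropped into the tree, and deleted files. The WordPress-like file names and the tampered contents are constructed for the demo, and the choice of where to keep the baseline is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large upload is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every file under root, keyed by POSIX-style relative path. Run once on a known-clean install."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff a fresh scan against the stored baseline: dropped-in files, edits to known files, deletions."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed WordPress-like tree: take a baseline, tamper with it, and return the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>")
        (root / "wp-includes" / "functions.php").write_text("<?php // core ?>")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>")
        baseline = build_baseline(root)
        # Persist the baseline as JSON (assumption: in practice keep it outside the web root).
        baseline_json = json.dumps(baseline, sort_keys=True)
        # Simulate what a compromise looks like: an edited core file, an unknown file, a deleted file.
        (root / "wp-includes" / "functions.php").write_text("<?php // core + unexpected edit ?>")
        (root / "wp-includes" / "unknown.php").write_text("<?php // not part of the install ?>")
        (root / "index.php").unlink()
        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step right after a clean install or update, and re-run the comparison on a schedule; anything under "added" or "modified" that you did not change yourself deserves a look.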
It’s very important to have a robust backup strategy. Ideally, you should utilize the “3-2-1” strategy for backups, meaning that you should have at least 3 copies of your data – 2 of which are local but on different devices, and one that is in a different location. If one of your data copies becomes unavailable, you can restore your data from a second device. However, if two devices are stored in the same location and you experience fire, flood or theft, there’s a good chance you will lose both of your backup devices. That’s why it’s important to also have a third copy of your data that is off-site, meaning it isn’t in the same location as the other two.