Cybersecurity is one of the most important facets of our digital world. As we continue to evolve and rely on technology to grow and maintain our businesses, we require constant security and support for our hardware and software, including WordPress.
Websites that use a content management system (CMS) with account logins are all exposed to brute-force attacks. In these automated attacks, bots attempt to log in to your site over and over, consuming server resources in the process.
If your site gets hacked
We can hear your silent tears; our ears are that good. It’s unlikely that someone hacks your website for the sheer thrill of it. Chances are that malware has been planted in the code and your site will require immediate attention. Consider using a tool like Sucuri.
If your site doesn’t get hacked
Don’t huzzah just yet. Even if a bot never makes it into your account, the attempts alone can still overload your server. Every interaction with your website, even a simple login attempt, uses resources. Since the server is where your website files are hosted, this can take your website down if your hosting account doesn’t have the resources to keep up.
Back up your website
Check with your website host to ensure your account has backup options available. Most hosts will offer automatic, daily backups either as part of your hosting package or as an add-on. With backups enabled, you can roll back to a previous save point prior to your website getting hacked. From there, you’ll have a clean site to start the security process.
Pro Tip: If you run an eCommerce site, or make content updates more than once a day, you will want manual backup tools as well. These let you specify when a backup is made, in case you need to roll back to a point more recent than the last automated daily backup.
Be mindful of your WordPress users and their permissions
Not every person on staff needs access to the backend of your website. The more users you have, the more accounts there are for login attempts to target. Since Administrators can see and change everything when they log into WordPress, it is recommended to have a single Administrator account. Roles like Editor can be used for individuals who don’t need access to all of your website’s settings and may only need to post blogs.
Users assigned to the Administrator role in WordPress can send password reset requests to additional users from the Users panel. This is particularly handy if you’ve recently discovered a brute-force attack and want everyone in your organization to reset their passwords.
Start with your password
You’ve heard it time and time again – the importance of password protection. Beyond choosing a strong password, keeping it secure, and changing it routinely, there are some additional steps you can take within WordPress.
2FA – Two-factor authentication
Last year we showed you how to set up authentication in your Microsoft Office 365 mailbox – did you know there is a similar step you can set up in WordPress?
You may already have an authenticator app installed on your mobile phone. By installing and activating a 2FA WordPress plugin, you can have a one-time code generated in your app that you enter as an additional step when logging in to WordPress.
IP and Country Blocking
Security plugins like Wordfence and global networks like Cloudflare give you tools to track and block the IP addresses that repeatedly try to log in to WordPress. Because it’s easy enough for an attacker to change IP addresses, these tools also let you block entire regions from accessing your website.
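The tracking part can also be done with WordPress’s own hooks. The snippet below is an added example, not code from the original post or from Wordfence or Cloudflare: it counts failed logins per source IP in a transient and refuses further attempts once a threshold is reached. The threshold, the window length, and the assumption that REMOTE_ADDR is the visitor’s real address (it is not when a CDN or proxy such as Cloudflare sits in front) are mine.

```php
<?php
// Added example, not code from the original post; thresholds are assumptions.
const BF_MAX_FAILURES   = 5;    // failed attempts allowed per window (assumed)
const BF_WINDOW_SECONDS = 900;  // 15-minute window (assumed)

// Behind a CDN or reverse proxy (e.g. Cloudflare) REMOTE_ADDR is the proxy's
// address, not the visitor's; configure the web server to restore the real IP.
function bf_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// The IP is hashed only to keep the transient name short and safe.
function bf_transient_key( $ip ) {
    return 'bf_fail_' . md5( $ip );
}

// Count each failed attempt per IP; the transient expires after the window.
// Each further attempt during a lockout refreshes the expiry.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = bf_client_ip();
    $key   = bf_transient_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, BF_WINDOW_SECONDS );
    // Write a log line so repeated failures are visible to monitoring.
    error_log( sprintf( 'wp-login failure %d for "%s" from %s', $count, $username, $ip ) );
} );

// Once the threshold is reached, refuse authentication for that IP until the
// window expires. Priority 30 runs after core's credential checks (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( bf_transient_key( bf_client_ip() ) );
    if ( $count >= BF_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( bf_transient_key( bf_client_ip() ) );
}, 10, 2 );
```

Dropped into `wp-content/mu-plugins/` it loads on every request; the `error_log` line is what lets you spot a burst of failures from one address before the lockout ever triggers.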
Adding reCAPTCHA to the Login and Comments Forms
Developed by Google, reCAPTCHA is a system that distinguishes human visitors from bots. You may recall seeing hard-to-read words that you had to decipher and retype to get to a web page. Or do you remember having to select all the images that feature a traffic light? How about “clicking here to prove you’re not a robot?” These are all examples of reCAPTCHA.
While it’s not 100% bot-proof (not many things can be today, let me tell ya) it can help.
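A plugin does this for you, but it helps to see what the control actually is. The snippet below is an added example, not code from the original post: it puts a reCAPTCHA v2 checkbox on the login and comment forms and, more importantly, verifies the token server-side before accepting the login or the comment. The site key and secret are placeholders, and the login check assumes the standard wp-login.php form (it keys off the `log` field).

```php
<?php
// Added example, not code from the original post. Keys are placeholders.
const RC_SITE_KEY = 'YOUR_RECAPTCHA_SITE_KEY';   // placeholder
const RC_SECRET   = 'YOUR_RECAPTCHA_SECRET_KEY'; // placeholder
// Load the reCAPTCHA widget script on the login page and the front end.
function rc_enqueue_script() {
    wp_enqueue_script( 'google-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null );
}
add_action( 'login_enqueue_scripts', 'rc_enqueue_script' );
add_action( 'wp_enqueue_scripts', 'rc_enqueue_script' );
// Render the checkbox widget inside the login form and the comment form.
function rc_render_widget() {
    echo '<div class="g-recaptcha" data-sitekey="' . esc_attr( RC_SITE_KEY ) . '"></div>';
}
add_action( 'login_form', 'rc_render_widget' );
add_action( 'comment_form_after_fields', 'rc_render_widget' );
add_action( 'comment_form_logged_in_after', 'rc_render_widget' );
// Verify the token with Google's siteverify endpoint; the widget alone proves nothing.
function rc_token_is_valid() {
    if ( empty( $_POST['g-recaptcha-response'] ) ) {
        return false;
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => RC_SECRET,
            'response' => sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ),
        ),
    ) );
    if ( is_wp_error( $response ) ) {
        return false; // fail closed when the verification service is unreachable
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return isset( $body['success'] ) && true === $body['success'];
}
// Login form: run after core's credential checks (priority 20) and reject on a bad CAPTCHA.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( isset( $_POST['log'] ) && ! rc_token_is_valid() ) {
        return new WP_Error( 'captcha_failed', __( 'Please complete the CAPTCHA.' ) );
    }
    return $user;
}, 30, 3 );
// Comment form: stop the submission before it is stored.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! rc_token_is_valid() ) {
        wp_die( __( 'Please complete the CAPTCHA.' ), 403 );
    }
    return $commentdata;
} );
```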
Do you really need comments turned on in your blog?
Any form on your WordPress site provides an additional way for bots to go forth and hacketh away. In addition to your login page, this includes contact and comment forms.
If your blog is widely visited and you routinely receive authentic comments from your audience that benefit other readers – well done, you! Many blogs don’t really need a commenting system. Sure, it’s nice to have when it’s used appropriately, but typically it serves as another way for automated scripts to push content onto your website.
We recommend that if you turn on commenting, you have a monitoring strategy in place. Don’t set it and forget it. Many businesses opt to keep their communication with customers on social media instead of static comments that remain on the page. Consider your needs and what brings you value, then make sure you’re following best practices.
Old sites may be worth a revamp
If you have a WordPress site that was built *years* ago, was never properly monitored and maintained, and you’re not quite sure of the state of your server – it’s time for a new website. The money and effort put into fixing something outdated may end up costing more than starting from scratch. If you find yourself in this position, reach out to us! We’d be happy to speak with you about your website options.