“October is Cyber Security Awareness Month and an annual reminder for all Australians to stay secure online.”
That’s what the government’s Cyber.gov site is promoting at the moment, as are many other big corporations, and their key messaging applies to everyone who uses a computer or device in everyday life.
Let’s look at how we can apply some of their suggestions and our recommended best practices so we can lock down our WordPress sites to ensure they’re up to date, secure, and safe from hackers.
Use a secure password 🔐
This is the most common piece of advice, and oftentimes security comes down to the basics.
Think about how you would secure your car: locking the doors, closing the windows, and not leaving your valuables on full display.
You’re probably aware by now that a secure password is more than just a capital letter, a number or a special character. Length matters too, and so does not reusing the same email + password combination across multiple sites.
Even if the password is strong on its own, if a company holding your information is compromised, hackers can find other sites where your email address is registered and try the same email + password combination there, rendering the secure password useless.

WordPress does an excellent job of generating a random password for you, but if you want to use a different service, you can try LastPass’s or 1Password’s password generators.
Use 2 Factor Authentication
For all your WordPress hardening needs, we recommend one plugin to handle it all: Solid Security Basic. We’ve found we don’t really use the Pro version, but you can get it for some additional support if you wish.
It has almost all the main features we need in a decent security plugin: 2FA, firewall, user rules, hiding your login, and forcing email logins.

Setting up 2FA is fairly straightforward. Once enabled, just go over to Google Authenticator (for iOS or for Android) or Microsoft Authenticator (for iOS or for Android). I personally recommend Microsoft Authenticator as it is also device locked using your fingerprint or PIN.

All done! 🔐😉

Hide your login screen
Hiding your standard “wp-admin” login screen is one of the easiest ways to hide the fact that your site runs WordPress. This first step already creates a hindrance for any would-be hacker, as they won’t know which URL to hit to even reach a login screen.

In Solid Security Basic, you can move your backend login to a URL that is memorable for you but difficult for anyone else to guess. Avoid anything like “login”, “backend” or “admin” and pick something only you would know, like an obscure Taylor Swift song: /the-moment-i-knew
Use Emails only, no usernames 📧
Usernames are fairly easy to guess, and if you know where to look, you can also get a list of every user on the site. So it makes sense to force the login form to accept email addresses only, making an unknown email address + password combination that much harder to guess!
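As an added example (not code from this post or from Solid Security), here is a small must-use plugin that does the same two things by hand: it rejects any login attempt that isn’t an email address, and it closes the two places WordPress would otherwise hand out usernames to anonymous visitors. It assumes a standard single-site install and that the file is dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Email-only login hardening (added example, not Solid Security's code)
 * Assumes a standard single-site install; place this file in wp-content/mu-plugins/.
 */

// 1. Refuse any login attempt whose "username" field is not an email address.
//    Priority 5 runs before WordPress's own username/password handlers (priority 20),
//    so a plain username never reaches them.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== $username && ! is_email( $username ) ) {
        return new WP_Error( 'email_only', __( 'Please log in with your email address.' ) );
    }
    return $user;
}, 5, 3 );

// 2. Detach the username-based handler entirely; wp_authenticate_email_password stays.
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );

// 3a. Stop /?author=N from redirecting to the author's archive, whose URL contains
//     the login name. Legitimate author archives via their normal permalink still work.
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url(), 301 );
        exit;
    }
} );

// 3b. Hide the REST users collection from visitors who are not logged in; by default it
//     lists every user who has published content.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

Note that the email-only rule also applies to XML-RPC and application-password logins, so any integration that authenticates with a username must switch to the account’s email address.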

Use an up-to-date PHP version
According to WordPress.org, a whopping 34% of all known WordPress installs are still on PHP 7.4, which reached end of life in November 2022, almost 2 years ago now (Oct 2024).

The latest versions of PHP (8.4 at the time of writing) bring tonnes of performance improvements over PHP 7.4 as well as security fixes, which makes upgrading to PHP 8.4 a no-brainer.
Updating the PHP version also means you can upgrade your plugins and themes to their latest versions, further securing your WordPress install.
Update your themes and plugins
This is the most common way WordPress sites get hacked.
You might have read countless stories of websites running WordPress being hacked or compromised. This is most commonly done through an outdated plugin or theme with a known vulnerability that hackers then exploit.
Because all WordPress code is essentially open source, anyone can read it and try to find a way in. But because it’s open source, with so many eyes on the code, it is also one of the most secure platforms in the world. The caveat is that this only applies to the base WordPress platform, without any plugins or themes.
Plugins and themes are developed by third parties, who may not have the same level of expertise or skill to lock down vulnerable code and keep outsiders out.
You can sign up for Wordfence’s security newsletter to keep yourself abreast of all the newly discovered issues.

As always, before you go ahead and update your plugins, be sure to take a backup of your site files and database in case there is a conflict or other issue.
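The PHP-version and update advice above is easy to forget once a site is live, so here is an added example (not code from this post or any plugin it mentions) of a must-use plugin that nags administrators from the dashboard whenever the server is on a PHP branch that no longer gets security fixes or when core, plugin or theme updates are waiting. The supported-PHP floor of 8.1 is an assumption for late 2024; adjust it as branches reach end of life.

```php
<?php
/**
 * Plugin Name: Patch-level notice (added example, not the post's or any plugin's code)
 * Warns administrators about an end-of-life PHP branch and pending updates.
 * Assumes a standard install; place this file in wp-content/mu-plugins/.
 */

// Oldest PHP branch assumed to still receive security fixes (php.net publishes the dates).
const EXAMPLE_MIN_SUPPORTED_PHP = '8.1';

// True when the running PHP branch is below the assumed supported floor.
function example_php_is_eol( $version ) {
    return version_compare( $version, EXAMPLE_MIN_SUPPORTED_PHP, '<' );
}

add_action( 'admin_notices', function () {
    // Only users who can apply updates need to see this.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $problems = array();

    if ( example_php_is_eol( PHP_VERSION ) ) {
        $problems[] = sprintf(
            'PHP %s no longer receives security fixes; upgrade to PHP %s or newer.',
            PHP_VERSION,
            EXAMPLE_MIN_SUPPORTED_PHP
        );
    }

    // wp_get_update_data() returns the same pending-update counts the admin bar shows.
    $counts = wp_get_update_data()['counts'];
    $labels = array( 'wordpress' => 'core', 'plugins' => 'plugin', 'themes' => 'theme' );
    foreach ( $labels as $key => $label ) {
        if ( ! empty( $counts[ $key ] ) ) {
            $problems[] = sprintf( '%d %s update(s) pending.', $counts[ $key ], $label );
        }
    }

    if ( $problems ) {
        echo '<div class="notice notice-warning"><p><strong>Security maintenance:</strong> ',
            esc_html( implode( ' ', $problems ) ),
            '</p></div>';
    }
} );
```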
Obscure WordPress 🙈
The majority of the time, hackers aren’t scrolling through sites one by one to find a vulnerable one to hack. Since the WordPress structure is uniform and standardised, they simply run scripts that scan millions of sites for particular plugins, versions and vulnerabilities.
If a site matching the right vulnerabilities is found, the exploit and actual hacking takes place.
Knowing this, it’s easy for us to obscure the WordPress folder structure by replacing folder names like “wp-admin”, “wp-content” and “wp-content/plugins” with obfuscated text such as “fjw92l9a”, so the bots hunting for “wp-content” won’t find it.
We can do this using WP Hide, which rewrites the URLs via .htaccess to hide the fact that we are running WordPress.

What to do if your site is hacked 😱
If your WordPress site has been hacked or compromised, reach out to us and we can recover and restore the hacked WordPress site and lock it down so it doesn’t happen again. Guaranteed.
We offer a no-fix, no-fee guarantee on this service. And so far, we’ve never had to honour this. 💪😎