Your WordPress website’s security
I am indebted to Daniel Kanchev of the hosting company Siteground, who posted a video ahout this in October 2022, cybersecurity month. These are my own notes on his video. He starts by outlining different kinds of vulnerability and moves onto the solutions. Inevitably, some of the solutions are Siteground-related. Declaring an interest: this website is hosted by Siteground.
If you are accessing your site from a public wifi (eg in Starbucks), another person using the same wifi can see your logins if your website is not protected with an SSL certificate which encrypts information. Solution: use SSL encryption, which sends logins in an encrypted format.
SSL is free with Siteground but there is a paid option as well. Paid SSL is renewed less often and provide a warranty if there is a data breach, and offers a higher level of protection.
The attacker can’t see your login details but they try to guess the username and passwords, by making hundreds of thousands of attempts.
Don’t make it easy for them by using obvious logins like ‘admin’ and ‘1234’, they will guess this in minutes. Complicated logins will take them weeks or months. But they will succeed eventually. They can get access to your FTP, email and information.
Very common. We have an internally built solution protecting all Siteground websites. It works under the hood, it’s an AI system that makes brute-forcing impossible to succeed. We can see if login attempts are made, and if many attempts are made from a single IP address that is usually a sign of brute-forcing. We can block that IP address.
If a particular IP address has been found responsible for brute-forcing on their European servers, they can block the same IP address on their servers elsewhere in the world. Siteground block 430 million requests a day.
If they are not sure if a particular request is malicious, they show the user a capture which they have to solve if they are not a robot. When this happens, only 0.1% users actually solve it so the rest are malicious.
As a webmaster, you can also add 2-factor authentication (2FA) as an extra layer of protection for people logging in. The system requests an extra piece of information such as a code that is sent to your mobile phone. If your host is Siteground, you can activate this from within your client area. It’s useful where people re-use the same password for different application. If your password is leaked from another application, the hackers will try that password in other parts of your system to get access to other things. 2FA makes this impossible.
Siteground’s own security plugin is preinstalled with all WP sites installed through Siteground: limit login attempts and 2FA. That plugin feeds information to Siteground’s AI system. Siteground obtain meta data from the plugin and track patterns in global traffic requests that come to their servers. Using the plugin helps them to protect other websites.
There can be security flaws in plugins that no one knows about, which can affect your WordPress website’s security. When developers become aware of them, it can already be too late because there isn’t time to develop a patch. An attacher can attack all websites that have this flaw.
One solution is to monitor constantly for updates to plugins and themes. Update whenever a new version becomes available. But often, users aren’t on their website every day, they need time to become aware that a new version is available..
Good servers provide a WAF: web application firewall. Siteground has one too, here’s how it works. Siteground has a team that checks for such vulnerabilities and monitor security feeds where other researchers find vulnerabilities. When we find one, or are informed of one, we report it to the developers of the theme or plugin. At the same time, we write a security rule to patch that hole at server level. That way we don’t have to update all the plugins and themes of all our websites. The rule blocks malicious requests that attempt to exploit such vulnerbilities but allows the website to continue working.
Once we have written this rule, we are able to see in the logs the IP addresses that are trying to exploit this vulnerability and block them across the whole server.
Siteground are a WP partner and are notified by them of security releases. They are able to protect websites in advance. Siteground contributes to WP by writing security code for them, so it works both ways. The big plugin providers such as Yoast are clients of Siteground so they also inform them early of security issues they face, and can write code as quickly as possible.
Siteground’s WAF today blocks about 50 million malicious requests per day, traffic that never gets as far as websites themselves. It happens in the background doesn’t show up in the access logs of the website.
If your host does not offer WAF by default, either find another host, or use a plugin that integrates a firewall within WP.
Outdated software can compromise your WordPress website’s security
Not just plugins and themes and WP core,but server software that is too old and no longer supported by its original developers. This has an effect on the security of your website. Eg: php, apache, nginx, mysqul. These can go out of date and create security loopholes.
Siteground manages updates fully. They upgrade WP for clients and create full backups before going ahead with the update. It then does checks to make sure the browser display is ok and if it is not, it automatically restores from backup.
Additionally, you can select an option in the system to automatically update the plugins and templates whenever the core updates. They upgrade php automatically. Siteground doesn’t download the update packages but their source code, and builds the packages themselves. This allows them to add layers of security. Definitely the case for php.
There is always a possibility that malicious code can end up in your website. 100% protection is not possible. A targeted attack can succeed. There are always ways to mitigate or solve this. SiteScanner is a paid Siteground service that can help. It is also a source of information when malicious code gets through, which can protect all other websites because of the code added to the firewall to protect from it.
SiteScanner scans your website every day and finds threats such as specific malware affecting the database or redirecting your pages to a malicious website. It alerts you and give you tools for reaction. Scans all uploaded files to system, will allow quarantining and deletion of malicious files.s
Related to social engineering and phishing. They use people as the weak point in a chain of events: no advanced system can guarantee you against willingly, though unwittingly, giving access to passwords to the bad guys.
Educate yourself to recognise these attempts. There have been trick emails asking Siteground customers to renew their domain, not sent by Siteground. Siteground monitors, analyses and blocks these emails but that doesn’t stop them getting through and posing a theoretical threat. There is no all-round solution, only awareness on the part of users. There is a blog post about this.
One thing that can protect you is to protect your domain name: hide the Whois information about a domain. Domain privacy is a paid service from Siteground. Only about £12-15 per year but might be worth considering.
What happens if you’ve been hacked
Disaster recovery plan: revert to a clean backup. Early notification helps. Siteground takes backups everyday so you can revert to a clean one. But the backup itself may have vulnerabilities, so protect it after you have restored it. Change all the passwords: WP logins, FTP, email addresses, upgrade all plugins and themes, WP core, and all softwares. Also check your devices: are you using the latest version of your browser? Keep your operating system up to date. Antivirus software.
If restoring from a backup, you can order a cleaning service. This is a paid service from Siteground. Even if you can’t restore from a backup this can work.
Stay informed and focused on your WordPress webisite’s security
Take time to ask your hosting provider how often they take backups, how they help in the event of a hack. Time is of the essence after a hack so plan ahead.
Staging sites can be a back door to a live site. Use the SG security plugin: limit login attempts. Regularly review the number of staging websites you have and delete the ones you don’t need.
SSL: Let’s Encrypt is free because it is community-driven and supported by big tech giants. But it has not warranty. Paid certificates give additional checks and warranties.
2FA is not completely proof against a targeted attack (it is against random attacks). There is an extra layer using physical security keys. This a USB device you need to plug into you computer or phone in order to access your account. Used by high-profile users like politicians, journalists, etc.
SG security is as good as Wordfence. Additionally, the SG one feeds information to the AI that monitors malicious attacks.
Category: WordPress Help
← Previous post: Website hygiene with Wordpress