WordPress is open source software, so it is free and regularly updated, which of course is great news. The flip side is that hackers have easy access to the source code, and as a result WordPress sites are attacked on a regular basis.
As an example of the sheer scale of the problem, the ever popular Wordfence plugin reported, as we wrote this blog post on the 12th December 2019, that in the previous 30 days it had blocked a staggering 3,389,940,569 attacks against WordPress websites and blacklisted 68,398 malicious IP addresses.
In this blog post we discuss the steps to take and the plugins to install that we consider an absolute minimum requirement when configuring your WordPress site, in order to protect your website as much as possible from the hacking attempts it will inevitably receive.
There are many thousands of plugins available to do just about anything you can think of with a WordPress site, and the majority are free to download and use. Those that charge for their plugin usually offer a ‘light’ version that does the basics free of charge, and you can then purchase the enhanced version if the added value justifies the purchase cost.
Several plugin authors ask for a voluntary contribution to use the plugin. In our opinion, if you benefit from a plugin and expect free updates that keep it compatible with the latest versions of WordPress, then it is only right that you make an appropriate donation. If nobody did, the plugin author would eventually get fed up with updating it and you would need to replace it relatively quickly.
Below we have highlighted a few plugins that we consider almost an absolute necessity for the day to day management of your WordPress site and its security. By default, every WordPress installation that we work on ourselves has, as a minimum, the following plugins installed:
Wordfence is the leading cyber security solution for WordPress. It provides a complete anti-virus and firewall package for your WordPress website, including two-factor authentication, a firewall incorporating machine learning, and tools to help you recover from a hack.
Wordfence Security is available free. Simply sign into your WordPress website, go to Plugins > Add New, and search for ‘Wordfence’ by Wordfence.
The premium version includes enterprise WordPress security features such as two-factor authentication and country blocking; however, see below for another option for a two-factor authentication plugin.
Two Factor Authentication (TFA / 2FA)
Two Factor Authentication, from the authors of UpdraftPlus, secures your WordPress login with two-factor authentication (TFA / 2FA). Users for whom it is enabled must supply a one-time code, generally obtained from an app on their smartphone, in order to log in.
This plugin supports Google Authenticator, Authy and many more applications.
If you are security-aware, you may already have the Google Authenticator app installed on your smartphone and use it for two-factor logins to your Gmail, Dropbox, LastPass or Amazon accounts.
The two-factor requirement can be enabled on a per-user basis. As an absolute minimum we recommend enabling it for your administrator accounts, while allowing the less privileged accounts to log in as usual; in an ideal world, however, you would protect all user accounts with two-factor authentication.
Two Factor Authentication is available free. Simply sign into your WordPress website, go to Plugins > Add New, and search for ‘Two Factor Authentication’ by David Nutbourne and David Anderson.
When it comes to software installations we can say no more than: backup, backup and backup. One day you will thank yourself for making the effort, and in this day and age offsite backup for many server software installations can be done absolutely free.
WordPress, like any content management system, is exposed to server crashes, hacking, security flaws, and bad plugin or theme updates. If anything happened to your website, it could cost you dearly in time, money and reputation.
Whilst other security measures are essential, backups are the ultimate insurance: if the worst were to happen, your website (plus all related files and databases) stays safe and can be restored in no time.
Whilst all our hosting accounts include daily backups with the ability to restore directly from within cPanel, we appreciate that many hosting accounts do not offer this essential facility without substantial additional cost.
We would therefore recommend, as ‘belt and braces’, installing a backup plugin to further protect your WordPress website.
UpdraftPlus simplifies backups and restoration. It is the world’s highest ranking and most popular scheduled backup plugin, with over two million currently active installs. It lets you back up your files and databases to the cloud and restore with a single click.
Back up to the cloud directly to Dropbox, Google Drive, Amazon S3 (or compatible), UpdraftVault, Rackspace Cloud, FTP, DreamObjects, OpenStack Swift, and email. The paid version also backs up to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP, and WebDAV.
Your WordPress backups are worth the entire investment you have made in your website. The day may come when you get hacked, or when something goes wrong with an update or your server; without good backups, you lose everything.
UpdraftPlus is available free. Simply sign into your WordPress website, go to Plugins > Add New, and search for ‘UpdraftPlus WordPress Backup Plugin’ by UpdraftPlus.Com, David Anderson.
Once you have installed UpdraftPlus you will need somewhere to save your backup files. We suggest a Dropbox account: you can sign up and enjoy 2GB of storage absolutely free, which should be sufficient for several daily backups of your WordPress site.
Easy Updates Manager is a light yet powerful plugin that allows you to manage all kinds of updates. With a huge number of settings for endless configuration, Easy Updates Manager is a good choice for anyone wanting to take control of their WordPress updates.
Free features include: disable all updates with one click; enable automatic updates with one click; deeply customise your automatic update settings; use logs to determine what was updated and when; hide plugin and theme updates (if custom developed); select which plugins and themes can be automatically updated; disable core, plugin, theme, and translation updates; force updates to check that automatic updates are working; and much more.
Easy Updates Manager is available free. Simply sign into your WordPress website, go to Plugins > Add New, and search for ‘Easy Updates Manager’ by Easy Updates Manager Team.
SSL on your WordPress site – Really Simple SSL
If you have installed an SSL certificate on your hosting account and are migrating your WordPress site to a secure (https) URL, or if you are experiencing insecure mixed content warnings, consider installing the Really Simple SSL plugin.
Really Simple SSL automatically detects your settings and configures your website to run over https. To keep it lightweight, the options are kept to a minimum, and your entire site moves to SSL with little effort.
Really Simple SSL is available free. Simply sign into your WordPress website, go to Plugins > Add New, and search for ‘Really Simple SSL’ by Rogier Lankhorst, Mark Wolters.
And Finally, a Small Plug for us…