Let’s pick this security topic up where we left off and take it a little deeper. There are four types or aspects of security that you need to be aware of. These four are protection, hiding, detection, and restoration. You need to implement all four to protect your site.
After the initial process of keeping WordPress, your plugins, and themes updated, you have to protect your site. This involves implementing security features that make getting into your site more difficult for hackers. This is the first level of security and will go a long way toward improving the security of your WordPress-powered site.
There are several things that fall under protection, such as blocking bad users, enforcing strong passwords, stopping brute-force attacks, turning off file editing from inside WordPress, locking down the database and file system, and, if desired, forcing SSL (Secure Sockets Layer) on admin pages. All of these help protect your site from attacks, and several of them also help hide parts of your site.
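As an added example (not from the original post), here is what the "turn off file editing", "force SSL on admin pages" and "change the table prefix" items look like when written into wp-config.php. The prefix string and the proxy note are assumptions; the constants themselves are standard WordPress settings.

```php
<?php
// Added example: hardening entries for wp-config.php (not from the original post).
// Place these above the "That's all, stop editing!" line of the generated file.

// Table prefix: choose a non-default value before installation. Changing it on a
// live site also means renaming every existing table, so do that with a backup.
$table_prefix = 'xk7q_';   // constructed example value, not a recommended string

// Turn off the theme/plugin file editor in the dashboard so an attacker who gets
// an admin session cannot write PHP into the site through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger: also block plugin/theme installs and updates from the dashboard.
// Only enable this if code is deployed another way (git, WP-CLI, rsync).
define( 'DISALLOW_FILE_MODS', true );

// Force HTTPS for wp-login.php and the whole /wp-admin/ area so the password and
// the logged-in cookie never travel in clear text.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the site sits behind a TLS-terminating proxy. WordPress then cannot
// see the real scheme, so read the forwarded header; otherwise FORCE_SSL_ADMIN
// causes a redirect loop. Only trust this header if the proxy sets it and drops
// any copy supplied by the client.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Never print PHP errors to visitors; paths and SQL in error text help attackers.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
```

The "lock down the file system" part of the list is done outside PHP: the web server user should own only wp-content/uploads, wp-config.php should be readable by the PHP process alone (mode 0400 or 0440), and the database user WordPress connects with should have rights on its own database only. Strong-password enforcement and blocking of known bad addresses are normally done by a plugin or at the web server rather than in this file.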
Because of the popularity of WordPress, there are some common vulnerabilities that the platform has. You can reduce the vulnerability significantly by hiding areas of your site so attackers are not able to learn much about your site and thus help keep them away from sensitive areas. This can go a long way to reducing the number of attacks your site will face.
There are a number of items that can be hidden, like the URLs for the WordPress login and admin pages. You can also remove the meta “Generator” tag, hide WordPress, theme, and plugin updates, and change the database table prefix. A couple of other items that can be hidden are the Windows Live Writer header information and the RSD header information; renaming the “admin” account and changing the ID of user 1 to another ID also help.
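The following must-use plugin is an added example (not code from the original post) showing how the generator tag, RSD link, Windows Live Writer manifest link and version strings are removed from the public page head with WordPress's own hook API. The function names with the `fp_` prefix and the decision to disable XML-RPC are this example's assumptions; the hooks it removes are the ones WordPress registers by default.

```php
<?php
/**
 * Plugin Name: Reduce fingerprinting
 * Description: Added example (not from the original post). Strips version and
 * discovery hints from the public HTML head. Save as wp-content/mu-plugins/fingerprint.php.
 */

// Remove <meta name="generator" content="WordPress x.y"> from pages, and the
// generator element that the same function adds to RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Remove the Really Simple Discovery link and the Windows Live Writer manifest
// link. Both advertise that the site is WordPress and point at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// Strip "?ver=x.y" from enqueued styles and scripts; those query strings leak
// the exact core, theme and plugin versions in every page source.
function fp_strip_version_query( $src ) {
    // Assumption: the site does not depend on ?ver= for cache busting.
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'style_loader_src',  'fp_strip_version_query', 15 );
add_filter( 'script_loader_src', 'fp_strip_version_query', 15 );

// Hide the "WordPress x.y is available" banner from users who cannot act on it,
// so a low-privilege account reveals less; administrators still see it.
function fp_hide_update_nag_for_non_admins() {
    if ( ! current_user_can( 'update_core' ) ) {
        remove_action( 'admin_notices', 'update_nag', 3 );
        remove_action( 'network_admin_notices', 'update_nag', 3 );
    }
}
add_action( 'admin_init', 'fp_hide_update_nag_for_non_admins' );

// Hiding the RSD/WLW links only hides XML-RPC; this turns it off. Assumption:
// no mobile app or remote publishing client needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Renaming the login and admin URLs, renaming the “admin” account and changing user ID 1 are database and rewrite-rule changes rather than hook removals, so they are not shown here; a plugin or a direct SQL change with a prior backup is the usual route.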
By hiding the above areas of your WordPress site you are drastically reducing your exposure to hackers. Taking the time to make these changes will be worth the effort and keep your WordPress site safer.
Being able to detect changes to your filesystem or database is another step in protecting your site. You can have software watch your site for unauthorized changes and notify you when it notices strange activity. Another form of detection is software that looks for bots and probes that indicate someone is scanning your site for common vulnerabilities. In addition, there are tools that lock users out after a certain number of failed login attempts.
Each of the approaches to detecting possible attacks and then working to prevent them is a great enhancement to the security protection of your WordPress site.
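As an added example (not from the original post or any particular plugin), this must-use plugin implements the "lock out after a number of failed logins" detection described above with core WordPress hooks, and writes each failure to the PHP error log so the attempts can be watched. The thresholds, the `sll_` names and the assumption that the server sees the real client address are this example's own choices.

```php
<?php
/**
 * Plugin Name: Simple login lockout
 * Description: Added example (not from the original post). After a set number
 * of failed logins from one client address, rejects further attempts for a
 * while and logs each failure. Save as wp-content/mu-plugins/lockout.php.
 */

const SLL_MAX_ATTEMPTS = 5;        // failures allowed before lockout (assumed value)
const SLL_WINDOW_SECS  = 15 * 60;  // counting window and lockout length (assumed)

// Assumption: PHP sees the client address directly. Behind a proxy, use the
// proxy's forwarded header here instead, and only if the proxy always sets it.
function sll_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'sll_fail_' . md5( $ip );
}

// Fires for a wrong password and for an unknown username alike. It also fires
// for our own lockout error below, so each attempt during a lockout re-arms
// the timer; that is intentional.
function sll_record_failure( $username ) {
    $key   = sll_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLL_WINDOW_SECS );
    error_log( sprintf(
        'login failure #%d for "%s" from %s',
        $count,
        $username,
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ) );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Priority 30 runs after the core username/email password checks at 20, so a
// correct password cannot replace the lockout error with a WP_User object.
function sll_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( sll_client_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_block_if_locked', 30, 3 );

// A successful login clears the counter for that client.
function sll_clear_on_success( $user_login, $user ) {
    delete_transient( sll_client_key() );
}
add_action( 'wp_login', 'sll_clear_on_success', 10, 2 );
```

Because the counter is keyed on the client address, a single scanner working through many passwords is stopped, while many addresses each making a few attempts are not; a shared address (office NAT) can also be locked out by one misbehaving machine, which is the usability cost the last paragraph of this article refers to. Transients are stored in the database unless an object cache is configured, so the lockout survives PHP restarts.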
As you’ll recall from the first article in the series, there are no guarantees when it comes to site security. There is always the risk that your site will get hacked. While the security measures above, protection, hiding common vulnerabilities, and detection, will significantly reduce your risk, there is still a chance things could go bad.
This is where having a recovery plan in place will get you back up and running if your security measures are breached. This recovery plan would include backing up your site files and database on a regular schedule and storing them on another server. With a recovery or backup plan in place you will have more peace of mind. Should your site get hacked, you can still get things back up and running because of your recovery plan. A recovery plan is a form of insurance for the investment you have in your WordPress site.
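The scheduled backup just described, as an added example written for this article rather than taken from it or from any backup plugin: a PHP command-line script that dumps the database, archives the files, and copies both off the web server. The paths, the remote host, the retention period and the assumption that wp-config.php uses single-quoted define() lines (the default) are this example's own; it requires PHP 7.4 or newer plus mysqldump, tar and rsync on the host and an SSH key for the remote.

```php
<?php
// Added example (not from the original post): nightly WordPress backup shipped
// off the server. Run from cron as the site's user, e.g.
//   0 3 * * * php /path/to/wp-backup.php
umask( 0077 );  // everything we create is readable by this user only

$wp_root   = '/var/www/example-site';                             // placeholder
$dest_dir  = '/var/backups/wp';                                   // local staging, outside the web root
$remote    = 'backup@backup.example.invalid:/srv/wp-backups/';    // placeholder remote
$keep_days = 14;                                                  // local retention (assumed)

// Read a define( 'NAME', 'value' ); line out of wp-config.php without executing
// the file (executing it would boot WordPress). Assumption: single-quoted values
// that do not themselves contain a single quote.
function wp_config_value( string $config, string $name ): string {
    $q = preg_quote( $name, '/' );
    if ( preg_match( "/define\(\s*'{$q}'\s*,\s*'([^']*)'\s*\)/", $config, $m ) ) {
        return $m[1];
    }
    throw new RuntimeException( "$name not found in wp-config.php" );
}

// Run a program from an argv array (no shell, so no quoting bugs) and fail loudly.
function run( array $argv, array $extra_env = [] ): void {
    $spec = [ 1 => [ 'file', '/dev/null', 'a' ], 2 => [ 'pipe', 'w' ] ];
    $p    = proc_open( $argv, $spec, $pipes, null, $extra_env + getenv() );
    $err  = stream_get_contents( $pipes[2] );
    fclose( $pipes[2] );
    if ( proc_close( $p ) !== 0 ) {
        throw new RuntimeException( $argv[0] . ' failed: ' . trim( $err ) );
    }
}

if ( ! is_dir( $dest_dir ) && ! mkdir( $dest_dir, 0700, true ) ) {
    throw new RuntimeException( "cannot create $dest_dir" );
}

$config   = file_get_contents( "$wp_root/wp-config.php" );
$stamp    = gmdate( 'Ymd-His' );
$db_plain = "$dest_dir/db-$stamp.sql";
$db_out   = "$dest_dir/db-$stamp.sql.gz";
$fs_out   = "$dest_dir/files-$stamp.tar.gz";

// 1. Database. The password is passed through the environment, not the command
//    line, so it is not visible in `ps`. Assumption: DB_HOST is a plain host name.
run(
    [
        'mysqldump', '--single-transaction', '--quick',
        '--host=' . wp_config_value( $config, 'DB_HOST' ),
        '--user=' . wp_config_value( $config, 'DB_USER' ),
        '--result-file=' . $db_plain,
        wp_config_value( $config, 'DB_NAME' ),
    ],
    [ 'MYSQL_PWD' => wp_config_value( $config, 'DB_PASSWORD' ) ]
);
// Compress the dump with PHP's zlib stream wrapper, then drop the plain copy.
file_put_contents( "compress.zlib://$db_out", fopen( $db_plain, 'rb' ) );
unlink( $db_plain );

// 2. Files. Core can be re-downloaded, but archiving the whole root (minus the
//    cache) makes a restore a single extract plus a single SQL import.
run( [ 'tar', '--exclude=./wp-content/cache', '-czf', $fs_out, '-C', $wp_root, '.' ] );

// 3. Ship both archives off the server. A compromised host must not be the only
//    place its own backups live. --chmod keeps the remote copies private.
run( [ 'rsync', '-a', '--chmod=F600', $db_out, $fs_out, $remote ] );

// 4. Prune old local copies; retention on the remote side is the remote's job.
foreach ( glob( "$dest_dir/*-*.{sql.gz,tar.gz}", GLOB_BRACE ) as $f ) {
    if ( filemtime( $f ) < time() - $keep_days * 86400 ) {
        unlink( $f );
    }
}
```

A backup that has never been restored is only a hope, so the plan is complete when the archive and dump have actually been loaded into a scratch site on another machine and the site came up. Keep the remote account write-only or append-only if the storage supports it, so that an attacker with the web server's SSH key cannot delete the history.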
Each of the above security layers can stand on its own, but when you combine them you get the best defense for your WordPress site. Remember that security is always a trade-off against usability.
Up next: 4 Great Security Practices for Your WordPress Site.