WordPress Site Security, 6 Advanced Steps
In the last post, WordPress Site Security, 7 Simple Steps, we laid out 7 different ideas you could implement yourself to make your WordPress website more secure. If you feel those measures are not enough, there are several more things you can do to protect your site. All of the measures below, however, will likely require a professional web developer and additional fees, either on your hosting plan or to a 3rd party service that helps monitor your website.
Before implementing the first 2 measures, you will need a current Secure Sockets Layer (SSL) certificate from your hosting company. In general, an SSL cert costs around $70 per year.
- Login screen protected by server-level (HTTP) authentication. With this measure we essentially give you a double login: the first is a server setting that pops up a browser password prompt you must pass before you even reach the WordPress login screen.
- Entire website hosted over “https.” For this solution we encrypt your entire website. The first follow-up question we often get is, “Will this slow down my site?” One word: “no.” The only issue you could encounter is embedding external media (a YouTube video, for example) that is not itself served securely onto a secure page of your site. On the flip side, any media you post through WordPress will also be served securely. The second question we get is, “Well, how does it actually work?” As a server talks to your computer, the two send packets of information back and forth. If your website is not encrypted, a hacker watching that traffic can capture the information. If the site is encrypted, someone watching would have to decrypt the packets before they could read anything. Decrypting the packets, while not impossible, is difficult and time consuming and will deter all but the most talented and compelled hackers.
- Require a registered IP address for WordPress admin login. This solution is a really good one, but it can be inconvenient. We set up the server so that your administrators can only log in from a registered IP address. The good: faking an IP address is very difficult, and this is easily one of the best measures you can take to beef up your security. The bad: if you’re on the road and need to log in from a new location, you would need to call or email someone to get that IP “whitelisted” before you can log in.
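The first and third measures above (a second password in front of the login screen, and a registered-address check) can both be expressed as a small WordPress must-use plugin. The following is an added example written for this article, not code from the original post or from any product it mentions. It assumes 64-bit PHP (for the IPv4 mask arithmetic), that the web server passes the `Authorization` header through to PHP (the `mod_php` default; PHP-FPM setups may need Apache's `CGIPassAuth On` or the equivalent), and that the addresses and the `LOGIN_GATE_*` credentials are placeholders you replace. The HTTPS prerequisite from the introduction is enforced first, because HTTP Basic auth sends the second password merely base64-encoded.

```php
<?php
/**
 * Plugin Name: Login Gate (added example)
 * Description: HTTP Basic auth second password plus an IP allowlist in front of wp-login.php.
 *
 * Added illustration, not code from the original post. Drop the file into
 * wp-content/mu-plugins/ so it loads before any ordinary plugin. All addresses
 * and credentials below are constructed placeholders.
 */

defined( 'ABSPATH' ) || exit;

// Basic auth sends the second password base64-encoded, so never prompt for it
// over plain HTTP: force wp-login.php and wp-admin onto HTTPS first.
force_ssl_admin( true );

// Constructed allowlist (IPv4, single addresses or CIDR blocks).
define( 'LOGIN_GATE_ALLOWED_IPS', array( '203.0.113.10', '198.51.100.0/24' ) );

// Constructed second password. Generate the hash with:
//   php -r 'echo password_hash("your second password", PASSWORD_DEFAULT), PHP_EOL;'
define( 'LOGIN_GATE_USER', 'gate' );
define( 'LOGIN_GATE_HASH', 'REPLACE_WITH_password_hash_OUTPUT' );

// True when $ip (dotted IPv4) falls inside $cidr ('a.b.c.d' or 'a.b.c.d/n').
// Assumes 64-bit PHP so ip2long() results are non-negative.
function login_gate_ip_in_cidr( $ip, $cidr ) {
    $parts       = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $parts[0] );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $bits = isset( $parts[1] ) ? (int) $parts[1] : 32;
    $mask = ( 0 === $bits ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function login_gate_client_ip() {
    // REMOTE_ADDR is the TCP peer the web server saw. X-Forwarded-For is just a
    // request header anyone can set, so only trust it behind a proxy you control.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

function login_gate_enforce() {
    $ip      = login_gate_client_ip();
    $allowed = false;
    foreach ( LOGIN_GATE_ALLOWED_IPS as $cidr ) {
        if ( login_gate_ip_in_cidr( $ip, $cidr ) ) {
            $allowed = true;
            break;
        }
    }
    if ( ! $allowed ) {
        wp_die( 'Login is only permitted from registered addresses.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Second password: the browser's Basic auth prompt, checked against the stored hash.
    $user = isset( $_SERVER['PHP_AUTH_USER'] ) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';
    if ( ! hash_equals( LOGIN_GATE_USER, $user ) || ! password_verify( $pass, LOGIN_GATE_HASH ) ) {
        status_header( 401 );
        header( 'WWW-Authenticate: Basic realm="Site administration"' );
        exit( 'Authentication required.' );
    }
}
add_action( 'login_init', 'login_gate_enforce' );

// wp-login.php is not the only door: XML-RPC also accepts passwords, so refuse
// XML-RPC logins as well, otherwise the gate can simply be walked around.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

`login_init` fires at the top of `wp-login.php` for every action (login, logout, lost password), so the whole screen sits behind both checks, which matches the "double login" described above. Until the placeholder hash is replaced, `password_verify()` fails for every input and nobody can log in, which is the safe default.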
- Automatically limit login attempts. Again, this solution can be a hassle, but only if you forget your password. If someone tries the same username unsuccessfully 3 times, the account is locked for a set amount of time, or until it has been reauthorized. So if you forget your password this can be a problem, but it also helps keep out intruders who have figured out your username.
- Create server scripts to block too many requests. This can deflect what is called a “brute force” attack. How it works: the attacker uses a computer program to try usernames and passwords over and over again until one gets in. The other way this attack can hurt your website is performance: the flood of HTTP requests (each one the equivalent of a visit to your site) drives your server’s memory through the roof until the server runs out. There are also several WordPress plugins you can install that will deflect a brute force attack; here is an example.
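The two measures just described, a lock after 3 failed logins and a cap on requests per client, share the same mechanism: a counter keyed by username or address that expires on its own. The following must-use plugin is an added example written for this article, not code from the original post or from any plugin it links to. The 3-failure threshold comes from the text; the 15-minute lock, the 120-requests-per-minute cap and the transient key names are constructed values.

```php
<?php
/**
 * Plugin Name: Login Lockout and Request Throttle (added example)
 * Description: Locks an account after repeated failed logins and throttles
 * clients that send too many requests.
 *
 * Added illustration, not code from the original post. Drop into
 * wp-content/mu-plugins/. Thresholds other than the "3 failures" from the post
 * are constructed values. Counters live in transients, so a persistent object
 * cache (Redis, Memcached) keeps them off the database.
 */

defined( 'ABSPATH' ) || exit;

define( 'LOCKOUT_MAX_FAILURES',  3 );                      // from the post
define( 'LOCKOUT_SECONDS',       15 * MINUTE_IN_SECONDS ); // constructed
define( 'THROTTLE_MAX_REQUESTS', 120 );                    // constructed, per IP per window
define( 'THROTTLE_WINDOW',       MINUTE_IN_SECONDS );      // constructed

function lockout_key( $username ) {
    return 'lockout_' . md5( strtolower( trim( $username ) ) );
}

// Every failed login adds to the per-username counter; the third failure
// starts the lock period. Failures during the lock do not extend it, so a
// stream of bad passwords cannot keep the real owner out forever.
function lockout_record_failure( $username ) {
    $key   = lockout_key( $username );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'failures' => 0, 'locked_until' => 0 );
    }
    if ( $state['locked_until'] > time() ) {
        return;
    }
    $state['failures']++;
    if ( $state['failures'] >= LOCKOUT_MAX_FAILURES ) {
        $state['locked_until'] = time() + LOCKOUT_SECONDS;
    }
    set_transient( $key, $state, LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'lockout_record_failure' );

// Runs after WordPress's own password check (priority 99, core uses 20 and 30),
// so even a correct password is refused while the account is locked.
function lockout_check( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $state = get_transient( lockout_key( $username ) );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $state['locked_until'] - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error(
            'account_locked',
            sprintf( 'Too many failed logins. Try again in %d minutes or ask an administrator to reauthorize the account.', $minutes )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lockout_check', 99, 3 );

// A successful login clears the counter. "Reauthorizing" a locked account is
// the same operation done by hand: delete that transient.
function lockout_clear( $user_login ) {
    delete_transient( lockout_key( $user_login ) );
}
add_action( 'wp_login', 'lockout_clear' );

function throttle_client_ip() {
    // REMOTE_ADDR is what the server saw on the socket; X-Forwarded-For is
    // caller-supplied and only meaningful behind a proxy you control.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Fixed window per IP: the first request opens the window, and once the count
// passes the cap the request is answered with 429 before WordPress does any more work.
function throttle_request() {
    if ( is_user_logged_in() ) {
        return; // do not rate-limit authenticated editors doing real work
    }
    $key   = 'throttle_' . md5( throttle_client_ip() );
    $now   = time();
    $state = get_transient( $key );
    if ( ! is_array( $state ) || $state['start'] + THROTTLE_WINDOW <= $now ) {
        $state = array( 'start' => $now, 'count' => 0 );
    }
    $state['count']++;
    $remaining = $state['start'] + THROTTLE_WINDOW - $now; // always >= 1 here
    set_transient( $key, $state, $remaining );
    if ( $state['count'] > THROTTLE_MAX_REQUESTS ) {
        status_header( 429 );
        header( 'Retry-After: ' . $remaining );
        exit( 'Too many requests.' );
    }
}
add_action( 'init', 'throttle_request', 0 );
```

Two limits of this PHP-level approach are worth knowing. Without a persistent object cache each counted request still writes a row to `wp_options`, so the throttle cuts the memory cost of a flood but not the database traffic; a real volume attack is better stopped at the web server or network layer, which is why the text speaks of server scripts rather than plugins. And the counters are not updated atomically, so a burst of simultaneous requests can slip a few past the cap, which is acceptable for a brute-force deterrent but not for an exact quota.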
- External server monitoring software to watch for attacks and monitor uptime. As we mentioned in the introduction, this requires a subscription fee to a 3rd party vendor. For WordPress monitoring we recommend VaultPress, which you can pick up with site backups and a nifty Business-level anti-spam package for a really reasonable price.