SANECHOICE CLOUD


Working in technology is fabulous, but it has drawbacks: everyone asks you about technology! Actually, we don’t mind this, and it has been the basis of many of the articles on our blog. One question we get asked by smaller businesses is how to secure their WordPress website. That question got us thinking about an article, but it also surfaced that the answer is not as simple as the Internet would have you believe.

This article will examine what it means to secure WordPress and provide actionable insights to help smaller businesses secure their websites. We may refer to some of our services on the way, but you don’t have to use them to increase your security footprint. 

The thing about WordPress

WordPress is an excellent framework for creating beautiful websites. We design websites with it all the time to turn our clients’ businesses into online realities; even the SaneChoice website runs on WordPress. But all that code, from core to the plugins and themes you bolt on, is also attack surface, and that increases the need for strict security to keep the bad guys out.

When we considered positioning this article, we quickly understood that securing WordPress is not just a matter of adding a plugin and never worrying again. Search the Internet and you will be inundated with plugins offering excellent security at reasonable prices. However, securing WordPress is more about keeping threat actors at arm’s length than about dealing with them only once they reach your website.

Layers of Security is a driver for a Secure WordPress


As mentioned above, you want to stop the bad guys from getting to your website, which requires three levels of security:

  1. Network-Level Security: Every WordPress site sits on a network called the Internet, and that is where attackers first reach it. Network-level security filters traffic before it gets anywhere near your server, which goes a long way toward keeping threat actors at a distance.
  2. Server-Level Security: WordPress will sit on a dedicated, virtual, or shared server. Servers need to be accessible for administration, updates, or changes, so server security is another layer of protection required to fight against malicious activity.
  3. Software-Level Security: Even with network and server-based security, you need securely coded software and some code-level protection against malicious activity.

As you can see, the simplistic advice a Google search turns up can lead you down a path that fails to protect your website. When you capture personal information and take payments online, that can end in a terrible place indeed. So what is one meant to do, and how does one do it without one’s head exploding?!

Before we move on, we cannot emphasise enough that the three levels of security are the best approach to the problem. When considering any online service, consider the network, server, and software. Make security three-dimensional and not just the thing you touch the most.

Securing WordPress the Practical Way

We could discuss the many ways to secure WordPress in great detail. However, this article aims to make it both understandable and actionable. You can lean on our experience and take the solutions below, which we have implemented for many years.

Step 1: Network Level Security via Cloudflare

There is no better place to start for network security than Cloudflare. Every website we build for clients sits on the Cloudflare network to help protect against malicious activity. (Before you ask, SaneChoice does not receive revenue for promoting Cloudflare. We use it because we know how good it is at network security). 

Cloudflare helps keep threat actors at arm’s length by routing your website traffic through its extensive network and scanning (or blocking) wrongdoing before it reaches your server. Because visitors connect to Cloudflare rather than to you, your origin server’s IP address and platform details are not exposed in DNS. One caveat: that only holds for DNS records that are proxied through Cloudflare and for an origin server that refuses connections from anywhere else (see the server step below). An origin IP that leaks, for example through an old DNS-only record or an outbound email header, can still be attacked directly.

Cloudflare has so many features that it can make your head spin. However, even set up at the most basic level (traffic proxied through Cloudflare with the default settings), your website will be far better protected than it was before.

Here’s how to obtain a free Cloudflare account and get started:

  1. Visit the Cloudflare Website: Open your web browser and go to the Cloudflare website at https://www.cloudflare.com.
  2. Navigate to the Sign-Up Page: Look for a “Sign Up” button on the homepage, usually in the screen’s upper-right corner. Click on it to begin the registration process.
  3. Enter Your Email and Create a Password: You will be prompted to enter your email address and create a secure password. Make sure to choose a strong password to protect your account.
  4. Agree to Terms and Create Account: You may need to agree to Cloudflare’s Terms of Service. Once you’ve read and agreed to them, click the button to create your account.
  5. Verify Your Email: Cloudflare will send a verification email to your provided address. Check your inbox (and spam/junk folder if necessary) for this email, and click on the verification link.
  6. Add Your Website: Log in to your new Cloudflare account once your email is verified. You’ll be prompted to add your website by entering your domain. Click “Add Site” to continue.
  7. Select a Plan: Cloudflare offers a range of plans. The “Free” plan offers essential services without any charges.
  8. Review DNS Records: Cloudflare will scan your domain’s existing DNS records and display them for your review. Ensure these records are accurate; you can add, remove, or edit them as needed. Make sure the records for your website (typically the root domain and www) are set to proxied (the orange cloud icon); a DNS-only record publishes your server’s real IP address and lets visitors bypass Cloudflare entirely.
  9. Update Your Domain’s Nameservers: To enable Cloudflare services, you must change your domain’s nameservers to those provided by Cloudflare. This step is done through your domain registrar’s website (where you purchased your domain).
  10. Confirmation and Activation: Once you’ve updated your nameservers, return to your Cloudflare account and confirm that you’ve made this change. It may take some time (up to 48 hours) for the DNS changes to propagate and for Cloudflare services to become active for your site.
  11. Configure Additional Settings (Optional for the brave!): After your site is active on Cloudflare, you can explore additional settings and features, such as security options, caching rules, and performance optimisations, through the Cloudflare dashboard.

Once traffic routes through the Cloudflare network, you are starting to add a robust layer of security around your WordPress website. Moreover, you are leveraging Cloudflare’s security expertise to stop malicious traffic from getting anywhere near your website.

Step 2: Server Level Security

If you have completed the Cloudflare step above, web traffic that arrives via Cloudflare is inspected for malicious activity. So that is good news. However, the server hosting WordPress still has its own public IP address, and anyone who finds it can reach it directly, over SSH or FTP, or over HTTP/HTTPS, bypassing Cloudflare altogether. This means we need to secure access to the server itself.

This is where you want a WordPress platform or server provider to provide you with firewall capabilities. With a firewall, you can implement two security fundamentals:

  1. Only expose the services the Internet actually needs: web traffic (HTTPS, plus HTTP if you redirect it to HTTPS) and, if the server handles mail, email traffic. Better still, allow the web ports only from Cloudflare’s published IP ranges, so the only way to reach WordPress is through Cloudflare. Everything else stays closed, which shrinks your attack surface.
  2. Allow administrative access (SSH, SFTP, control panels and other sensitive areas) only from your office IP address, or from a VPN you control if that address changes. You need to connect to your server, but you want to be the only one who can.

Not everyone will have access to a firewall. For example, if you use an off-the-shelf WordPress service, you expect that provider to ensure secure access. (If you don’t know, ask them or check their website details). However, if you deploy your WordPress build from AWS or DigitalOcean, you will have all these capabilities available – in short, complete control.

An alternative approach

If your server runs Linux and your supplier offers no firewall, don’t panic. You can run a firewall on the server itself: iptables (or its successor, nftables) and UFW (Uncomplicated Firewall, a front end for them) are common examples, and one is usually installed by default. Like a more enterprise-grade firewall, they inspect incoming traffic and ALLOW or DENY it based on the rules configured. A host firewall is a good alternative, and worth running even alongside a provider firewall, since it still protects you if the provider’s rules are misconfigured.
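Here is what those two fundamentals look like as UFW rules. This is an added example for this article, not a SaneChoice script: the office address 203.0.113.10 is a documentation placeholder you must replace, Cloudflare’s address ranges are fetched from its published list at https://www.cloudflare.com/ips-v4 rather than hard-coded, and mail ports are left closed because this server is assumed not to run mail.

```shell
#!/bin/sh
# Host firewall for a WordPress origin server, using UFW.
# Added example, not SaneChoice's own script. Assumptions:
#   - OFFICE_IP (default 203.0.113.10) is a placeholder; set your real admin IP.
#   - Cloudflare's live IPv4 ranges are fetched from https://www.cloudflare.com/ips-v4
#     when run with "apply"; nothing below hard-codes them.
set -eu

OFFICE_IP="${OFFICE_IP:-203.0.113.10}"

# Apply the rule set.
#   $1 = admin IP allowed to SSH/SFTP in
#   $2 = space-separated CIDRs allowed to reach ports 80/443
#        (empty = leave the web ports open to everyone)
harden_ufw() {
  admin_ip="$1"
  web_sources="${2:-}"

  # Deny everything inbound by default; outbound stays open for updates.
  ufw default deny incoming
  ufw default allow outgoing

  # Admin access only from the office. SFTP rides on SSH, so plain FTP
  # (port 21) is never opened.
  ufw allow from "$admin_ip" to any port 22 proto tcp

  if [ -n "$web_sources" ]; then
    # Only Cloudflare's edge may talk to the web server, so nobody can
    # bypass the proxy by connecting to the origin IP directly.
    for cidr in $web_sources; do
      ufw allow from "$cidr" to any port 80 proto tcp
      ufw allow from "$cidr" to any port 443 proto tcp
    done
  else
    ufw allow 80/tcp
    ufw allow 443/tcp
  fi

  # Enable last, after the SSH rule exists, so you are not locked out.
  ufw --force enable
}

# Run "sh harden.sh apply" on the server to apply the rules for real.
if [ "${1:-}" = "apply" ]; then
  CF_V4=$(curl -fsS https://www.cloudflare.com/ips-v4 | tr '\n' ' ')
  harden_ufw "$OFFICE_IP" "$CF_V4"
  ufw status numbered
fi
```

The SSH rule is added before the firewall is enabled so you cannot lock yourself out, but run it from a console session the first time anyway. Passing Cloudflare’s ranges as the second argument closes the bypass mentioned in Step 1: once only Cloudflare can reach ports 80 and 443, a `curl -k https://<origin-ip>/` from anywhere else should time out, which is a quick way to confirm the rule took effect. Fetch https://www.cloudflare.com/ips-v6 as well if the server has a public IPv6 address, and re-run the script when Cloudflare updates its list.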

Step 3: Software Level Security

At this point, Cloudflare and a firewall protect your traffic and the server on which your WordPress website is hosted, so you are already in a powerful security position. The final leg of this journey is ensuring your software contributes to a secure environment.

Countless WordPress security plugins do a good job at this. We have used a few and quite like their features and protection. However, with Cloudflare and a firewall in place, your best software-level security strategy is to keep WordPress core, plugins, themes and the PHP runtime up to date, and to delete any plugin or theme you don’t use, since every installed one is code an attacker can target, active or not.

Plugin and WordPress updates are the key to removing known security bugs from your website; it’s one of the main reasons developers release updates. Take a backup before updating so you can roll back if something breaks. If you also wish to add a plugin to help, here are four which tend to feature at the top of people’s minds:

  • Wordfence Security: Wordfence is one of the most popular security plugins. It offers a robust firewall, malware scanning, protection against brute force attacks, and live traffic monitoring. Its comprehensive security package also includes two-factor authentication and many other features.
  • Sucuri Security: Sucuri provides a wide range of security features, including security activity auditing, file integrity monitoring, remote malware scanning, blacklisting monitoring, and effective security hardening. It also offers a Website Firewall as part of its premium package.
  • All-In-One WP Security & Firewall: All-in-One WP offers an easy-to-use interface for beginners and advanced features for experienced users. It includes login lockdown, firewall protection, user account security, and various security scanners to detect vulnerabilities.
  • iThemes Security: iThemes Security (now Solid Security) helps secure and protect your website from potential threats. It offers two-factor authentication, password security and expiration, reCAPTCHA, and database backups. The plugin is known for its user-friendly interface and detailed logs.
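Keeping everything up to date is easier to do reliably from the command line than from the dashboard. The script below is an added example, not code from this article, from WP-CLI or from any of the plugins listed: it assumes WP-CLI is installed, treats /var/www/html as a placeholder for your site root, and uses WP-CLI’s checksum commands to confirm that core and plugin files match what WordPress.org published, both before and after updating.

```shell
#!/bin/sh
# WordPress update and integrity check with WP-CLI.
# Added example, not a SaneChoice, WordPress or WP-CLI project script.
# Assumes WP-CLI is installed and WP_PATH (placeholder /var/www/html) is the site root.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"

# Wrapper so every call targets the right install. Run this script as the
# web server's user, not root (or add --allow-root deliberately).
wpcli() { wp --path="$WP_PATH" "$@"; }

# Plugins with an update available, one slug per line.
outdated_plugins() {
  wpcli plugin list --update=available --field=name
}

# Number of plugins needing an update (0 when the list is empty).
count_outdated() {
  outdated_plugins | grep -c '.' || true
}

# Compare core and plugin files with the checksums WordPress.org publishes.
# A non-zero exit means a file was changed or added. On a site you haven't
# customised that is either a stale hack or an injected backdoor, so look
# before you update over the evidence.
verify_integrity() {
  wpcli core verify-checksums
  wpcli plugin verify-checksums --all
}

# Update core, run any pending database migration, then plugins and themes.
update_everything() {
  wpcli core update
  wpcli core update-db
  wpcli plugin update --all
  wpcli theme update --all
}

# Run "sh wp-maintain.sh run" on the server after taking a backup.
if [ "${1:-}" = "run" ]; then
  verify_integrity
  echo "plugins needing update: $(count_outdated)"
  update_everything
  verify_integrity
fi
```

Schedule it with cron after your backup job. A checksum failure before the update is the interesting case: WordPress.org only knows the files it shipped, so on an uncustomised site an extra or modified file in core or a plugin directory means someone else put it there, and you want to investigate it, not overwrite it.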

Conclusion

Hopefully, if anything, we have taught you one aspect of security – security is three-dimensional. A single WordPress plugin cannot create an iron-clad defence against threat actors.

If you want to minimise your security workload to one area, we advise you to ensure your traffic routes through the Cloudflare network. The free plan has so many security features that it is hard to ignore. However, ensuring your server is behind a firewall and keeping software up-to-date is also very important in the fight against malicious threat actors.

If you take online payments or collect personal information, spend time and budget on security. It’s a little like car insurance; everyone hates it until they have an accident, and then they realise its value. Don’t be the one telling your customers that their valuable data is now in the public domain because you skimped on security. They expect you to protect their data and privacy as a given.


