Content Management Systemen such as WordPress are constantly scrutinized by hackers. They do this to highjack the site via a leak to attack other websites or to just put spam on your website. Sometimes even all of the above. To do great WordPress Security, monitor your website and to prevent brute force password attacks a lot has to be done. To prevent spam or malware injections is not an easy task. Not even with existing plugins and or scripts. But no worries. Let us take care of it while you work doing what you do best.
Prevention
Besides backing up your website, which is great prevention, there are a number of WordPress Security prevention tools that we use. We use state of the art security plugins such as Wordfence and or iThemes Security to monitor your website. We use general monitoring using iThemes Sync.We use .htaccess authentication to block brute force access in certain cases.
If we manage the server for you, we go even further. We implement server level security such as Fail2Ban Firewall, configure ip tables and harden file and folder rights and permissions. And we also use the Bedrock WordPress Boilerplate for better password security and webroot isolation.
WordPress Security Plugins
These plugins – Wordfence and iThemes Security – help us deal with all kind of possible issues that could occur or happen. They are great plugins by great companies with free versions as well as premium ones. They help us with:
- brute force attack prevention
- enforcing strong passwords
- keep track of file changes
- notify when plugins or WordPress needs updating
- enable two factor authentication
- malicious file injection prevention
- folder rights and permissions
iThemes is great for us as we can integrate it with the iThemes Synch which we use for general monitoring and updates as well.
Bedrock WordPress Boilerplate
We use Bedrock, Modern WordPress Stack. We use this for our managed WordPress sites as it does not work well on shared hosting sites. It is a boilerplate or WordPress stack that organizes your WordPress in a more logical way. Bedrock does plugin, theme and core management with Composer. WordPress Security wise it does the following:
- including WP Password Bcrypt to fix the issue with the weaker MD5 encryption,
- sets up an isolated web root to limit access to non-web files.
Two tweaks that can make all the difference for your website.
Monitoring
As mentioned we use iThemes Sync Pro for monitoring all our clients’ websites. It is an online panel provided by iThemes that allows us to monitor several things that matter. It monitors uptime, plugin, theme or WordPress updates. It also integrates fully with iThemes Security to show us what is happening on the security side of things.
Trellis Secure WordPress Server
At a server level we also take care of security. This again is the case when we do full server management. In that case we always use Trellis. It is an awesome ansible playbook to runs a local, staging and production environment all in one with hardened WordPress Security. It adds the following components to make your server more secure:
- Fail2Ban Firewall
- Let’s Encrypt SSL Certificates
- Roots disabled access
- HSTS Headers – HTTPS Enforcement on the fly
Often this security is solid enough to even go without the earlier mentioned security plugins.