By
Ruhit Rafian Prinon
February 5, 2020
As the internet keeps growing, so does the number of attackers probing websites for weaknesses. In this blog post we cover the basics of WordPress content security and give you an idea of what you should be doing to better protect your own data and that of your users.
The most obvious, and yet often the most neglected, practice is to keep WordPress and PHP up to date. You must, must, must always keep your WordPress core on the latest release, and the PHP on your server should be a version WordPress currently recommends. Updates bring new features, but more importantly they carry the security fixes that the WordPress and PHP projects publish for free; running an old version means running with holes that are publicly documented and easy to find.
On any WordPress forum you will notice a lot of users arguing that updating core might break their site. That is never a good enough reason to leave the site at risk: take a backup or test the update on a staging copy first, but do not postpone it. A broken layout is far easier to recover from than waking up one day to find your site breached and user information stolen.
At the time of writing, the latest version of PHP supported by WordPress is v7.4.1, and the latest version of WordPress is v5.3.2. Keeping your site's backend current is the cheapest security improvement you can make. Explore the essential web hosting features for more details.
Attackers who gain a foothold will try to hide malware on your site, for example by modifying existing files or dropping new ones into directories that should not change. A malware scanner is therefore crucial: it compares the files on your WordPress install against known-good checksums and flags anything modified, unexpected or malicious. A few plugins that have advanced malware scanners are:
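Whichever scanner you pick, the core of a file-based malware scan is a checksum comparison. The Python below is an added example written for this post, not code from any of the plugins: it snapshots a directory tree, then reports which files were added, removed or modified since the baseline. The directory layout and file contents are constructed for the demo.

```python
"""File-integrity scan: snapshot a directory tree, then report what changed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads are never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file below root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean install, then a core edit and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // core file\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(root)  # taken right after a clean install

        # Simulated tampering (constructed for the demo, not real malware):
        # one core file gets an extra line, one unexpected file appears.
        (root / "wp-includes" / "functions.php").write_text(
            "<?php // core file\n// injected line\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "cache.php").write_text("<?php // unexpected new file\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

WordPress publishes checksums for every core release, and WP-CLI's `wp core verify-checksums` runs exactly this comparison against them; the plugin scanners do the same for plugins and themes and add signature matching on file contents. The baseline only means something if it was taken from a clean install, so take it right after installing or updating, not after you already suspect a compromise.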
Prevent Content Theft is a nifty little plugin that disables the right-click menu on your web pages, so casual visitors cannot save your images with a click. It also disables the default copy and paste keyboard shortcuts, making your text a little harder to lift. Keep in mind that this is a client-side convenience measure only: a visitor who disables JavaScript, views the page source or requests the image URL directly still gets everything, so treat it as a deterrent, not as protection.
WordProof protects your texts and files against copyright infringement by computing cryptographic hashes of your content and recording them, together with a date and time, on a blockchain, so that you can later prove what your content was and when it existed. You can also generate certificates of authenticity to display as popups on your website. Note that this proves authorship and timing after the fact; it does not stop anyone from copying.
Hotlinking occurs when another website embeds your resources (images, videos or files) directly from your server for its own benefit. Your bandwidth then serves someone else's visitors: you gain nothing and pay for the traffic. Hotlinking other websites' resources is therefore considered bad "netiquette", and to protect your content you should disable it on your own site.
Fortunately, it is super easy to disable hotlinking. The server checks the Referer header of each image request and refuses requests that do not come from your own pages. Two caveats: the Referer is supplied by the client, so this stops casual embedding rather than a determined scraper, and some browsers and privacy settings send no Referer at all, which is why both configurations below still allow requests with an empty one (otherwise direct visits to your images would break too).
If you're running an Apache server, add these lines to the .htaccess file in your site root (mod_rewrite must be enabled):
# Allow requests with no Referer and requests from our own domain;
# redirect every other image request to a placeholder image.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]
Replace yourdomain.com with your own domain (the dots are escaped because the pattern is a regular expression), and keep the placeholder image on a different domain or exclude it with a further RewriteCond, otherwise the rule matches the placeholder request itself and redirects in a loop. Alternatively, if you're running an NGINX server, add this location block inside the server block for your site and reload NGINX:
# Case-insensitive match on image extensions (the dot must be escaped).
location ~* \.(gif|png|jpeg|jpg|svg)$ {
    # "none" = no Referer header sent, "blocked" = header stripped by a proxy or firewall;
    # the search engines are allowed so image search keeps working.
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}
We’ve published an in-depth tutorial on how to prevent hotlinking on WordPress for you. Check that out!
DDoS stands for Distributed Denial-of-Service, and it is one of the most disruptive attacks your website can face. Your data and files usually remain untouched, but the flood of requests from many sources exhausts the server's connections, CPU, memory and bandwidth until legitimate visitors cannot get through. To learn more about DDoS, you can refer to this write-up by Cloudflare.
As for solutions, two services currently lead the field for DDoS protection:
Sucuri provides a robust DDoS mitigation system fronted by a continuously updated web application firewall, and you also get a high-performance CDN for better content delivery. There is no free tier, but the investment is well worth the money if you are serious about your WordPress website.
Cloudflare also provides strong DDoS protection and a web application firewall, plus a large set of analytics tools. Its free plan includes basic protection; the firewall rules and features that matter most for a site under attack are on the paid plans, so to get the most out of Cloudflare we recommend a premium tier. Whichever provider you choose, configure your origin server to accept web traffic only from the provider's network: if an attacker discovers the origin's real IP address, they can otherwise send traffic straight to it and bypass the protection entirely.
An easy way for an attacker to gain unauthorised access to your website is through the WordPress login page. It is the first layer of protection against intruders, and most of them start there, so securing the login page is one of the first steps towards content security.
Masking your login page helps. Anyone who knows a site runs WordPress can open https://yourdomain.com/wp-login.php and reach the backend login form, after which the site is exposed to brute-force attacks: an automated script simply tries username and password combinations until one works.
One tidy mitigation is to move the login URL to a different, unique path; we already have an article on how to mask your login page. Keep in mind that this is obscurity rather than a real control, so combine it with the rate limiting and two-factor authentication described next.
Even if attackers do find your masked login page, rate limiting stops them from guessing freely. For this purpose you can use the plugin Limit Login Attempts Reloaded.
“Limit Login Attempts Reloaded blocks an Internet address from making further attempts after a specified limit on retries has been reached, making a brute-force attack difficult or impossible.”
Limit Login Attempts Reloaded
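To make concrete what such a plugin does, here is the lockout logic in Python, an added example written for this post and not the plugin's own code: after max_retries failed attempts an address is refused for lockout_seconds, even if a later guess happens to be correct. The defaults of 4 retries and a 20-minute lockout are assumed for the demo, and the attempt log is constructed.

```python
"""Per-IP login throttling: the logic behind 'limit login attempts' plugins."""
from collections import defaultdict
from typing import Dict, List, Tuple


class LoginLimiter:
    """Refuse an address after max_retries failures, for lockout_seconds."""

    def __init__(self, max_retries: int = 4, lockout_seconds: int = 20 * 60):
        self.max_retries = max_retries          # assumed defaults for the demo
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the counter starts fresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"              # refuse before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)  # a success resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_retries:
            self.locked_until[ip] = now + self.lockout_seconds
        return "failed"


# Constructed attempt log: (seconds since start, client address, password correct?)
ATTEMPTS: List[Tuple[float, str, bool]] = [
    (0, "203.0.113.9", False),
    (1, "203.0.113.9", False),
    (2, "203.0.113.9", False),
    (3, "203.0.113.9", False),            # fourth failure triggers the lockout
    (4, "203.0.113.9", True),             # correct guess, but the address is locked
    (5, "198.51.100.7", True),            # a legitimate user elsewhere is unaffected
    (4 + 20 * 60, "203.0.113.9", True),   # lockout has expired by now
]


def replay(attempts: List[Tuple[float, str, bool]] = ATTEMPTS) -> List[str]:
    """Run the log through a fresh limiter and return the decision per attempt."""
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in attempts]


if __name__ == "__main__":
    for (t, ip, _), decision in zip(ATTEMPTS, replay()):
        print(f"t={t:>5}  {ip:<14}  {decision}")
```

Two caveats the example makes visible. The counter is keyed on the client address, so behind a reverse proxy or a DDoS service such as Cloudflare or Sucuri every request arrives from the proxy's address; the plugin must be told to read the real client address from the header the proxy sets, or a lockout will lock out everyone at once. And an attacker who rotates addresses across a botnet resets the counter each time, which is the gap the network-wide blacklist described next is meant to close, and why rate limiting should never be the only control on the login page.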
Another WordPress security plugin that deters brute-force attacks is iThemes Security, which takes the idea a step further. Besides locking out addresses locally, it maintains a network-wide blacklist of addresses seen brute-forcing other iThemes-protected sites, so a known attacker can be blocked before the first attempt on yours. That keeps it a step ahead of both other plugins and the attackers.
Two-factor authentication (2FA) is another clean way of securing the WordPress login. Users of this new decade are increasingly coming to see 2FA as a necessity rather than a nuisance, and for good reason: it is a simple system, yet once it is enabled a stolen or guessed password alone is no longer enough to get in. To learn how to enable two-factor authentication, please refer to our article.
CDN stands for Content Delivery Network. In a nutshell, a CDN gives faster load times by replicating your website's static assets to servers around the globe. It does not replace your hosting provider, but it makes loading your web pages much faster. Once enabled, assets such as JavaScript files, stylesheets, images, videos and other static files are served from the CDN instead of your origin server.
Most assets load faster because the CDN edge server is usually much closer to the visitor than your origin. Along with the speed improvement, your host server carries far less load, since it no longer serves every static file itself, and that headroom also helps it stay up under a traffic spike. To learn more about CDNs, refer to our article on why you should use a CDN.
There are many ways to protect your content from hacks, data loss and malware. In this day and age, knowing the practices that keep your users' environment safe and stable is a big deal, and with the tips and tools above you can substantially improve the content security of your WordPress website.