Out of the box, your WordPress website is not secure enough and you need to take some steps to protect your investment. After all, your website is the face of your business and you certainly don’t want it to go offline, and you don’t want it to be hacked.
Not securing your WordPress website properly is like leaving the front door of your home open at night. Surely nobody is going to come in, right?
Wrong. People will try, and without the proper security they will succeed.
Have you heard the popular statistic about WordPress?
The statistic is that WordPress powers 35% of all websites.
That’s often said to encourage people to choose the WordPress CMS. And I agree, that makes a compelling reason to consider WordPress for your business website.
But, with popularity comes vulnerability.
With so many eyes on WordPress, any vulnerability in core, in a theme or in a plugin is quickly found, and attackers scan every WordPress site they can find for it.
So you need to protect your WordPress website not just today but every day in the future, especially as WordPress is ever-evolving, releasing updates as often as 3 times a month.
My WordPress Website Analyser
In the Security audit of my WordPress Website Analyser, I test your site for the most basic, most fundamental security that it should have.
It comprises 5 different tests, and the more of these protections you have in place, the higher you score:
1. Do you have an SSL certificate?
An SSL certificate (strictly speaking a TLS certificate) is what lets your site serve HTTPS: an encrypted connection between the visitor's browser and the website.
Without it, anyone on the network path (on public Wi-Fi, or on a compromised router) can read or alter everything sent between the visitor and the website, including the password typed into your Admin login.
That’s a great reason to have an SSL certificate – it will build trust and confidence in your website.
However, did you know that serving your site over HTTPS can also improve your Google ranking?
Since August 2014, Google has used HTTPS as a ranking signal (a lightweight one, by their own description, but a signal nonetheless).
2. Is wp-login.php disabled?
What is wp-login.php? This is the WordPress page where you log in to the WordPress Admin, e.g. yourwebsite.com/wp-login.php (and /wp-admin/ redirects there too).
The problem with that is, everybody knows where it is!
Also, it is very easy to determine if your website is on WordPress by just checking the source code for some HTML that looks like this (WordPress adds it to the head of every page by default):
<meta name="generator" content="WordPress 5.2" />
Leaving both in place doesn't create a bug in WordPress, but it does hand every password-guessing bot the two things it needs: confirmation that the site is WordPress, and the exact URL to hammer.
If a hacker knows your website is WordPress, and knows where the Admin login is, you are an obvious target, right? Hiding the login cuts that automated noise; you still need strong passwords, a limit on failed attempts and ideally two-factor authentication behind it.
3. Can I find out your WordPress Admin users?
Did you know I can visit your WordPress website and check for WordPress Admin users?
It’s easy, if you don’t have the right protection.
Normally, a WordPress website will allow me to append "?author=1" to your home URL.
That 1 represents an identifier (ID) for a user, and ID 1 is almost always the first administrator created when the site was installed.
If a user with that identifier exists, WordPress will redirect me to the author archive for that user, e.g. yourwebsite.com/author/admin/.
At this point, the URL has changed, and it contains the user's URL slug, which by default is simply the username.
If I just did that on your website, without restriction, then I have just found a valid username for WordPress, and I can repeat it with ?author=2, ?author=3 and so on to collect the rest. (The WordPress REST API, at /wp-json/wp/v2/users, will list users who have published posts too, so that route needs blocking as well.)
I could then try to log in to your WordPress Admin using this username, and I don't think you want that to happen, do you?
4. Can I bring your site down with load-scripts.php and load-styles.php?
These two files live in /wp-admin/ and exist to bundle many of the Admin's scripts and stylesheets into a single response. Used correctly, they are purposeful. Used maliciously, they have the potential to bring your website down.
This behaviour has always existed and WordPress has never changed it. It was publicly reported in early 2018 against version 4.9.2, and no security release since then has addressed it.
In fact, WordPress does not treat it as a specific issue to resolve: the reported reasoning is that this kind of thing should be mitigated at the server or network level rather than in the application.
Also, a popular security plugin for WordPress defines it a “non-issue and would class this attack with other DoS and DDoS style attacks”.
What’s this DoS or DDoS?
It’s Denial of Service i.e. bringing your website down.
The catch is that these files are served to anyone, logged in or not, and each request can name a long list of scripts to concatenate, so one request makes the server read and assemble many files. Someone sending enough such requests in parallel can exhaust the CPU or PHP workers of your hosting and cause your website to become unavailable.
That would stop anybody else accessing your website.
For this reason, I recommend you be safe rather than sorry.
5. Are pingbacks and trackbacks disabled?
Pingbacks and trackbacks are great in theory.
They could have been a great way to easily drive more traffic to your website.
When you write a new article (blog post), you are going to add plenty of external links aren’t you?
You know external linking is good for SEO.
With pingbacks, those external websites are automatically notified that you are linking to them. And, if they accept, an excerpt of what you wrote and a link to your article will appear in their comments.
Sounds pretty good for SEO doesn’t it?
Only, it got abused.
It wasn’t long after WordPress introduced this feature, that it got exploited by spammers – it was a great way for them to get more links to their spam website.
So today, most WordPress websites have it turned off.
If you don’t turn it off, the more popular your website becomes, the more you are going to have to wade through your pingback comments sifting out the spam.
So, I suggest you turn it off too.
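As an added example (not the analyser's own code, and nothing to do with WP Cerber), here is how the HTTP-observable tests above can be implemented and checked offline in Python: HTTPS, the wp-login.php form and generator tag, author enumeration via ?author=N, and an anonymous load-scripts.php request. The pingback test is an Admin setting rather than something the script probes, so it is left out. The site names and responses are constructed, and the only assumption beyond what the page describes is that a protected site answers these probes with a 403 or 404.

```python
"""Added example: offline-testable versions of the WordPress checks discussed
above. Not the page's own analyser; sample sites and responses are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


# A fetcher performs a GET *without* following redirects, so the Location
# header of the ?author=N redirect can be inspected.
Fetcher = Callable[[str], Response]

GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress', re.I)
AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?")


def check_https(site: str) -> bool:
    """Test 1: the site address must be served over HTTPS."""
    return urlsplit(site).scheme == "https"


def check_login_hidden(site: str, fetch: Fetcher) -> bool:
    """Test 2: the stock login form (its username field is name="log")
    must not be reachable at /wp-login.php."""
    r = fetch(urljoin(site, "/wp-login.php"))
    return not (r.status == 200 and 'name="log"' in r.body)


def check_generator_hidden(site: str, fetch: Fetcher) -> bool:
    """Also test 2: the home page should not announce 'WordPress x.y'."""
    r = fetch(site)
    return GENERATOR_RE.search(r.body) is None


def enumerate_authors(site: str, fetch: Fetcher, max_id: int = 5) -> Dict[int, str]:
    """Test 3: /?author=N redirects to /author/<slug>/ when user N exists.
    Returns {id: slug}; an empty dict means nothing leaked."""
    found = {}
    for uid in range(1, max_id + 1):
        r = fetch(f"{site.rstrip('/')}/?author={uid}")
        m = AUTHOR_SLUG_RE.search(r.headers.get("Location", ""))
        if r.status in (301, 302) and m:
            found[uid] = m.group(1)
    return found


def check_load_scripts_restricted(site: str, fetch: Fetcher) -> bool:
    """Test 4: an anonymous request for one script handle must not be served."""
    r = fetch(urljoin(site, "/wp-admin/load-scripts.php?c=1&load=jquery-core"))
    return not (r.status == 200 and "jQuery" in r.body)


def audit(site: str, fetch: Fetcher) -> dict:
    """Run every check; score is the number of checks passed."""
    users = enumerate_authors(site, fetch)
    checks = {
        "https": check_https(site),
        "login_hidden": check_login_hidden(site, fetch),
        "generator_hidden": check_generator_hidden(site, fetch),
        "users_protected": not users,
        "load_scripts_restricted": check_load_scripts_restricted(site, fetch),
    }
    return {"checks": checks, "users": users,
            "score": sum(checks.values()), "max": len(checks)}


# ---- constructed sample sites (hypothetical hosts, canned responses) ----
def fake_fetcher(routes: Dict[str, Response]) -> Fetcher:
    """Serve canned responses keyed by path plus query; anything else is a 404."""
    def fetch(url: str) -> Response:
        p = urlsplit(url)
        key = p.path + (f"?{p.query}" if p.query else "")
        return routes.get(key, Response(404, {}, "Not Found"))
    return fetch


WEAK_SITE = "http://weak.example/"
WEAK_ROUTES = {
    "/": Response(200, {}, '<html><head><meta name="generator" content="WordPress 5.2" /></head></html>'),
    "/wp-login.php": Response(200, {}, '<form><input type="text" name="log" id="user_login"></form>'),
    "/?author=1": Response(301, {"Location": "http://weak.example/author/admin/"}),
    "/?author=2": Response(301, {"Location": "http://weak.example/author/jane/"}),
    "/wp-admin/load-scripts.php?c=1&load=jquery-core":
        Response(200, {"Content-Type": "application/javascript"}, "/*! jQuery v3.4.1 */"),
}
HARDENED_SITE = "https://hardened.example/"
HARDENED_ROUTES = {
    "/": Response(200, {}, "<html><head><title>Hardened</title></head></html>"),
    "/?author=1": Response(403, {}, "Forbidden"),   # blocked instead of redirected
}

if __name__ == "__main__":
    for site, routes in ((WEAK_SITE, WEAK_ROUTES), (HARDENED_SITE, HARDENED_ROUTES)):
        print(site, audit(site, fake_fetcher(routes)))
```

To point it at a real site you would replace fake_fetcher with a function that does a GET with redirects disabled (for example requests.get(url, allow_redirects=False)) and returns the status, headers and body; the checks themselves don't change. The weak sample scores 0 of 5 and gives up the slugs admin and jane; the hardened sample scores 5 of 5.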
How to make your WordPress website secure
I have shown you everything I test for in this audit, and now I will show you how you can easily pass all of these tests to score 100%:
1. Install an SSL certificate
Installing and then using an SSL certificate is something that involves both your web hosting and your website itself.
In simple terms, you need to get a certificate installed on your hosting and then change your website to use HTTPS rather than HTTP.
Usually your web hosting provider is the place to start.
Many hosts now issue a free Let's Encrypt certificate from their control panel; otherwise you will be able to buy a certificate from them, and either way they will help you with the installation.
Once it is in place, change both the WordPress Address (URL) and Site Address (URL) under Settings > General to https://, and redirect all HTTP requests to HTTPS so that old links and bookmarks land on the secure version.
2. Install WP Cerber
With the WP Cerber plugin, you will be able to pass the following tests:
- Hide wp-login.php
- Prevent access to user information
- Restrict access to load-scripts.php and load-styles.php
So you need to hide your wp-login.php file.
That's called obfuscating, i.e. security by obscurity: it doesn't fix anything inside WordPress, but it takes your login off the one URL every bot already knows, which cuts brute-force attempts dramatically. Strong passwords and two-factor authentication still matter.
What I mean is, put your WordPress Admin login elsewhere.
With the WP Cerber plugin, you can change your Admin login from wp-login.php to anything else you want.
You want to use a random name like "dm0i302fd1" so that nobody has a chance of guessing it. Afterwards, check that both /wp-login.php and /wp-admin/ give an error for a logged-out visitor rather than revealing the new address.
Do this for all of your WordPress sites, and make it different each time.
Prevent access to user information
WP Cerber makes this very easy for you.
Turn on the option "block access to user pages like /?author=n". Then check that /?author=1 no longer redirects to an author page, and that /wp-json/wp/v2/users no longer lists your users either, since the REST API is another route to the same information.
Restrict access to load-scripts.php and load-styles.php
Again, with WP Cerber, you can do this very easily.
Simply turn on the option “protect admin scripts” and you are done.
3. Disable pingbacks and trackbacks
The last thing you need to do to score 100% is turn off pingbacks and trackbacks.
No additional plugins or code are required to do this.
Go to your WordPress Admin Discussion page, and untick the option that allows link notifications from other blogs (pingbacks and trackbacks). Note that this setting only applies to new posts; existing posts keep their own per-post setting, so use Bulk Edit on the Posts page to turn pings off for those too.
So, what do you think about my WordPress Website Analyser? Do you think it has enough for WordPress security?
I know I haven’t talked about my WordPress Website Analyser, but I’ve been working on it in the background for a while.
A feature of this tool is to show you a cached report for a webpage if it exists. By doing this, I can keep demand on your web server and on mine to a minimum. It also enables me to show the results to you much quicker.
Give my WordPress Website Analyser a try and let me know what you think.