When it comes to online security, you can’t be too careful.


In a 1993 movie directed by Sydney Pollack, ‘The Firm’, starring Tom Cruise, there’s an excellent quote spoken by the head of security for a Tennessee law practice. When asked why he was keeping a close eye on Mitch McDeere (Cruise’s character) the conversation went something like this:

“Why are you so keen on checking out this guy? He doesn’t seem suspicious.”

“Because I get paid to be suspicious, *especially* when I’ve got nothing to be suspicious about…”

That’s just the attitude that WordPress (WP) designers and site owners should take to their online security. Just because you’re paranoid doesn’t mean that they’re not out to get you!

Let’s look at the steps we can take to make WP sites as secure as possible for the owners, designers and visitors alike:

External tools.

Aside from the on-site security practices that we examine further below, there are external tools that protect the designer's own connection, chiefly a VPN (virtual private network) or, to a lesser degree, a proxy server. Their job is to hide the designer's real IP address from the sites they visit and to encrypt their traffic on whatever network they happen to be using, so that somebody on the same coffee-shop Wi-Fi cannot read or tamper with the admin session.

A VPN works by placing an encrypted tunnel between the user's device and a server run by the VPN provider. Ordinarily, without a VPN, a WP designer working from home or the office connects through the building's router to their internet service provider (ISP); the device looks up the IP address of the target website through a DNS resolver (normally the ISP's) and connects to it directly. Every site visited, including its analytics software, sees the visitor's real public IP address, which gives away their ISP and approximate location. Whoever controls the local network or sits on the path to the ISP can see which sites are being visited and, for anything not served over HTTPS, the content as well. So can anyone who has compromised that router.

With a VPN, everything between the device and the VPN server travels inside the encrypted tunnel: the local network and the ISP see only encrypted traffic to one address, and the websites on the other end see the VPN server's address rather than the designer's. (The VPN provider itself sees everything, so choose one you are prepared to trust.) That matters against opportunistic attackers, who go for what they can see: an admin session on an open Wi-Fi network, or a home connection that can be tied to a particular person. What a VPN does not do is protect the WordPress site itself, which stays reachable by anyone on the internet, which is why the measures below still have to be done.

A neat analogy might be leaving a laptop computer on the passenger seat of a Cadillac and parking it in a bad neighborhood. The chances are that a window will be smashed, and the car robbed. But if that same laptop was hidden under the rear passenger seat of a 15-year-old Chevy Nova, nobody is going to give the vehicle a second glance.

It’s the anonymity and encryption that a VPN provides which is its very strength. So how can a VPN be used in conjunction with regular WP security measures to make sure that your precautions are the best that they can be? 

The dating game. 

The most obvious first rule is to keep your WP core, plugins and themes updated. Updates carry the fixes that the WordPress core team and the plugin and theme authors release as vulnerabilities are found, and whether you use a VPN or not this is just common sense. Yes, an upgrade may break a plugin or theme that has not kept pace, but better to upgrade and tweak than to have your site hacked and flooded with unimaginable horrors. Delete plugins and themes you are not using rather than merely deactivating them: deactivated code still sits on disk under the web root and can in some cases still be reached directly by an attacker.

Abracadabra!

Use strong passwords for your WP database and admin. Don’t have the primary admin username as ‘admin’ and use a password manager to generate and keep unique passwords. If your website is JimsAutos dot com – your admin name is Jim and your password JimsAutos – you only have yourself to blame if someone drives off with your website in shreds. 

The host with the most. 

Choosing a reputable WP hosting provider is essential. Cheap hosting packages often run old PHP versions that no longer receive security fixes and that recent WordPress releases will not run on, which leaves the site stuck on an old, vulnerable version. Consequently, many people take the sensible option of paying WordPress.com to act as host, where the platform keeps PHP and core patched for you; if your site misbehaves there, the fault is most likely in your own theme or plugin. A VPN between your machine and the hosting provider protects your side of the connection; make sure the admin area is served over HTTPS too, since that is what protects the session all the way to the server. If you have friends trained in ethical hacking, get the arrangement in writing, check your host's terms on security testing, and then let them see whether they can get past your precautions.

Sweet 2FA. 

Enabling two-factor authentication (2FA) is an excellent idea, especially if guest admins and clients are going to be logging into sites: a stolen or guessed password alone is then not enough. Likewise, limiting the number of login attempts using a plugin blunts brute-force attacks; make sure the limit also covers logins made through xmlrpc.php, which bots use for the same purpose. Security plugins such as Sucuri or Wordfence add malware scanning and a web application firewall on top.

It's also popular to cloak the default login URL, changing 'wp-login.php' to an address of your own naming (core has no setting for this; it needs a plugin). Treat it as a nuisance for bots rather than real protection, since xmlrpc.php still accepts credentials. Restricting access to the wp-admin directory and wp-login.php to known IP addresses is much stronger, but it interacts with the VPN: the address the server sees is the VPN's exit address, not yours, so the allowlist must contain that address, and that only works if the VPN provider gives you a fixed one rather than a different exit on every connection.
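The login throttle and the wp-admin IP allowlist described above can be implemented together in one must-use plugin, without a third-party plugin. The following is an added example, not code from the original post: it goes in wp-content/mu-plugins/login-lockdown.php, the thresholds and the ll_ function names are this example's own choices, and the allowlist entries are constructed placeholders from the documentation ranges (203.0.113.0/24 standing in for an office network, 198.51.100.7 for a VPN provider's fixed exit address).

```php
<?php
/**
 * Plugin Name: Login lockdown (added example)
 * Description: Per-IP/username failed-login throttle plus an IP allowlist
 *              for wp-login.php and /wp-admin/.
 * File: wp-content/mu-plugins/login-lockdown.php (mu-plugins load without activation)
 */

defined('ABSPATH') || exit;

const LL_MAX_ATTEMPTS   = 5;                       // failures allowed per IP+username pair...
const LL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;  // ...within this window; the lock lasts as long

// Hypothetical allowlist: an office network and a VPN provider's fixed exit IP.
// If your VPN hands out a different exit address on every connection you will
// lock yourself out, so use a provider that offers a dedicated IP, or keep an
// entry for a connection you can always reach.
const LL_ADMIN_ALLOWLIST = ['203.0.113.0/24', '198.51.100.7'];

function ll_client_ip(): string
{
    // REMOTE_ADDR is set by the web server and cannot be forged by the client.
    // Only substitute a proxy header such as X-Forwarded-For if your host's
    // reverse proxy or CDN is guaranteed to overwrite it; otherwise a bot can
    // spoof its way past both checks below.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_in_allowlist(string $ip, array $entries): bool
{
    // IPv4 only, to keep the example short; IPv6 needs inet_pton() and a 128-bit mask.
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach ($entries as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netLong = ip2long($net);
        $bits    = (int) $bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue;
        }
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

function ll_attempt_key(string $username): string
{
    return 'll_fail_' . md5(strtolower(trim($username)) . '|' . ll_client_ip());
}

// Count every failure. wp_authenticate() fires this for wp-login.php, XML-RPC
// and REST application-password logins alike, so a bot cannot dodge the
// throttle by switching to xmlrpc.php.
add_action('wp_login_failed', function (string $username): void {
    $key   = ll_attempt_key($username);
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LL_WINDOW_SECONDS); // each failure renews the window
});

// Refuse the login while the counter is at the limit. Priority 30 runs after
// core's own password checks (priority 20), so a correct password does not
// override the lock.
add_filter('authenticate', function ($user, string $username) {
    if ($username !== '' && (int) get_transient(ll_attempt_key($username)) >= LL_MAX_ATTEMPTS) {
        return new WP_Error('ll_locked', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 2);

// A successful login clears the counter for that IP+username pair.
add_action('wp_login', function (string $username): void {
    delete_transient(ll_attempt_key($username));
});

function ll_guard_admin(): void
{
    // admin-ajax.php and WP-Cron also pass through admin_init and front-end
    // features depend on them, so only the human-facing screens are gated.
    if (wp_doing_ajax() || wp_doing_cron()) {
        return;
    }
    if (ll_in_allowlist(ll_client_ip(), LL_ADMIN_ALLOWLIST)) {
        return;
    }
    wp_die('Access denied.', 'Forbidden', ['response' => 403]);
}
add_action('login_init', 'll_guard_admin');  // wp-login.php
add_action('admin_init', 'll_guard_admin');  // everything under /wp-admin/
```

Because a locked-out attempt is itself a failure, a bot that keeps hammering keeps its own lock alive; the lock is per IP and username, so the legitimate owner on another address is unaffected. Test the allowlist from the VPN before relying on it, and keep an out-of-band way back in (SFTP or the host's control panel to delete the file) in case the VPN's exit address changes.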

If in doubt, disable it out. 

Of course, you can always remove the built-in theme and plugin editor, so that an attacker who gets hold of an admin account cannot write PHP into your site from the dashboard, by adding one line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Additionally, you can remove or hide the WordPress version number from the page source and feeds; this makes it a little harder for an opportunistic scanner to match your site against a list of known vulnerabilities. Don't overrate it: the version can still be inferred from files such as readme.html and from the hashes of core files, so hiding it is no substitute for updating.
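Hiding the version fingerprint, and keeping core, plugins and themes patched automatically as the updates section above recommends, can both be done with a few lines of configuration. The following is an added example and not code from the original post: the three constants go in wp-config.php (shown as comments so the file is valid on its own) and the rest is a must-use plugin; the file name hardening.php and the hd_ prefix are this example's own choices.

```php
<?php
/*
 * Added example, in two parts:
 *   1. constants for wp-config.php (shown here as comments);
 *   2. a must-use plugin, wp-content/mu-plugins/hardening.php.
 */

// ---- 1. wp-config.php ----------------------------------------------------
// define('DISALLOW_FILE_EDIT', true);   // remove the theme/plugin editor from the dashboard
// define('WP_AUTO_UPDATE_CORE', true);  // install major and minor core releases automatically
// define('FORCE_SSL_ADMIN', true);      // login and admin only over HTTPS, VPN or not

// ---- 2. wp-content/mu-plugins/hardening.php ------------------------------
defined('ABSPATH') || exit;

// Auto-update plugins and themes as well. Sites that must test updates first
// should stage them; leaving known-vulnerable code running while waiting is
// the larger risk.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// the_generator() prints the version into <head> and into the RSS/Atom feeds,
// so blanking it through this one filter covers both.
add_filter('the_generator', '__return_empty_string');

// Enqueued scripts and styles default to ?ver=<WordPress version> when the
// plugin or theme does not supply a version of its own. Strip only that case:
// a plugin's own ?ver= is useful cache-busting and reveals nothing about core.
function hd_strip_core_version_query($src)
{
    if (!is_string($src)) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }
    parse_str($query, $args);
    if (($args['ver'] ?? null) === get_bloginfo('version')) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hd_strip_core_version_query', PHP_INT_MAX);
add_filter('script_loader_src', 'hd_strip_core_version_query', PHP_INT_MAX);
```

After deploying, view the page source and a feed URL and confirm no meta generator tag and no ?ver=<core version> remain; readme.html at the web root still names the version, so either remove it after each update or block it at the web server.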

In summary, if you take the above precautions and use a VPN every time you log in to your WP admin area (especially when you're away from home on public Wi-Fi), you'll be hosting a business website that performs and looks like that Cadillac we mentioned above, while being a far harder target for all those internet baddies.
