WordPress is a free and open-source content management system (CMS). It is the most widely used CMS in the world, powering more than 35% of the 10 million largest sites, which translates into an estimated 60% share of all sites that use a CMS.
Using such a popular system makes sense: it has a large feature set, and with millions of users around the globe it is well tested, which keeps the number of bugs down.
But, as with most things, there is also a dark side. There's always one, isn't there? With so many WordPress installations out there, WordPress sites are a prime target. Attackers play the numbers: it makes no sense to spend hours finding a way into a well-hardened site when plenty of vulnerable ones can be found by simply scanning for them.
So, to protect your website and keep it from becoming an easy target, you need to build on the security foundation WordPress ships with. Here are 5 plugins I believe you MUST include on your site to keep it secure.
One of the most reliable security plugins for WordPress. Wordfence includes an endpoint firewall and a malware scanner built from the ground up to protect WordPress. It scans your site's core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. You can also enable two-factor authentication and block logins by administrators whose passwords are known to have been compromised.
This plugin protects your WordPress users' sessions from shoulder surfers and snoopers! You define an idle period after which a user's session is closed automatically. Install it, set the idle timeout, and it is working.
SSL certificates are a must nowadays, not just for security reasons but also because running over https affects your SEO performance. That is why your site should always use a certificate. The simplest way to set it up if you do not have the technical knowledge is this plugin. Really Simple SSL automatically detects your settings and configures your website to run over https. Before forcing https, make sure a valid certificate is actually installed on the server, otherwise the redirect will lock visitors out of your site.
Log all user activity on your site so you can keep track of what has been changed. You will be able to log posts and pages, attachments, taxonomies (custom taxonomies, categories, tags), comments, widgets, plugins, user profiles, user logins, failed user logins, menu edits, option screens, the privacy page, and data export and user data erasure requests. For incident response, this log is worth most when it records which user acted from which IP address and is kept somewhere an attacker with an admin account cannot simply wipe it.
The WordPress file xmlrpc.php has long been a target, and two abuses of it are well known. The pingback feature (the pingback.ping method) can be used to make your site issue HTTP requests to an address of the attacker's choosing, turning it into a reflector in distributed denial-of-service attacks. More recently, the system.multicall method has been used to pack hundreds of username/password guesses into a single request, which is why this is called a Brute Force Amplification Attack: each POST costs the attacker one request but tests many credentials, and per-request login limits never trigger.
Basically, XML-RPC allows internet platforms to interact with each other. Specifically, xmlrpc.php is the endpoint that lets external applications connect to your site and transmit and process data.
Some plugins like Jetpack, and the WordPress apps for iPhone and Android, use this file to interact with your site. If you are not using any of this functionality, disable the endpoint to shut down this brute-force vector. If you do need it, you cannot simply block the file, so limit what is exposed instead (for example by disabling the pingback method) and make sure your firewall plugin rate-limits failed logins made through XML-RPC as well as through the normal login form.
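To make the brute force amplification concrete, the following Python script is an added example for this article (it is not code from WordPress or from any plugin named here). It parses captured XML-RPC request bodies and labels each one as a pingback reflection attempt, a multicall credential-guessing request, or benign. The request bodies, the list of authenticated methods and the threshold of 5 credentials per request are constructed assumptions for illustration; the XML-RPC structure itself (methodCall, system.multicall, pingback.ping) is the real protocol.

```python
"""Classify captured XML-RPC request bodies by the abuse pattern they show.

Added example for this article; it is not code from WordPress or any plugin
named here. All request bodies below are constructed for illustration.
"""
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Methods whose first two params are a username and password: these are the
# calls an attacker stacks inside system.multicall to guess credentials.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getCategories", "metaWeblog.getUsersBlogs"}

# Assumed threshold: a real client rarely packs more than a handful of
# authenticated calls into one multicall; credential guessing packs hundreds.
MULTICALL_AUTH_THRESHOLD = 5


def parse_multicall(root):
    """Return [(method_name, [string params...]), ...] for a system.multicall body."""
    calls = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        name, params = None, []
        for member in struct.findall("member"):
            key = member.findtext("name")
            if key == "methodName":
                name = member.findtext("value/string")
            elif key == "params":
                params = [v.text or "" for v in member.findall("value/array/data/value/string")]
        calls.append((name, params))
    return calls


def classify(body):
    """Label one request body: benign, pingback-reflection or bruteforce-amplification."""
    root = ET.fromstring(body)
    method = root.findtext("methodName") or ""
    result = {"method": method, "verdict": "benign", "credentials_tried": 0, "unique_users": 0}
    if method == "pingback.ping":
        # pingback.ping(sourceURI, targetURI): the site fetches sourceURI, so an
        # attacker can point many blogs at one victim URL (reflection DDoS).
        strings = [v.text for v in root.findall("./params/param/value/string")]
        result["verdict"] = "pingback-reflection"
        result["source_uri"] = strings[0] if strings else None
    elif method == "system.multicall":
        creds = [(p[0], p[1]) for name, p in parse_multicall(root)
                 if name in AUTH_METHODS and len(p) >= 2]
        result["credentials_tried"] = len(creds)
        result["unique_users"] = len({user for user, _ in creds})
        if len(creds) >= MULTICALL_AUTH_THRESHOLD:
            result["verdict"] = "bruteforce-amplification"
    return result


def build_multicall(cred_pairs):
    """Build a system.multicall body with one wp.getUsersBlogs call per (user, password)."""
    inner = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{user}</string></value><value><string>{pw}</string></value>"
        "</data></array></value></member></struct></value>"
        for user, pw in cred_pairs
    )
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            "<params><param><value><array><data>" + inner +
            "</data></array></value></param></params></methodCall>")


# Constructed samples: one request carrying 50 password guesses for "admin",
# one legitimate single authenticated call, one pingback aimed at a third party.
BRUTE_FORCE_BODY = build_multicall([("admin", f"Password{i}") for i in range(1, 51)])
LEGIT_MULTICALL_BODY = build_multicall([("editor", "correct-horse-battery")])
PINGBACK_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
    "<param><value><string>http://victim.example/</string></value></param>"
    "<param><value><string>http://blog.example/2020/hello-world/</string></value></param>"
    "</params></methodCall>"
)

if __name__ == "__main__":
    for label, body in [("brute force", BRUTE_FORCE_BODY), ("legit", LEGIT_MULTICALL_BODY),
                        ("pingback", PINGBACK_BODY)]:
        print(label, classify(body))
```

The point to take from the sample is the ratio: the brute-force body is a single POST, so a login limiter that counts requests sees one attempt while 50 passwords have actually been tried against "admin". Counting credential pairs inside the body, as `classify` does, is what makes the amplification visible; disabling xmlrpc.php removes the whole vector.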
These 5 DIY choices raise the baseline security of your WordPress installation, but if you are managing a larger, enterprise-level WordPress site there are further measures to take to make it as secure as possible. These are highly technical and, unfortunately, there are no plugins for them, so you will need an expert developer. Such changes are specific to each site's configuration and set up, so they need to be planned individually to get the best results.