It's always good to remind ourselves that security is an aspect we cannot overlook on our website. We have already discussed the advantages of using SSL and how to protect ourselves from attacks on xmlrpc, but that is just the beginning.
Today we will learn how to defend our website in a much more complete way with All In One WP Security & Firewall, a free and easy to set up tool which will allow us to manage nearly every aspect of our security.
Basic security advice
First of all, I'd like to point out some basic rules which we need to follow at all times:
1. Use safe usernames and passwords. Avoid the names that appear by default when finishing an installation. Use strong passwords (+6 characters, upper and lowercase letters, digits). My advice for making them easy to remember: take two letters from each word of a sentence, turn some of the letters into uppercase and add some digits. The result would look somewhat like ¡Me23caeNtuMU!, which according to Kaspersky would take 327 centuries to decipher. Thanks, Chiquito de la Calzada.
2. Keep the website updated, plugins and themes included. Don't use pirated software; look for free alternatives.
3. Make backups periodically.
4. Protect critical files (wp-config.php, .htaccess, the uploads folder, etc.).
5. Minimize spam and keep track of user activity. If it isn't necessary, it's best to deactivate automatic registration.
6. Install a security plugin, for instance All In One WP Security & Firewall.
All in One WordPress Security
I chose this plugin because it is easy to set up and, unlike other plugins, we don't need to purchase the premium version to unlock its numerous functions.
Download the plugin from the repository or from the official website and activate it. It will immediately run the first scan of our system.
The first panel shows our progress, the second indicates which critical aspects we still have pending and the third gives the weight of each aspect within its group. It's a very intuitive way of evaluating our status.
The tabs show diverse information about our website and activity of our users.
To set up the plugin we'll take a look at each of its elements.
1.- We have all the information needed to decide whether to turn a setting on or off available to us at all times. Sometimes it will be an informative text, as point 1 shows, or else links which provide extra information and suggestions.
2.- Protection level
3.- The score. Its value is arguable, but without a doubt it gives a good idea of the level of security we've achieved.
As a rule of thumb, I recommend turning on everything that doesn't affect the performance of our website; it's better to over-secure than to end up unprotected. Luckily we have everything we need to choose correctly.
General Settings - Shows links to the settings for backing up critical elements. It allows us to partially or fully deactivate the plugin's functionality should problems arise within our website.
.htaccess and wp-config.php files - Makes backups of these files and restores them when necessary.
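The backup and restore the plugin offers for these two files can also be done by hand. The script below is an added example, not code from the post or from the plugin: it keeps timestamped copies of wp-config.php and .htaccess together with a digest of each, and only restores a copy whose digest still matches what was recorded, so a tampered or corrupted backup is never written back over the live site. The layout of the backup directory (a MANIFEST file plus `<name>.<label>` copies) is an assumption of this example.

```shell
# Added example, not the plugin's own code: keep timestamped copies of
# wp-config.php and .htaccess together with a digest, and restore a copy
# only when its digest still matches. The layout of the backup directory
# (one MANIFEST file plus "<name>.<label>" copies) is an assumption here.

# file_digest FILE -> hex digest (sha256sum where available, cksum otherwise)
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# backup_critical WP_ROOT BACKUP_DIR -> copies both files, records their
# digests in MANIFEST and prints the backup label (a UTC timestamp)
backup_critical() {
    root=$1; dest=$2
    label=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"                        # the copies hold DB credentials
    for f in wp-config.php .htaccess; do
        [ -f "$root/$f" ] || continue        # .htaccess may not exist yet
        cp -p "$root/$f" "$dest/$f.$label" || return 1
        chmod 600 "$dest/$f.$label"
        printf '%s %s\n' "$(file_digest "$root/$f")" "$f.$label" >> "$dest/MANIFEST"
    done
    echo "$label"
}

# restore_critical WP_ROOT BACKUP_DIR FILE LABEL -> puts FILE back from the
# copy made at LABEL, refusing if the copy no longer matches MANIFEST
restore_critical() {
    root=$1; dest=$2; f=$3; label=$4
    copy="$dest/$f.$label"
    [ -f "$copy" ] || { echo "no backup $copy" >&2; return 1; }
    recorded=$(awk -v n="$f.$label" '$2 == n { print $1 }' "$dest/MANIFEST")
    if [ -z "$recorded" ] || [ "$recorded" != "$(file_digest "$copy")" ]; then
        echo "digest mismatch for $copy, refusing to restore" >&2
        return 1
    fi
    cp -p "$copy" "$root/$f" && echo "restored $f from backup $label"
}

# Demo on a constructed site directory (not a real installation)
demo=$(mktemp -d)
mkdir -p "$demo/site"
printf "define('DB_NAME', 'wp');\n" > "$demo/site/wp-config.php"
printf 'LimitRequestBody 10240000\n' > "$demo/site/.htaccess"
label=$(backup_critical "$demo/site" "$demo/backups")
echo "corrupted" > "$demo/site/wp-config.php"      # simulate a bad edit
restore_critical "$demo/site" "$demo/backups" wp-config.php "$label"
rm -rf "$demo"
```

The backup directory is created with mode 700 and each copy with 600 because wp-config.php contains the database credentials; a backup that is world-readable undoes the point of protecting the original.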
WP version info - I suggest turning this setting on. It's preferable to offer the least information possible.
We can also export these settings to use them in other websites.
There are three tabs here. The first one checks that admins don't use default usernames. If that were the case, the best option would be to delete that account and replace it with another one.
The second tab verifies that usernames are not published. It provides a list of the accounts where this issue occurs, which we'll modify accordingly.
We make the changes in the user's profile and choose a variant of the account name as the public display name.
Once these changes are made we'll notice that we are up to date in this regard.
Finally, in the third tab, we evaluate our passwords.
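The checks these three tabs perform (no default usernames, adequate passwords) can be expressed as a small script, which is useful when creating accounts from the command line or reviewing an export of users. The following is an added example and not code from the post or the plugin; the list of default usernames and the 6-character threshold (my reading of the "+6 characters" rule from the basic advice) are assumptions chosen for the example.

```shell
# Added example, not part of the post or the plugin: a check of the username
# and password rules from the basic advice above, applied to one credential
# pair. The list of default usernames and the threshold of 6 characters
# (the post's "+6") are assumptions chosen for this example.

# Names that installers fall back to and that are therefore guessed first
DEFAULT_USERNAMES="admin administrator root test user"

# check_username NAME -> prints "ok", or the reason for rejection (status 1)
check_username() {
    name=$1
    for d in $DEFAULT_USERNAMES; do
        if [ "$name" = "$d" ]; then
            echo "rejected: '$name' is a default username"
            return 1
        fi
    done
    echo "ok"
}

# check_password PASS -> prints "ok", or the rules it breaks (status 1).
# Rules: at least 6 characters, upper and lowercase letters, and a digit.
check_password() {
    pass=$1
    broken=""
    [ "${#pass}" -ge 6 ] || broken="$broken too-short"
    printf '%s' "$pass" | grep -q '[[:upper:]]' || broken="$broken no-uppercase"
    printf '%s' "$pass" | grep -q '[[:lower:]]' || broken="$broken no-lowercase"
    printf '%s' "$pass" | grep -q '[[:digit:]]' || broken="$broken no-digit"
    if [ -z "$broken" ]; then
        echo "ok"
        return 0
    fi
    echo "rejected:$broken"
    return 1
}

# check_credentials NAME PASS -> "ok" only when both checks pass
check_credentials() {
    u=$(check_username "$1")
    p=$(check_password "$2")
    if [ "$u" = "ok" ] && [ "$p" = "ok" ]; then
        echo "ok"
        return 0
    fi
    echo "username: $u; password: $p"
    return 1
}

# Demo with constructed values; the strong password is the post's own example
check_credentials admin password
check_credentials jmartinez 'Me23caeNtuMU!'
```

The character classes are written as `[[:upper:]]`, `[[:lower:]]` and `[[:digit:]]` rather than `[A-Z]`, because in some locales the range form also matches lowercase letters and would let a weak password through.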
I recommend activating every setting in the first tab, with the exception of "Don't allow automatic unlock requests". This is a personal opinion. Any other default values can be left as they are.
I prefer, as a rule, not to use whitelists unless it's strictly necessary.
We have access to the list of failed login attempts, the last 50 logins and all the users online at the moment. We can log anyone out of their session. These settings are useful for detecting attack attempts and for resolving other incidents.
An optional setting is to limit how long our admin users stay logged in.
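The failed-login list is the raw material for the lockdown: what the plugin does is count failures per source address and block the address once it reaches the allowed number of retries. The script below is an added example, not the plugin's code, that applies the same logic to a login log. The log format is constructed for the example (the plugin and the web server each write their own format), and it also reports how many different usernames each address tried, since one address cycling through usernames looks very different from a legitimate user mistyping a password.

```shell
# Added example (not plugin code): flag source addresses whose failed login
# count reaches the lockout threshold, from a log in a constructed format.
# The format below is made up for this example; adapt the field extraction
# to whatever your server or plugin actually writes.

# Constructed sample log: timestamp, event, user, source IP (RFC 5737 ranges)
SAMPLE_LOG='2024-05-01T10:00:01Z LOGIN_FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:03Z LOGIN_FAILED user=administrator ip=203.0.113.5
2024-05-01T10:00:04Z LOGIN_OK user=jmartinez ip=198.51.100.7
2024-05-01T10:00:06Z LOGIN_FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:09Z LOGIN_FAILED user=jmartinez ip=198.51.100.7
2024-05-01T10:00:15Z LOGIN_FAILED user=admin ip=192.0.2.44'

# flag_lockouts THRESHOLD < log -> one line per IP with failures >= THRESHOLD:
# "ip failures distinct_usernames", sorted by IP
flag_lockouts() {
    awk -v limit="$1" '
        $2 == "LOGIN_FAILED" {
            ip = substr($4, 4)          # strip "ip="
            user = substr($3, 6)        # strip "user="
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit)
                    printf "%s %d %d\n", ip, fails[ip], users[ip]
        }' | sort
}

# Demo: with a threshold of 3, only 203.0.113.5 is flagged (3 failures,
# 2 different usernames); the single failure from jmartinez is left alone
printf '%s\n' "$SAMPLE_LOG" | flag_lockouts 3
```

Run against a real log (`flag_lockouts 3 < /path/to/login.log`) this gives the same list the plugin would lock out, which makes it a quick way to check that the lockdown threshold you configured matches what you see in the failed-login tab.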
In this section we can configure database backups and change the table prefix if we haven't already done so during installation. We should activate every setting unless we have implemented an alternative solution.
When changing the database prefix we need to proceed carefully to avoid undesired effects.
This function scans our installation and, if it finds access permissions different from the recommended ones, offers to correct them. Correcting them is the usual procedure.
I also suggest disabling the editing of .php files and access to common WordPress files. To modify the code, it's better to use a proper tool such as NetBeans. For specific cases we can temporarily turn this setting off.
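The permission scan is easy to reproduce on the server itself, which is handy when the plugin's own correction fails because of file ownership. The following is an added example and not the plugin's scanner: it lists every file or directory whose mode differs from the target and, with `fix` as the second argument, corrects it. The target modes (644 for files, 755 for directories, 640 for wp-config.php) are the example's assumptions; confirm them against what your hosting requires before running it with `fix`.

```shell
# Added example, not the plugin's scanner: list files and directories whose
# mode differs from the recommended one and, on request, correct them. The
# target modes (644 for files, 755 for directories, 640 for wp-config.php)
# are this example's assumptions; confirm them against your hosting setup.

# audit_perms WP_ROOT [fix] -> prints "WANTED_MODE PATH" per mismatch;
# with "fix" as second argument each mismatch is also chmod-ed
audit_perms() {
    root=$1; mode=$2
    {
        # wp-config.php holds the database credentials: keep it stricter
        find "$root" -type f -name wp-config.php ! -perm 640 | sed 's/^/640 /'
        find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/644 /'
        find "$root" -type d ! -perm 755 | sed 's/^/755 /'
    } | while read -r want path; do
        echo "$want $path"
        if [ "$mode" = fix ]; then
            chmod "$want" "$path"
        fi
    done
}

# Demo on a constructed directory tree with deliberately wrong modes
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/uploads"
echo '<?php' > "$demo/site/index.php"
echo '<?php' > "$demo/site/wp-config.php"
chmod 755 "$demo/site" "$demo/site/wp-content"
chmod 777 "$demo/site/wp-content/uploads"   # world-writable directory
chmod 666 "$demo/site/index.php"            # world-writable file
chmod 644 "$demo/site/wp-config.php"        # readable by other users
echo "mismatches:"; audit_perms "$demo/site"
audit_perms "$demo/site" fix >/dev/null
echo "after fix: $(audit_perms "$demo/site" | wc -l | tr -d ' ') mismatches"
rm -rf "$demo"
```

`-perm 644` in `find` is an exact match, so anything more permissive or more restrictive than the target is reported; run it without `fix` first and read the list, because a directory that legitimately needs group write access (some hosts set up uploads that way) would otherwise be tightened along with the rest.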
If we are curious, we'll see how our score progresses as we activate the different security measures.
Activating the firewall modifies the .htaccess by adding rules which allow us to block users with malicious behaviour.
The first tab holds the basic settings. We have already seen how to implement one of them without a plugin. If we need to raise the upload limit above 10MB, we need to modify the corresponding line in .htaccess: search for LimitRequestBody 10240000 and change it to LimitRequestBody 30720000 to extend the limit to 30MB.
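Editing that line by hand each time the limit changes is error-prone, and a typo in .htaccess takes the whole site down with a 500 error. The function below is an added example, not the plugin's code: it rewrites the LimitRequestBody directive from a value in megabytes, keeps a copy of the previous .htaccess, and refuses to touch a file that doesn't contain the directive. The post's figures (10240000 for 10MB, 30720000 for 30MB) use 1MB = 1024000 bytes, and the function follows the same convention.

```shell
# Added example, not the plugin's code: change the LimitRequestBody value
# that the firewall writes into .htaccess. The post's figures (10240000 for
# 10MB, 30720000 for 30MB) use 1MB = 1024000 bytes, and so does this
# function. A copy of the previous .htaccess is kept as .htaccess.bak.

# get_upload_limit HTACCESS -> prints the current LimitRequestBody value
get_upload_limit() {
    awk '$1 == "LimitRequestBody" { print $2 }' "$1"
}

# set_upload_limit HTACCESS MB -> rewrites the directive and prints the new
# byte value; fails without touching the file if the directive is absent
set_upload_limit() {
    file=$1; mb=$2
    bytes=$((mb * 1024000))
    if [ -z "$(get_upload_limit "$file")" ]; then
        echo "no LimitRequestBody directive in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    # sed -i differs between GNU and BSD, so write a temp file and move it over
    sed "s/^\([[:space:]]*LimitRequestBody[[:space:]][[:space:]]*\)[0-9][0-9]*/\1$bytes/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$bytes"
}

# Demo on a constructed .htaccess fragment (not a real site)
demo=$(mktemp -d)
printf '# constructed fragment\nLimitRequestBody 10240000\n' > "$demo/.htaccess"
echo "before: $(get_upload_limit "$demo/.htaccess")"
set_upload_limit "$demo/.htaccess" 30 >/dev/null
echo "after:  $(get_upload_limit "$demo/.htaccess")"
rm -rf "$demo"
```

Keep in mind that the plugin rewrites its own block of .htaccess when its settings are saved, so a value changed by hand can be reverted the next time the firewall settings are touched; check it with `get_upload_limit` afterwards.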
Let's activate the three additional rules. The string filtering and the blocking of malicious queries need to be used carefully.
Finally, we turn on the 6G blacklist rules, block fake bots, and enable 404 detection and hotlink prevention. The latter prevents our bandwidth from being stolen.
We don't have to touch custom rules, unless we know what we're doing.
This is a group of simple measures which minimize the effects of brute force attacks.
This type of attack consumes resources on our server, and even if the attacker doesn't manage to get in, it can have a very negative effect on our website.
The minimum we should do is implement the honeypot, since it has the smallest impact on our users by being transparent to them. Using a captcha provides an additional layer of security without affecting functionality, even though legitimate users will be required to take an additional step to log in.
Each site may well need its own combination. As with almost everything in this world, there is no universal recommendation that is optimal for every case.
Nothing much to say here, turn on every option.
Activate the automatic scanning of our files, and don't forget to exclude, for example, images and cache files if available.
Within "Miscellaneous" we can disable user enumeration, right-click usage, iframes and the REST API.
It's not necessary to activate every setting to get reasonable protection. It's more about trying and testing settings which don't interfere with the correct functioning of the website.
What we have before us is a very complete security plugin, which is free and easy to configure.
It no doubt helps us protect our website and deserves its place within our recommended plugins.