As promised, today I finally close this series of five articles on how to make your WordPress installation more secure, with the last two actions:
- Make your WordPress not look like a WordPress, and not give clues
- Schedule a backup system.
Make your WordPress not look like a WordPress, and not give clues
One of the problems with WordPress is that it is not very discreet: it loves to announce to the world that it is WordPress, and does so throughout its code. And there is no option to hide this during a standard installation.
What might seem like an advantage can, and does, become a threat.
If, for example, we look at the source of a web page, which takes no more than a right click in the browser and choosing "View page source" from the context menu, we can discover a lot of information about the site:
Whether it is WordPress, which version, which theme it is using, which plugins it has installed... all this at a glance, so imagine what a bot launched by someone with bad intentions can collect.
For example, open the source of a page and search for the string "generator": on a default installation the meta tag tells you the exact version of WordPress installed.
Search for "wp-" and you will find references to the wp-admin, wp-content and wp-includes folders.
Search for "themes" and you will find the name of the active theme in the paths under wp-content/themes/, although in some cases this is of little use because it is a custom theme.
Search for "plugins" and you get a list of the active plugins that load scripts or styles on the page, from the paths under wp-content/plugins/... and so on to infinity... and beyond.
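To make concrete how little effort those searches take once automated, here is an added example that is not part of the original article: a Python script that runs the same four searches over a constructed imitation of a default WordPress page head (the example.org host and the version, theme and plugin names are invented for the example, not captured from a real site). It also shows a fallback a bot uses when the generator tag has been removed: the core stylesheets under wp-includes/css/dist/ carry the WordPress version in their ?ver= query string.

```python
"""What a passing bot reads from a single page view: the four 'view source'
searches from the article, automated. Added example, not the article's code.
SAMPLE_HTML is a constructed imitation of a default WordPress <head> (the
example.org host, version, theme and plugin names are invented)."""
import re
from collections import Counter

SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" id="wp-block-library-css" href="https://example.org/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" media="all" />
<link rel="stylesheet" id="twentytwentyfour-style-css" href="https://example.org/wp-content/themes/twentytwentyfour/style.css?ver=1.0" media="all" />
<link rel="stylesheet" id="contact-form-7-css" href="https://example.org/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4" media="all" />
<script src="https://example.org/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=8.4.0"></script>
<script src="https://example.org/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<link rel="https://api.w.org/" href="https://example.org/wp-json/" />
</head><body><a href="https://example.org/wp-login.php">Log in</a></body></html>"""

# Same page with only the generator tag stripped. The core stylesheet under
# wp-includes/css/dist/ still carries the WordPress version in its ?ver= string.
SAMPLE_HTML_NO_GENERATOR = SAMPLE_HTML.replace(
    '<meta name="generator" content="WordPress 6.4.2" />\n', "")

_GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)', re.I)
_CORE_CSS_VER = re.compile(r'/wp-includes/css/dist/[^"\'\s]*?\?ver=(\d+(?:\.\d+)+)')
_WP_PATH = re.compile(r'/(wp-(?:admin|content|includes|json|login\.php))(?=[/"\'?\s]|$)')
_THEME = re.compile(r'/wp-content/themes/([^/"\'\s?]+)')
_PLUGIN = re.compile(r'/wp-content/plugins/([^/"\'\s?]+)')


def fingerprint(html: str) -> dict:
    """Extract platform, version (and where it leaked from), theme, plugins and
    the wp-* paths that give the installation away."""
    version, source = None, None
    m = _GENERATOR.search(html)
    if m and m.group(1):
        version, source = m.group(1), "generator meta tag"
    else:
        m = _CORE_CSS_VER.search(html)
        if m:
            version, source = m.group(1), "wp-includes/css/dist ?ver="
    paths = sorted(set(_WP_PATH.findall(html)))
    themes = Counter(_THEME.findall(html))
    return {
        "is_wordpress": bool(paths or version),
        "version": version,
        "version_source": source,
        "theme": themes.most_common(1)[0][0] if themes else None,
        # only plugins that enqueue front-end assets show up here
        "plugins": sorted(set(_PLUGIN.findall(html))),
        "paths": paths,
    }


if __name__ == "__main__":
    for label, page in (("default", SAMPLE_HTML), ("no generator", SAMPLE_HTML_NO_GENERATOR)):
        print(label, fingerprint(page))
```

To check your own site, fetch its home page (for example with urllib.request.urlopen) and pass the body to fingerprint(): if a version still comes back after you have hidden the generator tag, the version_source field tells you which asset gave it away.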
Let's be clear: none of this is a serious problem in itself. It is the same point I made in the first of these articles about not displaying user names so as not to make the attacker's job easier. If we give no clues about our installation and the passing bot cannot tell that we run WordPress, it will move on to look for another, more vulnerable WordPress, that is all. Bear in mind, though, that hiding clues is camouflage, not a patch: an outdated plugin is just as exploitable whether or not its name appears in the source, so this measure complements keeping core, themes and plugins up to date, it does not replace it.
To "camouflage" our WordPress we have a fantastic plugin that lets us, like Don Juan Tenorio on his Sevillian nights, go as unnoticed as possible. We are talking about WP Hide & Security Enhancer.
With this plugin we can, among many other things, customize the administration URL, block the default URLs, rename the wp-login.php file, rename the default folders, rename the stylesheet... In this way we give fewer clues to those who come looking for what is not theirs.
Schedule a backup system.
A backup system will not prevent an attack, not at all, but it is essential that we have backup copies of our site and that we make them periodically.
That way, if despite all the other measures we find one day that our site is down, that we have been infected, or simply that a plugin or theme update has broken the site, we can always go back to a previous version instead of wasting time trying to fix the mess (from experience with clients who call me when there is no other remedy, I can assure you that cleaning up a hacked website is a real odyssey).
To set up a backup system we must first bear in mind that a WordPress installation has two elements to back up: the files of the installation itself (core, themes, plugins, uploads and wp-config.php) and the database.
There are three ways to back up WordPress: manually, through the backup service offered by many hosting providers, or through a plugin installed in WordPress itself.
The first, the manual method, has a drawback, or two, to start with: we have to remember to do it ourselves on a regular basis and, as I said above, we have to back up both the files and the database every time. Bad idea, unless you automate it...
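As an added example (mine, not the article's, and not code from any of the plugins mentioned below), this Python script does the manual method properly: it archives the installation files and dumps the database under one timestamp, keeps only the newest copies, and can be scheduled from cron so that the "remember to do it" drawback disappears. The paths WP_ROOT and BACKUP_DIR and the presence of mysqldump on the server are assumptions; the wp-config.php fragment inside is constructed for the self-check and does not belong to any real site.

```python
"""Scheduled WordPress backup covering both components named in the article,
the installation files and the database, under one timestamp, with rotation.
Added example, not the article's code or any plugin it mentions. Assumed (not
from the article): site at WP_ROOT, copies in BACKUP_DIR, mysqldump on PATH.
Cron line for a low-traffic hour:
  0 3 * * * WP_ROOT=/var/www/html BACKUP_DIR=/var/backups/wp python3 /usr/local/bin/wp_backup.py
"""
import gzip, os, re, shutil, subprocess, tarfile, tempfile, time
from pathlib import Path

# define( 'DB_NAME', 'value' );  either quote style, literal values only
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Constructed sample wp-config.php fragment for the self-check (not a real site)
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'db.internal:3307' );
"""

def read_db_settings(wp_config_text: str) -> dict:
    """Reuse the DB_* constants WordPress itself uses; no second copy to drift."""
    found = dict(_DEFINE_RE.findall(wp_config_text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - found.keys()
    if missing:
        raise ValueError(f"wp-config.php lacks {sorted(missing)}")
    return found

def _skip_cache(info: tarfile.TarInfo):
    """Leave out any directory called 'cache': regenerable and often huge."""
    return None if "/cache/" in f"/{info.name}/" else info

def archive_files(wp_root: Path, dest_dir: Path, stamp: str) -> Path:
    """tar+gzip the whole tree: core, wp-config.php, themes, plugins, uploads."""
    archive = dest_dir / f"files-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(wp_root), arcname=wp_root.name, filter=_skip_cache)
    return archive

def dump_database(db: dict, dest_dir: Path, stamp: str) -> Path:
    """Consistent mysqldump piped through gzip; password via MYSQL_PWD, never argv."""
    host, _, port = db["DB_HOST"].partition(":")
    cmd = ["mysqldump", "--single-transaction", "--quick", "-h", host or "localhost",
           "-u", db["DB_USER"]] + (["-P", port] if port else []) + [db["DB_NAME"]]
    dump = dest_dir / f"db-{stamp}.sql.gz"
    env = {**os.environ, "MYSQL_PWD": db["DB_PASSWORD"]}
    with gzip.open(dump, "wb") as out, subprocess.Popen(cmd, env=env, stdout=subprocess.PIPE) as proc:
        shutil.copyfileobj(proc.stdout, out)  # compress in-process, not via the fd
    if proc.returncode != 0:
        dump.unlink(missing_ok=True)  # never keep a partial dump
        raise RuntimeError(f"mysqldump exited with {proc.returncode}")
    return dump

def _stamp_of(p: Path) -> str:
    return p.name.split("-", 1)[1].split(".", 1)[0]

def prune_old(dest_dir: Path, keep: int) -> list:
    """Keep the newest `keep` sets (files + db of one stamp); return the deleted paths."""
    if keep < 1:
        raise ValueError("keep must be >= 1")
    files = sorted(dest_dir.glob("*-*.gz"))
    doomed = set(sorted({_stamp_of(p) for p in files})[:-keep])
    removed = [p for p in files if _stamp_of(p) in doomed]
    for p in removed:
        p.unlink()
    return removed

def run_backup(wp_root: Path, dest_dir: Path, keep: int = 7, with_db: bool = True) -> dict:
    """One run: archive files, dump the database, rotate. Returns the new paths."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    result = {"files": archive_files(wp_root, dest_dir, stamp)}
    if with_db:
        db = read_db_settings((wp_root / "wp-config.php").read_text())
        result["db"] = dump_database(db, dest_dir, stamp)
    result["pruned"] = prune_old(dest_dir, keep)
    return result

def demo() -> dict:
    """Self-check on a throwaway fake site (no MySQL needed): files are archived,
    the cache dir is skipped and an older set is rotated out."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "htdocs", Path(tmp) / "backups"
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "wp-content/cache").mkdir()
        (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
        (root / "wp-content/themes/demo/style.css").write_text("/* Theme Name: demo */")
        (root / "wp-content/cache/page.html").write_text("stale")
        dest.mkdir()
        for name in ("files-20200101T000000.tar.gz", "db-20200101T000000.sql.gz"):
            (dest / name).write_bytes(b"")  # pretend an old set exists
        result = run_backup(root, dest, keep=1, with_db=False)
        with tarfile.open(str(result["files"])) as tar:
            members = sorted(tar.getnames())
    return {"members": members, "pruned": [p.name for p in result["pruned"]]}

if __name__ == "__main__":
    print(run_backup(Path(os.environ.get("WP_ROOT", "/var/www/html")),
                     Path(os.environ.get("BACKUP_DIR", "/var/backups/wp"))))
```

A copy that lives on the same server as the site is of little use once that server is compromised or down, so follow the run with an rsync or upload of BACKUP_DIR to another machine or to object storage. The demo() function exercises everything except mysqldump, so you can test the script on a machine without MySQL.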
As for the backup services offered by hosting providers, first make sure that yours offers one; if it does not, consider changing provider, because if it lacks this, it surely lacks many other things too.
If it does, look in your cPanel or hosting control panel, make sure the service is enabled, and check how often the backup runs, where the copies are kept, and how the restore process works.
The last option is a backup plugin within WordPress itself, which lets you configure partial or full backups of your installation and their frequency, or take a one-off copy when, for example, you are about to perform a major update of WordPress or of a critical plugin (for example, WooCommerce).
If you find yourself in one of these upgrade situations, I strongly recommend that you first take a backup, not only of WordPress core but of the plugins as well, so that you can roll back to the previous plugin version.
I still remember the mess that broke out in the WordPress community when WooCommerce updated to version 2.6; there were people who sweated blood over it. If they had made a backup beforehand, it would have been enough to restore that version and wait for the developer to release a version without problems.
As for plugins, I won't go into detail, as that would be enough for one or more articles. I recommend four (choose one of them, of course): BackWPup, UpdraftPlus, BackupBuddy and Duplicator. The last one is not a backup plugin as such, it was originally designed to migrate a WordPress from one site to another, but in its Pro version it is a good alternative for backing up a site.
Three of the four have a free version in the WordPress repository (BackupBuddy is paid only), and all have a paid version. I recommend the paid option because, in many cases, scheduling backups and/or storing them off-site in Google Drive, Amazon S3, Dropbox or FTP comes only in the paid version. Whatever you choose, keep the copies somewhere other than the web server itself, and run them, manually or automatically, during low-traffic hours, such as the early hours of the morning.
And if you want 100% peace of mind, the option is undoubtedly VaultPress from Automattic (the company behind WordPress.com, in case you did not know), which takes daily or real-time backups depending on the subscription you buy. Although it has a free plugin in the WordPress repository, everything is managed from a control panel outside WordPress itself, so even if our server is unusable we can always restore from there.
Ah, as you can see in the image, it is SaaS, Software as a Service, which means you pay for it, but you forget about problems and hassle; I assure you it is worth it.
Finally, and I have deliberately left this for last, there are the security plugins. I recommend two: Sucuri Security and Wordfence Security, which protect our installation and can even help clean it up after an attack.
Don't go yet
Well, that's it. We have seen quite a few ways to make our WordPress more secure, although there are more; in summary we have covered:
- How to improve the security of our passwords.
- Make it difficult for attackers to discover our user names.
- Secure and protect access to the administration panel (wp-admin) and to the WordPress configuration (wp-config.php).
- Change the database prefix.
- Deactivate the file editor of our WordPress.
- Set the authentication keys and salts to strengthen cookies.
- Add HTTP security headers to our server.
- Assign the appropriate permissions to the folders and files on our Web server.
- Make your WordPress not look like a WordPress, and not give clues.
- Schedule a backup system.
I invite you to leave your impressions and/or questions via the contact form and to suggest new topics you would like me to cover in these tutorials. I will be happy to reply by email and to write about them on this blog.