7 Tips To Better Secure WordPress Blogs

7 Tips to Better Secure WordPress Blogs

For many, our blogs are the lifeline of our passion.  We use it to share our life experiences to others, in hopes that it will have a positive impact on their day to day lives.  There is nothing more unsettling than when our passion projects are derailed due to a breach.

In my previous post, Why My WordPress Blog Is Being Attacked, I shared how my blog was constantly attacked by threat actors around the world.  In sharing that information with some of my closest friends, they were taken back at efforts that others took to gain access.  As unsettling as it can be knowing someone out there wants you to fail, I am thankful for the knowledge received by the Information Security Community which has kept my mindset calm, cool and collective.

Due to the overwhelming support received on the previous post, I have decided to list some best practices that can assist you in better securing your WordPress Blogs.

Here are 7 tips to help you better secure your blog on WordPress.

Enable Privacy Guard on DNS Records

Security begins at the registration process of your domain.  You may not be aware, but by default your personal information is made readily available to the public when you register your domain.  This includes your full name, address, phone number and email address.

Depending on the popularity of your blog, people can use this information to do some heinous things including calling your hosting provider pretending to be you to gain access to your site, create a social engineering profile or worse, use the information to send law enforcement to your home (Swatting).

That last part especially strikes a chord with me as I would never have thought to need to go to such lengths to protect my family.  Unfortunately, there are individuals who get a kick out of making others miserable.

To mitigate such risk, I would recommend either opening up a PO BOX with the United States Post Office or enabling the privacy guard when you register your domain.  Enabling the privacy guard typically comes with an extra fee but allows your personal information to be hidden from DNS queries.  It will also help curb solicitations and SPAM (unwanted emails).

Back to Top

Use Unique User Names

When you set up your initial content management system like WordPress, one of the very first tasks is to select a user name.  I would strongly recommend that you use something independent of your site’s content or subject.

One of the things I noticed right off the bat, is that the threat actors were using terms scraped directly from my blog posts including the domain name, designations and even “admin.”  Try to use something unique and descriptive when choosing your username.  In most instances, you only get one shot at it.

Almost forgot!  If the username you select was involved in a prior data breach on another service, don’t use it.  There are many password lists available that use compromised usernames and passwords from known breaches.

Back to Top

Change All Default Passwords

Since we are on the subject of passwords, let’s talk about the elephant in the room.  If there is a default password to get into your WordPress blog, change it and change it now.  As I alluded to in the last section, there are many password lists that consist of usernames and passwords from known breaches, but they also include default passwords like admin, password or password123.

Remember to use best practices when it comes to creating a password.  Passwords should be a minimum of 8 characters long with uppercase, lowercase, alphanumeric and symbols.  Avoid using personal information in your passwords like the name of your family members or pets.

Back to Top

Enable 2 Factor Authentication (2FA)

And to finish off the login trinity, enable 2-Factor Authentication.  This is an added layer of protection in the event your password is compromised. For more information on 2FA, please visit our blog post related to the Nintendo Data Breach last month.

Back to Top

Install Security Plugins and Monitor

WordPress has a great variety of security plug-ins that can help address issues like brute-force and Spam.  Unfortunately, the topic is too vast for this blog post but I would recommend looking into the following as they have some of the highest ratings in the marketplace:

  • iThemes Security
  • Loginizer
  • WordFence
  • Invisible ReCaptcha
  • Ninja Firewall

Back to Top

Keep Routine Backups

I always express to my clients that you are only as good as your last backup.  Be sure that you have a good backup strategy in place.  Most hosting providers will allow you to backup your entire blog at the root or setup level.  

This would be ideal since you are creating a separation of exposure.  Meaning, that if your WordPress Credentials were ever compromised, assuming they are not the same credential you use to log in with, you would have a valid point of recovery.

WordPress also has a variety of plug-ins that can assist you with recovery including 

  • WP Time Capsule
  • Updraft Plus
  • Duplicator

Frequency of backups are important and at a later time, I will post about the different types of backups.  For now, I would recommend that you consider doing a Full Backup + Incremental strategy.  This will allow you to take a full backup of your site (once a week or month) and in-between full backups you only backup the changes (incremental).

This makes the process more efficient and less taxing on the web server, especially if your site has a lot of content.  Make sure you configure this to process automatically and choose dates and times that will cause the least amount of impact to your readers (i.e. off peak hours).

Back to Top

Update WordPress Plugins Regularly

Now at this point you may be thinking, what else could go wrong if I addressed the other 6 points on this post.  My response, plenty.  The single most important failure that contributes to the compromise of WordPress websites is not updating plug-ins.

All software solutions are susceptible to bad coding either initially or through time.  This is typically due to the fact that there are more than one way to find a solution to a problem when programming.  When someone discovers a flaw or bug in a software solution that can have unintended privacy, availability or security consequences, it is called a vulnerability.  When someone uses that vulnerability, it’s called an exploit.

There are many repositories available online that chronicle these types of vulnerabilities and exploits if you are interested in reviewing them, but the important thing is that you have a plan for updating patches (patch management) as they come available.  

Note: It is worth noting that it is best practice to backup your site before applying major updates.  Some patches may not have been fully tested with your current WordPress or Theme version.  Major updates are denoted by the digits before the first period (i.e. XX.xx) while minor updates are denoted by the digits after the first period (i.e.xx.XX).

Although no level of precaution will make you impervious to cyber threats, the goal is to make it as difficult as possible for threat actors to gain access to your blog and more importantly, access to sensitive information that can put you and your family at-risk.  Blog responsibility and stay safe.

Back to Top

To support this blog, this post may contain affiliate links.   Please read our Privacy Policy for more information.

Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.

Related Posts

Title Image: AI Security Realities: Rethinking PII as the Sole Indicator

AI Security Realities: Rethinking PII as the Sole Risk Indicator

During a client meeting, I addressed misconceptions about cybersecurity, especially the notion that absence of PII equates to no risk. I discussed how cyber threats extend beyond data theft to include system vulnerabilities that could disrupt operations and impact users, citing the SolarWinds and New York Times attacks as examples. I explained that comprehensive assessments are crucial for understanding broader cybersecurity risks, not just those involving PII. Additionally, I highlighted the importance of protecting AI models from poisoning, underscoring the need for robust security measures in AI development.

10 Ways to Improve Your Math Skills for Cybersecurity

10 Ways to Improve Your Math Skills for Cybersecurity

As highlighted in our earlier discussion, The Intersection of Math and Cybersecurity, a solid grasp of mathematics is indispensable within the realm of cybersecurity. The specific demands…

The Intersection of Math and Cybersecurity - Does Cybersecurity Require Math?

The Intersection of Math and Cybersecurity

During my weekend exploration of a renowned Q&A platform, I unexpectedly encountered a question that left me intrigued. I couldn’t help but wonder if the original poster (OP) was playfully jesting or sincerely seeking knowledge. This curious moment brought forth a reminiscent smile as I recalled the age-old adage we all encountered during our early school years: “Math is fundamental to all endeavors.” However, an interesting twist emerged: Does this axiom extend its influence into the intricate realm of Cybersecurity?

Client Confidence Crisis: How Neglecting Security Practices Can Drive Customers Away

In today’s digital landscape, establishing an Information Systems Security Program (ISSP) is no longer optional but a crucial necessity for organizations. This blog post explores the vital importance of implementing an ISSP early on and understanding the factors that influence its establishment and modification. Senior management’s role in championing ISSPs is emphasized, as their buy-in and recognition of its significance set the tone for organizational security practices.

However, misconceptions and flawed reasoning often hinder the adoption of robust security measures. From the belief that “it will never happen to us” to relying solely on insurance coverage, these notions can prove detrimental to an organization’s security posture. Furthermore, assumptions that clients don’t care about security or that the cloud provides ultimate protection are debunked, shedding light on the evolving expectations and regulations surrounding data protection.

The ugly truth emerges as we delve into the constant threat of internet vulnerability scans and the risks organizations face when vulnerabilities are discovered. This post aims to dismantle these flawed mindsets, highlighting the need for a comprehensive security approach beyond insurance coverage and the importance of addressing vulnerabilities proactively.

Stay tuned for the upcoming parts of this conversation, where we will explore additional influential factors and provide insights into developing effective ISSPs. Together, let’s navigate the complex world of system security and ensure the protection of your organization’s invaluable assets.

Maximizing Email Security: Understanding the Importance of DKIM, SPF, and DMARC

Email is a crucial part of our daily lives, but unfortunately, it’s also a popular target for cybercriminals who use various tactics like spam, phishing, and spoofing to scam people. The FTC recently issued a warning to users of MetaMask and PayPal about phishing scams that are currently circulating through fake emails. The scam claims that the user’s cryptocurrency wallet has been blocked and encourages them to click a link and update their wallet to prevent the loss of their crypto. To protect email users from these threats, authentication protocols like DKIM, SPF, and DMARC are strongly recommended.

Top 10 Cybersecurity Job Sites

Top 10 Job Sites for Cybersecurity Professionals

As the world continues to rely heavily on technology, the demand for cybersecurity professionals continues to grow. Cybersecurity jobs offer high salaries, job security, and a wide range of career options. However, finding the right job can be challenging.

This Post Has 3 Comments

  1. This is great! I had done some of these things, but hadn’t thought of some others. Makes me grateful that I already had a PO Box, for sure.

    1. Lisa, thank you so much for the feedback. I really hope these tips have helped. I agree, swatting is a scary thing and glad that you have implemented steps to prevent. Let me know if there are any technical topics you would like me to cover in future posts. Take care!

Comments are closed.