Safeguarding Your WordPress Site

WordPress accounts for almost 30% of all websites on the Internet and is one of the most popular CMS (Content Management Systems) used by content creators and site owners.

Unfortunately due to its ease of use and popularity, it is also prone to hackers and site attacks and has been notorious for breaking in production due to faulty security measures.

The following points would help you safeguard your website to avoid running into problems once your site is live:

  1. Disable/Hide WP-ADMIN

The first point of call to most hackers is the WP-ADMIN login endpoint. By default, WordPress comes with a popular well-known URL that hackers have been known to take advantage of.

https://www.yoursite.com/wp-admin

By disabling or hiding that URL, you can make it a little difficult for hackers to find out where to break in from. This is extremely useful for a lot of sites and should be one of the top security priorities for WordPress sites.

To achieve this, you can make use of the iThemes Security plugin on the WordPress plugin repository. Once installed you can change your default login URL to a custom one of your choice.

https://www.yoursite.com/custom

Even better, you could define other security measures or stopgaps that could prevent bots or scripts from nosing about your website or trying to use brute force to access resources on your site and so much more.

2. Disable/Authenticate REST API

The next point of call would be your REST API. Believe it or not, WordPress does come with a fully functioning REST API that exposes its resources and data to the general public by default!

https://www.yoursite.com/wp-json

Even worse, a smart hacker or malicious user only has to visit your users’ endpoint to see your username and you’d have solved half of the problem to enable him brute force his way into your site via a series of techniques like Social Engineering, Browser Phishing and so on.

https://www.yoursite.com/wp-json/wp/v2/users

To prevent this unbelievable craziness, you can disable the REST API via the Disable WP REST API plugin available on the WordPress plugin repository. You can also specify which endpoints to expose and secure vital parts of your WP site and data.

Another option would be to authenticate the endpoints via custom code or plugin.

3. Staging Sites & Plugin Testing/Updates

Another step would be to ensure that your site has a staging version. A staging site is simply an exact replica or copy of your website for testing features, new plugins, and design changes. For e.g. if your site is:

https://www.yoursite.com

Your staging site could be a sub-domain endpoint like so:

https://staging.yoursite.com

You should never try out a new plugin on your production website. It’s always never a good idea and could lead to unintended problems. This is extremely crucial since unverified or untested plugins account for over 80% of WP site breakdowns in production.

When you’re not sure what a plugin does, it’s always a good idea to try it out on your staging website and maybe even go through its source code to see if there are any malicious scripts before attempting to install it on your live website (production).

This same approach should also be applied for plugin updates as well.

4. Activity Log & Site Monitoring

Ever wondered what’s going on in your WP site when you’re not around? Me too! Everyone does! Having a way to monitor site activities could help you know when you’ve been breached or encountered a major file change on your website.

To achieve this, you could use a plugin called Stream on the WordPress plugin repository. It comes with a detailed log of user events, file changes and monitors every single activity on your website.

In this way you can know for sure when something changed and who made that change. Very useful.

5. User Roles & Capabilities

By default, WordPress allows you to create new users for its CMS with any role of your choice (Editor, Contributor, Admin…).

Specifying the right role or capabilities for each user is important so that only users with the right privileges can make global or system-wide changes on the site such as modifying a file on the Theme Editor section.

A user who is not a site manager or WordPress developer should never be allowed an Admin status as this gives the user the ability to modify your functions.php or theme files and also install or uninstall plugins.

Users should be assigned roles based on their job descriptions or roles within the organization.

And that’s it, folks… Are there more tips you can think of, please feel free to drop them in the comments section.

Full Stack Engineer