Securing WordPress (Plugins are the last tool to use)
I watched a few YouTube videos on WordPress security, and if you think all you need to do is install a WordPress plugin (as those videos suggested), I highly recommend watching this video. There is a lot more to securing a site than installing a plugin: using CloudFlare, using an actual firewall, and so on.
Table of Contents
0:00 – Introduction
0:52 – Disclaimer
1:54 – Why this topic?
2:55 – Why do people hack?
5:12 – Start with a backup
7:09 – Use CloudFlare
19:36 – Use an actual firewall
24:22 – Finally, WordPress
39:22 – Wrapping it up
Here is the video I mentioned in this one, Setting up a Free Backup of My WordPress Site and Local Development:
Automated transcription here:
Aaron Reimann (00:00):
In this video, I’m gonna show people how I secure a WordPress site, and let’s just dive in. So here we go. All right, topic-wise, here’s, I guess, a table of contents here, and I’m gonna explain why this topic, and then I’m gonna try to cover why people hack, and then go into CloudFlare DNS, talk about firewalls and if it’s even possible for you guys to set up a firewall. And then at the end, I’ll cover some WordPress tips. A little about me: so I normally do WordCamp talks, and so I always do a little part about myself. And you guys probably don’t care on YouTube. No big deal. I’m gonna skip it. If you wanna read that, read away. Here is a disclaimer. I’m not a network security engineer. I’ve been doing websites since ’96 and I’ve learned everything by basically trial and error, whether it be, you know, the first website I built, or networking, where I used to do IT support type stuff.
Aaron Reimann (01:15):
It is just, I’ve always been a geek, always learned computer stuff, but I am not an expert in this. This video is not advice per se. You know, if you’re worried about security, you can hire a security guy, you know, to go through a full-blown scan and, you know, do all that stuff. That is not what I do. So take this as, here’s some things you can do and it might work. So just a little disclaimer there. So why this topic? Well, I went to YouTube and I just looked and was watching a couple videos. And one of the videos was basically someone, five minutes, like, Hey, to secure your website, you go and install Wordfence and boom, you’re done.
Aaron Reimann (02:13):
And I just thought, what a bad thing to tell someone, because most of the people, if you’re on YouTube and you’re trying to get information on how to secure a site, and all you get is install a plugin, you are about 20 steps behind; you kinda, like, started at the end. You know, installing a plugin to me is the last step. There’s a lot of things you could do before that can help secure your site, and that’s why I’m doing this video, because I think people could learn, you know, what I do. So why do people hack? Well, they kind of don’t. A lot of people are saying, why are people trying to log into your site and, you know, trying to get into the site? And it’s one of those things where it’s probably not someone actually going to your site and typing in admin and then trying the password admin, and then trying admin, and then admin123 and stuff like that.
Aaron Reimann (03:25):
That’s a very tedious process. And really what they’re doing is they’re writing a script that is grabbing a list of domains and then a list of usernames, popular usernames, and then a list of passwords. And then you write a script to go through each combination of things. And a computer can process those things. If you write a little script to do that, you can go through a thousand usernames and passwords in, you know, 60 seconds or so, and that’s more so what’s happening: someone writes a script and they just let it run, and it will go through and try to log in over and over again on different sites everywhere. And that’s what’s happening. It’s rarely an actual person that has some kind of vendetta against the website and is trying to hack in there.
Aaron Reimann (04:28):
So it’s not as personal as, I mean, 99% of it, you know, it’s not a personal thing. And why do they do it? Well, they’re bored. I mean, why not? It’s one of those things where, I mean, I remember when I was 15, my brother and I rolled a house in the middle of the night and it was, I mean, it was a blast. You know, but real obnoxious, you know, but I mean, you do it because you can. So anyway, that’s why people hack, just because you can claim that, look, I took this site down. It’s kind of lame, kind of stupid and really obnoxious, but that’s just the world we live in. All right? So the first thing you need to do is make sure that you have a backup of your website.
Aaron Reimann (05:21):
I once had about 80 sites hosted on some servers, and I had backups running. And at one point I had to restore one of those backups, and I realized that all of the zip files that this program was using to create ’em were all corrupted. And so I basically did not have a valid and good backup of any of the sites. <Laugh> I have since solved that problem, and I’ve tested things. So I’ll just tell you guys, if you don’t have a backup of your site, go to ManageWP. ManageWP has a free one, one backup every 30 days or every month, and it costs nothing. And if you wanted to do daily backups and get a daily backup that runs every night, it’s only a dollar and 40 cents to do that.
Aaron Reimann (06:24):
So to me, that’s a no-brainer. And if you don’t wanna go the ManageWP route, you can use a plugin called Duplicator to do a backup. The most important thing to do, though, is to test your backup. And if you guys want to, just in the comments, ask me, you know, how do you do that? But I also have a YouTube video about how to go to ManageWP and set up a backup and how to set it up on local. So use that video. I’ll try to link to that in the video. To be honest, I’m not a hundred percent sure how to do that, but we’ll figure it out. I’m learning the YouTubes. So, all right, next step is CloudFlare, using CloudFlare as your DNS. There are a lot of tools in CloudFlare that you get just out of the box. And I’m going to go through, let me go find a site where I can actually log in here. Might have to pause this.
Aaron Reimann (07:43):
All right. I wanted to find a domain on CloudFlare that I’m not actually using, so I can show you guys what it’ll look like if you move your DNS over. So, CloudFlare: a lot of people buy domains on GoDaddy or, I don’t know, Bluehost or something like that. And they’ll keep their DNS on GoDaddy, and I’ll just continue to use GoDaddy as my example. Within GoDaddy, I’ve had where DNS records have been completely wiped out. It’s happened five times since 2008, which is not a lot, but if your DNS records are wiped out, no one can get to your website and no one can email you to tell you that your website is down. So I’m not sure why GoDaddy has decided to completely wipe out records before, but because of that, I can’t recommend keeping your DNS on GoDaddy.
Aaron Reimann (08:55):
Not only that, you don’t get any of these cool features that I’m about to walk you guys through. So let me show you how awesome CloudFlare is. So when you first set up your account in there, it’s gonna try to scan and go through all the records. And if you do that, if you migrate to CloudFlare, feel free to reach out to me; I might be able to point you in the right direction if you have questions or whatever. But when you import the records, CloudFlare will try to find all the records. And what you wanna do is go to, like, GoDaddy and look at those records and the records that CloudFlare found, and make sure that they match up and that everything is set up properly before you make that switch. Because if it’s not set up properly, and let’s say for some reason it doesn’t find MX records, mail exchange records, and you make that switch, your email will go down.
Aaron Reimann (09:56):
So you have to be real careful. Now, I’ve actually probably done over a thousand migrations to CloudFlare because of some of the stuff I’ve been involved in, where we build 48 websites for 48 nonprofits in 48 hours, and we’ve done it a lot of times. So I have, like, hundreds and hundreds and hundreds of migrations that I’ve done, so I’m real familiar with it. But it is a little daunting if you’re not familiar with it. And so just be real careful if you do port over. But I’m not going through the porting process; I’m showing you guys why I like CloudFlare. So when you put a domain in here, and I don’t really have any DNS records, for some reason I bought weird computer.com, I don’t know why I bought it, but anyway, when you set up a domain, it’s gonna go in here and it’s gonna go through this quick guide, and I just hit get started, and I just hit save and save and save and save.
Aaron Reimann (10:56):
Aaron Reimann (12:20):
In that cost, CloudFlare, the $0 amount is all I have. I have 180-some sites on CloudFlare, and I’m not paying for any of their features. So, you know, it’s free and you get all of this security without any cost. So, no-brainer. Another thing that I always do is I’ll go into the WAF, or the web application firewall, and this is an actual firewall. If you see a WordPress plugin and it says it’s a firewall, it’s not that. It might act like a firewall, meaning it blocks things. That’s a software firewall that kind of runs on top of the web server, but that’s not a true firewall. This is close to a real firewall here, and it gives us some great features.
Aaron Reimann (13:28):
Aaron Reimann (14:32):
And this is to me just a no-brainer. And okay, I’m gonna turn it off, and when I turn the I’m Under Attack mode off, I always set this to the high level. I’ve never had any issues changing it any other way, but I wanna show you guys how I secure the actual login. So I’m gonna go over here, go back to the WAF, and I’m gonna create a rule, and be real careful here with this advice because you could lock yourself out. But on most of the websites that I maintain, I do not have it where people are commenting. I do a lot of marketing sites where there’s not a reason for anybody to log into the site except for someone like me. And so I’ll set up some rules like securing wp-login.php, and I’ll do stuff like if the country does not equal United States, meaning if it’s not me, you know, where I am now. If I’m in the Netherlands or Israel, wherever I travel, I can go in here and change that.
Aaron Reimann (15:57):
Aaron Reimann (17:09):
So this rule is now in place where we get some security. And another thing that I will always do is I’ll go in here to Analytics and go to Security. And this is not a real domain that I’m using, so we don’t have any traffic, but CloudFlare will keep track of the threats and it’ll list these countries here. And if you’re getting a ton of traffic from, I don’t know, Nepal or India or something like that, I’m not targeting those countries per se, but those are ones where I see a lot of unwanted traffic, where things are blocked. You can go in here and say, let’s just say Russia and India, you guys see a lot of unwanted traffic from there, you can go over here to Security and you don’t necessarily have to block those countries, but you can do a rule that does something like this. So if on this list, js, I don’t know if I can put a comma in there, but, so we can do something like if the country equals Russia or the country equals
Aaron Reimann (18:34):
Aaron Reimann (18:38):
Aaron Reimann (19:31):
And again, there’s nothing to lose. The free plan is all I need. So, all right, an actual firewall is recommended. This doesn’t apply to probably the majority of you guys, because shared hosting is interesting. So shared hosting, which is if you’re hosted on Bluehost, GoDaddy, HostGator, things like that, what they do is they spin up a server for you and they install something like cPanel. It’s a control panel tool where they have it set up where, if you’re hosting WordPress, they have MySQL there for you. If you are a Ruby on Rails developer, they’ll have Rails installed or Ruby installed, or if they’re, you know, a Django web developer, which is Python-based, they’ll have Python on that server. Shared hosting normally also has email on that server and other things. And this is where shared hosting and a managed server or dedicated are very different.
Aaron Reimann (20:49):
So this is where I have to say, I’m not a huge fan of shared hosting because of the way they set up those servers. I mean, I’m a WordPress person and I’m only gonna do WordPress sites, so managed WordPress would be a better fit. But Bluehost and GoDaddy and all of those companies, they have to have it set up where they allow more things like that. And what that means is they have to open more ports, especially if you’re doing email, but I think a web server should be a web server and never do email. So if you have a dedicated server, you wanna set up a firewall. The only two ports you need are port 80 and 443, and I block everything else.
Aaron Reimann (21:46):
In my humble opinion, a web server shouldn’t send email. And so you should use a WordPress plugin like Post SMTP, and I have a whole YouTube video about that, that you could watch, and use that plugin to send mail using something like Mailgun or SendGrid or things like that. All of the sites, or the servers, I have seen that have gotten hacked, all they’re trying to do is become a spam relay server. And so that’s why I don’t even have email installed on my servers. And so I can block port 25 and 110 and 993, whatever ports it is that email runs on, I always block those things. So that’s kind of the difference, though, between shared hosting and dedicated servers. Shared hosting normally can’t block all those things because they have to keep it very open for any… it has to be very agnostic, I guess.
Aaron Reimann (22:50):
It can’t be only, we only support WordPress, you know. That’s why shared hosting, in my humble opinion, is not as good as something that’s dedicated. So, but if you do have a dedicated server, block all those ports, because you shouldn’t need ’em. Again, be careful, because if you accidentally block different ports you could lock yourself out of the server, but you should know that if you’re in there; if you’re a network engineer guy, you’ll know that. But so you can do that. Like, I have most of my servers on DigitalOcean, and DigitalOcean gives me a firewall rule that I can set up, and I set it up on all the servers, and then you can also do a firewall within the server itself using iptables. If you’re interested in any of this stuff, just reach out to me.
Aaron Reimann (23:48):
I mean, I can point you guys in the right direction. But anyway, that is a firewall. And again, if you ever see a WordPress plugin that says it’s a firewall, it’s not; all of those ports are open and you’re not really at a firewall level. You’re at a software firewall that doesn’t really block it as early as it should. So an actual firewall is recommended. All right, finally, WordPress. Okay, security plugins. There are a lot of security plugins, and I’m a fan of Wordfence or iThemes Security. If you’re on shared hosting, you probably need those. And to be completely honest, I’ve compared a site running Wordfence and not running Wordfence. And the site does get a little slower if you’re doing a security plugin, because it has to process everything that’s coming in.
Aaron Reimann (25:03):
So be careful with Wordfence or the like. Again, shared hosting needs those types of plugins. If you’re dedicated and you’ve blocked everything else and you have it pretty managed, you might not need it. Again, I’m not gonna recommend one or the other. You know, you have to make that decision yourself. The next thing here is two-factor authentication. Wordfence does have a way to do 2FA, but there’s also a plugin called Wordfence Login Security. Whoops. I can’t copy and paste that. Let me open a new tab. Wordfence Login Security plugin. So this is a plugin that I’ll put on a lot of the sites. And then here, let me show you the secondary plugin.
Aaron Reimann (26:21):
So with, I think that’s my next, yeah, so with two-factor authentication and then Limit Login Attempts Reloaded, you’re doing a pretty good job. So what Wordfence Login Security does is they’ve taken part of Wordfence, that plugin, and just put the two-factor authentication part where it’s its own little plugin. So what it does is, when you log in, it asks for your username and your password, and then it takes you to Authenticator, which you guys are probably familiar with. I mean, I’m always going into Authenticator here to get into sites. And so it’ll ask for your username and password, and then it’ll say, what’s the six-digit code? And you have to have it on your phone. That’s what two-factor authentication does, and that does leaps and bounds. Like, that’s a great thing to do if you’re trying to secure your site, because that two-factor authentication is really hard to get past.
Aaron Reimann (27:31):
One of the things that’s important, though: you have to have it on every user. If you only have it on one user and you have 10 other admins, that’s a problem. The second plugin that I can recommend is this Limit Login Attempts Reloaded. And it does a really good job of keeping track of, a lot of times you’ll go through the log of Limit Login Attempts, and you’ll see the admin username logged in over and over again, and then eventually they get locked out. And once you have that plugin activated, I normally go into the settings and I tell it after three failed logins. I think the default is it blocks you for an hour or something like that. I change that to about 96 hours, because if someone does get the password wrong three times, chances are I know who this person is; they’re gonna call my cell or send me an email saying, Hey, I can’t log into the site, and I’ll go in and fix it.
Aaron Reimann (28:38):
But I set it where it’s pretty secure, because I think it’s probably not strict enough by default, because I want people to, if they fail three times, they probably have no reason to be on the site. So those are two plugins that I highly recommend. Fourth thing here, getting an SSL certificate. And to be honest, I’m a big fan of Let’s Encrypt. It’s a free SSL certificate, and things like GoDaddy will sell you an SSL certificate, and there is absolutely no difference between a GoDaddy SSL certificate and a Let’s Encrypt SSL certificate. The technology is exactly the same. They’re using the same SSL software to generate that. The only thing that’s different is that if you pay for your SSL certificate at GoDaddy, you’re basically paying what, I don’t even know how much an SSL certificate is, 70 bucks, a hundred bucks, I don’t know.
Aaron Reimann (29:49):
But basically, you’re paying for an insurance policy. So if your site does get hacked via the SSL certificate, which I’ve never seen in my life, there’s insurance, you know. So if I have some kind of e-commerce site and I’m bringing in a couple million a year through that and I need some kind of insurance policy for that SSL certificate, I could do that through GoDaddy. Now, your business should also have insurance to cover that type of stuff anyway, so I just don’t think a paid SSL cert is important. It’s important that you have an SSL certificate, and the reason why is because if you’re using SSL, you are encrypting the username and password, the information that’s being sent to and from the server; it’s at least encrypted information. The fifth thing here, audit users.
Aaron Reimann (30:52):
A lot of times I’ll log into a site and I’ll see, who are all these admins? And they’ll say, oh, that’s the old guy that used to manage the site. And I’m like, and his account exists. Why? So I always, if you’re not a hundred percent sure if you can delete these users that are administrators, just change them to subscribers instead of administrators. And if that person’s trying to log in, they’ll reach out and say, Hey, for some reason I’m no longer an admin. But auditing your users is really important, because I’ve seen websites that have been around for 15 years, and you have just a log of users that used to maintain the site, and you’ve gotta keep that clean. Another thing is auditing plugins and themes. If you have a plugin that is on the site but it’s inactive, why is it there?
Aaron Reimann (31:58):
You need to remove that. And that goes with themes also. With themes, I will have two themes on the site. I’ll have one for the actual theme that I’m using. I’ll keep a Twenty Twenty-Three theme, or a Twenty Twenty-Two theme or something like that, so I can switch. If I need to test things, I have another theme to switch over to, but all the other themes, get rid of ’em. And that goes with plugins too: the PHP files that are contained in the plugin or theme, if they’re there, they’re a risk, because those plugins need to be up to date. And sometimes, especially if it’s inactive, people won’t update the plugin because “I’m not using it.” But that’s where a security hole comes in. Outdated stuff or files that aren’t maintained, they get hacked pretty quickly. And to be honest, most of the time when I see a hacked site, it’s because they did not update plugins. So that’s important. I’m gonna drink some water.
Aaron Reimann (33:14):
All right, next one is avoid dumb plugins. I say dumb just in the aspect of plugins that, let me try to show you guys. So like Ninja Forms, I’m not saying Ninja Forms is dumb, I just happen to click on that one. I’ll tell you why Ninja Forms is a good, not a dumb, plugin. So one, Ninja Forms, it’s not at version one <laugh>, you know, which is good. It was updated recently. There’s a lot of active installs. It works with the newest version of WordPress. It’s tested up to 6.1.1, and it gets a lot of good ratings. Just kind of think of this when it comes to, I kind of compare plugins to shopping on Amazon. If only three people have reviewed this product and they give it three stars, I’m not gonna wanna buy that product.
Aaron Reimann (34:24):
And that’s the same thing with plugins. If you don’t have a lot of active installs and it’s under the number, and it kind of depends on which plugin; the more niche, or I think that’s how you pronounce that word, the more niche the plugin is, the lower the number of active installs, you know, it’s gonna plummet. But you wanna make sure that, you know, other people are using this plugin; you know, make sure you have at least a thousand people using this plugin, or you might not have all the reviews and things like that. Just again, think of it as, like, if you’re shopping on Amazon, would you buy this plugin? So those are some of the things you wanna look at. So that’s avoiding dumb plugins.
Aaron Reimann (35:16):
Disable XML-RPC. So what’s XML-RPC? Well, within WordPress, in the root of WordPress, there is a file called xmlrpc.php, and I disable that on all of my servers, actually in the web server, in nginx. I go in and tell it to not process that file if it’s there, because XML-RPC, the only reason you would use XML-RPC is if, at least, I could be wrong about this, so don’t quote me on this, but I’m 99% sure that I only need XML-RPC if someone is using the WordPress mobile app on their phone to log into the website. That’s how the mobile app authenticates off of the web server. And I have yet to have a single person that wants to have the WordPress mobile app installed on their phone, let alone use it.
Aaron Reimann (36:27):
But disabling XML-RPC is a good thing, because people will write scripts that will hit the XML-RPC file and try usernames and passwords over and over and over and over and over again. So that is definitely worth disabling. You can actually, there’s a plugin you can use called Disable XML-RPC, or you could remove the xmlrpc.php file. And when you update WordPress, it’s not going to reinstall the XML-RPC file. It’s just gone, gone, gone, gone. So that’s one thing I normally do. Disabling comments. This isn’t so much a security thing; it’s just more obnoxious if you’re doing, and drink some more water. If you’re doing a marketing site and you don’t have a blog and you don’t have comments and you don’t want people to comment on your site, there is a great plugin called Disable Comments. Let’s go find it.
Aaron Reimann (37:36):
This right here, great plugin. Again, it has a million active installs. It was updated two weeks ago. It works with the newest version of WordPress, et cetera, et cetera. So in my humble opinion, it’s a great, great plugin. One of the things that makes this even more important is that it allows you to turn off, you have a checkbox, basically, where you can tell it to disable comments on pages and/or posts, but I block it on everything. So you can block it where it blocks it at the XML-RPC level and at the REST API. So if you have no desire to have anyone post comments on the site, this is a good plugin to have installed. Again, not really a security thing, just more of a let’s keep the site clean and we don’t have to worry about spam comments and having to configure Akismet and things like that.
Aaron Reimann (38:40):
Again, use ManageWP or something like that. I use ManageWP a lot of times because, one, I get that backup, which is awesome, but they also have a way where you can set it up where it scans your site for malware. So that’s a good tool. I do pay for that, and I have that scanning on most of my sites out there. And then lastly, keep your plugins up to date. I mentioned it before: the number one problem is that people don’t keep their plugins up to date and they get hacked because of it. And that’s important. So there’s a lot you could do to secure your site. One of the things, and I know I’ve kind of slammed shared hosting, you know, if you are getting shared hosting and it’s $3 a month, I mean, I get it.
Aaron Reimann (39:42):
A lot of people don’t wanna spend the money, but it really boils down to how much is a secure site worth to you? If you’re just blogging and you’re not making money off of your site per se, or directly, I understand that shared hosting is the way to go. It’s cheap, it’s easy, and things like that. It’s just not as secure as doing something dedicated. So, you know, if you have a business and your website is your first introduction to this company, you know, how much is that worth, that the site’s fast, that it’s secure, that it doesn’t get hacked? You know, if your site does get hacked, that’s a big liability thing that can stain the name of a company for a while. So just try to stay away from shared hosting, and that’s pretty much it. I hope that helps. Feel free to reach out to me, comment, ask questions. I’m around on Twitter, a Ryman, and I would greatly appreciate a like and subscribe. So please do so. Thank you very much.