Ensuring WP Gutenberg Installation Secure | White Paper

Heather Robbins, (320) 403-2433, [email protected], cohlab.com, St. Cloud, Minnesota


Introduction

In this whitepaper, we’ll take a detailed look at how to secure your WordPress Gutenberg installation. WordPress is the most common Content Management System for websites, which makes it a frequent target for hackers. With the recent update to 5.0, it’s a good time to refresh your website’s security measures.

With this whitepaper, you can significantly improve the security of your website.


General Security

Usernames

When a WordPress website is first set up, the username is “admin.” Because every installation starts with the same username, hackers always try it first, which saves them some of the work. They’ll also try similar words, like “root,” “webmaster,” “administrator,” your business name or your name.

If your site still uses the default username, change it; that adds an extra layer of defense against brute-force attacks.

Passwords

“123456”, “123!@#ABC”, and “Password!” are unfortunately still very common passwords. A weak password puts your entire website at risk. A dictionary attack tries as many candidate words as it can, and choices like these examples are first on the list.

Safe passwords should mix upper- and lowercase letters, numbers and special characters. There are also plugins that require you to change your password on a regular schedule, and a password manager can help you keep track of the passwords you choose.
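The character-class rule above is easy to satisfy with a decorated dictionary word, which is exactly what a dictionary attack tries next. The following Python check is an added example, not code from the whitepaper or from any plugin it names: it applies the class rules, then normalises the candidate (strips leading and trailing digits and symbols, undoes common letter substitutions) and compares the result against a common-password list. The list, the substitution table and the 12-character minimum are assumptions of this example; a real deployment would load a full breached-password list instead.

```python
import string

# Constructed stand-in for a real common/breached-password list; a production
# check would load a much larger list (or query a breach service) instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "admin", "wordpress",
}

# Substitutions that attackers' wordlists already expand, so they add no strength.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "$": "s", "7": "t"})

# Minimum length is an assumption of this example; the whitepaper specifies
# only the character classes.
MIN_LENGTH = 12


def base_word(password):
    """Reduce a password to the word it was probably built from: drop leading
    and trailing digits/punctuation, lower-case it, undo common substitutions.
    "P@ssw0rd1!" -> "password"."""
    core = password.strip(string.digits + string.punctuation)
    return core.lower().translate(LEET_MAP)


def password_problems(password, common=COMMON_PASSWORDS):
    """Return the list of policy rules the password fails; an empty list means
    it passes. The dictionary check runs on the normalised word, so decorating
    a common word with symbols and digits does not get it past the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in common:
        problems.append("in common-password list")
    elif base_word(password) in common:
        problems.append(f"derived from common word '{base_word(password)}'")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "123!@#ABC", "Password!", "P@ssw0rd1!",
                      "Glacier-Teapot-49Zx"):
        verdict = password_problems(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The interesting case is "P@ssw0rd1!": it has every character class the policy asks for, yet normalises to "password" and is rejected. Checks like this belong on the server side (a plugin hook on password change), not only in the browser.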

Updates

Whether you’ve just updated to WordPress 5.0 or plan to soon, it’s essential to update your plugins as well. WordPress and plugin updates usually include patches for newly identified security vulnerabilities. If you put off upgrading for too long, your website becomes an easier target for hackers than your neighbors’ sites.

Updating plugins can be handled through WordPress with the click of a button. But any time you update WordPress or a plugin, it’s important to have a backup of your site in case something breaks.

Backups

Before making any updates or changes to your website, make sure you have a recent backup. If something breaks or doesn’t behave the way you expect, you can roll back to the last working version.

Having backups created regularly also protects you against a hack or other attack. Automatically back up both your files and your database for complete protection. There are plugins which can handle this as well.
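The two preceding sections describe one procedure: back up files and database, then update. The Python script below is an added example and is not from the whitepaper or any plugin it mentions. It reads the database constants from wp-config.php (so the dump uses the same credentials WordPress does), archives the site tree with a SHA-256 sidecar for later verification, and builds a mysqldump invocation that passes the password through the MYSQL_PWD environment variable instead of the command line. The directory layout, file names and the pre_update_backup wrapper are assumptions of this example.

```python
import hashlib
import os
import re
import subprocess
import tarfile
import time
from pathlib import Path

# Matches define('DB_NAME', 'wordpress'); with either quote style and optional spaces.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_db_settings(wp_config_text):
    """Extract the database constants from wp-config.php so the dump uses the
    same credentials WordPress itself uses."""
    settings = dict(_DEFINE_RE.findall(wp_config_text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - settings.keys()
    if missing:
        raise ValueError(f"wp-config.php is missing {sorted(missing)}")
    return settings


def mysqldump_command(settings, out_file):
    """Build the argv and environment for mysqldump. The password goes in the
    MYSQL_PWD environment variable rather than on the command line, so it does
    not show up in the process list."""
    host, _, port = settings["DB_HOST"].partition(":")
    argv = ["mysqldump", "--single-transaction", "--host", host or "localhost"]
    if port:
        argv += ["--port", port]
    argv += ["--user", settings["DB_USER"], "--result-file", str(out_file),
             settings["DB_NAME"]]
    return argv, {"MYSQL_PWD": settings["DB_PASSWORD"]}


def backup_files(site_root, backup_dir):
    """Archive the whole site tree and write a SHA-256 sidecar so the archive
    can be verified before a restore. Returns (archive_path, sha256_hex)."""
    site_root, backup_dir = Path(site_root), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = backup_dir / f"{site_root.name}-files-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_root), arcname=site_root.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def pre_update_backup(site_root, backup_dir):
    """Back up files first, then the database; run this before every core or
    plugin update. Needs a real site tree and mysqldump on PATH."""
    archive, digest = backup_files(site_root, backup_dir)
    settings = parse_db_settings((Path(site_root) / "wp-config.php").read_text())
    dump_file = Path(backup_dir) / archive.name.replace("-files-", "-db-").replace(".tar.gz", ".sql")
    argv, env = mysqldump_command(settings, dump_file)
    subprocess.run(argv, env={**os.environ, **env}, check=True)
    return archive, digest, dump_file


if __name__ == "__main__":
    print(pre_update_backup("/var/www/html", "/var/backups/wordpress"))  # paths are placeholders
```

Two caveats: a DB_HOST written in socket form ("localhost:/path/to/mysqld.sock") is not handled by the host:port split, and the backup directory must live outside the web root, or the archive (which contains wp-config.php and its credentials) becomes downloadable.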


Security Plugins*

For a WordPress Gutenberg installation, it’s important to note which security plugins are actually compatible with Gutenberg and WordPress 5.0. Luckily, we have a database where you can cross-check any plugin (as of publication) to see if it will work with Gutenberg: http://bit.ly/GutenbergPluginCompat

The plugins below are all free. There are paid plugins which perform similar functions, but for our purposes we try to recommend the most reliable free plugins we can find.

WPS Hide Login

WPS Hide Login will most likely work with a WordPress Gutenberg installation.

When your website was created, the login page was automatically set to www.sitename.com/wp-login or www.sitename.com/wp-admin. This makes it easy for you to log in to your site, but it also makes it easy for hackers to find the page and start trying usernames and passwords.

If you change the URL to something harder to guess or rotate your URL regularly, that makes it just that much harder for someone to get in. WPS Hide Login allows you to adjust the URL of your login page easily.

Limit Login Attempts Reloaded

Limit Login Attempts Reloaded will most likely work with a WordPress Gutenberg installation.

Let’s say a hacker or bot finds your login page. Maybe they try 1,000 or 10,000 different username and password combinations and break in. Better hope you have a good backup.

If you have a way to limit the number of login attempts, you can remove a lot of future headaches. With Limit Login Attempts Reloaded, you can cap login attempts at 5, 10 or whatever number you’d like, reducing the likelihood of a successful brute-force attack.
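A lockout plugin acts inside WordPress; the same threshold can be checked from the web server's access log, which also catches the case the next section raises, a guess that eventually succeeds. The Python detector below is an added example, not code from the whitepaper or from Limit Login Attempts Reloaded. It relies on one WordPress behaviour: a failed POST to /wp-login.php re-renders the form with HTTP 200, while a successful one redirects with 302. The sample log lines are constructed (documentation IP ranges), and the 5-failures-in-15-minutes threshold is an assumption matching the numbers in the text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log. One client fails five times and then gets in; another
# mistypes once; a third never touches the login page.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2019:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2019:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Mar/2019:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Mar/2019:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Mar/2019:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does
    not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect_login_abuse(lines, max_failures=5, window=timedelta(minutes=15)):
    """Alert once when an IP reaches max_failures failed POSTs to /wp-login.php
    inside the sliding window, and alert again if an IP with that many recent
    failures then receives a 302, i.e. a guess succeeded."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if status == 302:
            if len(recent) >= max_failures:
                alerts.append({"ip": ip, "time": ts,
                               "reason": f"successful login after {len(recent)} failures"})
            recent.clear()
            locked.discard(ip)
        elif status == 200:
            recent.append(ts)
            if len(recent) >= max_failures and ip not in locked:
                locked.add(ip)
                alerts.append({"ip": ip, "time": ts,
                               "reason": f"{len(recent)} failed logins within {window}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']:%Y-%m-%d %H:%M:%S} {alert['ip']}: {alert['reason']}")
```

Behind a CDN or reverse proxy the first log field is the proxy's address, so the real client must be taken from the X-Forwarded-For header the proxy adds (and only trusted when it comes from that proxy); otherwise every visitor shares one counter and the lockout hits everyone at once.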

No Captcha reCAPTCHA

No Captcha reCAPTCHA will most likely work with a WordPress Gutenberg installation.

If a bot finds your website login page and tries to break in, they can enter those 5 or 10 password combinations you’ve limited them to with the previous plugin. But what if they guess right?


With No Captcha reCAPTCHA, you can block all robots from trying to gain access to your site. This test only allows humans who are physically attempting to enter usernames and passwords to attempt a login - bots won’t be able to click the “login” button anymore.

iQ Block Country

It’s still unknown if iQ Block Country will work with a WordPress Gutenberg installation.

So now we’ve blocked all of the robots. But what about bad actors from specific nations? If a majority of hackers are attempting to enter your website from Russia, China or India, wouldn’t it be a good idea to block those countries? Unless, that is, you are trying to attract users from those nations as well.

With iQ Block Country, you can prevent entire countries from seeing your website or attempting to log in.

No Comments

It’s still unknown if No Comments will work with a WordPress Gutenberg installation.

Finally, comments can be used by hackers and spammers to slow down your website, to feed traffic to their own websites, or as an attack vector to gain access to your website.

With No Comments, you’ll remove the ability to add comments to your website completely, eliminating the headache of spammers and hackers from your mind.

WordFence Plugin*

WordFence will work with a WordPress Gutenberg installation.

The WordFence plugin is a paid plugin. This plugin can handle nearly all of the features of the plugins above, all under a single umbrella. If you’re looking for one plugin to do it all, a subscription with WordFence might be the ticket.

*Remember to do your own research and due diligence before installing plugins or other software on your website, or partnering with a website design agency.