Security is a consideration if you have a website. There are concerns even if you don't have users. I manage some personal servers and websites on a bunch of different hosts. I've identified and repaired server-side and site-side hacks, and this is what I've gathered from experience.
Domain
Your domain is the first line of security for your website. It's also the key to any email on that domain. I always insist on and recommend that companies and individuals own their own domains. I say own, but in fact you are only leasing them from a domain authority. I recommend that you use a registrar that offers two-factor authentication. My two favorite registrars are Google Domains and NameCheap.
DNS
Your DNS (Domain Name System) provider controls where traffic to your site goes, so it's pretty important that it's reliable, performant, and secure. I recommend that you use either the DNS associated with your registrar or your host, because it's the easiest to manage.
Server
Your web host is the second most common target after WordPress. The majority of those publishing websites depend on others, like their ad agency, web development company, or hosting company, for server security. In that case, just make sure they are running up-to-date versions of the languages and databases that power your site. An easy way to check this is the Site Health screen in WordPress. Regardless, I'll just run through some server basics. The most important recommendation I can make is to keep regular backups of your databases and site. And the best advice I can give on server-side security is to pay attention.
- use SSH keys with passphrases for access
- remove all unnecessary software
- remove the default root accounts
- block all ports not in use
- don't run mail on the same server as your web host.
- run OSSEC and Lynis for intrusion detection, audits, and hardening
  - OSSEC – https://www.ossec.net/
  - Lynis – https://cisofy.com/lynis/
- run a global blacklist of IPs and referrers – https://code.davidawindham.com/david/custom.d
- use 7G Firewall – https://perishablepress.com/7g-firewall/
- watch logs and block abusive referrers and IPs.
- set your headers properly: X-XSS-Protection, Access-Control-Allow-Origin, and X-Frame-Options in particular
- make sure your log files are not in public directories.
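As an added example (not code from the original post) of the "watch logs and block referrers and IPs" item, this Python script parses constructed combined-format access-log lines, counts POSTs to wp-login.php and xmlrpc.php per address, and checks referrers against a hypothetical blocklist standing in for a list like custom.d; the threshold, the watched endpoints and the blocklist contents are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed combined-format access log (sample input, not a real server's
# log); 198.51.100.0/24 is a documentation address range.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
198.51.100.22 - - [10/Oct/2023:13:57:10 +0000] "GET /about/ HTTP/1.1" 200 8810 "http://spam-referrer.example/" "Mozilla/5.0"
198.51.100.31 - - [10/Oct/2023:13:58:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints a legitimate visitor rarely POSTs to more than a couple of times.
WATCHED_POSTS = {"/wp-login.php", "/xmlrpc.php"}
# Hypothetical referrer blocklist standing in for a list like custom.d.
REFERRER_BLOCKLIST = {"spam-referrer.example"}

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flag_ips(text, post_threshold=3):
    """Return {ip: reason} for addresses worth blocking at the firewall."""
    posts = Counter()
    flagged = {}
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["path"] in WATCHED_POSTS:
            posts[rec["ip"]] += 1
        host = urlsplit(rec["referer"]).hostname  # None for "-" or a bare path
        if host in REFERRER_BLOCKLIST:
            flagged[rec["ip"]] = f"referrer spam from {host}"
    for ip, n in posts.items():
        if n >= post_threshold:
            flagged[ip] = f"{n} POSTs to login/xmlrpc endpoints"
    return flagged
```

The GET of wp-login.php and the two xmlrpc.php POSTs stay under the default threshold, so the script reports only the three-attempt login source and the blocklisted referrer.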
WordPress
WordPress security does not mean installing a plugin and expecting it to work. Because WordPress powers so much of the internet, it's a common target, and a whole cottage industry has evolved around its security. The vast majority of hacks are simply designed either to implement some form of spam or to hold your site hostage for a fee. I've dealt with both of them and have spent a good amount of time repairing other websites that have been hacked. I've found a couple of simple techniques to be powerful enough to prevent 99% of the vulnerabilities.
- use as little third-party code as possible. There are tens of thousands of documented vulnerabilities in plugins and themes, e.g. https://wpscan.com/
- turn off file editing using
define('DISALLOW_FILE_EDIT', true);
in your wp-config.php file
- disable theme and plugin editing with
define('DISALLOW_FILE_MODS', true);
this also disables updates, but I turn off incremental upgrades in favor of running them manually. If you're not paying attention to the site, I recommend setting
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
as a way to pull minor updates only.
- move your wp-config.php file up a directory, outside of your public web directory.
- password protect your wp-login.php using either .htaccess (Apache) or the server configuration (nginx)
- block access to the xmlrpc.php file using .htaccess (Apache) or the server configuration (nginx) – this will stop the WordPress mobile app and a couple of features in Jetpack from working… do we need either?
- use a custom prefix for your database tables
- use a strong, database-specific password.
- change the user ID of the admins from 1, 2, 3, or 4 etc… to something like 34892.
- make sure your admin and editor users use strong passwords.
- use a non-standard installation by putting WordPress in a secondary directory.
- turn off remote connections using
define('WP_HTTP_BLOCK_EXTERNAL', true);
but make sure to allow any third-party hosts you still need using
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );
User Accounts
If you want a real challenge, create a social network with a BuddyPress or Multisite install that allows user registrations. Monitoring your users can be tricky enough. I always add a default feature on every site that displays the last login in the list of users, because it's an easy way to see who's in and out. Otherwise, these are my recommendations:
- make sure your admin and editor users use strong passwords.
- use
define('FORCE_SSL_ADMIN', true);
so that cookies and passwords are sent encrypted.
- don't allow multiple admin accounts unless needed.
- add more granular user permissions if you will have lots of users.
- use a captcha for user registrations and the login form.
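As an added example, not part of the original post, this Python audit checks a wp-config.php for the settings recommended in the WordPress list above (file editing, file mods or minor auto-updates, table prefix, outbound HTTP blocking) together with FORCE_SSL_ADMIN from the user-accounts list. The two sample configs are constructed; the finding texts and the rule that WP_ACCESSIBLE_HOSTS must include api.wordpress.org whenever WP_HTTP_BLOCK_EXTERNAL is set are my assumptions about what to flag.

```python
import re

# Constructed wp-config.php fragments (sample input, not from any real site); the
# curly quotes on WEAK_CONFIG's FORCE_SSL_ADMIN line mimic a paste from a web page.
WEAK_CONFIG = """<?php
$table_prefix = 'wp_';
define('DISALLOW_FILE_EDIT', true);
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define(\u2018FORCE_SSL_ADMIN\u2019, true);
define('WP_HTTP_BLOCK_EXTERNAL', true);
"""
HARDENED_CONFIG = """<?php
$table_prefix = 'x9k_';
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
define('FORCE_SSL_ADMIN', true);
define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com');
"""

DEFINE_RE = re.compile(r"""define\s*\(\s*(['"])(\w+)\1\s*,\s*(.*?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""")
CURLY_RE = re.compile("define\\s*\\([^)]*[\u2018\u2019\u201c\u201d]")  # PHP parse error

def parse_defines(source):  # constant name -> raw value text of each define('NAME', value);
    return {name: value for _, name, value in DEFINE_RE.findall(source)}

def is_true(defines, name):
    return defines.get(name, "").strip().lower() == "true"

def audit_wp_config(source):
    """Return the list of findings against the settings recommended above."""
    defines = parse_defines(source)
    findings = []
    if CURLY_RE.search(source):
        findings.append("a define() uses curly quotes; PHP will not parse it")
    m = PREFIX_RE.search(source)
    if not m or m.group(2) == "wp_":
        findings.append("database table prefix is the default wp_")
    if not is_true(defines, "DISALLOW_FILE_EDIT"):
        findings.append("DISALLOW_FILE_EDIT is not true")
    auto = defines.get("WP_AUTO_UPDATE_CORE", "").strip("'\"")  # minor-only auto updates
    if not is_true(defines, "DISALLOW_FILE_MODS") and auto != "minor":
        findings.append("neither DISALLOW_FILE_MODS nor WP_AUTO_UPDATE_CORE='minor' is set")
    if not is_true(defines, "FORCE_SSL_ADMIN"):
        findings.append("FORCE_SSL_ADMIN is not true")
    hosts = defines.get("WP_ACCESSIBLE_HOSTS", "")  # required once outbound HTTP is blocked
    if is_true(defines, "WP_HTTP_BLOCK_EXTERNAL") and "api.wordpress.org" not in hosts:
        findings.append("WP_HTTP_BLOCK_EXTERNAL set but WP_ACCESSIBLE_HOSTS omits api.wordpress.org")
    return findings
```

The weak sample yields four findings (the curly-quoted define is also reported as FORCE_SSL_ADMIN missing, since PHP never reads it), while the hardened sample yields none.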
One of my first recommendations on the server side is not to run mail on your web host. I've learned this the hard way running all kinds of incarnations of email on a server. It's OK if you don't want to use a third-party provider, just run it from a dedicated box. Trust me, folks want to use your mail server. Otherwise, it's important not to print email addresses online without obfuscating them. The same can be said of phone numbers too. Save your business, staff, and/or company the time of dealing with it.
- obfuscate email addresses and phone numbers
Spam
Email spam, comment spam, form spam… spam, spam, and spam. I've written about this on several occasions, and it's one of the most common questions I get. Here are some basic recommendations:
- always include a modern captcha on all forms.
- password protect forms that do not need to be public
- if you have a lot of commenting and do not want to use a captcha, install Akismet.
References:
- Domain – https://en.wikipedia.org/wiki/Domain_name
- Google Domains – https://domains.google/
- NameCheap – https://www.namecheap.com/
- DNS – https://en.wikipedia.org/wiki/Domain_Name_System
- OSSEC – https://www.ossec.net/
- Lynis – https://cisofy.com/lynis/
- custom.d – https://code.davidawindham.com/david/custom.d
- WP Scan – https://wpscan.com/
- Nginx Password Protection – https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
- Apache Password Protection – https://httpd.apache.org/docs/2.4/programs/htpasswd.html
- No, I Can’t Stop Your Spam ( Part 3 ) – https://davidawindham.com/no-i-cant-stop-your-spam-part-3/
- Google reCaptcha – https://developers.google.com/recaptcha/
- Akismet – https://akismet.com/