Easy ways to secure your WordPress website for free
Website security is the difference between you losing control of your website, or standing strong. Not all security goals need to cost money, and in this guide, you’ll learn about some free tried and true ways to secure your WordPress website.
All In One WP Security
I’ve only ever used the free version of the AIO WP Security plugin, as it has everything I need, and I’ve been using it for as long as I have been building WordPress websites. It literally does a huge amount of work for a security plugin. Here are some of the very important things it does, but there are many more.
- Blocks user enumeration
- Provides a Web Application Firewall (WAF)
- Makes the login system use generic error messages so you’re not leaking as much intel to hackers.
- Blocks brute force login attacks
- Prevents your site from appearing inside of someone else’s website through iframes (e.g., a phishing site).
- Provides 2FA options
OWASP Top 10
OWASP and SANS are synonymous with application security. If you have been in the field for any length of time, you will have heard about these businesses. Both provide things for free, including loads of free information to help you secure your business.
The OWASP Top 10 is the list of the most prevalent security problems as of the year the list comes out (about every 3-4 years). The list for 2021 is the latest as of writing this, and below are the items on that list, in order from most prevalent to least prevalent.
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
You’ll want to take a deep dive into these to make sure that you’re not affected by them, using tools like the OWASP Zed Attack Proxy (ZAP).
OWASP ZAP
OWASP Zed Attack Proxy (ZAP) is a tool to test your website for vulnerabilities, including those on the Top 10. The Top 10 is more of an abstract list of items, including ones you may be unfamiliar with, so the free OWASP ZAP tool uses its own implementations of checks to investigate whether you’re vulnerable to any of those items. Website security is a field of its own, but if you just want to know where your website is weak, and use one of the tools many hackers use, then check out OWASP ZAP.
Other Things To Use
These are just some of the tools you can use, and I recommend looking into the following other tools you could use to secure your website.
- W3 Total Cache – There are lots of security headers, such as CSP, HSTS, and others.
- Cloudflare Free – Protects your DNS, and protects you from DDoS attacks, and more.
- Metasploit – A very powerful professional-grade tool to test your website for vulnerabilities. (OWASP ZAP on steroids)
- Reduce how much your server does by uninstalling and deleting unneeded plugins and themes, and only keeping the ones you’re using.
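Once a plugin is configured, it's worth confirming that the headers mentioned above (HSTS, CSP) and the iframe protection from the AIO WP Security list are actually being sent. The following is an added example, not code from the original post or from any of the plugins; the sample header sets, the finding names, and the 180-day HSTS threshold are assumptions made up for illustration.

```python
import re

# Constructed sample response headers (not captured from a real site).
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}

MIN_HSTS_AGE = 15552000  # 180 days; threshold assumed for this example


def audit_headers(headers):
    """Return a sorted list of findings for HSTS, CSP and framing protection."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts-short-max-age")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    # Split the policy into directives: name -> list of source values.
    directives = {}
    for part in (csp or "").split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])

    # Framing is restricted by CSP frame-ancestors or by X-Frame-Options.
    ancestors = directives.get("frame-ancestors")
    csp_blocks = ancestors is not None and "*" not in ancestors
    xfo_blocks = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not (csp_blocks or xfo_blocks):
        findings.append("framing-allowed")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_headers(SAMPLE_WEAK), audit_headers(SAMPLE_HARDENED))
```

To check your own site, pass `audit_headers` the response headers of your home page as a dictionary; an empty list means all three protections were found.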
Conclusion
These security measures do not guarantee that your site is bulletproof. In fact, your site will never BE bulletproof, as there’s always a way to hack everything. However, they’ll significantly reduce your chances of being hacked, as botnets will scan for vulnerable sites, and when they find a weak site, they’ll run some exploits to attack it. Then the hacker can see which ones they now have control of, and perhaps they’d make YOUR site part of their botnet. So, don’t let that happen to you.
Has your website ever been hacked? How did you handle it?