4 Security Checkpoints for Hardening WordPress

What can you do to make your WordPress website secure?


This question comes up every now and then, in one of these forms:

  • How do I harden WordPress to make it hack-proof?
  • Which security plugins do I need?
  • Do I need all these security plugins?
  • Is there a security plugin that does it all?

Before we begin demystifying things, here is the rule of thumb for security:

Security is not a plugin — Security is a mindset.

That is because security is an outcome of security "practices" far more than of software "functionality". No software is perfect; what determines the outcome is how carefully you configure, update and watch what you have, pretty much like everything else in life.

Stopping a Real-Life Hacker

Let's keep things simple. Instead of going through advanced attack vectors, here is a plain walk-through of how an attacker works their way into your website, with a countermeasure for each step along the way.

1. Firewall for Network

An attacker has to reach the website over the network; that is the first step along the way. A firewall filters requests before they reach your website's code. There are several types of firewall. At the very least you need a web application firewall, which for WordPress usually comes as a plugin, server module or add-on. Wordfence, Sucuri and Ninja Firewall are among the best plugins for setting one up. One caveat worth knowing: a plugin firewall runs inside PHP, so it only sees requests that the web server has already handed to WordPress (unless the plugin hooks in earlier through PHP's auto_prepend_file). A request aimed straight at a stray PHP file under wp-content/uploads never loads WordPress at all, so a server-level firewall such as ModSecurity in front of Nginx or Apache catches things a plugin cannot.
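To make the "filter before it reaches the site" idea concrete, here is a small request filter of the kind a WordPress firewall plugin implements, added as an example and not code from this page or from any of the plugins named above. It combines a handful of signature rules (XML-RPC, PHP under uploads, path traversal, a basic SQL injection pattern) with per-IP rate limiting of login POSTs, and replays constructed access-log lines through it. The rule set, thresholds and sample traffic are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Nginx/Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Signature rules, matched against the URL-decoded request target. A hypothetical
# rule set, typical of what a WordPress firewall plugin ships with.
SIGNATURES = [
    ("xmlrpc", re.compile(r"^/xmlrpc\.php", re.I)),          # pingback and brute-force amplifier
    ("php-in-uploads", re.compile(r"^/wp-content/uploads/.*\.php(\?|$)", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli", re.compile(r"(union\s+select|'\s*or\s+1\s*=\s*1)", re.I)),
]

LOGIN_LIMIT = 5                       # POSTs to wp-login.php allowed per IP ...
LOGIN_WINDOW = timedelta(minutes=5)   # ... inside this sliding window


class RequestFilter:
    """Stateful filter: signature rules plus per-IP login rate limiting."""

    def __init__(self):
        self._login_posts = defaultdict(deque)   # ip -> timestamps of recent login POSTs
        self._banned = set()

    def check(self, ip, method, target, ts):
        """Return None to allow the request, or the name of the rule that blocks it."""
        if ip in self._banned:
            return "banned"
        decoded = unquote(target)
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                return name
        if method == "POST" and decoded.split("?", 1)[0] == "/wp-login.php":
            recent = self._login_posts[ip]
            recent.append(ts)
            while recent and ts - recent[0] > LOGIN_WINDOW:
                recent.popleft()
            if len(recent) > LOGIN_LIMIT:
                self._banned.add(ip)
                return "login-rate-limit"
        return None


def filter_log(lines):
    """Replay access-log lines through the filter; returns (ip, target, decision) per line."""
    waf = RequestFilter()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        decisions.append((m["ip"], m["target"], waf.check(m["ip"], m["method"], m["target"], ts)))
    return decisions


# Constructed sample traffic (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2104',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /?s=%27%20or%201%3D1 HTTP/1.1" 200 8812',
    '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /wp-content/uploads/2023/10/shell.php HTTP/1.1" 404 153',
    '192.0.2.1 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 403 153',
    '192.0.2.1 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 54011',
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:57:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2104'
    for i in range(6)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "GET / HTTP/1.1" 200 30211',
]

if __name__ == "__main__":
    for ip, target, decision in filter_log(SAMPLE_LOG):
        print(f"{decision or 'allow':18} {ip:14} {target}")
```

The sixth login POST from 198.51.100.7 inside the window trips the rate limit, and every later request from that address is rejected outright; the signature hits block on the first matching request. The order matters: signature checks run before the login counter, so the filter never does bookkeeping for a request it would refuse anyway.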

2. Server, Application Hardening

No firewall is perfect, so some malicious traffic will still reach your hosting, website or application. If the host or the site is misconfigured, chances are the attacker will get in. Securing the hosting and application layer takes either a manual audit and configuration pass or a plugin that automates part of it. The usual hardening checklist for WordPress: keep core, themes and plugins updated and remove anything unused; disable the dashboard theme and plugin editor; use proper salts and a non-world-readable wp-config.php; tighten file permissions so nothing is world-writable; block PHP execution under wp-content/uploads; and turn off XML-RPC if you do not use it. A plugin can automate some of these; the rest, and anything on the server side (web server, PHP, database), still has to be done by hand.
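The manual part of that audit is easy to script. The following is an added example, not code from this page or from any plugin it mentions: it reads wp-config.php for the defines that matter, checks the file's mode, walks the install for world-writable paths, and returns a list of findings. The sample install it builds in a temporary directory is constructed for the example, with a "weak" variant reproducing the common mistakes and a hardened one that should come back clean; the specific checks and thresholds (such as a 32-character minimum for salts) are the author's assumptions here, not a WordPress standard.

```python
import os
import re
import secrets
import stat
import tempfile

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)""", re.I
)
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what wp-config-sample.php ships with


def parse_defines(php_source):
    """Map define() names to literal values: 'true'/'false' or the unquoted string."""
    defines = {}
    for name, value in DEFINE_RE.findall(php_source):
        low = value.lower()
        defines[name.upper()] = low if low in ("true", "false") else value.strip("'\"")
    return defines


def audit_wp_config(path):
    findings = []
    with open(path, encoding="utf-8") as fh:
        defines = parse_defines(fh.read())
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin editor can write PHP")
    if defines.get("WP_DEBUG") == "true" and defines.get("WP_DEBUG_DISPLAY") != "false":
        findings.append("WP_DEBUG is on and errors are displayed: paths and queries leak to visitors")
    weak = [k for k in SALT_KEYS
            if PLACEHOLDER in defines.get(k, "") or len(defines.get(k, "")) < 32]
    if weak:
        findings.append("placeholder, missing or short salts: " + ", ".join(weak))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"wp-config.php is world-readable (mode {mode:04o}); it holds the DB password")
    return findings


def audit_permissions(root):
    """Flag anything world-writable: such a directory lets any local process drop a PHP file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH:
                findings.append(f"world-writable: {os.path.relpath(path, root)}")
    return findings


def audit_install(root):
    return audit_wp_config(os.path.join(root, "wp-config.php")) + audit_permissions(root)


def build_sample_install(weak):
    """Create a throwaway, constructed WordPress-like tree; weak=True reproduces common mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    lines = ["<?php", "define( 'DB_PASSWORD', 'hunter2' );"]
    lines += [f"define( '{k}', '{PLACEHOLDER if weak else secrets.token_hex(32)}' );"
              for k in SALT_KEYS]
    lines.append(f"define( 'WP_DEBUG', {'true' if weak else 'false'} );")
    if not weak:
        lines.append("define( 'DISALLOW_FILE_EDIT', true );")
    lines.append("$table_prefix = 'wp_';")
    config_path = os.path.join(root, "wp-config.php")
    with open(config_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(config_path, 0o644 if weak else 0o600)
    for d in (os.path.join(root, "wp-content"), uploads):
        os.chmod(d, 0o777 if weak else 0o755)   # chmod 777 "to make uploads work" is the classic mistake
    return root


if __name__ == "__main__":
    for label in ("weak", "hardened"):
        root = build_sample_install(weak=(label == "weak"))
        print(f"[{label}] {root}")
        for finding in audit_install(root) or ["no findings"]:
            print("  -", finding)
```

Run it against a real install by calling audit_install with the WordPress root; it needs only read access to the tree and to wp-config.php. It deliberately does not try to judge group permissions, because whether the web server user should share a group with the deploy user depends on the host.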

3. Security Breach: The Hackers Are in Already

Once the attackers are in, the best you can do is clean up the website and reinstate it; in the worst case you throw it away and start afresh on new hosting with fresh code. Either way, treat every secret the site held (database password, salts, admin accounts, API keys, FTP and SSH logins) as compromised and rotate it, and restore from a backup taken before the compromise where you have one, because a cleanup that misses a single backdoor just means the attacker comes back.

If you do want to clean up a hacked website, you can again either do it manually or use a plugin to automate some of the steps. That is where malware scan and removal plugins come in. Bear in mind that a signature scanner only finds what it has signatures for; a freshly written backdoor can pass unnoticed, which is why comparing the install against known-good checksums (the WordPress.org core checksums, or a copy you trust) is the more reliable check.
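Here is what the two halves of that check look like in practice, as an added example that is not code from this page or from any malware-removal plugin: a baseline of SHA-256 hashes taken from a clean tree, then a scan that reports files added, modified or removed relative to that baseline, flags PHP under wp-content/uploads, and runs a few content signatures for common backdoor idioms. The install it builds, the injected payload and the signature list are all constructed for the example; for the real core files you would take the baseline from the WordPress.org checksums instead (wp-cli's wp core verify-checksums does exactly this).

```python
import hashlib
import os
import re
import tempfile

# Content signatures for common PHP backdoor idioms (a hypothetical rule set).
SIGNATURES = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request-to-shell",
     re.compile(r"(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("long-base64-blob", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Relative path -> sha256 for every file under root; taken on a clean install, this is the baseline."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = hash_file(path)
    return manifest


def scan_install(root, baseline):
    """Return sorted (finding, relative_path) pairs: integrity drift plus content signatures."""
    findings = []
    current = hash_tree(root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("added", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
        if rel.lower().endswith(".php"):
            if rel.startswith("wp-content/uploads/"):
                findings.append(("php-in-uploads", rel))   # uploads should never hold executable code
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            for name, pattern in SIGNATURES:
                if pattern.search(source):
                    findings.append((name, rel))
    findings += [("removed", rel) for rel in baseline if rel not in current]
    return sorted(findings)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as fh:
        fh.write(data)


def build_clean_install():
    """Constructed stand-in for a fresh WordPress tree; returns (root, baseline manifest)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    _write(root, "index.php", "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    _write(root, "wp-includes/functions.php", "<?php\nfunction wp_hello() { return 'hello'; }\n")
    _write(root, "wp-content/uploads/2023/photo.jpg", b"\xff\xd8\xff\xe0JFIF")
    return root, hash_tree(root)


def simulate_compromise(root):
    """Constructed post-compromise state: a loader appended to a core file, a web shell in uploads."""
    with open(os.path.join(root, "wp-includes/functions.php"), "a") as fh:
        fh.write("eval(base64_decode('ZWNobyAnb3duZWQnOw=='));\n")   # decodes to: echo 'owned';
    _write(root, "wp-content/uploads/2023/cache.php", "<?php system($_GET['cmd']);\n")


if __name__ == "__main__":
    root, baseline = build_clean_install()
    print("clean:", scan_install(root, baseline))
    simulate_compromise(root)
    for finding, rel in scan_install(root, baseline):
        print(f"{finding:24} {rel}")
```

The integrity diff is the part that does not depend on knowing the attacker's tricks: the injected loader is caught both by its signature and by the changed hash, and the dropped shell is caught three times over. Store the baseline manifest off the server (an attacker with write access to the tree can also rewrite a manifest kept beside it).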

4. Is There a Plugin That Does Firewall, Security Hardening and Malware Scan / Removal?

We all wish there were a one-stop solution to keep things simple. However, such a plugin would be a challenge to build, implement and keep maintained while still delivering top-level functionality in every one of those areas.

To quote Doug McIlroy on Unix programming philosophy:

Write programs that do one thing and do it well. Write programs to work together.

The idea behind this is to kill software bloat and deliver top-quality functionality.

So the short answer is: you can install one or more security plugins, but be careful about what you actually need and what actually works. Installing multiple plugins without forethought results in bloat and conflicts between them, slowing your website down or even breaking it.

Installing one plugin and leaving the entire security domain to it leaves huge gaps.

Installing one well-chosen plugin for each layer (firewall, hardening, malware scanning) is your best bet.


This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her expertise spans network security, security audits and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tools like Nginx, ModSecurity and reverse proxies, developing web application firewalls, and doing on-the-fly asset optimization with Google's PageSpeed Module. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.