How to Perform a Site Security Audit and Stop Attacks
We live in a world where WordPress sites are under constant threat of brute force attacks. If you are trying to make money from your website, it’s imperative you protect yourself as much as possible.
If you have ever wondered how to perform a site security audit, we’ve got you covered.
Put down the paper bag. Don’t panic. It’s not as hard as you think.
The 4 Most Common Problems
Why is your WordPress website under threat of a cyber attack? The answer is that this platform now powers roughly 35% of the world’s websites.
If a hacker is WordPress savvy, why wouldn’t they go after these sites? When people want to make money blogging, looking into building a secure website is usually low on their priority list. Until they’re attacked.
Here are some of the ways hackers can get into your website:
- Hosting
- Passwords
- Themes
- Plugins
These are all things that even new website owners can fix and control today.
1. Hosting
The top way hackers climb into your website is through your hosting provider.
Using a cheap host that doesn’t properly secure their servers is going to end up getting you hacked.
Or even worse, you could get your website cloned.
This problem is usually derived from disreputable companies trying to cut corners.
Finding a great secure WebHost is easy and relatively inexpensive.
The top names in the hosting business are companies you’ve probably heard of such as HostGator, DreamHost, Bluehost, and SiteGround.
Their payment structures differ slightly but most of them offer cheaper services if you agree to sign up for long-term, multi-year contracts. Setting up your affiliate website on a secure host is setting yourself up for success.
2. Passwords
It’s bizarre to think about passwords being so easy to hack in the modern era. However, you may be surprised at just how many people still have password1234, qwerty1234 or something “easy-to-guess” as their WordPress password.
What’s even worse is how many people use the same password for everything. Their WordPress site, their bank, their email, all with the same easy-to-crack password.
This is an easy problem to fix. Some people like to use password generators. While this is fine for the most part, I think there are better ways.
Come up with your own password formula and physically write down the formula as well as the password for each website. Then keep this in a safe place.
When coming up with your formula, use a combination of imagination and discretion. What means something to you that isn’t going to be easily found online? Let’s take your child’s middle name. Let’s say it’s Aiden.
You could go with something like “my son Aiden” but switch it up.
m$ndn2010 – This is “my son Aiden” with the vowels taken out and a $ symbol to replace the “s” along with the fictional birth year of my kid.
My$0n@id3n2010 – Here I used a combination of symbols and numbers to replace some of the letters
Ideally, your password won’t be anything like this.
In a perfect world, your password shouldn’t be a real word at all. This is why I recommend writing it down physically and not storing it anywhere online.
If password management is one of your main concerns, there are several tools out there that can help. LastPass is one of the best.
LastPass is a password management app that works kind of like your own personal storage unit for passwords.
You can keep passwords for Amazon, WordPress sites, and even streaming services. There is a free version and a free trial of the premium version, which is only $3-$4 a month.
Pro-tip: Change your username from “admin” to something else. While this isn’t a password, using “admin” as a username is taking one step away from your security.
Do yourself a favor. If something this simple can deter hackers, it’s worth the trouble every time.
3. Themes
Whenever you set up your first WordPress site, the first thing to do is delete the free themes that come pre-installed. Never use a free theme.
If you paid for a theme but you notice it hasn’t been updated in over a year, it’s time to find a replacement.
Theme developers update their work mostly to patch up holes in the theme’s security.
If they aren’t updating, this means security issues aren’t being fixed and with every WordPress core update, the holes could be getting larger.
The best recommendation is fitting in a quality, premium WordPress theme into your budget.
You want something with tech support and constant updates. I’m a big fan of GeneratePress.
It’s a regularly updated theme with lots of bells and whistles.
Even if you don’t want to personally use it, check out everything the developers offer and compare these features to something you do want.
Most websites that sell themes have information on how often they are updated.
You can find this information with a quick Google search and look for what pops up from wordpress.org. It should be near the top of the SERPs.
4. Plugins
One of the biggest issues in performing a site security audit is going to be with plugins.
Website owners are infamous for not only having too many plugins but also for keeping around unused plugins and not updating the ones they have and use.
Similar to WordPress themes, developers for plugins use updates to not only enhance performance but fix bugs and potential security problems.
Go through your website’s back end and find unused plugins.
Delete them and immediately update anything that’s out of date.
Next, go through all of your used plugins and do some research into how often they are updated.
If a plugin isn’t being updated at least once per year, it’s time to shop around for something better.
On a different note: stay away from the so called “nulled” plugins.
There are also nulled themes available online.
These are premium plugins and themes that have had their code altered to make them available for free.
These nulled plugins and themes are easy to hack and you should NEVER use them.
Speaking of plugins, there are some out there, free and premium, that can help with your security. Here are a few of the best.
Sucuri Security
Sucuri is a free plugin that also has a premium version. This plugin is owned by GoDaddy and has a dedicated team assigned to it.
It monitors activity, files, blocklists, and scans for malware.
You’ll also receive notifications about any security issues or updates.
My only issue is that the premium plans for this service are not cheap.
The plugin is technically free but you’ll need a premium plan to have access to their firewall system.
The cheapest plan is their Basic Platform, which costs roughly $200 per year.
iThemes Security
If you haven’t heard of this plugin before, maybe it’s because it used to be known as Better WP Security.
This plugin has over one million installations and more than 3,000 five-star ratings.
iThemes has a slightly different setup than Securi.
When you download this plugin, you’ll choose between six different templates so you can help them to help you.
The majority of people using this plugin will choose either the Blog or eCommerce option.
Some of the fantastic features included with this plugin are two-factor authentication when you log in to your website and password requirements that everyone with access to your website has to follow.
If you decide to spring for the Pro plan, you’ll get access to Google reCAPTCHA integration, which will help deter bots and hackers, as well as passwordless logins and the ability to identify trusted devices.
The Blogger plan is $80 a year. It’s worth the money.
Wordfence Security
This is the most popular security plugin for WordPress.
It has more than 4 million installations and 3,500 five-star ratings.
This plugin is known for combining simplicity and strong protection tools for websites.
What this means for you is that you can protect your blog or affiliate site without having to be a coder or cybersecurity professional.
The premium version of this plugin sells for $99 per website, but it honestly isn’t needed.
The free version will protect your website just fine.
With the free plan, you’ll have access to something a lot of other security plugins don’t have for free, which is a full firewall suite.
You can block entire countries as well as manual blocking.
Wordfence offers brute force protection and real-time threat defense.
If you want malware and spam protection, this plugin has you covered for free.
One of the coolest features is it monitors your plugins for you. It will let you know if your plugins aren’t being updated and you need to find a replacement.
Wordfence is the best overall bang for your buck. And by buck, I mean zero.
Conclusion – How to Perform a Site Security Audit and Stop Attacks
As you can see, with just a few changes, you can keep your website safe. Stay away from sketchy nulled plugins and themes and spend the extra time to come up with solid passwords.
The majority of hackers use ignorance and laziness to their advantage. You can keep yourself from being a victim with just 5-10 minutes a day.
by Gael Breton
Gael is one half of the Authority Hacker duo. He loves to test and play around with new ideas and concepts and is always working on experimenting with the latest and greatest marketing strategies.