WordPress Security

1. What are some of the security vulnerabilities with WordPress websites?

Most plugins and themes are made by third parties, so there is a risk that they contain exploitable vulnerabilities due to poor security practices, or even that they contain malware themselves. A more specific vulnerability is cross-site scripting (XSS), where malicious script is injected into your website's pages and runs in the browsers of its visitors. Another is SQL injection, where SQL statements are inserted through a website URL and reach the database server behind the site.

2. How do you harden a WordPress website? Mention at least 15-20 different settings, techniques or tricks.

1. Complex passwords (using letters, symbols, uppercase and lowercase, avoiding dictionary words)

2. 2 factor authentication

3. Security plugins

4. Using secure file connections (SFTP)

5. Update themes, plugins, and WordPress itself as soon as updates are released

6. Only give permissions/roles that meet user requirements, but no more than that (Principle of Least Privilege)

7. Limit number of login attempts

8. Make backups on a regular basis

9. Make plans to recover your site if it is compromised

10. Disable your default admin login URL and replace it with a custom one

11. Keep track of dashboard activity (the WP Security Audit Log plugin can help with this)

12. Block bad actors from your site

13. Sanitize all data received from users before it is displayed/used

14. Use SSL

15. Don’t use more plugins than necessary. If you overdo it, you are creating more potential entry points for hackers

16. Limit vulnerabilities on your computer itself. For example, make sure to keep your operating system and browser up to date, as well as ensure general security on your computer
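As an added example (not part of the original answers), here is item 7 implemented as a small WordPress must-use plugin: it counts failed logins per client IP in a transient and refuses further authentication once a threshold is reached. The threshold, lockout length, file name and the `lla_` prefix are assumed values chosen for the example.

```php
<?php
/**
 * Added example: limit failed login attempts per client IP.
 * Save as wp-content/mu-plugins/limit-login-attempts.php (assumed path).
 * Assumed thresholds: 5 failures, then a 15-minute lockout.
 */

const LLA_MAX_ATTEMPTS = 5;
const LLA_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Transient key derived from the client address. Behind a reverse proxy
// REMOTE_ADDR is the proxy; only trust X-Forwarded-For from a known proxy.
function lla_client_key() {
    return 'lla_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failed login; the expiry is refreshed on every failure,
// so the window is rolling rather than fixed.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lla_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LLA_LOCKOUT_SECS );
} );

// Run after core's username/password and cookie handlers (priorities 20
// and 30): an earlier WP_Error would be overwritten by a later success.
// Because this is the 'authenticate' filter, it also covers XML-RPC logins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lla_client_key() ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     LLA_LOCKOUT_SECS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 40, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lla_client_key() );
} );
```

A lockout keyed on IP alone can be bypassed by an attacker rotating addresses and can lock out a whole office behind one NAT, so pair it with a per-username counter and 2-factor authentication (items 2 and 7) rather than relying on it by itself.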

3. What plugins/resources are available for WordPress security? Name at least five plugins or resources and the services or benefits they provide.

  • WordFence – Scans and detects security threats. Provides a firewall, and has additional features such as brute force attack protection.
  • WPS Hide Login – Allows you to change your default admin login page, so attackers can’t just append “wp-admin/” to the URL and attempt to log in.
  • WP Limit Login Attempts – Restricts the number of failed login attempts allowed before a user is locked out.
  • WP Security Audit Log – Allows you to monitor dashboard activity; this can help you discover suspicious changes being made to your site and react accordingly.
  • Keyy Two Factor Authentication (like Clef) – Provides two factor authentication using RSA public-key cryptography and a mobile app.

4. Which plugin(s) do you think you will use and why?

I’m already using WordFence because I appreciate its threat scanning and firewall features. I am also using WP Limit Login Attempts because I want to prevent brute force attacks. And finally, I’m using WPS Hide Login to make it harder for hackers to find my admin login page.

6. What would you do if you are hacked? (“call the experts” is not an answer)

I would run a WordFence security scan, change any appropriate passwords, remove any plugins that may be to blame, repair/recover my site with a backup if needed, and put in a support ticket to web hosting if absolutely necessary.

5. What is SSL? How would you activate it in your domain? Submit a screenshot of your activation.

SSL stands for “Secure Sockets Layer” and is a vital protocol for securing a website: it encrypts the information passing between the web server and the browser (modern servers actually negotiate its successor, TLS, but the name SSL has stuck). To activate SSL using cPanel, click “SSL/TLS” in the Security section, then follow the prompts to issue and install a certificate for your domain.


Plugin Screenshots

  • Plugin 1: WordFence (dashboard screenshot)