Mandatory WordPress security basics
If you’re not already doing so, here are three things you should be doing. In my opinion the items below aren’t optional:
- Apply all WordPress, plugin and theme updates as they become available.
- Have a regular backup taken of your website.
- Only use good-quality plugins and themes listed in the WordPress free and commercial theme directories and the plugin directory.
Three products and services that will totally protect your website
The above three items are non-negotiable: every WordPress website owner should be doing them or having them done. The three services and products below will make your website far more secure and, best of all, they are free. Use the
Prevent password cracking
Back in the early days of WordPress.org, the primary administrator username was always ‘admin’, so breaking into a WordPress website was as simple as guessing the password, since the username of every install was already known. Fortunately the default username is no longer ‘admin’. Brute-force attacks are nonetheless ongoing: in a brute-force attack an attacker tries many username/password combinations in quick succession until one of them grants access to the WordPress dashboard.
The team at Jetpack (a multi-purpose plugin developed by Automattic) includes a module that protects against these bot-net attacks. Jetpack is free to install and use.
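As an added example (not code from the original post or from Jetpack), the following Python detects the pattern just described in ordinary web-server access logs: repeated POSTs to the WordPress login endpoints from one IP inside a short window. The log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format, as most WordPress hosts write it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # both accept a WP username/password

def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"])}

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each IP that sent >= threshold login POSTs inside any sliding `window`
    to the largest burst seen. Lines are assumed chronological; the threshold and
    window are assumed values, not Jetpack's."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # forget attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample log: one IP posts to the login form every two seconds (a 200
# on POST /wp-login.php is WordPress re-showing the form, i.e. a failed login),
# plus a legitimate visitor who logs in once (302 redirect to the dashboard).
SAMPLE_LINES = [
    f'203.0.113.7 - - [10/Jun/2015:14:01:{s:02d} +1000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "bot/1.0"'
    for s in range(0, 12, 2)
] + [
    '198.51.100.4 - - [10/Jun/2015:14:01:30 +1000] "GET /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2015:14:01:45 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Running `find_bruteforce(SAMPLE_LINES)` flags only the hammering IP with a burst of six; the single successful login is left alone.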
Stop hackers from seeing your website
As above, using Jetpack we can stop bot-net attacks as they happen. But what if we could stop hackers (and their bots) from even reaching our website? Hello CloudFlare.
CloudFlare is a CDN that offers various web optimisations as well as really fantastic security. It works by routing traffic to and from your website through CloudFlare’s many servers around the world (including in Sydney, Australia). Because CloudFlare sees traffic for tens of millions of websites, it has a database of hacker and bot methods, characteristics and IP addresses. If CloudFlare identifies a visitor as a hacker, it won’t allow them to even view your website.
CloudFlare has a free account that is very good!
SSL Certificate (HTTPS)
HTTPS protects data as it flows between your website and the customer (and vice versa). An SSL certificate is what makes it possible to deliver content reliably over HTTPS. This is important to ensure that what your visitors see is in fact from you and hasn’t been manipulated en route; it’s also vital in ensuring that sensitive and private data isn’t read en route. Google announced last year that it would start using HTTPS as a ranking signal for SEO, which has driven a huge uptake of website content being delivered over HTTPS.
CloudFlare (mentioned above) provides free Flexible SSL, which means that traffic between CloudFlare’s servers and your visitors is encrypted. Under this model, however, the traffic between your server and CloudFlare is not encrypted: visitors see a padlock, but the hop from CloudFlare to your origin server travels in the clear. Flexible SSL is free but isn’t a perfect solution (although it’s far better than no HTTPS at all).
A certificate authority that looks extremely promising will launch soon. Let’s Encrypt is a free, automated SSL certificate issuer backed by Mozilla, Automattic (the people behind WordPress), the EFF, Cisco and other big names. Once Let’s Encrypt goes live there will be few reasons not to secure your website traffic with HTTPS.