How to secure your Divi website
In the past months I have noticed a lot of questions in the Divi communities about security. Some websites have been breached and some people are asking which plugin they should use. There are many security plugins that do well for most websites. One of my favorites is the iThemes Security plugin by iThemes. It offers a free version and a paid version; most of the time the free version will do fine for your website. In this blog post we will talk about how to protect your Divi website from invaders and malicious people who are snooping around for a way in through WordPress vulnerabilities.
Prevention is better than cure
Hackers regularly try to break into WordPress websites. If such an attempt succeeds, they can add malicious code or steal data.
A hacked website is also often used to send spam on a large scale. That gets your website onto Google's blacklist, and Google then shows a warning in its search results saying that your site may have been hacked.
How can you prevent your Divi website from being hacked by malicious people?
First piece of good advice: keep everything up to date!
First of all, make sure your site is running the latest version of WordPress. New versions of the CMS appear regularly and can be installed from the dashboard without much difficulty.
Keep in mind that major versions can break compatibility with plugins and themes, so check compatibility (ideally on a staging copy) before upgrading. Minor updates are usually the security releases that keep WordPress secure, so install them promptly.
If you run the latest version you run the least risk, because previously discovered vulnerabilities have been fixed.
Also update your plugins and your theme (Divi and any child theme) regularly. A plugin that is installed but deactivated still has its code on the server and still needs updates, so remove what you do not use instead of leaving it deactivated.
Remove unnecessary plugins and themes
Avoid dubious plugins and do not download themes from unknown sites or via BitTorrent. Never install 'nulled' themes or plugins: they are often filled with malicious code.
Removing unnecessary plugins and themes reduces the number of places an attacker can exploit to plant malicious code.
To keep attackers out of your site I recommend two things. The first is to use strong, unique passwords for every account.
Out of convenience, users sometimes choose easy passwords, and that increases the chance that malicious parties later gain access to your site. The second is to secure your Divi website thoroughly with iThemes Security.
Thorough security of WordPress with iThemes Security
Once you have taken the basic measures above, you can install a special plugin that protects your site.
A popular plugin is iThemes Security, formerly known as Better WP Security. There is a free and a paid version of the plugin. In most cases the free variant is sufficient.
I prefer iThemes Security over other security plugins because it is easy to use and has a lot of good options that other plugins do not offer. iThemes Security will do its best to protect, detect, obscure and recover your Divi website.
Setting up iThemes Security
You need to have the latest version of WordPress. Go to 'Plugins', choose 'Add New'. In the search box type iThemes Security and press Enter.
iThemes Security appears in the overview; press 'Install Now'. Unpacking and installing takes a moment. Press 'Activate' to activate iThemes Security.
After activation you are asked to get a free API key. This enables Network Brute Force Protection: IP addresses that have been seen attacking other sites in the network are banned from yours as well. The iThemes Brute Force Attack Protection Network automatically reports the IP addresses behind failed login attempts and blocks them for as long as necessary, based on the number of sites that have seen the same attacker.
Run the Security Check and iThemes Security will apply some basic settings to get you started. But we want our Divi website better secured than basic, so we need to tweak the settings.
Tweak Your Security Settings
These are advanced settings that further strengthen the security of your WordPress site.
Note: they are listed as advanced because they block common forms of attack, but they can also block legitimate plugins and themes that rely on the same techniques. Enable the settings below one at a time and test that everything on your site still works as expected after each one.
Global Settings: basic settings that control how iThemes Security functions. These settings modify the behavior of many of the features the plugin offers.
404 Detection: automatically block users snooping around for pages to exploit. 404 detection watches for a visitor who requests a large number of non-existent pages and collects a large number of 404 errors in a short time; it assumes such a visitor is scanning for something (presumably a vulnerability) and locks them out. It has the added benefit of revealing hidden problems that cause 404 errors on parts of your site you do not normally see. All errors are recorded on the 'View Logs' page. You can set the thresholds for this feature (how many 404s in what period); the defaults are fine for most sites, but tune them if a legitimate crawler or a broken link on your own pages keeps tripping them.
Local Brute Force Protection
If someone had unlimited time and could try an unlimited number of passwords, they would eventually get in, right? This kind of attack, a brute force attack, is something WordPress is especially susceptible to because, by default, it does not care how many login attempts a user makes; it always lets you try again. Enabling login limits bans a host after it reaches the specified number of bad logins.
- Automatically ban “admin” user: Immediately ban a host that attempts to login using the “admin” username.
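To make the two lockout rules above concrete (404 detection and the local login limit), here is an added example, not code from this post or from iThemes Security, that applies the same sliding-window logic to web-server access-log lines instead of running inside WordPress. The log lines are constructed for the example, the thresholds are assumptions, and the rule for spotting a failed WordPress login (a POST to wp-login.php answered with 200 rather than a 302 redirect) is a heuristic, not something the plugin documents.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Regex for the Apache/nginx "combined" log format (ip, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_failed_wp_login(rec):
    """Heuristic (assumption, not from the post): WordPress answers a failed
    POST to wp-login.php with 200 (it re-renders the form) and a successful
    one with a 302 redirect to the dashboard."""
    return (rec["method"] == "POST"
            and rec["path"].split("?")[0] == "/wp-login.php"
            and rec["status"] == 200)


class LockoutEngine:
    """Per-IP sliding-window counters for 404s and failed logins. Thresholds
    are assumptions chosen for the example, not the plugin's defaults."""

    def __init__(self, max_404=20, max_login_fail=5, window=300, lockout=900):
        self.max_404 = max_404
        self.max_login_fail = max_login_fail
        self.window = timedelta(seconds=window)
        self.lockout = timedelta(seconds=lockout)
        self.hits = defaultdict(lambda: {"404": deque(), "login": deque()})
        self.banned = {}  # ip -> (reason, expiry)

    def _bump(self, ip, kind, now):
        q = self.hits[ip][kind]
        q.append(now)
        while q and now - q[0] > self.window:  # evict events outside the window
            q.popleft()
        return len(q)

    def handle(self, rec):
        ip, now = rec["ip"], rec["ts"]
        if ip in self.banned and self.banned[ip][1] > now:
            return "blocked"  # still locked out: the request is dropped
        if rec["status"] == 404 and self._bump(ip, "404", now) >= self.max_404:
            self.banned[ip] = ("404-scan", now + self.lockout)
            return "lockout"
        if is_failed_wp_login(rec) and self._bump(ip, "login", now) >= self.max_login_fail:
            self.banned[ip] = ("brute-force", now + self.lockout)
            return "lockout"
        return "ok"


def analyze(lines, **thresholds):
    """Feed every parseable line to the engine; return (banned IPs with reasons,
    number of later requests from banned IPs that were dropped)."""
    engine = LockoutEngine(**thresholds)
    dropped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if engine.handle(rec) == "blocked":
            dropped += 1
    return {ip: reason for ip, (reason, _) in engine.banned.items()}, dropped


# --- constructed sample traffic (not real logs) -----------------------------
def _line(ip, t, method, path, status):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"'


def sample_log():
    t0 = datetime(2019, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Scanner: 25 non-existent plugin paths in 50 seconds, continuing after the lockout.
    for i in range(25):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=2 * i), "GET",
                           f"/wp-content/plugins/old-plugin-{i}/readme.txt", 404))
    # Password guesser: six failed logins within a minute, then a seventh try.
    for i in range(7):
        lines.append(_line("198.51.100.9", t0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200))
    # Legitimate editor: two typos (404) and one successful login (302).
    lines.append(_line("192.0.2.1", t0, "GET", "/blgo", 404))
    lines.append(_line("192.0.2.1", t0 + timedelta(seconds=30), "GET", "/abuot", 404))
    lines.append(_line("192.0.2.1", t0 + timedelta(seconds=60), "POST", "/wp-login.php", 302))
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

Running the script bans the scanner for the 404 burst and the password guesser for the login failures, drops their seven follow-up requests, and leaves the editor alone. The same windows and thresholds are what you are tuning in the plugin's 404 Detection and Local Brute Force Protection settings; lowering the 404 threshold too far is exactly how a broken internal link starts locking out real visitors.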
HTTPS (SSL/TLS) is important for every site. It protects user accounts from being compromised, protects the content from modification by ISPs and attackers, protects potentially sensitive information submitted to the site from network sniffing, can speed up your site (depending on server configuration), and can improve your site's search engine rankings.
- Redirect All HTTP Page Requests to HTTPS: Enabled. Only turn this on once a valid certificate is installed for your domain; otherwise every visitor is redirected straight into a certificate error.
System Tweaks: advanced settings that improve security by changing how the web server serves WordPress.
- System Files: Prevent public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess. These files can give away important information on your site and serve no purpose to the public once WordPress has been successfully installed.
- Directory Browsing: Prevents users from seeing a list of files in a directory when no index file is present.
- Filter Request Methods: Filter out requests that use the TRACE, DELETE or TRACK methods. Do not enable this if you use the WordPress REST API, which relies on DELETE.
- Long URL Strings: Limits the number of characters that can be sent in the URL. Injection payloads and scanner probes are typically much longer than any URL a real visitor needs, so an over-long URL is a cheap signal to refuse.
- Disable PHP in Uploads: Disable PHP execution in the uploads directory. The uploads directory is writable by design, so a file-upload flaw in any plugin can drop a PHP web shell there; this setting makes such a file unexecutable even if it gets in.
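For readers who want to see what these System Tweaks and the HTTPS redirect above come down to at the web-server level, here is an added example of hand-written Apache 2.4 rules for a root .htaccess. These are not the rules iThemes Security generates; they assume WordPress lives in the document root, mod_rewrite is enabled, and the host's AllowOverride permits these directives. The 255-character URL limit is an assumption for the example.

```apache
# Added example, not the plugin's generated rules. Apache 2.4 syntax.
# Place above the "# BEGIN WordPress" block in the root .htaccess.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect All HTTP Page Requests to HTTPS. Enable only after a valid
    # certificate is installed; behind a TLS-terminating proxy test the
    # X-Forwarded-Proto header instead, because %{HTTPS} stays "off" there.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Filter Request Methods: TRACE/TRACK are never needed by a site. Drop
    # DELETE from this list if the site uses the REST API (the block editor does).
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DELETE)$ [NC]
    RewriteRule .* - [F,L]

    # Long URL Strings: refuse any query string over 255 characters
    # (threshold is an assumption chosen for this example).
    RewriteCond %{QUERY_STRING} ^.{256,}$
    RewriteRule .* - [F,L]
</IfModule>

# System Files: these leak version and configuration details to the public.
<FilesMatch "^(readme\.html|readme\.txt|wp-config\.php|install\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# Directory Browsing: never list a directory that has no index file.
Options -Indexes

# Disable PHP in Uploads: a PHP file under wp-content/uploads is refused
# instead of executed, so an uploaded web shell cannot run. Equivalent to a
# small .htaccess placed inside the uploads directory itself.
<If "%{REQUEST_URI} =~ m#^/wp-content/uploads/.*\.(php|phtml|phar)$#i">
    Require all denied
</If>
```

Two things to check after pasting: if your host's AllowOverride does not include Options, the `Options -Indexes` line makes Apache answer every request with a 500 error, so remove it and ask the host to disable indexes server-wide instead; and verify the HTTPS redirect with a plain `curl -I http://yoursite/` before relying on it, since a redirect loop behind a proxy is the most common failure.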
WordPress Tweaks: advanced settings that improve security by changing default WordPress behavior.
- Windows Live Writer Header: Removes the Windows Live Writer manifest link from the page header. This is not needed if you do not use Windows Live Writer or other blogging clients that rely on this file.
- EditURI Header: Removes the RSD (Really Simple Discovery) link. If you don't integrate your blog with external XML-RPC clients or services such as Flickr, the RSD function is of no use to you.
- Reduce Comment Spam: Cuts down on comment spam by denying comments from bots that send no referrer or no user agent.
- Disable File Editor (already enabled by default; disable it only if you really want to edit files through the WordPress editor): Disables the theme and plugin file editor, so that modifying files requires access to the file system. Once activated you will need to edit theme and other files with a tool other than WordPress. The point is that an attacker who gets hold of an administrator account can no longer use the built-in editor to drop PHP code into your theme.
Hide WordPress Backend
This section can be found under the advanced tab at the top-right corner of the iThemes Security Dashboard (right next to the “Search Modules”).
iThemes Security can hide the login page by giving it a different name and blocking direct access to wp-login.php and wp-admin. This makes your WordPress login harder for automated attacks to find and easier to remember for users unfamiliar with the WordPress platform. Keep in mind that this is obscurity: the login form itself is unchanged, so it cuts down automated noise but does not replace strong passwords and login limits.
When you enable this feature you get more options:
- Login Slug: Enter your custom url slug on which you and your users can access the default login.
- Enable Redirection: Redirects visitors to a custom location when they try to access wp-admin or wp-login.php while not logged in.
- Redirection Slug: The slug to redirect users to when they attempt to access wp-admin while not logged in.
I think that hiding the backend is one of the strong selling points that iThemes Security has to offer. It helps you to prevent unwanted access to your WordPress dashboard by hiding it.
All these options should keep your Divi website safe from most hackers. I have never experienced a break-in on one of my websites, although I receive an email from time to time that a certain user has been banned for trying to gain access. I think that iThemes Security is one of the best, maybe the best, security plugins to protect your website. It has a clear interface, clear instructions and provides good features to secure and protect your Divi website.
If you have used iThemes Security before or are going to start using it, please leave a comment below and tell us how you like or dislike it!