WordPress is open source and free for anyone to use, and a wide range of plug-ins and themes is available, which has made it the most widely used CMS in the world.
However, precisely because it is open source, vulnerabilities are discovered easily, and security measures are essential.
This article therefore introduces security settings that anyone can set up using only plug-ins, with no programming.
Keep WordPress and plugin versions up-to-date.
It is recommended that WordPress itself always be kept up-to-date.
Because it is open source and anyone can use it, it is exposed to attacks from malicious people all over the world, and vulnerabilities are discovered easily.
Each time a vulnerability is discovered, a version update is released, so staying up-to-date prevents information leaks and similar incidents.
However, if you use a paid theme, or if parts of your website depend on the functionality of plug-ins, a version update may cause them to stop working, so make sure you take a backup beforehand.
Strong passwords.
Passwords should be set as “a random alphanumeric string of at least 12 characters”.
Passwords are subject to dictionary attacks and the like, so simply “making the password longer” and “not using simple numbers or words” already has a real security effect.
Preventing username leakage [Edit Author Slug].
By default, WordPress reveals the username (login ID) when /?author=1 is appended to the site URL.
Likewise, appending /wp-json/wp/v2/users to the URL lists the usernames.
Once the username is known, the risk of unauthorised access to the administration screen increases, because all that is left for an attacker is to guess the password.
Therefore, install ‘Edit Author Slug’.
After installing Edit Author Slug and configuring it, you can change the name shown in those URLs so that it no longer matches the login ID.
See here for installation instructions.
Stronger security by limiting login attempts, etc. [SiteGuard WP Plugin].
The SiteGuard WP Plugin enhances security simply by being installed and activated.
In particular, it sets up a wide range of defences against brute force attacks, password list attacks and the like: image authentication (a CAPTCHA-style check) for bot protection, XMLRPC protection, and a login lock that limits the number of login attempts.
See here for installation instructions.
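To make the login lock concrete, here is an added example (not code from the original article or from the SiteGuard plugin): it replays constructed web-server access log lines and locks an IP once it exceeds a number of failed POSTs to wp-login.php or xmlrpc.php within a sliding time window. The threshold and window are assumed values for illustration, not the plugin's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in combined log format (not real traffic).
# 192.0.2.10 logs in normally (302 redirect), 203.0.113.5 hammers
# wp-login.php, 198.51.100.7 sends a few spread-out XML-RPC posts.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
192.0.2.10 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2024:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2024:12:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2024:12:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2024:12:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2024:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

def is_login_attempt(method, path, status):
    """A POST to a login endpoint that did not redirect counts as a failed or
    unknown attempt (a successful wp-login.php post answers 302 to wp-admin;
    xmlrpc.php always answers 200, so every POST to it is counted)."""
    return method == "POST" and path.split("?")[0] in LOGIN_ENDPOINTS and status != 302

def find_lockouts(log_text, max_attempts=5, window_seconds=60):
    """Sliding-window login lock (assumed parameters). Returns a dict mapping
    each IP to the timestamp at which it first reached max_attempts failed
    attempts within window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts inside the window
    locked = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_login_attempt(m["method"], m["path"], int(m["status"])):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop stale attempts
            q.popleft()
        if len(q) >= max_attempts and m["ip"] not in locked:
            locked[m["ip"]] = ts
    return locked

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock {ip} at {when.isoformat()}")
```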
Manage login history [WP Activity Log].
This plugin lets you manage the activity history of each account.
It records unauthorised logins and the changes made by any of many users, so that an incident can be traced back when it occurs.
Change admin URL [WPS Hide Login].
The WordPress admin page is at /wp-admin. Since anyone knows this path, it is advisable to move the admin screen to a different URL.
Simply installing and activating WPS Hide Login and changing the admin screen URL has a considerable security effect.
See here for installation instructions.
Take backups [All-in-One WP Migration].
Backups are essential for sites that are updated daily. Take regular backups and be ready to restore whenever an incident occurs.
All-in-One WP Migration is an easy-to-use plugin that can both take backups and restore them.
It backs up and restores not only the database (posts and other content) but also media files such as images, as well as themes and plugins.
It is also used when migrating the site itself, so be sure to include it.
See here for installation instructions.
Finally
WordPress makes it easy to take security measures simply by using plugins.
As with any website, there is no such thing as ‘just do this and you’re good to go’; measures need to keep pace as technology evolves.
As an aside, if someone asks you, “Isn’t WordPress vulnerable?”, you can answer, with a smug look on your face, “It’s fine as long as you take proper measures. The White House in the US uses WordPress.”