When it comes to websites, there’s no such thing as too much security. With so many security techniques available, you may wonder which security measures should be implemented for your WordPress website. We recently tested our own website with the Mozilla Observatory tool to determine our security rating; it grades a site on the HTTP response headers and related settings covered below. Here are the top 11 ways to secure your WordPress website.
- Content Security Policy
A Content Security Policy (CSP) is delivered in the Content-Security-Policy HTTP response header and lets site operators declare which sources the browser may load scripts, styles, images and other resources from. Its main value against cross-site scripting is that a strict policy disables inline JavaScript and eval() unless a script carries a per-response nonce or a hash of its contents, so a script an attacker manages to inject into the page does not run. Retrofitting a CSP onto an existing site takes work (WordPress themes and plugins frequently rely on inline scripts), but Mozilla’s web security guidelines make a CSP mandatory for all new sites and recommend retrofitting one on all high-risk existing sites.
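As an added example (not code from the original article or from TechArk), the following Python lint parses a Content-Security-Policy value and flags the weaknesses this section warns about: inline and eval’d script, wildcard sources, a missing default-src and a missing frame-ancestors. The two sample policies are constructed for illustration and the nonce value is a placeholder, not a real random nonce.

```python
from typing import Dict, List

# Constructed sample policies for illustration (not from any real site). The
# first still allows inline and eval'd script from any origin; the second only
# runs scripts from the site's own origin or carrying the per-response nonce
# (the nonce value here is a placeholder, not a real random value).
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; style-src 'self'; "
    "img-src 'self' data:; font-src 'self'; connect-src 'self'; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set explicitly."""
    return policy.get("script-src", policy.get("default-src", []))


def lint_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive you forget to set is unrestricted")
    sources = script_sources(policy)
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
    # present, so only report it when nothing else gates inline script.
    gated = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not gated:
        findings.append("script-src allows 'unsafe-inline': an injected <script> block will execute")
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval': eval() runs attacker-controlled strings")
    if any(s in ("*", "http:", "https:", "data:") for s in sources):
        findings.append("script-src allows a wildcard or bare scheme: any remote script loads")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: the page can be framed by other sites (clickjacking)")
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {lint_csp(csp) or 'OK'}")
```

Run it against the policy your site actually sends (for example copied from the browser’s network panel) before trusting a green rating: a policy that names script-src without default-src still leaves object-src, connect-src and the rest wide open.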
- Cookies
All cookies used on a site should be created so that access to them is limited, so that a cross-site scripting flaw cannot steal them: the HttpOnly attribute keeps a cookie out of document.cookie. Cookie names should carry the __Secure- or __Host- prefix so that they cannot be overwritten by an insecure origin (or, with __Host-, by a subdomain); a __Host- cookie must also be Secure, have Path=/ and carry no Domain attribute, or the browser discards it. Every cookie should have the Secure attribute so that it is transmitted over HTTPS only, and a SameSite attribute so that it is not attached to cross-site requests. Cookies should also expire as soon as they are no longer needed.
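Added example, not code from the original article: a small Python checker for the Set-Cookie attributes and name prefixes described above. The sample headers are constructed; the hardened one follows the __Host- rules exactly, and the third shows a prefixed cookie that browsers would silently reject because it breaks those rules.

```python
from typing import Dict, List, Optional, Tuple

# Constructed Set-Cookie headers for illustration (not captured from a real site).
WEAK_COOKIE = "wordpress_logged_in=abc123; Path=/; Domain=.example.com"
HARDENED_COOKIE = (
    "__Host-wp_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
)
# Prefixed but broken: a Domain attribute and a missing Path=/ violate the __Host- rules.
REJECTED_COOKIE = "__Host-wp_session=abc123; Secure; HttpOnly; SameSite=Lax; Domain=example.com"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Return (name, value, {attribute in lower case: value, or None for flags})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def lint_set_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script injected by XSS can read it via document.cookie")
    if "samesite" not in attrs:
        findings.append("missing SameSite: the cookie rides along on cross-site requests")
    # Name prefixes (RFC 6265bis): browsers discard prefixed cookies that break the rules.
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- requires Secure, Path=/ and no Domain: browsers will reject this cookie")
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            findings.append("__Secure- requires Secure: browsers will reject this cookie")
    else:
        findings.append("no __Host-/__Secure- prefix: a subdomain or plain-HTTP page can plant a same-named cookie")
    return findings


if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE), ("rejected", REJECTED_COOKIE)):
        print(f"{label}: {lint_set_cookie(cookie) or 'OK'}")
```

The third case is the one worth remembering: a misconfigured __Host- cookie does not degrade to an unprefixed one, it is dropped, which on a WordPress login cookie shows up as users who can never stay logged in.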
- Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) relaxes the browser’s same-origin policy: the Access-Control-Allow-Origin header and its companions tell browsers which foreign origins may read your page content. Because it grants access rather than restricting it, CORS should only be enabled if necessary, never with a wildcard on resources that require a login, and, if employed on your site, limited to as few origins as possible.
- HTTP Public Key Pinning (HPKP)
HPKP let a site pin the public keys that may appear in its certificate chain, so that a certificate issued for the site by a different certificate authority (whether mis-issued or obtained by an attacker to impersonate a trustworthy site) is rejected by returning browsers. It was intended only for high-risk sites and had to be implemented with extreme caution, because a wrong pin locks users out of the site for the pin’s lifetime. Major browsers have since removed HPKP support, so it should no longer be deployed, and the Mozilla Observatory does not penalize its absence.
- HTTP Strict Transport Security (HSTS)
HSTS instructs browsers to connect to a site over HTTPS only. Once a browser has received the Strict-Transport-Security header from a site, it rewrites any later http:// request for that site to https:// before sending it. The header has one required directive, max-age, which sets how long (in seconds) the browser keeps enforcing HTTPS; Mozilla’s guidelines recommend at least six months (15768000). The header is only honored when it arrives over HTTPS, so it belongs on the HTTPS response, not on the HTTP redirect.
- Redirection
Sites must still answer on plain HTTP, because a browser defaults to http:// when a user types a bare hostname into the address bar and refusing the connection would look like an outage. That first HTTP response should be a 301 redirect to the HTTPS version of the same host, where the HSTS header is set; from then on the browser routes future HTTP requests for the site to HTTPS itself. Redirecting straight to a different host (for example from http://example.com to https://www.example.com) skips that step and leaves the bare host without HSTS.
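Added example covering both the HSTS header and the redirection rule above (not code from the original article): a Python check over a recorded redirect chain, of the kind the Observatory performs. The chains are constructed, not real responses from any site, and the six-month threshold follows Mozilla’s guideline.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

SIX_MONTHS = 15768000  # Mozilla's recommended minimum HSTS max-age, in seconds


class Hop(NamedTuple):
    """One response in a redirect chain: the URL requested, its status and headers."""
    url: str
    status: int
    headers: Dict[str, str]


# Constructed chains for illustration; these are not recorded responses from any site.
GOOD_CHAIN = [
    Hop("http://example.com/", 301, {"Location": "https://example.com/"}),
    Hop("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    Hop("https://www.example.com/", 200,
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
BAD_CHAIN = [
    Hop("http://example.com/", 302, {"Location": "http://www.example.com/"}),
    Hop("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    Hop("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=300"}),
]


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    max_age: Optional[int] = None
    include_sub = preload = False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            include_sub = True
        elif d == "preload":
            preload = True
    return max_age, include_sub, preload


def lint_chain(chain: List[Hop]) -> List[str]:
    """Check the HTTP -> HTTPS hand-off and the HSTS header where the chain ends."""
    findings: List[str] = []
    first, final = chain[0], chain[-1]
    if urlsplit(first.url).scheme == "http":
        target = urlsplit(first.headers.get("Location", ""))
        if first.status != 301:
            findings.append(f"first hop redirects with {first.status}, not a permanent 301")
        # HSTS is only set on an HTTPS response, so the bare host must be visited
        # over HTTPS before the chain moves on to another host.
        if target.scheme != "https" or target.hostname != urlsplit(first.url).hostname:
            findings.append("first redirect must go to https:// on the same host so that host gets HSTS")
    if urlsplit(final.url).scheme != "https":
        findings.append("chain does not end on an HTTPS URL")
        return findings
    hsts = final.headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the final HTTPS response")
        return findings
    max_age, include_sub, _ = parse_hsts(hsts)
    if max_age is None:
        findings.append("HSTS header lacks the required max-age directive")
    elif max_age < SIX_MONTHS:
        findings.append(f"HSTS max-age={max_age} is below six months ({SIX_MONTHS})")
    if not include_sub:
        findings.append("HSTS lacks includeSubDomains: subdomains may still be reached over HTTP")
    return findings


if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(f"{label}: {lint_chain(chain) or 'OK'}")
```

To check a live site, record each hop with a client that does not follow redirects (for example curl -sI on each Location in turn) and feed the results in as Hop values; the bad chain above is the common WordPress misconfiguration where the web server redirects to the www host first and only the www host ever sends HSTS.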
- Referrer Policy
When a user follows a hyperlink, or a page loads an external resource, the browser sends an HTTP Referer header that tells the destination site where the request came from. That header carries several risks: it can compromise user privacy and reveal URLs (password-reset links, for instance, or internal paths) that were not intended for the destination. The Referrer-Policy header lets site operators control how much of the referring URL, if any, is sent and under what circumstances; ‘no-referrer’ or ‘strict-origin-when-cross-origin’ are the usual choices.
- Subresource Integrity
Subresource Integrity (SRI) protects against an attacker modifying JavaScript libraries (and stylesheets) that your site loads from a third-party host such as a CDN. The script or link tag carries an integrity attribute containing a cryptographic hash of the file’s expected contents, which locks the resource to its content at that point in time; if the file served later no longer matches the hash, the browser refuses to execute it.
- X-Content-Type-Options
X-Content-Type-Options: nosniff instructs the browser not to guess a response’s content type from its bytes and, in particular, to refuse to run scripts or apply stylesheets that are served with an incorrect MIME type. This closes off MIME-sniffing attacks, in which a file that was never meant to be a script (an uploaded image, say) gets interpreted as one.
- X-Frame-Options
X-Frame-Options lets site operators specify whether their site may be displayed inside an iframe and, if so, by whom (DENY or SAMEORIGIN). It defends against clickjacking, an attack in which your site is loaded in an invisible frame on an attacker’s page so that users who believe they are clicking the attacker’s content are really clicking buttons or links on your site. Mozilla’s guidelines make X-Frame-Options mandatory for all new sites and expect existing sites to adopt it as soon as possible; the CSP frame-ancestors directive is its modern equivalent and should be set alongside it.
- X-XSS-Protection
X-XSS-Protection controls a filter built into older browsers that tries to detect reflected cross-site scripting and stop the page from rendering (the value ‘1; mode=block’). It adds nothing on modern browsers, which have removed the filter in favor of CSP, and the filter itself has been abused to leak information, so current OWASP guidance is to set the header to 0 or omit it; it only helps users of legacy browsers that still ship the filter.
Ensuring your website is as secure as possible for your users is a huge responsibility and might seem like an impossible task. Team TechArk prides itself on staying up-to-date on the latest industry knowledge in all aspects of web design including website security. To see what steps you need to take, try testing your website with this tool: Mozilla Observatory. At TechArk, we’re here to help! Contact us to learn how we can improve your website’s security.
About TechArk Solutions
For over 10 years, TechArk Solutions has offered website design, digital marketing, and custom software solutions to businesses across the United States and beyond. Headquartered in Norfolk, Virginia, the company comprises a global team of experts dedicated to growth, innovation, and quality. To learn more, email hello@gotechark.com or visit https://gotechark.com.