WordPress affiliate sites are prime targets for hackers who are looking to spread malware, create a botnet, or maliciously generate a passive income over time.
But there are certain things that you can do in order to drastically reduce your chances of becoming a target of such a malicious attack.
So let’s delve into these easy-to-implement hacking countermeasures, so that together we can improve the security of your WordPress affiliate site!
Don’t Pass On Strong Passwords
The first layer of protection for your WordPress affiliate site is your password. Don’t be satisfied with the bare minimum level of security. Pick a password that is strong.
Want to know a secret? A mixed case password with numbers and special characters is great… but it isn’t the strongest option. Password length is even more effective. An easy-to-remember phrase like ‘Janet found the teddy bear in the toy box.’ would take the average hacker 4 hundred octodecillion years to crack with brute force. The same hacker would brute force ‘ymJl99%a!’ in around 3 weeks. Length matters.
Of course you can have the best of both worlds, long and complex passwords, if you use a central password manager. Then you only need to remember a single long master password to have access to unique, strong passwords for every site and account that you use.
Finally, turn on Two Factor Authentication (2FA)! Then someone will need both your password and your authentication device to make headway. You can find many different free plugins for 2FA on the WordPress plugins directory.
WTF Is WAF?
A Web Application Firewall, or WAF, allows you to have a measure of protection for your WordPress affiliate site right out of the box. It basically filters requests coming into your site, looking for some of the most common attack vectors that hackers use.
Cloudflare announced that they want everyone to have free WAF protection, so you might as well take advantage of it! And while you’re at it, your free Cloudflare account can give you some basic DDoS protection as well. Neat, isn’t it?
SSL Should Be Automatic
Secure Sockets Layer (SSL, today implemented as its successor TLS) is vital for securing your WordPress site, especially if it’s an eCommerce or affiliate platform.
SSL encrypts data between the server and browser, safeguarding sensitive information and boosting visitor trust.
To enable SSL on your WordPress site, first contact your host to check if SSL is included or if special instructions are required. Then, choose and install a certificate such as Let’s Encrypt, configure WordPress to use ‘https’, and finally, confirm the secure connection by looking for the padlock icon in the browser’s address bar.
If you encounter any issues, your web host’s support team can assist you.
Stop Affiliate Fraud
Sometimes your worst enemy poses as a friend. That’s why you should be using an affiliate management tool that prevents everything from click fraud to cookie stuffing attacks.
The Coupon Affiliates plugin has built-in WordPress affiliate site security tools, including anti-fraud measures. You can read more about that here.
Once you install Coupon Affiliates, the vast majority of affiliate fraud attacks should be nipped in the bud… if you keep your software up to date! But what’s the best way to do that?
Patch It Up!
Keeping your WordPress plugins, themes, and core up to date is essential for website security.
These updates often include patches for known vulnerabilities that could be exploited by hackers. When you run outdated versions, you leave your site susceptible to malware, data breaches, and other malicious attacks that can severely impact your website’s functionality and your users’ information. Regularly updating not only enhances security but also provides new features and improvements that can optimize your website’s performance and user experience.
If you don’t want to manually scan for new software patches periodically, you can use a patch management system. For example, Patchstack has a free tier that will help you keep everything up to date for your small or medium WordPress site. If you hit the big time, paid tiers are available to automate more complex installations.
It should be noted that Coupon Affiliates is part of the Patchstack Vulnerability Disclosure Program. That means Coupon Affiliates security bugs are automatically reported to Patchstack, which manages the disclosure and the resulting updates.
Turn It Around
One more component that you need to consider is bot protection. There’s nothing worse than automated attacks that create fake users, fake queries, and fake chatbot interactions. It’s a massive time waster.
Cloudflare’s Turnstile is a free CAPTCHA alternative that will let you weed out most of the common malicious bots with ease. If you get bigger (and thus become more of a target), you can opt for one of the paid plans in order to shut down the more sophisticated bots with additional levels of protection.
We have a WordPress Affiliate Turnstile guide here, which walks you through the entire implementation process, so that you’re properly protected from common automated attacks on your forms.
Boot The Idlers
To reduce potential headaches from users who might carelessly leave themselves logged in at guest terminals, as well as resource-exhaustion (denial-of-service) attacks, you’ll want to install something that automatically forces a logoff if someone is idle for too long.
The Inactive Logout plugin is great for this. You can set custom timeouts for more elevated roles, if you want administrators to have longer valid idle periods. It also works with WooCommerce, providing that extra layer of protection.
Don’t Allow Brute Force Attacks
It’s wise to have a stricter failed-login policy than the default WordPress setup, which imposes no limit at all. You don’t want anyone to feasibly be able to guess a user’s password, so set tighter login attempt limits and longer timeouts for repeated failures.
A plugin such as Login LockDown is your best friend in this case. This will allow you to customize darn near everything about failed login attempts.
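To show what such a policy does under the hood, here is an added example of a small must-use plugin that locks a client address out after repeated failures. It is not Login LockDown’s code; the limits (5 failures in 15 minutes, a one-hour lockout) and the `example_lockout_` names are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example, not the Login LockDown plugin's code. Place in wp-content/mu-plugins/.
 */

// Assumed policy values; tune them for your site.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;                       // failures allowed...
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;  // ...within this window
const EXAMPLE_LOCKOUT_DURATION     = HOUR_IN_SECONDS;         // how long the lockout lasts

// One transient per client IP. REMOTE_ADDR is only meaningful if your host or proxy
// (e.g. Cloudflare) is configured to restore the real visitor address.
function example_lockout_client_key() {
    return 'example_lockout_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

function example_lockout_is_locked() {
    return (bool) get_transient(example_lockout_client_key() . '_locked');
}

// Count every failed login; lock the client once the limit is reached.
add_action('wp_login_failed', function ($username) {
    if (example_lockout_is_locked()) {
        return; // already locked: blocked attempts must not extend the lockout
    }
    $key      = example_lockout_client_key();
    $attempts = (int) get_transient($key . '_attempts') + 1;
    set_transient($key . '_attempts', $attempts, EXAMPLE_LOCKOUT_WINDOW);
    if ($attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        set_transient($key . '_locked', time(), EXAMPLE_LOCKOUT_DURATION);
        delete_transient($key . '_attempts');
        // Leave a trace for your logs; never log the password itself.
        error_log(sprintf('[example-lockout] %s locked after %d failures (last user tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts, sanitize_user($username)));
    }
});

// Priority 30 runs after WordPress's own password check (priority 20), so even a
// correct guess is refused while the lockout is active and the attacker learns nothing.
add_filter('authenticate', function ($user, $username, $password) {
    if (example_lockout_is_locked()) {
        return new WP_Error('example_too_many_attempts',
            __('Too many failed login attempts from your address. Please try again later.'));
    }
    return $user;
}, 30, 3);
```

Transients live in the database (or your object cache), so the counters survive across requests without any extra tables; a real plugin would also let you whitelist your own address so you cannot lock yourself out.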
Get Professional Help If You Need It
Finally, if you just want someone else to handle your security, you can get a WordPress care plan.
One example of this is RelyWP. Their package includes managing the WordPress installation and maintenance, automated testing, and malware scans.
You also get secure cloud backups, which is helpful because it serves as a simple disaster recovery plan. If the worst happens (which might range from your hosting provider going out of business to a massive zero-day hack that hits millions of WordPress sites across the globe), you’ll have a backup copy of your site on an independent cloud service, and it can be restored as soon as a safe host is available.
Check out RelyWP’s service plans here.
A Final Word
Remember that scammers will often try social engineering attacks, hoping that you’ll simply tell them your password or Two Factor Authentication codes. Never share this information with anyone. Real support techs who manage your website can simply reset your password for you; they never need to ask you for it. Be careful out there!
Bill Ricardi is a former Silicon Valley sysadmin, and uTest’s 2010 Performance Tester of the Year. He was test manager for Deloitte before becoming a full time author in 2017, and is also a regular contributor to the Coupon Affiliates blog.