Beefing Up WordPress Security – A Complete Guide To Securing WordPress Sites
When you finish this post, I guarantee your WordPress site will be immune from hacks and exploits.
Wait, I can’t guarantee that. Let me put it this way, you’ll be equipped with the knowledge necessary to keep your website relatively safe.
There is no such thing as fool-proof security. You can take specific measures to greatly decrease the chance that your website falls victim to a hack or an attack.
I previously wrote a small post about how WordPress websites get compromised and why you should invest in good security practices. You can read it here or I’ll give you a small summary of WordPress vulnerabilities before discussing specific measures to beef up your website.
WordPress in and of itself has few vulnerabilities and when they are discovered, they are quickly patched up with an update. But when you consider your web host’s security practices or lack thereof and the third-party software that normally runs on WordPress websites, your website is more likely to become the victim of a hack due to other people’s mistakes.
51% of all hacked websites were compromised by themes or plugins they were running. 41% were exploited because they picked the wrong web host and as a result, their sites were hacked.
Running a plain WordPress site and keeping it safe isn’t too difficult. But when you add a melange of third party software and have to maintain your domain with the right host, it becomes a tad more difficult.
I’ve read many blog posts by successful web entrepreneurs, essentially businessmen and women who took their business online. And when their online ventures became successful they became targets. Although, it isn’t necessary that your website be successful or even have some traffic to become a target.
People who hack websites use automated tools to scour hundreds and thousands of websites for vulnerabilities. Your website may be one of those hundreds. So even if your website isn’t popular, you could still be a target.
Many web entrepreneurs know the security standards and measures to protect their websites and online businesses. But the great thing about WordPress and the web today, is you no longer need to be a tech expert or a web developer to start a website. And creating a website isn’t difficult at all, it’s very easy and I’ve even written an article about it on Colorlib (for those looking for a bit of help when you build your first WordPress website).
Creating a website isn’t too difficult, making it popular is slightly more complicated. But making it secure, especially for non-tech savvy web entrepreneurs whose primary preoccupation revolves around a non-web-based product/service is rather challenging.
And sure, they could employ a web developer to help them out. But many small-scale web businesses thrive in direct relation to their ability to keep costs low. And employing a web developer who charges $100 an hour does not fall within their financial capabilities.
A web security professional is always the preferred option but unfortunately, not everybody has the necessary business income to allow for that expense. And maybe that’s okay, maybe it isn’t. But the crucial fact is we have to recognize that even small scale businesses collect sensitive personal information, including stuff like your address of residence, your credit card details, phone numbers and email IDs.
Not only is your customer’s information at risk due to possibly negligent security practices, but so is the business you’ve built or will spend a great deal of time building. Building a business online is a rather daunting endeavor; your success relies on several factors, which include brand reputation and what Google thinks of your website. And trust me, no one will have a favorable view of your business or services if your website shuts down or becomes a victim of an attack/hack.
Given all that and the stakes involved, what steps can “you” as a web entrepreneur take to make your website safe?
Main Tips To Improve WordPress Security
- #1. Choose The Right Host Service Provider
- #2. Use Trusted Third Party Software – Premium Themes & Plugins
- #3. Protect Your Login Page
- #4. Protecting Your WP Core, Database & Using Correct File Permissions
- #5. Security Plugin – Wordfence/iThemes Security/ Sucuri
- #6. Update ! Update! Update! And not just your WordPress
- #7. A Few More Things About WP Security – Firewalls, Audit Logs & Malware Scanners
- #8. Hiding Your WordPress Version – Is it necessary?
- #9. Back Up – Last Line Of Website Security
- Conclusion
This post primarily aims at people who don’t run an online business. It is aimed at people from different walks of life starting businesses that rely partially or heavily on an online presence. And since WordPress runs more than 65% of the web and is the CMS of choice for the non-tech savvy web entrepreneur, I’ll be focusing on arming you with the knowledge to keep your WordPress website safe and secure.
#1. Choose The Right Host Service Provider
The lion’s share of vulnerabilities exist because of problems created at the server end of your website. I found this fact rather astonishing, your hosting service is potentially the greatest source of your website’s vulnerabilities.
And with a third party host you can not do much tinkering to protect your website.
So the next best thing you can do is choose the right web hosting service provider.
Far too many web host providers run their systems on outdated software or software that isn’t currently being maintained. The problem with software that is no longer being maintained is that while there may have been no vulnerabilities in the past, there is no guarantee of future safety. And if a vulnerability is detected, which is almost certain, it may no longer be patched because the core team isn’t actively maintaining older software versions.
When I talk of software, I mean anything that runs on your server to keep your site live and functional.
- Apache
- PHP
- MySQL
- MariaDB
- PostgreSQL
- PHPMyAdmin
- SSL certificates
Even if they update their software with only a small delay after patches are released, the window of opportunity for hackers to exploit vulnerabilities that have only been patched in recent updates widens and puts your website at risk.
Shared hosting, which is the choice of hosting for most newly started online businesses, does have a couple of problems:
- DoS attacks on any one IP on a server can affect all websites hosted on that particular server.
- Shared IP addresses are a big problem. IP addresses that neighbor your own affect your website, if a shared IP gets blacklisted, your site suffers the consequences.
- There is always the chance that some software loaded on a shared server can compromise the entire server, even though shared hosting service providers do take measures to prevent this from happening.
My pick for shared hosting:
- Shared Hosting – SiteGround – They provide account isolation which protects you against websites on the same server which may be vulnerable. Automated updates for WP core and plugins, free SSL certificate & daily backups for the Grow Big Plan and upwards, protection against spam with a filtering system, a firewall, intrusion prevention systems and live monitoring. Using a CDN system like CloudFlare will protect your website against DDoS attacks.
SiteGround has had a good history of responding quickly and incisively against vulnerabilities exposed in the past. In 2013, when bruteforce attacks were perpetrated from over 90,000 IP addresses SiteGround prevented the requests from reaching their servers.
Brute force attacks may overwhelm the server with load, but they cannot affect it if they can’t get a sufficient number of requests through to the server. During the attack, over 15 million attempts in under 12 hours were made against websites on their servers, yet none of their servers suffered any performance issues.
In fact, after some in-house brute forcing of their own clients’ websites to find weak passwords, they found many websites on their servers with weak and unsafe passwords. They followed it up by enforcing strong passwords and informing their clients via mail. They seem to care about their security and about ensuring the performance of their shared server environments even when under attack. The same can not be said for some of the largest shared web hosting companies.
If you want alternative options to SiteGround for shared hosting, I’ve listed quite a few in a previous post.
However, suppose you do not want to concern yourself with WordPress security and anything else remotely technical about creating, maintaining and growing a website. In that case, you will be better off with a managed WordPress host. I prefer managed hosting but the costs are considerably higher.
The price for managed hosting for one month will also buy you shared hosting for 8 months. If you are running a cash strapped enterprise, this has a monumental effect on your business’s sustainability. But anyone would be a fool to dismiss the benefits of a managed WordPress host, if they can afford it.
WPEngine security measures:
- Disk write protection: any malicious code that creates exploitable vulnerabilities is severely limited by the disk write restrictions. Using plugins and themes with vulnerabilities suddenly becomes safer, given that they can no longer write code to your server that makes your WP vulnerable as easily.
- Disk write privileges for users logged in to their WP dash extend to standard functions like writing and editing posts, adding new style sheets to themes and activating/disabling plugins.
- To delete and write new files you need to be logged in via an SFTP client.
- Adding generic PHP code isn’t permitted.
- Scripts with known vulnerabilities which compromise WP can not be added to WordPress.
- Certain plugins can be disallowed and even disabled, if their scanners pick up something in the plugin’s code that leaves your website less secure.
- The basic plans in WPEngine will still involve some server sharing. In any dedicated hosting plan, the host provides an entire server fully dedicated to providing resources for only your website.
- Backups via Amazon S3 and you do not have access to them. You couldn’t compromise your backups, even if you tried. An insurance policy for your site is always in place.
- Physical access to servers is limited only to essential personnel. Their data centers sound like Fort Knox just reading about it.
- They specialize in WP and know the ins and outs of creating a secure WordPress site.
- Recovery in the case of a hacked account is easy and assured free of cost.
- Regular code audits from WP security solutions provider – Sucuri.
Think of WPEngine this way: it costs you a bomb but a lot less than a hacked website can cost you. It makes it far easier to rationalize costs.
Please do not overlook that your website will not just be safer with WPEngine, it will be a lot faster in all likelihood. Even websites like Colorlib which use a virtual private server find it difficult to match the speed of a WPEngine run website.
If you still have doubts and can not choose between a shared web host and a managed WP host, that is a huge topic. Please do read a piece I wrote a while back. Hopefully that will answer all your questions regarding the suitability of a hosting plan for your website.
#2. Use Trusted Third Party Software – Premium Themes & Plugins
Plugins and themes are always suspect, be skeptical, especially when they are poorly maintained and rarely updated. You can take numerous steps by discriminating against plugins based on security flaws, but it always pays to note your plugins’ actions with WP Security Audit Log.
A security log is very helpful to web development and security professionals who keep track of changes across multiple sites when they handle the needs of their clients. Every action by every user can be accounted for with the plugin. The Log also helps keep an eye on plugin, theme and other third party software behavior. This plugin may not prevent a security problem, but if something goes awry, you’ll find it easy to trace the source of the problem.
Another good practice is to have the plugin audited by a security expert. If you can not afford to do that, look for Sucuri’s (Sucuri is a leading provider of security solutions for WordPress users) stamps of confidence on plugins. Many plugins/themes voluntarily submit their products for code audits.
Elegant Themes have had their flagship theme Divi audited. Elegant Themes is one of the biggest, if not the biggest, theme house in the WP niche, yet they have their flagship theme audited for security issues.
Stay away from free plugins and themes that don’t have many downloads. Sometimes plugins with inordinately high download counts and ratings attract many more mischief-makers. Protection in numbers isn’t applicable. More people using a plugin makes it a bigger target, but at the same time, having thousands of users will probably help identify and protect against zero-day exploits through quick updates.
Using premium plugins and themes does not mean your site’s safety can be guaranteed. But you can be certain that if any zero-day exploits are discovered, the response is generally swift. Theme houses and plugin developers have a great deal riding on their products; the last thing they want is the appearance of vulnerability.
Stick to plugins listed on the WordPress.org directory for free plugins. Higher ratings and number of downloads make the plugin a safer bet. Check out the history of the plugins created by the same author in the past, a good indicator of the programmer’s pedigree. You’ll also see that certain authors take extra care to ensure their plugin’s/theme’s security.
The last updated date is another factor worth taking into account. Ensuring that the latest version of the plugin is compatible with the latest version of WordPress is another essential point to tick off on the checklist before installing and activating a plugin.
As you might have guessed what goes for plugins also goes for themes. There are a few things to remember when using plugins and themes.
- Premium Plugins are better in a sense, their teams are likely to respond to any security vulnerability a lot quicker than free plugins.
- Use WP Security Audit Log and track everything under your website’s hood.
- There is certainly safety in numbers because a security threat is far more likely to be reported and dealt with. But I can’t help feeling that this is a double edged sword: plugins/themes with large download counts are also far more likely to become targets of hackers.
- WP.org’s plugin directory can be manipulated to provide excellent ratings for plugins with smaller numbers of downloads & ratings.
- Check out the author of the plugin, their history and previous products. If they’ve had security issues in the past, they do not necessarily indicate that their plugins/themes are bad, but it isn’t a good sign.
- Discriminate against plugins/themes ruthlessly, read reviews, especially the ones that provide bad ratings for the product (be sure to look into why these products were poorly rated) on marketplaces like Envato, even for premium plugins. Read comment sections from product reviews for plugins and themes. When writing reviews about specific WordPress products or creating a list post of themes, I always look at the comments section for complaints from users who’ve downloaded/purchased the product. This exercise is always fruitful, you will almost always learn something about the product you intend to buy or download.
- If the plugin/theme has had their code audited by Sucuri or another reputable WP security solution provider, it adds to the likelihood that the product is pretty rock solid in terms of security.
- You can protect yourself against rogue plugins with security plugins like Wordfence or iThemes Security. Additionally you can use Sucuri’s free site scan feature which looks through your WP code for malicious scripts.
None of the above steps guarantee that you’ll never download a bad plugin or theme, but it does reduce the chances you will be affected by security issues.
Now, assuming you’re using the right host, theme and plugins. I will be describing and explaining the necessary security measures you need to take to make your website secure.
Whilst describing individual security measures, please note that I recommend standalone plugins designed for specific security applications.
Later in this post, I’ll discuss Wordfence a full-fledged freemium security plugin and Sucuri’s security solutions. You should know that both accomplish almost all the security functions that may have been previously discussed in the post and more in some cases.
So unless you want to learn about individual security measures in detail, you can skip to the last part where I discuss the functions of a security plugin and security solution providers like Sucuri.
But if you’re a first time WordPress user, I highly recommend you read through the entire post to fully understand the significance of each different security measure.
#3. Protect Your Login Page
The WordPress Login Page is a prime target for brute force attacks. Your login page is a vulnerable part of your website if you do not put the appropriate security measures in place to hinder attackers.
I’ll discuss the importance of maintaining a strong and secure login page with multiple security measures that protect your site against brute force attacks.
Strong Passwords & Unusual Username
Admin is not a good username. WordPress previously had admin as the default username of the primary admin account. Today however, when you install WordPress you can choose a different username. But when people start using WordPress, especially for the first time, many stick with admin as the username. “admin” is an extremely predictable username and it makes your site far easier to break into.
For passwords, picking an unusual random string of characters will help create the first line of defense against people who mean to harm your website or get a hold of sensitive information stored on your site’s servers.
A list of the 5 most common passwords as compiled by CNBC.
- 123456
- password
- 12345
- 12345678
- qwerty
A highly motivated thirteen-year-old can guess admin and 123456. With passwords like those above, your site is a goner, especially if you receive decent traffic.
The best passwords are a melange of upper & lowercase with punctuation and special characters. Preferably, use something with no meaning and ensure it is at least 10 characters long. There is no particular reason for 10 characters, but remember it gets exponentially harder to crack passwords the longer they are.
It is harder to guess if your password doesn’t make sense and there is no logical or sentimental reason behind it. Remember, how Sherlock guesses Irene Adler’s mobile password – “I AM _ _ _ _ LOCKED”. Even Sherlock would have difficulty guessing passwords that can not be reasoned out!
If you are having difficulty figuring out what password to use, tools like Strong Password Generator are freely available online to help you pick a good password for your website’s admin login.
Security plugins also enforce strong passwords for the admin and all users. This is important, even if your users do not have administrator status and accompanying privileges, someone with access to a compromised editor-level account on WordPress could do quite a bit of mischief.
Another good tip to always remember, change your passwords frequently. If you have difficulty remembering all your passwords, use a password manager. You can try 1Password or LastPass to store all your passwords securely.
As far as usernames and passwords are concerned, the less they make sense and are more random, the better the security they can offer your website.
Limit The Number Of Login Attempts
Brute force attacks target login pages of WordPress websites. If you are unaware, most brute force attacks involve trying different alphanumeric combinations to crack the site’s password for a particular username.
Even if you assume that a brute force attack is unsuccessful, you must recognize that it consumes enormous amounts of server memory and processing power. This will almost certainly slow your website and bring it to a crawl. Many hosts also offer protection against brute force attacks. This is because your site consuming undue resources on a shared server could affect everyone.
But the easiest technique to ward off brute force attacks is to limit the number of login attempts. If someone cannot repeatedly hit your server with multiple username and password combinations then, a brute force attack will not work.
Login Lockdown aims to prevent access to your website via brute force hack attempts. Brute Protect has been acquired by team Automattic and is now a part of Jetpack, where it offers protection against brute force attacks.
Almost all the login protection plugins have a similar interface.
These plugins track IP addresses that repeatedly attempt and fail to log in. Following multiple failed login attempts, those particular IPs are prevented from accessing your site’s login page.
Login Security Solution forces a WordPress email authentication and password change via email, if it determines the user currently logged in is rather suspicious.
The plugin can enforce strong passwords and mandate frequent changing of passwords on users. Also, hack attempts are tracked by IP ranges that repeatedly try to gain access illegitimately. They are locked out for longer periods to dissuade them from trying to break into your website.
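To make the lockout mechanism concrete, here is an added Python example (my own, not code from Login Lockdown, Jetpack or Login Security Solution) of the logic these plugins implement: failures are counted per source IP inside a sliding window, the fifth failure locks the address out, and every repeat lockout lasts twice as long as the previous one, which is how the longer lockouts for persistent sources described above can be achieved. The thresholds, the doubling rule and the addresses in the replay are assumptions chosen for the example.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5          # failures allowed per IP inside the window (assumption)
WINDOW_SECONDS = 15 * 60  # failures older than this no longer count
BASE_LOCKOUT = 20 * 60    # first lockout in seconds; each repeat doubles it


class LoginLimiter:
    """Tracks failed logins per source IP and locks repeat offenders out."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(list)    # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires
        self.lockouts = defaultdict(int)     # ip -> how many lockouts so far

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:              # lockout expired, forget it
            del self.locked_until[ip]
            return False
        return True

    def record_failure(self, ip):
        """Count a failed attempt; returns True if this one triggers a lockout."""
        t = self.now()
        recent = [f for f in self.failures[ip] if t - f < WINDOW_SECONDS]
        recent.append(t)
        self.failures[ip] = recent
        if len(recent) < MAX_FAILURES:
            return False
        self.lockouts[ip] += 1
        duration = BASE_LOCKOUT * 2 ** (self.lockouts[ip] - 1)
        self.locked_until[ip] = t + duration
        self.failures[ip] = []               # start counting afresh after the lockout
        return True

    def record_success(self, ip):
        self.failures.pop(ip, None)

    def attempt(self, ip, username, password, check_credentials):
        """Gate a login: refuse while locked, otherwise check and record."""
        if self.is_locked(ip):
            return "locked"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "locked" if self.is_locked(ip) else "failed"


def simulate():
    """Replays a constructed password-guessing run from one address."""
    clock = [1_700_000_000.0]
    limiter = LoginLimiter(now=lambda: clock[0])

    def check_credentials(user, pw):         # stand-in for WordPress's own check
        return (user, pw) == ("editor", "correct horse battery staple")

    outcomes = []
    for guess in ["123456", "password", "12345", "12345678", "qwerty"]:
        outcomes.append(limiter.attempt("203.0.113.7", "admin", guess, check_credentials))
    # even the right credentials are refused while the address is locked
    outcomes.append(limiter.attempt("203.0.113.7", "editor", "correct horse battery staple", check_credentials))
    clock[0] += BASE_LOCKOUT + 1              # wait out the first lockout
    outcomes.append(limiter.attempt("203.0.113.7", "editor", "correct horse battery staple", check_credentials))
    return outcomes


def escalation_demo():
    """Shows the second lockout lasting twice as long as the first."""
    clock = [0.0]
    limiter = LoginLimiter(now=lambda: clock[0])
    durations = []
    for _ in range(2):
        for _ in range(MAX_FAILURES):
            limiter.record_failure("198.51.100.1")
        durations.append(limiter.locked_until["198.51.100.1"] - clock[0])
        clock[0] = limiter.locked_until["198.51.100.1"] + 1
    return durations


if __name__ == "__main__":
    print(simulate())
    print(escalation_demo())
```

In a real deployment the state would live in the database or a cache shared by all PHP workers rather than in process memory, and the source address should be taken from the connection (or a trusted proxy header only), since anything the client controls can be spoofed to dodge the counter.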
Two-Step Login Authentication
Authenticating a login adds an extra layer of security on top of a strong password, an unusual username and a limited number of unsuccessful login attempts.
Two-step login authentication makes your site more than just doubly secure. Logging into your WordPress site requires an authentication code that can only be received via a mobile message. It is rather unlikely that a hacker will steal your mobile in preparation, so your website will remain secure against brute force and other hack techniques that rely on getting past your website’s login page.
Google Authenticator is a useful plugin that relies on an app installed on your Android/iPhone/Blackberry that provides you with the necessary authentication code to login successfully on your website. You can enable this app for admin only privilege level or employ it on a user by user basis.
I like the next plugin a lot; it redirects people who attempt to log in without the authentication code to a customizable URL.
The login attempt is rejected if a user fails to complete the full login sequence. Another technique that can be used to block bots is a captcha on the login page; you can use Login No Captcha reCaptcha to prevent bots from logging in.
Change Your WordPress Login Page URL
We’ve discussed limiting login attempts, authenticating logins and the importance of using a strong password and an unusual username.
Now we’re going to hide or change the login page; this type of security tweak is also known as security through obscurity. I know this seems a bit overkill. But stay with me here, because this step is no more difficult than the previously suggested security measures to secure your login page.
Brute force attacks are effective only if they can find the login page. Leaving your login page unchanged permits would-be hackers to find your login pages.
Let’s try to hide the login page from them. You can change the login page’s URL with WPS Hide Login. The plugin doesn’t change anything, it simply intercepts page requests and makes the wp-admin directory and the wp-login.php page inaccessible. You’ll need to remember the new login page URL as set during the plugin activation.
Alternative options for changing your login page URL include two other plugins, Protect Your Admin.
SSL
Although I mention SSL under protecting your login page, SSL is an extremely important and necessary feature of any page on which you deal with sensitive information. And on many websites this includes every page, since there are blog subscription forms on all of them.
If you or your visitors/customers ever share sensitive private information like addresses, credit card details or even email IDs with you, then you owe it to them to protect their information.
SSL is an extra layer of protection (Secure Socket Layer) that turns the http to https and makes all the information shared much safer.
This is how the edit post page I work on for Colorlib looks with SSL. Notice the green colored “https:” in the URL bar?
SSL scrambles your information into something that can not be read the way we read plain text. So when information travels between your servers and any browser, anyone who gains access to it can not make any sense of it. There is a private key and a public key. Once SSL has made the information in transit illegible, we need to make sense of it again at the browser end. This is where the private key comes in to make things readable again. The mechanism in play is very similar to a mathematical lock and key.
SiteGround, our recommended shared host provides SSL protection for free. You can also buy an SSL certificate from a Certificate Authority. If you run security plugins like Wordfence, SSL can be enabled.
I’d recommend site-wide SSL; many WordPress sites, Colorlib included, use site-wide SSL. You should force SSL for login pages at a bare minimum if not site-wide.
Browsers like Chrome block access to websites with bad/expired SSL certificates.
You may have to figure out if your CDN delivers content easily over SSL and sometimes ad networks may present problems when serving over SSL. Adding SSL site wide may present significant difficulties, you should read this very insightful article about the difficulties of enabling site wide SSL.
If you use SSL on your websites, Google gives you a small boost (1%) in your search rankings. This fact, in of itself should warrant using SSL. Why? As most web development professionals do, Google understands the importance of ensuring the security of your reader’s/visitor’s data.
SSL can also be enforced on your login screen by the Wordfence security plugin. It is also expected that security certificates will be made freely available.
Read more about administration over SSL on WordPress.org.
#4. Protecting Your WP Core, Database & Using Correct File Permissions
In many of these security measures we will be modifying your WP core and you’ll need to be familiar with how to use an FTP client to make changes and upload them. And since most of these security tips involve changing or modifying your WP core, it might just break your website. Back up your WordPress core and all its contents before you proceed any further; a mistake can easily be undone with a backup.
WordPress Security Keys
WordPress uses cookies to identify and verify users logged in for commenting and making changes from the WP dash.
These cookies contain login information and your authentication details. The password is hashed, which means a mathematical formula is applied to make it illegible; it can not be read without applying the math once more to make it readable.
We can add an extra layer of protection around this cookie with WP Security Keys. These random variables improve the security of information stored on a user cookie. There are 4 keys namely, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.
A non-encrypted password such as WordPress or 12345 can easily be broken if someone can reconstruct the authentication cookie. But encrypting with WP security keys makes this a lot harder.
How Do You Add WP security keys?
- Open the wp-config.php file.
- Search for “authentication unique keys and salts”.
- Use an online automatic keys generator tool.
- Copy the keys from the online tool and replace the existing keys, overwriting it in wp-config.php.
- Save it.
- You can repeat the same process every month or so.
Remember, every time you change the security keys, users will be logged out and have to log into their accounts again.
iThemes Security provides the necessary tools to do this from the WP dash. And they will also send you a monthly reminder to change your security keys.
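The rotation described above can be scripted instead of pasted by hand from the online generator. This added Python example (my own, not WordPress's, the generator's or iThemes Security's code) produces fresh 64-character values for the four keys named above and, going beyond those four, for the four matching salts that sit in the same "Authentication Unique Keys and Salts" block of wp-config.php, then rewrites the define() lines in a copy of the file. The sample config, the 64-character length and the assumption that the file uses the standard define('NAME', '...'); form are choices of the example; it also reports any define it could not find, so an unusual config does not silently keep an old key.

```python
import re
import secrets
import string

# The four keys named in the text plus the four salts that accompany them.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Printable ASCII minus the single quote and backslash, so each value can
# sit inside a PHP single-quoted string without any escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
KEY_LENGTH = 64   # assumed length; WordPress itself only asks for "unique phrases"

# Matches define('AUTH_KEY', '...'); with any spacing, for the names above only.
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'[^']*'\s*\);")


def generate_keys(length=KEY_LENGTH):
    """One cryptographically random value per key name (secrets, not random)."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for name in KEY_NAMES}


def rotate_keys(config_text, keys=None):
    """Replace every define('<KEY>', '...'); line in the config text.
    Returns (new_text, names_not_found)."""
    keys = keys if keys is not None else generate_keys()
    found = set()

    def replacement(match):
        name = match.group(1)
        found.add(name)
        return f"define('{name}', '{keys[name]}');"

    new_text = DEFINE_RE.sub(replacement, config_text)
    missing = [name for name in KEY_NAMES if name not in found]
    return new_text, missing


# Constructed stub of the relevant wp-config.php block (default placeholder values).
SAMPLE_CONFIG = """<?php
/**#@+
 * Authentication Unique Keys and Salts.
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
/**#@-*/
"""

if __name__ == "__main__":
    new_config, missing = rotate_keys(SAMPLE_CONFIG)
    print(new_config)
    if missing:
        print("not found, add by hand:", ", ".join(missing))
```

To rotate a real site, read wp-config.php, pass its text to rotate_keys, and write the result back only after taking the backup the section above recommends; as the text notes, every logged-in user is signed out the moment the new file is in place.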
Password Protect Your WP Directories
This can be done from your cPanel or any web host’s dashboard. In the cPanel, open Security > Password Protect Directories. You’ll find a list of all the folders on your site. Start with an important folder like wp-admin.
You’ll find a dialog box that asks you to create a user by providing a username and password. Now create the new user. After this, if you need access to the wp-admin folder on your website, the username and password need to be entered before you can reach it.
This adds an extra layer of password based protection to the most important parts of your website.
Use Secure FTP (SFTP)
A file transfer system is required to carry your website’s data to your web host when you add changes you’d like to incorporate. With a plain file transfer protocol (FTP), the risk that someone intercepts the transfer and finds vulnerabilities to exploit on your website increases.
You’ll need the right client to use an SFTP connection to upload new files and modified code. You can use FileZilla to help you get started.
In addition, you’ll need some specific details about your web hosting account. Generally, every host will provide specific information to help you set up a secure file transfer protocol. You’ll normally have an SSH key which the host generates, this key has to be added to your SFTP client like FileZilla and it is straightforward to set up a secure connection for file transfer.
Using Correct File Permissions
Access to your files needs to be governed by the right permissions. It is possible to write to your WordPress files from the web server. The problem arises when you share that environment with multiple other websites on a shared server.
Generally, WordPress folders and WordPress files have specific permissions on different hosts. With shell access you can run the following two commands to keep your WordPress folders and files secure and accessible only to the correct user.
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
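The two find/chmod commands apply the 755/644 scheme blindly and report nothing. The added Python example below (mine, not from the page) audits an install against the same scheme, lists every file or directory that deviates, and optionally fixes it, skipping symbolic links so it never changes permissions on anything outside the install. The miniature directory tree it builds is constructed for the demo, with one world-writable directory and one world-writable file.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755    # directories: owner writes, everyone else reads/traverses
FILE_MODE = 0o644   # files: owner writes, everyone else reads


def audit_permissions(root, fix=False):
    """Return [(path, actual_mode, expected_mode)] for every entry under root
    that deviates from the scheme; with fix=True, chmod each one as it is found.
    Symbolic links are skipped so nothing outside root is ever touched."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        candidates = [(dirpath, DIR_MODE)] if dirpath == root else []
        candidates += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        candidates += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in candidates:
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual != expected:
                problems.append((path, actual, expected))
                if fix:
                    os.chmod(path, expected)
    return problems


def build_sample_tree(base):
    """Constructed miniature install with two deliberately wrong modes."""
    os.makedirs(os.path.join(base, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/image.jpg"):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, FILE_MODE)
    for rel in ("", "wp-content", "wp-content/uploads"):
        os.chmod(os.path.join(base, rel), DIR_MODE)
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)  # world-writable dir
    os.chmod(os.path.join(base, "wp-config.php"), 0o666)          # world-writable file


def demo():
    """Builds the sample tree in a temp dir, fixes it, and re-audits.
    Returns (relative paths that were wrong, problems left after the fix)."""
    base = tempfile.mkdtemp(prefix="wp-perms-")
    try:
        build_sample_tree(base)
        before = audit_permissions(base, fix=True)
        after = audit_permissions(base)
        return sorted(os.path.relpath(p, base) for p, _, _ in before), after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    wrong, remaining = demo()
    print("fixed:", wrong, "remaining:", remaining)
    # against a real install: audit_permissions("/path/to/your/wordpress/install/")
```

Run it without fix first so you see what would change; DIR_MODE and FILE_MODE are constants so a host that needs a different scheme for a specific directory can be accommodated without editing the walk.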
Protecting WordPress using .htaccess
While editing the .htaccess file, please add code before # BEGIN WordPress or after # END WordPress. WordPress can overwrite any code added between these two comment lines and we wouldn’t want any new security rules we’ve added to disappear. So when you add any code to the .htaccess file, please remember to stay out of the section starting with # BEGIN WordPress and ending with # END WordPress.
The wp-includes directory contains files that no visitor needs to request directly, but they are necessary for running WP. We can protect it by preventing access with some text in the .htaccess file, keeping in mind to stay out of the code between the two comment lines.
Add this little snippet of code to the .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Put your own rules above this line; WordPress rewrites everything
# between "# BEGIN WordPress" and "# END WordPress".
# BEGIN WordPress
This wouldn’t work for WordPress multisite. Remove the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]; this offers a little less protection but it will work for multisite.
Your wp-config.php file contains sensitive information about your connection details and the previously discussed WP security keys. Modifying your .htaccess will protect your website against hackers and spammers and significantly beef up your website’s protection.
This process involves moving your wp-config.php file out of your WP install to a location accessible only with an FTP client or cPanel or from the web server.
Add this to the top your .htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>
This blocks any browser request for the wp-config.php file; only the web server process itself can still read it.
All this added protection is great, but remember all of this was accomplished from your .htaccess file. If someone can access your .htaccess file, all your added security isn’t helpful.
Add the following to the top of your .htaccess file. It will prevent access to the .htaccess file itself.
<files .htaccess>
order allow,deny
deny from all
</files>
You can add more rules to your .htaccess file if you'd like.
You can also restrict files by name and extension. This block blocks access not only to wp-config.php but also to php.ini and your log files.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>
# Code courtesy - WPWhiteSecurity
Next we can disallow browsing of the WP directory contents.
Options All -Indexes
A few other .htaccess changes can also improve security:
- Block IPs and IP ranges. You can limit access to your login pages by IP range. I would have covered this in the Login section, but login protection plugins already block IP ranges that hit login pages with brute-force attempts.
- Keep bad bots at bay.
- Prevent hot linking.
This is quite extensive and we are starting to get off point. If you’d like to do the other stuff as well, for which I haven’t presented the code here, you can use this piece of custom code from WP White Security.
Please remember to keep track of which files you have moved out of the WordPress root directory. You need to know where each file and folder is, not only so that you can edit them but also so that you do not end up with multiple copies in different locations, which defeats the point of the entire exercise.
Turn Off PHP Error Reporting & PHP execution
Direct PHP execution needs to be kept to a minimum. Why? A good example is the MailPoet Newsletters hack, which could be used to add files that were then run from the wp-content/uploads folder.
We can stop PHP files in those folders from being executed directly to close off this kind of attack. Add this code snippet to the .htaccess file.
https://gist.github.com/puikinsh/c8bf229921dbf6af4625
The snippet matches PHP files and denies access to them. You need to add it to the following WordPress folders:
- wp-includes
- wp-content/uploads
- wp-content
You'll need to create a .htaccess file in each of these folders. By default only the root directory has one, but to block PHP execution a .htaccess file must be created in each of the folders listed above. These three folders are the main places where content is uploaded, and they are particularly exposed to a malicious PHP script that can cause a lot of damage.
Visible PHP error messages signal to anyone probing for vulnerabilities that something on your website is not working properly.
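The gist linked above is not reproduced here, so the following is an added example of my own, not the post's snippet: a shell helper that writes a "no direct PHP" .htaccess into the three folders just listed. It assumes Apache with AllowOverride enabled for the site and either mod_authz_core (Apache 2.4) or the older 2.2 access directives; the file names it matches and the demo paths are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's gist: drop a "no direct PHP" .htaccess into the three
# folders listed above. Assumes Apache with AllowOverride enabled for the site, and
# either mod_authz_core (2.4) or the 2.2 access directives. Paths are constructed.

# The directive block. Apache 2.4 uses Require; the 2.2 form is kept as a fallback.
wp_no_php_rules() {
    cat <<'EOF'
# Deny direct requests for PHP files in this directory tree.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Folders the post names; wp-content already covers uploads, but the post lists both.
WP_NO_PHP_DIRS="wp-includes wp-content/uploads wp-content"

# Create or extend .htaccess in each folder under the WordPress root ($1).
# Safe to re-run: the block is only appended when it is not already present.
wp_write_no_php() {
    for sub in $WP_NO_PHP_DIRS; do
        mkdir -p "$1/$sub"
        target="$1/$sub/.htaccess"
        if [ -f "$target" ] && grep -q 'Deny direct requests for PHP files' "$target"; then
            continue
        fi
        wp_no_php_rules >> "$target"
    done
}

# Count how many of the listed folders carry the block (3 means all are covered).
wp_count_protected() {
    n=0
    for sub in $WP_NO_PHP_DIRS; do
        if [ -f "$1/$sub/.htaccess" ] && grep -q 'Require all denied' "$1/$sub/.htaccess"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Demo on a constructed, empty WordPress root.
demo_root=$(mktemp -d)
wp_write_no_php "$demo_root"
echo "folders protected: $(wp_count_protected "$demo_root") of 3"
cat "$demo_root/wp-content/uploads/.htaccess"
rm -rf "$demo_root"
```

Point wp_write_no_php at your real install path and then test the site: a few plugins serve PHP files directly from under wp-content, and if one of them breaks, remove the block from that folder rather than from all three. The wp-content/uploads copy is redundant once wp-content has the block, but it does no harm and keeps uploads covered if the wp-content rules are later edited away.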
Adding these two lines of code to your wp-config.php file should resolve the problem.
error_reporting(0);
@ini_set('display_errors', 0);
Although, having read several threads and discussions about PHP error reporting, this may not work on every host. In that case your best option is to contact your web host and ask how to accomplish the same.
Change the wp_ table Prefix
All WordPress tables begin with the wp_ prefix. Changing this prefix across your whole database makes it more difficult for hackers to infiltrate your website.
In your wp-config.php, you’ll find this line of code.
$table_prefix = 'wp_';
Change it to something completely random:
$table_prefix = 'jrbf_';
Now every table, such as wp_posts and wp_users, becomes jrbf_posts, jrbf_users and so on.
Almost all security plugins do this for you, and changing table prefixes by hand can be time-consuming. You can do it with phpMyAdmin or another database manager, but I'd much rather use a security plugin like iThemes Security.
Similarly, you can take it a step further by changing the name of your WordPress database. This way you change not only the prefix but also what follows it. This makes it nearly impossible for hackers to guess your database name, and you cannot access what you cannot find.
Disable XML-RPC
Generally, DDoS attacks target all pages of a WordPress website indiscriminately, but this particular part of WordPress can become a target in its own right. To explain: XML-RPC is used for pingbacks and trackbacks, but in the past it has been exploited to launch DDoS attacks on websites.
You can use a plugin like Disable XML-RPC. You will not need it if you use a security plugin or a login protection plugin, since these generally protect against this particular vulnerability.
#5. Security Plugin – Wordfence/iThemes Security/ Sucuri
An effective security plugin is essential to your WordPress site's security, at least for the non-tech-savvy. Security plugins perform many of the functions already discussed here, and all of these added measures add up to build a fortress around your website and its contents.
Wordfence performs many functions crucial to the security of a WordPress-powered site:
- Real time blocking of attackers, blocking entire malicious networks and certain countries.
- Limit crawlers, bots and scrapers.
- Block users who trespass on your security rules.
- Two-factor authentication via SMS greatly improves security on login pages.
- Strong password enforcement for all users (non-admins).
- Protect against brute force attacks.
- Scan site for malicious scripts, back doors and phishing URLs on your site masquerading as comments on your website.
- Compare plugin/theme core files with files of the same listed on WordPress.org’s directory.
- Run heuristics for Trojans, suspicious scripts and other potentially security endangering activities on your site.
- Firewall to block fake Google bots sent by hackers to scan for vulnerabilities.
- Real time awareness and live content access monitoring to enhance situational awareness.
- Geolocates threats to your website down to city level to find their point of origin.
- Monitor DNS for unauthorized access.
- Keeps an eye on disk space consumption to prevent and react to Denial of Service attacks.
- It is multisite compatible.
- Falcon caching system to reduce server load.
- Full IPv6 compatibility for WHOIS lookup, location and security functions.
Some features are restricted to the premium version of the plugin. The premium version of the plugin is priced at $3.25/mo.
That being said, the free version of this plugin is a very capable site defender for your WordPress website. And you shouldn’t be too apprehensive about the free version of the plugin, given that it has a rating of 4.9 on a five point scale and has been downloaded nearly a million times.
Security plugins require configuring and this can be an elaborate and long process. With Wordfence, you can at least customize all your security settings from Options under WordFence on your WordPress site menu.
Other options you can consider, if you still haven’t settled on a security plugin for your WordPress site.
- Bullet Proof Security – 80,000+ active users
- iThemes Security – 1M+ active users
- Sucuri Security & Sucuri Cloudproxy For Firewall – 800,000+ active users
- All In One WP Security & Firewall – 1M+ active users
I do not think Wordfence is the best overall security system out there. I mean there are better security solution providers/ managed hosting services that offer better overall security solutions for WordPress sites. But when it comes to simple security plugins that enforce good protection and security protocols, Wordfence is certainly one of the best. The not too distant second position would probably go to iThemes Security.
In the coming weeks, I’ll probably write a post about all the security solutions available for WordPress, so stay tuned to Colorlib 🙂 But right now, we’ll stick to Wordfence as the recommended security plugin.
#6. Update ! Update! Update! And not just your WordPress
Hundreds of known vulnerabilities exist in older, non-current versions of WordPress.
Websites tend to be slow to update their WordPress platform. For example, in August of 2023, only 80% of websites had updated to WordPress 6.2, despite it having been released more than two months before February.
Whenever a software vulnerability is discovered, it is typically reported to the software vendor. The vendor then modifies the software, adding protection or removing unnecessary code, and releases the result as a software update or patch. That is the best case; if someone with less than noble intentions discovers a vulnerability in any web-based or non-web-based software, he or she is likely to exploit it to the fullest.
In January 2023, MailPoet Newsletters (previously known as Wysija Newsletters), a plugin which had been downloaded over 2 million times, was compromised, as a result of which 50,000 websites were left vulnerable to an automated attack in which an injected PHP backdoor gave the hacker eventual control of the site.
In January 2023, 100,000+ websites were compromised through the Revolution Slider plugin, targeted by the SoakSoak.ru campaign. This malware injected JavaScript into WordPress's template-loader.php file. A thousand themes were affected, as they had been sold with this plugin bundled as an add-on via Envato and other WordPress marketplaces.
I mentioned the XSS vulnerability in WP Super Cache, a plugin in my round-up of the Top 6 Caching Plugins. The list of vulnerabilities in top-notch free plugins is quite concerning. But there are many steps you can take to decrease your chances of running a vulnerable theme or plugin on your website.
You should know that most plugins with vulnerabilities have been patched. But you need to stay fully updated at all times. Updating your site to the latest versions is an extremely important part of your site defense strategy. All the previously mentioned security measures are useless, unless you update as and when the updates for WordPress and other third party software are available.
Enable Automatic Updates For Your WordPress, Plugins & Themes.
You do not want your website’s update page looking like this page on a test site.
WordPress introduced automatic background updates with the release of WordPress version 3.7.
You can enable auto updates for WP, by making a change to the WP_AUTO_UPDATE_CORE constant. This change needs to be made in the wp-config.php file.
define( 'WP_AUTO_UPDATE_CORE', true );
This ensures that all core updates, major or minor, are applied as soon as they are made available.
Set the constant to false and you disable all automatic core updates. Setting it to 'minor' enables automatic updates for minor releases only, which normally include security patches.
You can enable automatic plugin and theme updates similarly, using the auto_update_{$type} filter.
For automatic plugin updates,
add_filter( 'auto_update_plugin', '__return_true' );
And to enable automatic theme updates,
add_filter( 'auto_update_theme', '__return_true' );
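Pulling the wp-config.php settings from this section and the two before it (error display, table prefix, core auto-updates) together, here is an added shell audit script of my own, not from the post. It assumes POSIX sh, grep and sed; the two sample wp-config.php files it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): audit a wp-config.php for the settings
# discussed above: error display, WP_DEBUG, table prefix and WP_AUTO_UPDATE_CORE.
# Assumes POSIX sh, grep -E and sed -E. The sample config files are constructed.

# Print one OK/WARN line per check for the wp-config.php given as $1.
wp_config_audit() {
    cfg=$1
    if grep -Eq "ini_set\([[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*(0|'0'|\"0\"|false)[[:space:]]*\)" "$cfg"; then
        echo "OK   display_errors is switched off"
    else
        echo "WARN display_errors is not switched off in wp-config.php"
    fi
    if grep -Eq "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "WARN WP_DEBUG is true, which shows notices and warnings to visitors"
    else
        echo "OK   WP_DEBUG is not enabled"
    fi
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "WARN table prefix is the default wp_"
    else
        echo "OK   table prefix is not the default"
    fi
    # Extract the value of WP_AUTO_UPDATE_CORE (true, 'minor' or false); empty if unset.
    mode=$(sed -n -E "s/.*define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*['\"]?([a-z]+)['\"]?[[:space:]]*\).*/\1/p" "$cfg" | head -n 1)
    case "$mode" in
        true)  echo "OK   core auto-updates: all releases" ;;
        minor) echo "OK   core auto-updates: minor/security releases" ;;
        false) echo "WARN core auto-updates are disabled" ;;
        "")    echo "OK   WP_AUTO_UPDATE_CORE not set; WordPress defaults to minor updates" ;;
        *)     echo "WARN unrecognised WP_AUTO_UPDATE_CORE value: $mode" ;;
    esac
}

# Number of WARN lines for a config (0 means every check passed).
wp_config_warn_count() {
    wp_config_audit "$1" | grep -c '^WARN' || true
}

# Constructed sample configs: "hardened" follows the post's advice, anything else
# is a fresh install left at its defaults with debugging switched on.
wp_sample_config() {
    f=$(mktemp)
    if [ "$1" = "hardened" ]; then
        cat > "$f" <<'EOF'
<?php
// Constructed sample: the settings recommended above (not a real site)
error_reporting(0);
@ini_set('display_errors', 0);
$table_prefix = 'jrbf_';
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
EOF
    else
        cat > "$f" <<'EOF'
<?php
// Constructed sample: defaults plus debugging left on (not a real site)
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'WP_AUTO_UPDATE_CORE', false );
EOF
    fi
    echo "$f"
}

# Demo: four warnings on the weak sample, none on the hardened one.
weak=$(wp_sample_config weak)
hard=$(wp_sample_config hardened)
echo "--- weak config ($(wp_config_warn_count "$weak") warnings)"; wp_config_audit "$weak"
echo "--- hardened config ($(wp_config_warn_count "$hard") warnings)"; wp_config_audit "$hard"
rm -f "$weak" "$hard"
```

Run wp_config_audit /path/to/wp-config.php on a real install. One caveat on the prefix check: editing $table_prefix in wp-config.php on its own is not enough, because the prefix is also embedded in table names and in a few option and usermeta keys, which is why the post recommends letting a security plugin or a database manager do the rename.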
If you do not enjoy fiddling with code, a plugin can help with keeping WordPress and all your themes and plugins updated. Advanced Automatic Updates lets you enable major updates and minor/security updates individually, and it also provides automatic updates for themes and plugins.
For multisite update solutions, if you need help handling updates with WordPress plugins and themes, you can try out Easy Updates Manager. Some hosting providers also offer a premium service that provides auto updating solutions for premium plugins and themes.
Using plugins like ManageWP or a managed WP host like WPEngine will also help resolve issues with updating your WordPress and the third party software that you use on your website.
Updating WordPress core automatically becomes problematic when things start to break down. This can happen either because of customized code which gets erased during an update or compatibility issues that arise with third party software (plugins & themes). This is one reason which may give you pause, perhaps enabling minor updates may be a better idea.
If you have problems with your automatic WordPress updates, I’d recommend you try Background Update Tester. The plugin checks for and explains any compatibility issues.
Always run a backup before you update. Always! This protects your website against things going wrong and leaving you with a mess. It is a good practice to follow against automatic updates causing havoc through compatibility issues with plugins, themes and sometimes customized code in your WP core.
#7. A Few More Things About WP Security – Firewalls, Audit Logs & Malware Scanners
I haven’t discussed firewalls for WordPress. A good firewall will accomplish a great deal and mitigate the most common forms of attack on your websites.
- Mitigate effects of a DDoS attack.
- Brute force attacks are stopped dead in their tracks.
- Protect against software vulnerabilities.
- Stops code injection attacks like SQL or XSS attacks.
- Patch up and defend against zero day vulnerabilities.
Just to illustrate, here’s a snapshot of what Sucuri firewall does for a WordPress website.
Firewall isn’t the term Sucuri uses to describe its protection system, they refer to it as the CloudProxy which is a combination of a web application firewall and an intrusion detection system. All malicious traffic is filtered out and anomalous activity is monitored.
Firewalls were traditionally developed to monitor connections; Sucuri's CloudProxy, however, not only keeps out the bad guys but also creates virtual patches against vulnerabilities. Once a request from a visitor passes through the firewall, it reaches the intrusion prevention and detection system, which sifts through requests for possible patterns of attack.
I think the virtual patching feature to protect you against vulnerabilities is a highly effective and invaluable asset for any website with too much customization (means a lot can go awry when compatibility issues ensue). It is always better to apply the update to WordPress in a staging area and check if your website functions smoothly. And if it does, you can take the updated version of your website live. But in the interim, your website is genuinely at peril. Protecting against zero day exploits is possible only through updates to fix vulnerabilities, however this does not have to be the case with Sucuri CloudProxy.
And apart from that, they also maintain logs of all activity on your website and look for possible signs of mischief.
Think of the firewall as a last measure, it is the wall a hacker needs to breach to access the sensitive contents of your website. Good practices in large part are designed so that you do not need to use the firewall as much.
Malware scanning software or websites like Sucuri SiteCheck can scan your website for vulnerabilities and possible security loopholes. Security plugins also include malware scanners that track abnormal file changes, which are a sign of potential security problems.
I also mentioned WP Security Audit Log previously, stating that it is a necessary plugin to track all changes on your website. I'd like to reiterate that point: it is an extremely useful plugin, not only to track changes made by themes and plugins but also actions by other users. You must either use WP Security Audit Log or run another logging plugin to keep track of all changes.
Logging is also a key feature of Sucuri’s protection system. Despite their overzealous attempts to ensure security sometimes bad things do happen and websites get hacked. When that happens, their logging system is very useful to help dig websites out of a ditch.
Firewalls, malware scanners and audit logs are very handy against threats that cannot be predicted and against zero-day exploits. They are not substitutes for good WordPress security practices.
#8. Hiding Your WordPress Version – Is it necessary?
I've read on a few websites that hiding your WordPress version will add to your security against malicious hackers. The problem is the assumption that knowledge of the vulnerabilities associated with a particular WordPress version makes it more likely that someone will exploit them. This is not necessarily true. Generally, people who steal information from websites use automated tools to scan websites for known vulnerabilities, and if your WordPress version is vulnerable, they'll know it. It isn't as if hackers check one site at a time and sort them by WordPress version.
As stated previously update your WordPress, themes and plugins as soon as possible. Hackers do not discriminate between sites that display WordPress version and websites that do not.
In the unlikely event that a hacker manually visits every website, checks the WordPress version and then attempts to find vulnerabilities, you may find it fruitful to hide your WordPress version.
Use Remove Version Plugin to remove your WordPress version. If that doesn’t work for you, then you’ll need to make a few minor modifications and this blog post should aid you.
#9. Back Up – Last Line Of Website Security
You should always be prepared for the eventuality that your WordPress site is compromised despite all your security measures. If that happens you need to step in and fix things. Now there are multiple ways in which site recovery can be accomplished. Backups with one click restorations are an easy fix for a compromised website, assuming the security loophole or vulnerability has already been fixed.
Automatic backups are a necessary part of every WordPress website's security arsenal. Think of the security plugins as your sword and the backups as your shield. Should your offense fail you, your shield, in this case the backups, becomes your last line of defense.
Remember, I am assuming that only your WordPress is compromised and not your server, which is a completely different can of worms. But most hosting service providers have a strong security team constantly protecting their servers against malicious elements, especially during global attacks. I wrote a post a few weeks back about the different shared hosting service providers, if you are interested.
Backups: if you'd like a backup plugin without paying a dime, I'd say you can start with UpdraftPlus, a freemium plugin.
With this plugin you can back up and save a copy of your website to storage provided by several different services, including Google Drive, Amazon S3, Dropbox, Rackspace Cloud, FTP & SFTP and email. Note that the free plugin only permits backing up to one location; you'll need a premium add-on if you wish to save your website to multiple places.
Like most WordPress backup plugins, it saves everything, including your content and your theme and plugin settings. It can also run a WordPress database backup separately from your normal backups.
If you’d like to use a premium WordPress backup service, I’d recommend looking at BackUp Buddy, VaultPress or BlogVault (I’ve worked with them in the past and they have an awesome service).
Keep more than one copy of your website available and always have one on a physical drive that isn’t reliant on an internet connection. Backups are a good idea even from a non security standpoint. When you experiment with themes and plugins, when you update themes, plugins or your WordPress, there always exists the possibility for a compatibility issue to arise and break your website.
And from my experience with automatic backups, you need to prune old backup copies at a rate consistent with how often you add new content and make new backups.
When it comes to my PC, I always prefer backup solutions that offer incremental or differential backups as opposed to full backups. Still, note that restoring from incremental backups takes longer. The same applies to a WordPress backup system, although unless your backup provider charges extra or imposes strict storage limits, you shouldn't worry about it.
Conclusion
I can’t help it, this quote from the Harry Potter series seems so apt.
“Constant Vigilance!” – Mad-Eye-Moody
Moody is a dark wizard catcher in the series, if you were wondering.
As I’ve already mentioned, there is no foolproof security on the web. You can take numerous security measures and still have your website hacked. But ensuring that your website runs on SSL, that your login pages are hardened, your passwords & usernames are remarkably unfamiliar, your website is fully updated and protected against known threats and fully backed up daily, greatly improves the odds in your favor.
If you want a completely hack- and exploit-free WordPress, following all the above security measures will ensure your website has airtight security. But even then, you cannot protect against zero-day exploits or a smart hacker hell-bent on breaking your website, although this is a very unlikely event.
Think of it this way. If my website gets hacked, how much business and revenue will I lose? Will I put my customers' information at risk? Will that make me liable for lawsuits? When it gets to the point where you see that the costs of having your website hacked are reasonably high, then I'd suggest you use either a managed WordPress hosting service or a really big web bouncer in the form of Sucuri's security services.
Your website does not necessarily need to be popular to become a target. And it will never become a high traffic website, if it continually falls victim to hacks and attacks.
As I've said previously about hosting: if you're reasonably certain of your ability to create a revenue-generating website which will pay for the costs of the best hosting and security services, then go with the best. If you can afford the best web hosting and security services, it will be worth it in the long run, assuming you aren't a web developer by profession.
If you cannot afford the best managed web hosting or top-notch security, then put the security measures above in place. Chances are, your website will be safe.
If you have some additional insight on WordPress security or have different ideas on protecting your website, I’d love to hear your ideas in the comments below. Cheers 🙂
Great information, Vishnu!
For non expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
From the ones you mentioned, I found “Wordfence Security” plugin a free solution to secure blogs and make them faster.
Tested and happy with it!
I used to HATE WordPress, I would always get attacked and shut down for malware no matter what I did. Each time I was told it was my website not being updated soon enough… those hackers be quick! Definitely recommend doing all these things, but I also decided to stop paying for malware cleanups and hired a company to monitor my site and keep it secure. The great thing is they clean it for free if it does get hacked…. saved so much time and for me so much money! If your website is important and needs to stay up, definitely recommend doing something like that. There are many companies that do this, I personally use Sucuri.
Hi Vishnu,
Thank you for mentioning UpdraftPlus in your post here. Great writing. As you can imagine, here at UpdraftPlus we are very enthusiastic about WordPress security.
I would just like to take a minute to point out that we are now compatible with more remote storage locations than any other WordPress backup. Now including (in addition to those you have listed here) Google Cloud Storage, OneDrive, Microsoft Azure, WebDAV, DreamObjects and our own UpdraftPlusVault. When using our UpdraftPlus Premium service you can get 1Gb for free and the full suite of add-ons which allows you to store backups in multiple locations along with back-up scheduling, multisite/network abilities, our popular migrator add-on and of course access to our very talented team of developers for any support questions.
Thank you very much
Abbie
Abbie,
If you want to get exposure on this post or otherwise reach our audience, please feel free to check our advertising options.
Nice post, good checklist. Some points are really new and very useful.
Well, I have one question: my blog is hosted on HostGator shared hosting. Can you describe a little bit more which settings should be checked for shared hosting?
Great tutorial Vishnu. You have explained everything in detail.
Nice sharing. This is really an important article. You have shared some crucial tips to improve the security of WordPress site. I knew before about some tips here. But some tips are totally new to me. I want to make my site more secure by using your tips. We know that we are living under the threat of hackers and they can exploit our sites anytime. So we need to take immediate steps against hackers. This is our most important responsibility to take care of our websites. Your article will be really helpful. Thank you very much for your great article.
I found all the security measures in one place, thank you sir for giving that kind of information.
Good article. You're right that complete protection should be a complex thing. For this purpose I use the W.tools service. I've set up everyday backups there with file-change monitoring and FireCDN as prevention against malicious requests.
One possible way to prevent an unauthorized entity from accessing your website is to keep your WordPress, plugins & themes updated. The few things discussed here will really help you to improve the security of a WordPress website.
Great sharing. These tricks are really useful for WordPress users. We are under the threat of hackers, so increasing security is a big problem. You have done a good job.
Such a great post. It really helped me a lot. You gave a detailed explanation and it is very easy to understand.
After reading this article I realize I have saved my money on my website but didn't think about security, but next time I'll follow the points which you have mentioned.
I counted the 5 most popular security plugins. It is very difficult to choose the most suitable one, especially if I am a beginner) Your article helped me understand this issue, thank you!
The plugin that we use ourselves and recommend to others is iThemes Security Pro. It is a great plugin that does everything to protect your website from malware and hacks.