
Beefing Up WordPress Security – A Complete Guide To Securing WordPress Sites

Post Series: WordPress Security

When you’re done with this post, I’ll guarantee your WordPress site will be immune from hacks and exploits.

Wait, I can’t guarantee that. Let me put it this way: you’ll be equipped with the knowledge necessary to keep your website relatively safe.

There is no such thing as foolproof security. There are, however, specific measures you can take to greatly decrease the chance that your website falls victim to a hack or an attack.

I previously wrote a small post about how WordPress websites get compromised and why you should invest in good security practices. You can either read it here or I’ll give you a small summary of WordPress vulnerabilities, before we discuss specific measures to beef up your WordPress website.

WordPress in and of itself has few vulnerabilities, and when they are discovered they are quickly patched with an update. But when you take into account your web host’s security practices (or lack thereof) and the third party software that normally runs on WordPress websites, your website is far more likely to become the victim of a hack because of other people’s mistakes.

51% of all hacked websites in 2012 were compromised by themes or plugins they were running. 41% were exploited because they picked the wrong web host and as a result their sites were hacked.

Running a plain WordPress site and keeping it safe isn’t too difficult. But when you add a melange of third party software and have to maintain your domain with the right host, it becomes a tad more difficult.

I’ve read plenty of blog posts by successful web entrepreneurs who were essentially business men and women who took their business online. When their online ventures became successful, they became targets. It isn’t necessary, though, that your website be successful or even have much traffic for it to become a target.

People who hack websites use automated tools that allow them to scour hundreds and thousands of websites for vulnerabilities. Your website may be one of those hundreds. So even if your website isn’t popular, you could still be a target.

Now many web entrepreneurs are aware of the necessary security standards and measures required to keep their websites and online businesses safe. But the great thing about WordPress and the web today, is you no longer need to be a tech expert or a web developer to start a website. And creating a website isn’t difficult at all, it’s very easy and I’ve even written an article about it on Colorlib (for those of you looking for a bit of help when you build your first WordPress website).

Creating a website isn’t too difficult; making it popular is a slightly more complicated proposition. But making it secure, especially for non-tech savvy web entrepreneurs whose primary preoccupation revolves around a non-web based product/service, is rather challenging.

And sure, they could employ a web developer to help them out. But the reason there are many small scale web businesses thriving is certainly directly related to their ability to keep costs low. Employing a web developer who charges $100 an hour does not fall within their financial capabilities.

A web security professional is always the preferred option, but unfortunately not everybody has the necessary business income to allow for that expense. Maybe that’s okay, maybe it isn’t. But the crucial fact is that we have to recognize that even small scale businesses collect sensitive personal information, including things like your address of residence, your credit card details, phone numbers and email IDs.

Not only is your customers’ information at risk due to possibly negligent security practices, so is the very business you’ve built or will spend a great deal of time building. Building a business online is a rather daunting endeavor; your success relies on a number of factors, which include brand reputation and what Google thinks of your website. And trust me, no one will have a favorable view of your business or your services if your website shuts down or becomes the victim of an attack/hack.

Given all that and the stakes involved, what steps can “you” as a web entrepreneur take to make your website safe?

This post is primarily aimed at people whose primary occupation isn’t running an online business. It is aimed at people from different walks of life who are starting businesses that rely partially or heavily on an online presence. And since more than 65% of the web is run by WP and WordPress is the CMS of choice for the non-tech savvy web entrepreneur, I’ll be focusing my efforts on arming you with the knowledge to keep your WordPress website safe and secure.

#1. Choose The Right Host Service Provider

A lion’s share of vulnerabilities exist because of problems created at the server end of your website. I found this fact rather astonishing: your hosting service is potentially the greatest source of your website’s vulnerabilities.

And with a third party host you cannot do much in the way of tinkering to protect your website.

So the next best thing you can do is choose the right web hosting service provider.

There are far too many web host providers who run their systems on outdated software or software that isn’t currently being maintained. The problem with software that is no longer maintained is that, while there may have been no vulnerabilities in the past, there is no guarantee of future safety. And when a vulnerability is detected, which is almost certain, it may no longer be patched because the core team isn’t actively maintaining older versions of the software.

When I talk of software, I mean anything that runs on your server to keep your site live and functional.

  • Apache
  • PHP
  • MySQL
  • MariaDB
  • PostgreSQL
  • PHPMyAdmin
  • SSL certificates

Even if they update their software with only a small delay after patches are released, the window of opportunity for hackers to exploit vulnerabilities that have only been patched in recent updates widens and puts your website at risk.

Shared hosting which is the choice of hosting for most newly started online businesses does have a couple of problems,

  • DoS attacks on any one IP on a server can affect all websites hosted on that particular server.
  • Shared IP addresses are a big problem. IP addresses that neighbor your own affect your website, if a shared IP gets blacklisted, your site suffers the consequences.
  • There is always the chance that some software loaded on a shared server can compromise the entire server, even though shared hosting service providers do take measures to prevent this from happening.

My pick for shared hosting,

  • Shared Hosting – SiteGround – They provide account isolation which protects you against websites on the same server which may be vulnerable. Automated updates for WP core and plugins, free SSL certificate & daily backups for the Grow Big Plan and upwards, protection against spam with a filtering system, a firewall, intrusion prevention systems and live monitoring. Using a CDN system like CloudFlare will protect your website against DDoS attacks.

SiteGround have had a good history in terms of responding quickly and incisively to vulnerabilities exposed in the past. In 2013, when brute force attacks were perpetrated from over 90,000 IP addresses, SiteGround prevented the requests from even reaching their servers.

Brute Force attacks may overwhelm the server with load but if you can’t send a sufficient number of requests to the server, you can not affect it. During the attack over 15 million attempts in under 12 hours were made against websites on their servers and yet none of their servers suffered any performance issues.

In fact, after some in-house brute forcing of their own clients’ websites to find weak passwords, they found many websites on their servers with weak and unsafe passwords. They followed it up by enforcing strong passwords, and their clients were informed via mail. They really seem to care about their security and about ensuring the performance of their shared server environments even when under attack. The same cannot be said for some of the largest shared web hosting companies.

If you want alternative options to SiteGround for shared hosting, I’ve listed quite a few in a previous post.

However, if you do not want to concern yourself with WordPress security and pretty much anything else remotely technical about creating, maintaining and growing a website, you will be better off with a managed WordPress host. I prefer managed hosting but the costs are considerably higher.

The price for managed hosting for one month will also buy you shared hosting for a period of 8 months. If you are running a cash strapped enterprise, this has a very monumental effect on your business’s sustainability. But anyone would be a fool to dismiss the benefits of a managed WordPress host, if they can afford it.

WPEngine security measures:

  • Disk write protection: any malicious code that creates exploitable vulnerabilities is severely limited by the disk write restrictions. Using plugins and themes with vulnerabilities suddenly becomes safer, given that they can no longer easily write code onto your server that makes your WP vulnerable.
  • Disk write privileges for users logged in to their WP dash extend to standard functions like writing and editing posts, adding new style sheets to themes, and activating/disabling plugins.
  • To delete and write new files you need to be logged in via an SFTP client.
  • Adding generic PHP code isn’t permitted.
  • Scripts with known vulnerabilities which compromise WP can not be added to WordPress.
  • Certain plugins can be disallowed and even disabled, if their scanners pick up something in the plugin’s code that leaves your website less secure.
  • The basic plans in WPEngine will still involve some server sharing. In any dedicated hosting plan, the host provides an entire server fully dedicated to providing resources for only your website.
  • Backups via Amazon S3 and you do not have access to them. You couldn’t compromise your backups, even if you tried. An insurance policy for your site is always in place.
  • Physical access to servers is limited only to essential personnel. Their data centers sound like Fort Knox just reading about it.
  • They specialize in WP and know the ins and outs of creating a secure WordPress site.
  • Recovery in the case of a hacked account is easy and assured free of cost.
  • Regular code audits from WP security solutions provider – Sucuri.

Think of WPEngine this way: it costs you a bomb, but a lot less than a hacked website can cost you. That makes it far easier to rationalize the cost.

Please do not overlook the fact that your website will not just be safer with WPEngine, it will in all likelihood be a lot faster. Even websites like Colorlib, which use a virtual private server, find it difficult to match the speed of a WPEngine run website.

If you still have doubts and cannot choose between a shared web host and a managed WP host, that is a huge topic in itself. Please do read a piece I wrote a while back. Hopefully that will answer all your questions regarding the suitability of a hosting plan for your website.

#2. Use Trusted Third Party Software – Premium Themes & Plugins

Plugins and themes are always suspect, be a skeptic, especially when they are poorly maintained and rarely updated. Now you can take numerous steps by discriminating against plugins based on security flaws, but it always pays to keep note of actions your plugins take with WP Security Audit Log.

A security log is very helpful to web development and security professionals for keeping track of changes on a multi-site basis when they handle the needs of their clients. Every action by every user can be accounted for with the plugin. The log also helps keep an eye on plugin, theme and other third party software behavior. This plugin may not prevent a security problem, but if something does go awry you’ll find it easy to trace the source of the problem.

Another good practice is to have the plugin audited by a security expert. If you can not afford to do that, look for Sucuri’s (Sucuri is a leading provider of security solutions for WordPress users) stamps of confidence on plugins. Many plugins/themes voluntarily submit their products for code audits.

Elegant Themes have had their flagship theme Divi audited. Elegant Themes is one of the biggest, if not the biggest theme house in the WP niche and yet they have their flagship theme audited for security issues.

Divi Undergoes Intensive Security Audit

Stay away from free plugins and themes that don’t have a large number of downloads. Sometimes plugins with inordinately high download counts and high ratings attract many more mischief makers, so protection in numbers isn’t really applicable. More people using a plugin makes it a bigger target, but at the same time having thousands of users will probably help identify and protect against zero day exploits through quick updates.

Using premium plugins and themes does not mean your site’s safety can be guaranteed. But you can be certain that if any zero day exploits are discovered, the response is generally swift. Theme houses and plugin developers have a great deal riding on their products; the last thing they want is the appearance of vulnerability.

Stick to plugins listed on the WordPress.org directory for free plugins. Higher ratings and download numbers make the plugin a safer bet to some extent. Check out the history of the plugins created by the same author in the past, a good indicator of the programmer’s pedigree. You’ll also come to see that certain authors take extra care to ensure their plugin’s/theme’s security.

The last updated date is another factor worth taking into account. Ensuring that the latest version of the plugin is compatible with the latest version of WordPress is another essential point to tick off the checklist before installing and activating a plugin.

As you might have guessed, what goes for plugins also goes for themes. A few things to remember when it comes to using plugins and themes:

  • Premium Plugins are better in the sense, their teams are likely to respond to any security vulnerability a lot quicker than free plugins.
  • Use WP Security Audit Log and track everything that runs under your website’s hood.
  • There is certainly safety in numbers, because a security threat is far more likely to be reported and dealt with. But I can’t help feeling that this is a double edged sword: plugins/themes with large download counts are also far more likely to become targets of hackers.
  • WP.org’s plugin directory can be manipulated to provide excellent ratings for plugins with smaller numbers of downloads & ratings.
  • Check out the author of the plugin, their history and previous products. If they’ve had security issues in the past, they do not necessarily indicate that their plugins/themes are bad, but it isn’t a good sign.
  • Discriminate against plugins/themes ruthlessly, read reviews especially the ones that provide bad ratings for the product (be sure to look into the reasons these products were poorly rated) on marketplaces like Envato, even for premium plugins. Read comment sections from product reviews for plugins and themes. When writing reviews about specific WordPress products or creating a list post of themes, I always look at the comments section for complaints from users who’ve downloaded/purchased the product. This exercise is always fruitful, you will almost always learn something about the product you intend to buy or download.
  • If the plugin/theme has had their code audited by Sucuri or other reputable WP security solution provider, it adds to the likelihood that the product is pretty rock solid in terms of security.
  • You can protect yourself against rogue plugins with security plugins like Wordfence or iThemes Security. Additionally you can use Sucuri’s free site scan feature, which looks through your WP code for malicious scripts.

None of the above steps guarantee that you’ll never download a bad plugin or theme, but they do reduce the chances you will be affected by security issues.

Now, assuming you’re using the right host, theme and plugins, I will describe and explain the security measures you need to take to make your website secure.

Whilst describing individual security measures, please note that I recommend standalone plugins designed for specific security applications.

Later on in this post, I’ll discuss Wordfence, a full-fledged freemium security plugin, and also Sucuri’s security solutions. You should know that both accomplish almost all the security functions discussed in this post, and more in some cases.

So unless you want to learn about individual security measures in detail, you can skip to the last part where I discuss the functions of a security plugin and security solution providers like Sucuri.

But if you’re a first time WordPress user, I highly recommend you read through the entire post to fully understand the significance of each different security measure.

#3. Protect Your Login Page

The WordPress Login Page is a prime target for brute force attacks. Your login page is definitely a vulnerable part of your website, if you do not get the appropriate security measures in place to hinder attackers.

I’ll discuss the importance of maintaining a strong and secure login page with multiple security measures that make your site safe and protect against brute force attacks.

Strong Passwords & Unusual Username

Admin is not a good username. WordPress previously had admin as the default username of the primary admin account. Today, however, when you install WordPress you can choose a different username. But when people start using WordPress, especially for the first time, many stick with admin as the username. “admin” is an extremely predictable username, and it makes your site far easier to break into.

Read about how you can change your username on SiteGround. The process is similar with most other providers of hosting services. You can also try Admin Renamer Extended plugin which can change your username.

For passwords, picking an unusual, random string of characters will help create the first line of defense against people who mean to harm your website or get hold of sensitive information stored on your site’s servers.

A list of the 5 most common passwords as compiled by SplashData:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty

A highly motivated thirteen year old can guess admin and 123456. With passwords like the aforementioned, your site is a goner, especially if you receive any decent traffic.

The best passwords are a melange of upper and lowercase letters with punctuation and special characters. Preferably, use something that holds no meaning whatsoever and ensure it is more than 10 characters. There is no particular reason for 10 characters, but remember it gets exponentially harder to crack passwords as they get longer.

If your password doesn’t make any sense and there is no logical or sentimental reason behind it, it is obviously a lot harder to guess. Remember how Sherlock guesses Irene Adler’s mobile password, “I AM _ _ _ _ LOCKED”? Well, even Sherlock would have difficulty guessing a password that cannot be reasoned out!

If you are having difficulty figuring out what password to use, try tools like Strong Password Generator or Secure Password Generator; both are freely available online tools for coming up with a good password for your website’s admin login.

Security plugins also enforce strong passwords for the admin and all users. This is important: even if your users do not have administrator status and its accompanying privileges, someone with access to a compromised editor level account on WordPress could do quite a bit of mischief.

Another good tip to always remember: change your passwords frequently. If you have a difficult time remembering all your passwords, use a password manager. You can try 1Password, LastPass, KeePass or Dashlane to store all your passwords securely.

As far as usernames and passwords are concerned, the less they make sense and the more random they are, the better the security they can offer your website.

Limit The Number Of Login Attempts

Brute force attacks target login pages of WordPress websites. If you are unaware, most brute force attacks involve trying different alphanumeric combinations to crack the site’s password for a particular username.

Now even if you assume that a brute force attack is unsuccessful, you need to recognize the fact that it consumes enormous amounts of server memory and processing power. This will almost certainly slow your website and bring it to a crawl. Many hosts also offer protection against brute force attacks. This is because on a shared server, your site consuming an undue amount of resources could potentially affect everyone.

But the easiest technique to ward off brute force attacks is to limit the number of login attempts. If someone cannot repeatedly hit your server with multiple username and password combinations then, a brute force attack will not work.

Login Lockdown, Login Security Solution and Brute Force Login Protection all aim to prevent access to your website via brute force hack attempts. Brute Protect has been acquired by team Automattic and is now a part of Jetpack and it offers protection against brute force attacks.

Almost all the login protection plugins have a similar interface.


All these plugins basically work by tracking IP addresses that repeatedly attempt and fail to achieve login. Following multiple failed login attempts, the particular IPs are prevented from accessing your site’s login page.

Login Security Solution forces a WordPress email authentication and password change via email, if it determines the user currently logged in is rather suspicious.

The plugin can enforce strong passwords and mandate frequent password changes for users. Hack attempts are also tracked by IP range, and ranges that repeatedly try to gain access illegitimately are locked out for longer periods of time to dissuade them from trying to break into your website.

Two-Step Login Authentication

Authenticating a login adds an extra layer of security on top of a strong password, an unusual username and a limited number of unsuccessful login attempts.

A two-step login authentication process makes your site more than just doubly secure. Logging into your WordPress site requires an authentication code that can only be received via a mobile message. Given that it is rather unlikely a hacker will steal your mobile in preparation, your website will remain secure against brute force and other hack techniques that rely on getting past your website’s login page.

Google Authenticator is a useful plugin that relies on an app installed on your Android/iPhone/Blackberry that provides you with necessary authentication code to login successfully on your website. You can enable this app for admin only privilege level or employ it on a user by user basis.

I like the next plugin a lot: it sends people who attempt to log in without the authentication code to a redirect with a customizable URL. Stealth Login Page also completely blocks out bots.

If a user fails to comply with the complete login sequence, the login attempt is rejected. Another technique that can be used to block bots is using captcha on the login pages, you can use Login No Captcha reCaptcha to prevent bots from logging in.

Change Your WordPress Login Page URL

We’ve discussed limiting login attempts, authenticating logins and the importance of using a strong password and an unusual username.

Now we’re going to hide or change the login page; this type of security mod is also known as security via obscurity. I know this seems a bit overkill. But stay with me here, because this step is no more difficult than the previously suggested security measures to secure your login page.

Brute force attacks are effective only if they can find the login page. Leaving your login page unchanged permits would-be hackers to find it.

Let’s try to hide the login page from them. You can do this by changing the login page’s URL with WPS Hide Login. The plugin doesn’t really change anything, it simply intercepts page requests and makes the wp-admin directory and the wp-login.php pages inaccessible. You’ll need to remember the new login page as set during the activation of the plugin.

Alternative options for changing the URL of your login page include two other plugins, Protect Your Admin and Rename wp-login.php.

SSL

Although I mention SSL under protecting your login page, SSL is an extremely important and necessary feature of any page on which you deal with sensitive information. And this pretty much includes every page on many websites, seeing as there are blog subscription forms on all web pages.

If you or your visitors/customers ever share sensitive private information like addresses, credit card details or even email IDs with you, then you owe it to them to protect their information.

SSL (Secure Sockets Layer) is an extra layer of protection which turns http into https and in the process makes all the information shared a whole lot safer.

This is how the edit post page I work on for Colorlib looks with SSL. Notice the green colored “https:” in the URL bar?


SSL is basically something that scrambles your information into something that cannot be read the way we read plain text. So when information travels between your server and any browser, anyone who gains access to it cannot make any sense of it. There is a private key and a public key. Once SSL has scrambled the information in flight into something illegible, it has to be made readable again at the receiving end; this is where the matching key comes in. The mechanism in play is very similar to a mathematical lock and key.

SiteGround, our recommended shared host provides SSL protection for free. You can also buy an SSL certificate from a Certificate Authority. If you run security plugins like Wordfence, SSL can be enabled.

I’d recommend site wide SSL, many WordPress sites ColorLib included use site wide SSL. If not site wide SSL, you should definitely force SSL for login pages at a bare minimum.

Browsers like Chrome even block access to websites with bad or expired SSL certificates.

You may have to figure out if your CDN delivers content easily over SSL and sometimes ad networks may present problems when serving over SSL. Adding SSL site wide may present significant difficulties, you should read this very insightful article about the difficulties of enabling site wide SSL.

Google gives you a small boost (1%) in your search rankings if you use SSL on your website. This fact in and of itself should warrant using SSL. Why? Well, Google understands, as most web development professionals do, the importance of ensuring the security of your readers’/visitors’ data.

SSL can also be enforced on your login screen by Wordfence security plugin. It is also expected that security certificates will be made freely available sometime in 2015.

Read more about administration over SSL on WordPress.org.

#4. Protecting Your WP Core, Database & Using Correct File Permissions

In many of these security measures we will be modifying your WP core, and you’ll need to be familiar with how to use an FTP client to make changes and upload them. And since most of these security tips involve changing or modifying your WP core, a mistake might just break your website. Back up your WordPress core and all its contents before you proceed any further; a mistake can easily be undone with a backup.

WordPress Security Keys

WordPress uses cookies to identify and verify users who are logged in for commenting and making changes from the WP dash.

These cookies contain login information and your authentication details. The password is hashed, which means a mathematical function has been applied to it so that it cannot be read as plain text.

We can add an extra layer of protection around this cookie with WP Security Keys. These are a set of random variables that improve the security of information stored on a user cookie. There are 4 keys namely, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.

A non-encrypted password such as WordPress or 12345 can easily be broken if someone can reconstruct the authentication cookie. But encrypting with WP security keys makes this a lot harder.

How Do You Add WP Security Keys?

  1. Open the wp-config.php file.
  2. Search for “authentication unique keys and salts”.
  3. Use an online automatic keys generator tool.
  4. Copy the keys from the online tool and replace the existing set of keys, overwriting it in wp-config.php.
  5. Save it.
  6. You can repeat the same process every month or so.

Remember, every time you change the security keys, users will be logged out and they will have to log into their accounts again.
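As an added example (not code from the original post), the following Python script does steps 3 and 4 above offline: it draws fresh 64-character keys from the operating system’s CSPRNG instead of an online generator and overwrites the four define() lines in wp-config.php text, leaving every other define (such as DB_NAME) untouched. The wp-config.php excerpt is a constructed sample.

```python
import re
import secrets
import string

# The four keys this post names. The same routine also handles the matching
# *_SALT defines if you pass their names in.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")

# Printable ASCII minus the two characters that would break a single-quoted
# PHP string (quote and backslash). 64 characters matches what WordPress ships.
KEY_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)


def generate_key(length=64):
    """One random key from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


# Matches  define('AUTH_KEY', 'old value');  with single or double quotes and
# any amount of whitespace, which is how wp-config.php lays the keys out.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def rotate_keys(config_text, names=WP_KEYS):
    """Replace the values of the named define()s in wp-config.php text.

    Returns (new_text, {name: new_value}). A name that is not found in the
    file is reported with value None so the caller notices it is missing.
    """
    new_values = {}

    def repl(match):
        name = match.group("name")
        if name not in names:
            return match.group(0)  # leave DB_NAME and friends alone
        new_values[name] = generate_key()
        # Always emit single quotes: PHP does not interpolate $ inside them.
        return "define('%s', '%s');" % (name, new_values[name])

    new_text = DEFINE_RE.sub(repl, config_text)
    for name in names:
        new_values.setdefault(name, None)
    return new_text, new_values


# Constructed sample of the "Authentication Unique Keys and Salts" section.
SAMPLE_CONFIG = """\
/**#@+
 * Authentication Unique Keys and Salts.
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('DB_NAME', 'wordpress');
"""

if __name__ == "__main__":
    rotated, keys = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
```

Run it against the real file by reading wp-config.php into config_text and writing new_text back; as the post notes, everyone is logged out afterwards.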

iThemes Security provides the necessary tools to do this from the WP dash. And they also will send you a reminder every month to change your security keys.

Password Protect Your WP Directories

This can be done from your cPanel or any web host’s dashboard. In the cPanel, open Security > Password Protect Directories. You’ll find a list of all the folders on your site. Start with an important folder like wp-admin.

You’ll find a dialog box that asks you to create a user by providing a username and password. Create the new user. After this, whenever you need to access the wp-admin folder on your website, that username and password must be entered first.

This adds an extra layer of password based protection to the most important parts of your website.

Use Secure FTP (SFTP)

A file transfer system is required to carry your website’s data to your web host when you make changes that you’d like to incorporate. With the normal file transfer protocol (FTP), the chances that someone may intercept the transfer and find vulnerabilities to exploit your website increase.

You’ll need the right client to use an SFTP connection to upload new files and modified code. You can use FileZilla or FireFTP to help you get started.

In addition, you’ll need some specific details about your web hosting account. Generally, every host will provide specific information to help you set up a secure file transfer protocol. You’ll normally have an SSH key which is generated by the host, this key has to be added to your SFTP client like FileZilla and it is straightforward to set up a secure connection for file transfer from there on.

Using Correct File Permissions

Your files need to have the right permissions. It is possible to write to your WordPress install from the web server. The problem arises when you share that environment with multiple other websites on a shared server.

Generally, WordPress folders and WordPress files have specific permissions on different hosts. With shell access you can run the following two commands to keep your WordPress folders and files secure and accessible only to the correct user.

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
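The two find commands above, as an added example that is not from the original post, reimplemented in Python together with the check a practitioner would run afterwards: an audit that lists anything still writable by group or other, which is the shared-host risk the section describes. Symlinks are skipped so a link pointing outside the install is never followed. build_sample_install() creates a constructed stand-in tree with deliberately loose modes.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # rwxr-xr-x, as in the "-type d -exec chmod 755" command
FILE_MODE = 0o644  # rw-r--r--, as in the "-type f -exec chmod 644" command


def _entries(root):
    """Yield every directory and regular file under root, skipping symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            yield path, st


def enforce_wp_permissions(root):
    """Apply 755 to directories and 644 to files; return how many were changed."""
    changed = 0
    for path, st in _entries(root):
        wanted = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if stat.S_IMODE(st.st_mode) != wanted:
            os.chmod(path, wanted)
            changed += 1
    return changed


def audit_wp_permissions(root):
    """Return paths writable by group or other, which neighbours on a shared
    server could abuse. An empty list means the tree is clean."""
    return [
        path for path, st in _entries(root)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    ]


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_install():
    """Constructed stand-in for a WordPress tree with two loose modes."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    image = os.path.join(uploads, "image.jpg")
    with open(config, "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    with open(image, "wb") as fh:
        fh.write(b"\xff\xd8")
    # Explicit modes so the sample does not depend on the caller's umask.
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(image, 0o644)
    os.chmod(uploads, 0o777)   # world-writable directory: the classic mistake
    os.chmod(config, 0o666)    # world-writable wp-config.php
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    print("before:", audit_wp_permissions(sample))
    print("changed:", enforce_wp_permissions(sample))
    print("after:", audit_wp_permissions(sample))
```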

Protecting WordPress using .htaccess

While editing .htaccess file, please add code before # BEGIN WordPress or after # END WordPress. Any code added within these two hashtags can be overwritten by WordPress and we wouldn’t want any new security protocols we’ve added to disappear.  So when you add any code to the .htaccess file, please remember to stay out of the section starting with # BEGIN and ending with # END.

The wp-includes directory contains files WordPress needs in order to run, but no visitor ever needs to request them directly. We can protect it by blocking direct access with a few lines in the .htaccess file, again staying outside the section between the two markers.

Add this little snippet of code to the .htaccess file.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>


# BEGIN WordPress   <-- the WordPress block starts here; always add your code above this line

This won’t work on WordPress Multisite as it stands. Remove the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]; this offers less protection, but the rest of the snippet then works for multisite.

Your wp-config.php file contains sensitive information: your database connection details and the WP security keys we previously discussed. A few .htaccess rules will protect this file against hackers and spammers and significantly beef up your website’s protection.

This process involves moving your wp-config.php file out of the web-accessible part of your WP install, to a location reachable only with an FTP client, cPanel, or the web server itself.

Add this to the top of your .htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

This will essentially prevent access to anyone who surfs for the wp-config.php file and only access from the web server space will be permitted.

All this added protection is great, but remember all of this was accomplished from your .htaccess file. That means if someone can access your .htaccess file, all your added security isn’t helpful.

Add the following to the top of your .htaccess file. It will prevent access to the .htaccess file itself.

<files .htaccess>
order allow,deny
deny from all
</files>

You can add more modifications to .htaccess file, if you’d like.

You could also restrict files by type and extension. This piece of code not only restricts access to wp-config.php, it also blocks access to php.ini and your log files.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>
#Code courtesy - WPWhiteSecurity

Next we can disallow browsing of the WP directory contents.

Options All -Indexes

Apart from that we can add a few other changes to improve security by making changes to the .htaccess file in WordPress.

  1. Block IPs and IP ranges. You can limit access to your login pages by IP range. I would have covered this in the Login section, but login protection plugins already block IP ranges that hammer login pages with brute-force attempts.
  2. Keep bad bots at bay.
  3. Prevent hot linking.

This is getting quite extensive and we are starting to drift off topic. If you’d like to do the rest as well, for which I haven’t presented the code here, you can use this piece of custom code from WP White Security.

Please remember to keep track of which files you have moved. You’ll need to know where each file and folder is, so that you can edit them and also be sure not to create multiple copies in different locations, which again defeats the point of the entire exercise.

Turn Off PHP Error Reporting & PHP execution

PHP execution needs to be kept to a minimum. Why? A good example is the MailPoet Newsletters hack, which could be used to add files that were then run from the wp-content/uploads folder.

To prevent such attacks, we can deny PHP execution in the folders where it has no business running. Add this code snippet to a .htaccess file.

https://gist.github.com/puikinsh/c8bf229921dbf6af4625

This code detects PHP files and denies access to them. You need to add it to the following WP folders.

  • wp-includes
  • wp-content/uploads
  • wp-content

You’ll need to create a .htaccess file in each of these folders. By default one may exist in the root directory, but to prevent PHP execution a .htaccess file has to be created in each of the folders listed above. These three folders are primarily where content is uploaded, and they are particularly vulnerable to a planted PHP script that can cause a lot of problems.
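
The marker rule from the .htaccess section above and the per-folder no-PHP files from this section, as one added script (not code from the article or from WordPress). It assumes a standard install layout, the `# BEGIN WordPress` / `# END WordPress` markers exactly as WordPress writes them, and the Apache 2.2-style access directives the article uses (on Apache 2.4 without mod_access_compat the equivalent of `Deny from all` is `Require all denied`); the snippets are shortened versions of the article’s, and the no-PHP rule is the common `<Files *.php>` form rather than the contents of the linked gist.

```shell
#!/bin/sh
# wp_htaccess.sh - add hardening rules to .htaccess the way the article asks:
# always outside the "# BEGIN WordPress" ... "# END WordPress" block, which
# WordPress rewrites. Added example, not code from the article or from WordPress.
# Uses the Apache 2.2-style access directives the article uses; on Apache 2.4
# without mod_access_compat "Deny from all" becomes "Require all denied".

# wp_htaccess_add FILE NAME SNIPPET
# Wraps SNIPPET in "# BEGIN hardening-NAME" / "# END hardening-NAME" markers and
# inserts it just before "# BEGIN WordPress" (or appends it when that marker is
# missing, e.g. in a freshly created file). Running it again with the same NAME
# changes nothing, so the script is safe to re-run after every deployment.
wp_htaccess_add() {
    file=$1; name=$2; snippet=$3
    [ -f "$file" ] || : > "$file"
    if grep -qxF "# BEGIN hardening-$name" "$file"; then
        return 0
    fi
    block=$(printf '# BEGIN hardening-%s\n%s\n# END hardening-%s' "$name" "$snippet" "$name")
    if grep -qxF '# BEGIN WordPress' "$file"; then
        # Pass the block through the environment: awk -v would mangle the
        # backslashes in patterns such as wp-config\.php.
        BLOCK=$block awk '
            $0 == "# BEGIN WordPress" && !done { print ENVIRON["BLOCK"]; print ""; done = 1 }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$block" >> "$file"
    fi
}

# Line number of the first exact match of LINE in FILE (empty if absent); used
# to verify that our rules really sit above the WordPress block.
wp_line_of() {
    grep -nxF "$2" "$1" | head -n 1 | cut -d: -f1
}

# A shorter version of the article's FilesMatch list: files an attacker wants
# to read but no visitor ever needs.
WP_SNIPPET_SENSITIVE='<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|php\.ini|error_log|error\.log)$">
Order allow,deny
Deny from all
</FilesMatch>'

# No directory listings anywhere under the install.
WP_SNIPPET_NOINDEX='Options All -Indexes'

# No PHP served from content directories. Unlike the rewrite rules earlier in
# the article, this blocks every .php file below the directory, subfolders
# included, so test before applying it to wp-content: a few plugins and themes
# serve PHP directly from there.
WP_SNIPPET_NOPHP='<Files *.php>
Order allow,deny
Deny from all
</Files>'

# wp_harden_htaccess INSTALL_DIR - root rules plus a no-PHP .htaccess in the
# three folders the article names.
wp_harden_htaccess() {
    root=$1
    wp_htaccess_add "$root/.htaccess" sensitive "$WP_SNIPPET_SENSITIVE"
    wp_htaccess_add "$root/.htaccess" noindex "$WP_SNIPPET_NOINDEX"
    for dir in wp-includes wp-content wp-content/uploads; do
        if [ -d "$root/$dir" ]; then
            wp_htaccess_add "$root/$dir/.htaccess" no-php "$WP_SNIPPET_NOPHP"
        fi
    done
}

# Usage: ./wp_htaccess.sh /path/to/your/wordpress/install
if [ -n "${1:-}" ]; then
    wp_harden_htaccess "$1"
fi
```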

PHP error reporting is a signal to all hackers who are looking for vulnerabilities that there is something not working on your website.

Adding these two lines of code to your wp-config.php file should resolve the problem.

error_reporting(0);
@ini_set('display_errors', 0);

Having read multiple threads and discussions about PHP error reporting, though, I should say this may not work on every host. In that case your best option is to contact your web host and ask how you can accomplish the same thing.

Change the wp_ table Prefix

All WordPress tables begin with the wp_ prefix by default. Change this table prefix across your entire website and make it more difficult for a hacker to infiltrate your website.

In your wp-config.php, you’ll find this line of code.

$table_prefix  = 'wp_';

Change that to something completely random,

$table_prefix  = 'jrbf_';

Now every table, like wp_posts, wp_users, etc., becomes jrbf_posts, jrbf_users and so on.

Almost all security plugins do this for you, and changing the table prefix by hand can be time consuming. You can do it with phpMyAdmin or another database manager, but I’d much rather use a security plugin like iThemes Security to accomplish it.

Similarly, you can take it a step further by changing the name of your WordPress database. This way, not only do you change the prefix but you will also be changing the names of what follows the prefix. This will make it nearly impossible for hackers to randomly guess your database name and you can not access what you can not find.
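
For those who do change the prefix by hand, here is an added example (not code from the article or from any plugin) that generates the SQL for the change. It assumes constructed table names passed on the command line, and it covers the part a plain rename misses: WordPress also stores the prefix inside the option name wp_user_roles and the user meta keys wp_capabilities and wp_user_level, so those rows must be renamed too or every user loses their role.

```shell
#!/bin/sh
# wp_prefix_sql.sh - generate the SQL for changing the table prefix by hand.
# Added example, not code from the article or from any plugin. It prints SQL
# for you to review and run (after a backup, and after editing $table_prefix in
# wp-config.php); it never connects to the database itself.

# The WordPress installer accepts only letters, digits and underscores in a
# prefix; anything else produces invalid table names.
wp_prefix_valid() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# wp_prefix_sql OLD NEW TABLE...
# TABLE names are the current (OLD-prefixed) ones, e.g. from SHOW TABLES.
# Renaming the tables is only half the job: WordPress also stores the prefix
# inside option and meta NAMES (wp_user_roles, wp_capabilities, wp_user_level).
# Without the three UPDATEs every user loses their role and wp-admin locks you out.
wp_prefix_sql() {
    old=$1; new=$2; shift 2
    if ! wp_prefix_valid "$new"; then
        echo "invalid prefix: $new" >&2
        return 1
    fi
    for table in "$@"; do
        case $table in
            "$old"*) ;;
            *) echo "skipping $table: does not start with $old" >&2; continue ;;
        esac
        suffix=${table#"$old"}
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$suffix"
    done
    # The UPDATEs target the already-renamed tables, since the RENAMEs run first.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = '%scapabilities' WHERE meta_key = '%scapabilities';\n" "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = '%suser_level' WHERE meta_key = '%suser_level';\n" "$new" "$new" "$old"
}

# Usage: ./wp_prefix_sql.sh wp_ jrbf_ wp_posts wp_users wp_options wp_usermeta > change-prefix.sql
if [ $# -ge 3 ]; then
    wp_prefix_sql "$@"
fi
```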

Disable XMLRPC

Generally, DDoS attacks hit all pages of a WordPress website indiscriminately, but one particular part of WordPress can become a target in its own right. Let me explain: XML-RPC is used for pingbacks and trackbacks, but in the past it has been exploited to launch DDoS attacks on websites.

You can use a plugin like Disable XML-RPC. You won’t need it if you already use a security plugin or a login protection plugin, as they generally protect against this particular vulnerability.

#5. Security Plugin – Wordfence/iThemes Security/ Sucuri

An effective security plugin is absolutely essential to your WordPress site’s security, for the non-tech-savvy at least. Security plugins perform various functions, many of which have already been discussed here, and all of these added security measures add up to build a fortress around your website and its contents.

Wordfence

Wordfence performs a number of functions crucial to the security of a WordPress-powered site:

  • Real time blocking of attackers, blocking entire malicious networks and certain countries.
  • Limit crawlers, bots and scrapers.
  • Block users who trespass on your security rules.
  • Two factor authentication via SMS, greatly improves security on login pages.
  • Strong password enforcement for all users (non-admins).
  • Protect against brute force attacks.
  • Scan site for malicious scripts, back doors and phishing URLs on your site masquerading as comments on your website.
  • Compare plugin, theme and core files against the originals in the WordPress.org repository.
  • Run heuristics for Trojans, suspicious scripts and other potentially security endangering activities on your site.
  • Firewall to block fake Google bots sent by hackers to scan for vulnerabilities.
  • Real time awareness and live content access monitoring to enhance situational awareness.
  • Geolocate threats to your website down to city level, to find out where attacks on your site originate.
  • Monitor DNS for unauthorized access.
  • Keep an eye on disk space consumption to prevent and react to Denial of Service attacks.
  • It is multisite compatible.
  • Falcon caching system to reduce server load.
  • Full IPv6 compatibility for WHOIS lookup, location and security functions.

Some features are restricted to the premium version of the plugin. The premium version of the plugin is priced at $3.25/mo.

[Screenshot: Wordfence premium features]

That being said, the free version of this plugin is a very capable site defender for your WordPress website. And you shouldn’t be too apprehensive about the free version of the plugin, given that it has a rating of 4.9 on a five point scale and has been downloaded nearly a million times.

Security plugins require configuring, and this can be an elaborate and lengthy process. With Wordfence you can, to an extent at least, customize all your security settings from Options under Wordfence in your WordPress site menu.

There are other options you can consider, if you still haven’t settled on a security plugin for your WordPress site.

I do not think Wordfence is the best overall security system out there. What I mean by this is, there are better security solution providers/ managed hosting services that offer better overall security solutions for WordPress sites. But when it comes to simple security plugins that enforce good protection and security protocols, Wordfence is certainly one of the best. The not too distant second position would probably go to iThemes Security. 

In the coming weeks, I’ll probably write a post about all the security solutions available for WordPress, so stay tuned to Colorlib 🙂 But right now, we’ll stick to Wordfence as the recommended security plugin.

#6. Update! Update! Update! And not just your WordPress

There are hundreds of WordPress vulnerabilities in the previous/non-current versions of WordPress.

Websites tend to be slow, when it comes to updating their WordPress platform. For example, in February of 2015 only 7.4% of websites had updated to WordPress 4.1, despite the fact that it had been released more than two months prior to February.

Whenever a software vulnerability is discovered, typically the vulnerability is reported to the software vendor. The software vendor then modifies the software and adds some added protection or merely deletes some unnecessary code. This is released as a software update or a patch. This is the best possible case, but if someone with less than noble intentions discovers a vulnerability in any web based or non web based software, then he/she is likely to exploit it to the fullest.

In July 2014, MailPoet Newsletters (previously known as Wysija Newsletters), a plugin which had been downloaded over 2 million times, was compromised, as a result of which 50,000 websites were left vulnerable to attack: an automated attack in which an injected PHP backdoor allowed the hacker to take eventual control of the site.

In December 2014, 100,000+ websites were compromised through the Revolution Slider plugin, which was targeted by the SoakSoak.ru campaign. This particular malware injected JavaScript into WordPress’s template-loader.php file. A thousand themes were affected, as they had been sold with this plugin bundled as an add-on via Envato and other WordPress marketplaces.

Then there was the XSS vulnerability in WP Super Cache, a plugin I included in my round-up of the Top 6 Caching Plugins. The list of vulnerabilities in top-notch free plugins is quite concerning, but there are a number of steps you can take to decrease your chances of running a vulnerable theme or plugin on your website.

You should know that most plugins with vulnerabilities have been patched. But you need to stay fully updated at all times. Updating your site to the latest versions is an extremely important part of your site defense strategy. All the previously mentioned security measures are useless, unless you update as and when the updates for WordPress and other third party software are available.

Enable Automatic Updates For Your WordPress, Plugins & Themes.

You do not want your website’s update page looking like this page on a test site.

[Screenshot: the Updates page of a test site]

Well, at least it has the latest WordPress version.

WordPress introduced automatic background updates with the release of WordPress version 3.7.

You can enable auto updates for WP, by making a change to the WP_AUTO_UPDATE_CORE constant. This change needs to be made in the wp-config.php file.

define( 'WP_AUTO_UPDATE_CORE', true );

This ensures that all updates, major or minor, are applied as soon as they are made available.

Set the constant to false and you disable all automatic core updates. Set it to 'minor' and only minor releases, which normally carry the security patches, are applied automatically.

You can enable automatic updates for plugins and themes in the same manner, through the auto_update_{$type} filter, where $type is plugin or theme.

For automatic plugin updates,

add_filter( 'auto_update_plugin', '__return_true' );

And to enable automatic theme updates,

add_filter( 'auto_update_theme', '__return_true' );

If you do not enjoy fiddling with code, a plugin can help you out with keeping WP and all the themes and plugins on your site updated smoothly. Advanced Automatic Updates lets you enable major updates and minor/security updates individually, and it also handles auto-updates for themes and plugins.

For multisite update solutions, if you need help handling updates with WordPress plugins and themes, you can try out Easy Updates Manager. There is also a premium service offered by WP Updates which provides auto updating solutions for premium plugins and themes.

Using plugins like ManageWP or a managed WP host like WPEngine will also help resolve issues with updating your WordPress and the third party software that you use on your website.

Updating WordPress core automatically becomes problematic when things start to break. This can happen because customized code gets erased during an update, or because of compatibility issues with third-party software (plugins and themes). This is one reason to give you pause; enabling only minor updates may be the better idea.

If you have problems with your automatic WordPress updates, then I’d recommend you give Background Update Tester a try. The plugin checks for and explains any compatibility issues.

Always run a backup before you update. Always! This protects your website against things going horribly wrong and leaving you with a mess to clean up. It is a good practice to follow, guarding against automatic updates causing havoc through compatibility issues with plugins, themes and sometimes customized code in your WP core.

#7. A Few More Things About WP Security – Firewalls, Audit Logs & Malware Scanners

I haven’t discussed firewalls for WordPress. A good firewall will accomplish a great deal and mitigate the most common forms of attack on your websites.

  • Mitigate effects of a DDoS attack.
  • Brute force attacks are stopped dead in their tracks.
  • Protect against software vulnerabilities.
  • Stop code injection attacks such as SQL injection or XSS.
  • Patch up and defend against zero day vulnerabilities.

Just to illustrate, here’s a snapshot of what Sucuri firewall does for a WordPress website.

[Screenshot: Sucuri CloudProxy Website Firewall]

Firewall isn’t the term Sucuri uses to describe its protection system, they refer to it as the CloudProxy which is a combination of a web application firewall and an intrusion detection system. All malicious traffic is filtered out and anomalous activity is monitored.

Firewalls traditionally were developed to monitor connections, however Sucuri’s CloudProxy will not only keep out the bad guys but they’ll also create virtual patches against vulnerabilities. Once a request from a visitor passes through the firewall, it reaches the intrusion prevention and detection system, where the system sifts through the requests for possible patterns of attack.

I think the virtual patching feature is a highly effective and invaluable asset for any website with a lot of customization (which means a lot can go awry when compatibility issues ensue). It is always better to apply a WordPress update in a staging area first and check that your website still functions smoothly; if it does, you can take the updated version live. But in the interim your website is genuinely at risk. Normally, protecting against zero-day exploits is possible only through the updates that fix the vulnerabilities; with Sucuri CloudProxy this does not have to be the case.

And apart from that, they also maintain logs of all activity on your website and look for possible signs of mischief.

Think of the firewall as a last measure, it is the wall a hacker needs to breach to access the sensitive contents of your website. Good practices in large part are designed so that you do not need to use the firewall as much.

Malware scanning software or websites like Sucuri SiteCheck can scan your websites for vulnerabilities and possible security loopholes. Security plugins also have malware scanning software to track any changes that look abnormal and are sources of potential security problems.

I had also mentioned WP Security Audit Log previously, while stating that it is a necessary plugin to track all changes on your website. I’d like to reiterate that point, it is an extremely useful plugin not to only track changes effected by themes and plugins but also actions by other users. It is very important that you either use WP Security Audit Log or run some other data logging plugin to keep track of all changes.

Logging is also a key feature of Sucuri’s protection system. Despite their overzealous attempts to ensure security sometimes bad things do happen and websites get hacked. When that happens, their logging system is very useful to help dig websites out of a ditch.

Firewalls, Malware Scanners and Audit Logs are very handy against threats that can not be predicted and zero day exploits. They are not substitutes for good WordPress security practices.

#8. Hiding Your WordPress Version – Is It Necessary?

I’ve read on a few websites that hiding your WordPress version will add to your security against malicious hackers. The assumption behind this is that knowledge of the vulnerabilities associated with a particular WordPress version makes it more likely that someone will exploit them. This is not necessarily true. Generally, people who steal information from websites use automated tools to scan for known vulnerabilities, and if your WordPress version is vulnerable, they’ll know it. It isn’t as if hackers check one site at a time and sort them by WordPress version.

As stated previously update your WordPress, themes and plugins as soon as possible. Hackers do not discriminate between sites that display WordPress version and websites that do not.

In the unlikely event, that a hacker manually visits every website and checks the WordPress version and then attempts to find vulnerabilities, you may find it fruitful to hide your WordPress version.

Use the Remove Version plugin to remove your WordPress version. If that doesn’t work for you, you’ll need to make a few minor modifications, and this blog post should help.

#9. Back Up – Last Line Of Website Security

You should always be prepared for the eventuality that your WordPress site despite all your security measures becomes compromised. If that happens you need to step in and fix things. Now there are multiple ways in which site recovery can be accomplished. Backups with one click restorations are an easy fix for a compromised website, assuming the security loophole or vulnerability has already been fixed.

Automatic backups are a necessary and essential part of every WordPress website’s security arsenal. Think of the security plugins as your sword and the backup as your shield. Should your offense fail you, your shield in this case the backups, becomes your last line of defense.

Remember, I am assuming that only your WordPress is compromised and not your server, which is a completely different can of worms. Most hosting providers have a strong security team constantly protecting their servers against malicious elements, especially during global attacks. I wrote a post a few weeks back about the different providers of shared hosting services, if you are interested.

Backups: if you’d like a free plugin, without paying a dime for backup services, then I’d say start with UpdraftPlus, which is a freemium plugin.

[Screenshot: UpdraftPlus]

With this plugin you can back up your website and save the copy on storage provided by a number of services, including Google Drive, Amazon S3, Dropbox, Rackspace Cloud, FTP and SFTP, and email. Note that the free plugin only backs up to one location; you’ll need a premium add-on if you wish to save your website to multiple places.

Like most WordPress backup plugins, this one saves everything, including your content and your theme and plugin settings, and it can also run a WordPress database backup separately from your normal backups.

If you’d like to use a premium WordPress backup service, I’d recommend that you have a look at BackUp Buddy, VaultPress or BlogVault (I’ve worked with them in the past and they have an awesome service).

Keep more than one copy of your website available and always have one on a physical drive that isn’t reliant on an internet connection. Backups are a good idea even from a non security standpoint. When you experiment with themes and plugins, when you update themes, plugins or your WordPress, there always exists the possibility for a compatibility issue to arise and break your website.

And from my experience with automatic backups, you need to keep deleting old backup copies at a rate consistent with how often you add new content and create new backups.

When it comes to my PC, I always prefer backup solutions that offer incremental/differential backups over full backups, but note that restoring from the former takes longer, because the backup has to be reconstituted first. The same definitely applies to a WordPress backup system, although unless your backup provider charges extra or imposes strict data storage limits, you shouldn’t worry about it.

Conclusion

I can’t help it, this quote from the Harry Potter series seems so apt.

“Constant Vigilance!” – Mad-Eye-Moody

Moody is a dark wizard catcher in the series, if you were wondering.

As I’ve already mentioned, there is no such thing as foolproof security on the web. You can take numerous security measures and still have your website hacked. But ensuring that your website runs on SSL, that your login pages are hardened, that your passwords and usernames are remarkably unfamiliar, and that your website is fully updated, protected against known threats and fully backed up on a daily basis greatly improves the odds in your favor.

If you want a completely hack- and exploit-free WordPress, following all the aforementioned security measures will give your website airtight security. But even then, you cannot protect against zero-day exploits or a smart hacker hell-bent on breaking your website, although this is a very unlikely event.

Think of it this way. If my website gets hacked, how much business and revenue will I lose? Will I put my customers’ information at risk? Will that make me liable for lawsuits? When you get to the point where the costs of having your website hacked are reasonably high, I’d suggest you use either a managed WordPress hosting service or a really big web bouncer in the form of Sucuri’s security services.

Your website does not necessarily need to be popular to become a target. And it will never become a high traffic website, if it continually falls victim to hacks and attacks.

As I’ve said previously about hosting. If you’re reasonably certain of your ability to create a revenue generating website which will pay for the costs of the best hosting/security services, then go with the best. If you’re able to afford the best web hosting/security services, it will be worth it in the long run, assuming you aren’t a web developer by profession.

If you can not afford the best managed web hosting or top notch security, then put in place the aforementioned security measures. Chances are, your website will be safe.

If you have some additional insight on WordPress security or have different ideas on how to protect your WordPress website, I’d love to hear your ideas in the comments below. Cheers 🙂

Aigars Silkalns

Frontend web developer and web designer specializing in free and premium WordPress theme development. I started learning to code 2 years ago and am now familiar with CSS/HTML/JavaScript (jQuery) and PHP. Obsessed with application performance, user experience and simplicity.

This Post Has 11 Comments
  1. Great information, Vishnu!

    For non expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
    From the ones you mentioned, I found “Wordfence Security” plugin a free solution to secure blogs and make them faster.
    Tested and happy with it!

  2. I used to HATE WordPress, I would always get attacked and shut down for malware no matter what I did. Each time I was told it was my website not being updated soon enough… those hackers be quick! Definitely recommend doing all these things, but I also decided to stop paying for malware cleanups and hired a company to monitor my site and keep it secure. The great thing is they clean it for free if it does get hacked…. saved so much time and for me so much money! If your website is important and needs to stay up, definitely recommend doing something like that. There are many companies that do this, I personally use Sucuri.

  3. Hi Vishnu,
    Thank you for mentioning UpdraftPlus in your post here. Great writing. As you can imagine, here at UpdraftPlus we are very enthusiastic about WordPress security.

    I would just like to take a minute to point out that we are now compatible with more remote storage locations than any other WordPress backup. Now including (in addition to those you have listed here) Google Cloud Storage, OneDrive, Microsoft Azure, WebDAV, DreamObjects and our own UpdraftPlusVault. When using our UpdraftPlus Premium service you can get 1Gb for free and the full suite of add-ons, which allows you to store backups in multiple locations along with back-up scheduling, multisite/network abilities, our popular migrator add-on and of course access to our very talented team of developers for any support questions.

    Thank you very much
    Abbie

  4. Nice post, good checklist. Some points are really new and very useful.
    Well, I have one question: my blog is hosted at HostGator shared hosting. Can you describe a little bit more which settings should be checked for shared hosting?

  5. Hi Vishnu, thanks for these great tips! Limiting login attempts is a good one & lots of people still don’t know about it.
    We’ve been working on suspicious login detection for a few years now and recently built a WordPress plugin. It’s just now come out of beta and it’s in the WP directory here: https://en-au.wordpress.org/plugins/thisdata/. I’d really appreciate feedback from anyone who gives it a try.

    Thanks!!
    Nicole
    Co-founder ThisData

  6. Nice sharing. This is really an important article. You have shared some crucial tips to improve the security of WordPress site. I knew before about some tips here. But some tips are totally new to me. I want to make my site more secure by using your tips. We know that we are living under the threat of hackers and they can exploit our sites anytime. So we need to take immediate steps against hackers. This is our most important responsibility to take care of our websites. Your article will be really helpful. Thank you very much for your great article.

  7. Good article. You’re right that complete protection should be a complex thing. For this purpose I use the W.tools service. I’ve set up daily backups there with file-change monitoring, and FireCDN as prevention against malicious requests.

  8. One possible way to prevent an unauthorized entity from accessing your website is to keep your WordPress, plugins and themes updated. The few things discussed here will really help you improve the security of your WordPress website.
