WordPress Security: The Complete Guide
WordPress still remains the most popular Content Management System (CMS) with about 34percent of the web being powered by WordPress. WordPress popularity has also made it a target for hackers, with tens of thousands of websites getting infected with malware, becoming the sources of phishing schemes and getting blacklisted by search engines. In this guide, we will put our best efforts to cover everything you need to know about WordPress security, including a comprehensive list of do-it-yourself WordPress security tips for hands-on website owners. We will try to equip you with the knowledge and tools you need to protect your website against even the most determined attacker.
- A checklist against cybercrime
- Joomla Security - The Complete Guide
- WordPress Maintenance Tasks You Need to Perform Regularly
WordPress security is important
Running on the latest version, core WordPress is very secure, the CMS is audited by hundreds of expert coders who write security into WordPress. Nonetheless WordPress can still be hacked and often it is due to a lack of basic security practices.
WordPress sites that are hacked can be very damaging for the owner as it inevitably leads to a loss of reputation while also leading to financial loss. A hacker can rob a business of its confidential user data, can install software that leads to further damage down the road or even install malicious programs on your user’s PCs.
Once your website is compromised, its reputation is at stake as Google can exclude potentially hacked websites from its search results. Google can further blacklist the website. Google also warns users away from infected sites by displaying a warning in Chrome. The resulting warnings can lead to a huge drop in traffic for website owners.
The responsibility for securing a website lies, of course, with the website owner. It’s no different from business security at a physical place of business. Essentially, your website is your premises and you need to ensure that it is secured.
- WordPress Performance: How to Find a Slow Plugin
- How to Reduce Security Risks From WordPress Plugins
- 7 Steps to Reduce the Disc Space Used by Your WordPress Website
General Tips for WordPress Security
Let's acknowledge that it is very difficult to achieve complete elimination of risks. You can take consolation in reports of attacks on government and military websites that are secured by the most capable security regimes. However, you need not be afraid, protection for your WordPress has become more solid than before. These steps are critical to implementing a successful risk management practice for your WordPress website:
Pick a Trusted Web Host
This is one element that you will likely not control, yet, it significantly has a strong impact on your website security. In fact, it can be argued that picking a secure shared hosting provider is your very first step in getting WordPress security up to scratch.
With shared hosting you share the physical and software hosting environment with many other users. So, when one user’s website gets hacked it can spread across to yours. This is called cross-contamination and can mean that your site gets infected through no fault of your own.
Therefore, you need to select a host that you can really trust. One option is to use a managed WordPress hosting company which can offer a range of services that help you secure your WordPress site, including advanced security configurations and firewalls
User permissions and passwords
Compromised passwords had been one of the common causes of hacks. One way to “steal” a password is to guess it, if you use a weak password a hacker can easily guess it and get access to your WordPress instance.
It is important to choose strong passwords for both your WP logins as well as every other area of your hosting solution including FTP and MySQL. This goes for your email addresses too as a hacked email account can be used to reset passwords.
Also watch out for user permissions. Where your website works using a larger team including contributors you need to ensure you control access by limiting user privileges to the absolute minimum. Don’t give users full administrator access unless they really need it.
Maintain Updated WordPress Website
Some web hosts run automated WordPress updates. If your host doesn’t provide automatic WordPress updates you should make sure you implement these updates yourself on a regular basis. As open-source software the WordPress codebase is regularly updated, with minor changes to the code automatically installed. However major new releases of WordPress require user intervention for the update to install.
Updates also stretch across to the stacks of plugins and custom themes that so many websites make use of. Here, too, you must ensure that 3rd-party updates are tested and installed in a timely manner. Both WordPress core updates and 3rd-party updates are key to ensuring your WordPress website is secured from hackers.
Third Party Security
We’ve outlined some of the basic elements of good WordPress security. Another way to ensure your WordPress site is really secure is to make use of a third party security service.
In this section we will cover the WordPress security tips you can follow that don't require an understanding of how WordPress works, and which you can implement just by pointing and clicking. For beginner users these steps are ideal as they are easy to implement yet effective. Let’s take a look.
Activate an automatic backup solution
We earlier highlighted how difficult it is to make a website 100% secure against hacker attacks. So, website owners must assume there is a chance of a successful attack. Maintaining a healthy backup Effective backups are the most important defence against a successful attack as it allows you to restore your website should the worst happen.
Thankfully it’s not hard to get WordPress backups into place, and you have a choice of paid-for and free solutions. However, you must save your backups in a remote location – not in your main hosting account. Otherwise, if your hosting account is compromised, your backup is simultaneously compromised. Instead store your backups in cloud storage such as OneDrive, Dropbox or AWS.
Backup frequency is also important, depending on how often your site is updated it should be at least once a week but for many scenarios ongoing backups that mirror all site changes are the better option, especially where user registrations are involved. Some of your best no-coding backup solutions include VaultPress as well as Backup Buddy.
Install a third-party WordPress security plugin
Backups are your first step, but you should go further when setting out your WordPress security measures. Understanding what happens on your site is important, so you need a monitoring tool that can audit everything from failed access attempts, scanning efforts performed by malware and the integrity of WordPress core files.
We have given a detailed post on Security Plugins for WordPress in an earlier post. Click here to read the post.
One very good solution to harden your WordPress security is the Sucuri Plugin. These options are typically for the more technically savvy. Overall Sucuri is really easy to set up because, once you’ve ticked all the “Harden” boxes, it’s job done, you don’t need to change much else. However we do suggest that you customise the email notifications that Sucuri sends as these can be bothersome. To stop your inbox cluttering up too much with notifications you should edit the settings in Sucuri so you only get a message when there is a major change, for example when a new plugin is installed or when a new user registers.
Overall the Sucuri plugin is a top choice for automatic WordPress protection and we encourage you to browse through the different sections of the plugin including its malware monitoring, logs and the list of failed logins. However, you can take Sucuri to the next level if you are willing to pay for a subscription.
Get a firewall for your website
Commonly called Website Application Firewall or WAF, a firewall for your website is one of the best ways to keep your website safe and secure. This is because a firewall protects your website from malicious traffic before this traffic even reaches your website.
Clearly, stopping intruders from reaching your site in the first instance is top WordPress security priority. In the unlikely chance that intrusion succeeds, applications can also do a cleanup and help you remove your sites from blacklists.
It’s not cheap to get a hacked website fixed and it can take a long time, which makes hacks costly. For example, Sucuri’s technicians charge over $200 per hour, but you get access to the full Sucuri service for just $199 in subscription fees. Note that you have other choices for website application firewalls, some examples would be Cloudflare and .CWatch.
The DIY WordPress security guide
With the pointers we have discussed so far, that should get your WordPress site to a point where it is reasonably safe from attack, but if you are more technically minded you can go further and do a few more things to help you get your WordPress site as safe as it can be. Some of the following instructions require a bit of knowledge of coding, but other steps are simple to complete. Let’s take a look.
Stop PHP file execution where it’s not needed
Some WordPress directories are not intended to run code, instead these just store files. For example, /wp-content/uploads/. Hackers can, for example, upload PHP code to these directories and then execute the malicious code. Stop hackers from doing so by blocking PHP code execution where WordPress doesn’t need it.
It’s simple to do so, open a pure text editor such as Windows’ Notepad and paste this text:
deny from all
You then need to save the code to a file called .htaccess and upload it to the directory you want to block PHP code execution in, such as /wp-content/uploads/. However don’t add this code to just any WordPress directory as it can stop your site from working.
Alternatively, simply use a plugin like the Sucuri security plugin to help you, blocking PHP file execution in unnecessary directories is one of the hardening options included in the plug-in.
Change file editing permissions
WP comes with a code editor built-in which allows you to edit the files used by plugins and themes. We recommend that this is turned off. This direct access can cause problems when used by a rogue actor. It’s easy to switch off the ability to edit plugin and theme files. Just add this code to your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
If you have a Sucuri plugin installed, it allows you to change this setting right in the Sucuri plugin’s control panel, ideal if you’re not keen on editing configuration files.
Don’t use “admin” for the administrator account
Older WordPress installations started out with “admin” as the username for the main administrator account so many WordPress website owners still access their sites via the “admin” account. This matters because a lot of automated WordPress attacks rely on hitting “admin” with a guessed password to get into the WordPress dashboard.
Recent versions of WordPress force users to choose a different administrator username so that “admin” is no longer the default for a new installation. That said, some auto-installers that do a one-click install can still make use of “admin”. If you see that your administrator username is “admin” you should change it.
You do have three options to change this. First, you can create a new administrator account with a different name and delete the old one. The “Username Changer” plugin can also do it for you. Finally, you could simply hack into the WordPress database via phpMyAdmin and make the change yourself.
Change the WordPress database name
WordPress assigns a “wp” prefix to the WordPress database, and all its tables. This hasn’t changed and hackers can try and search for WordPress tables using this prefix. Changing it can trip up hackers, but you must be extremely careful when you make this change as it can break your WordPress site.
Set a password for the WordPress login and admin pages
Make life harder for hackers by setting up further password protection server-side that asks for login details before your server presents the WordPress wp-admin directory and the login page inside of it.
Each hosting solution will have a different way of making this change, but it can prevent hackers from running a DDoS attack or some other tricks that try to access the WordPress admin directory.
Stop directory browsing and indexing
Hackers can try to find out whether your site has a vulnerability by browsing the content of your site’s directories. Many hosting solutions leave directory browsing enabled by default providing an opportunity for hackers.
It’s not just hackers you need to be worried about. Directory browsing lets anyone who is curious hunt through the files on your website to find images and other documents or to copy down your directory structure. We strongly suggest that you disable the ability to browse directories as there is rarely any purpose for doing so.
To stop directory indexing you need to edit the .htaccess file for the root directory on your website. You can do so using the file manager on your website’s control panel. You need to add this line to the .htaccess file:
Do that and you will stop unwanted users from exploring the file content of your website’s directories.
Disable XML remote procedure calls
XML remote procedure calls, or XML-RPC, can magnify the impact that a brute-force hacker attack has on your WordPress website. It is a powerful protocol and though it is useful on the one hand (you can connect other websites and apps using XML-RPC) it does carry risks.
XML-RPC has been enabled by default since WordPress 3.5 but it can open the door to hackers. Instead of using 500 individual password attempts on your site, a hacker can simply use system.multicall, a function in XML-RPC, to try these login attempts. In fact this function can try thousands of passwords with just twenty to fifty XML-RPC requests.
If you are not using XML-RPC the general recommendation is to disable it so that it does not open the door to hackers. You have three options: the most direct and least resource-heavy is doing so by using .htaccess. Alternatively, you can use the Sucuri WAF to do it for you.
Put a cap on the number of chances to login
Hackers often use a technique called “brute force” to try and get into a website if they don’t know the password. They simply keep trying the username against a list of potential passwords. WordPress usually allows users to try to log in as many times as they like, but you can change this. First, a website application firewall can do this for you as it will automatically block brute force attempts.
Alternatively, download a plugin called Login LockDown and install it. You have to set up the plugin once you’ve installed it, visit the Settings > Login LockDown page to do so.
Put a time limit on idle users
Hackers don’t always work from faraway corners in the world. When your administrator walks away from their PC while logged into WordPress they can open your site to security risks. Just as a lot of important sites like financial services force a log out after a period of inactivity you should also consider forcing a log out when a user is idle.
One way to do so is using the “Idle User logout” plugin. Once you’ve installed it go to the Settings > Idle User Logout page and set up the plugin. Here you can set the time duration that you prefer. Make sure to uncheck the “Disable in wp admin” option for maximum security.
Mix up the WP login screen with a security question
Again, you can make it more difficult to get past your WordPress login screen by setting up a separate security question which hackers won’t expect.
Thwart unauthorised access by installing a plugin. We recommend “WP Security Questions”, again easy to install as a plug-in if you follow our simple instructions. To activate this plugin go to Settings and then to the Security Questions page where you can customise the security question.
What If Every WordPress Security Effort Fails?
There are so many facets to protecting your website against WordPress hacking threats. It is not uncommon for even the most switched-on website owners to trip up when they set up protection for their sites and that is why it is so important to have a dependable backup solution and reliable website security partners.
Should the worst happen you should consider letting a security expert do the clean-up as it can be difficult to get rid of everything a hacker installs. It is easy for intruders to leave what is called a “backdoor” which can enable future intrusion attempts. A backup of your site is important because it makes the repair and clean-up process far easier.