WordPress is the most widely used Content Management System (CMS) and basically everyone can have access to its default code no matter if that person is a simple user, hacker or a developer. The default code of the WordPress platform is secured enough and there are no reports recently for weak elements that might cause your website to be compromised.
Also read: 7 Security Tips for a WordPress Website
In some cases however, the users or the developers uses resources which are distributed not by the authors of the platform but from 3rd parties which might not pass the required integrity test. Usually using a free resource such as plugin or a template on your website does not always mean that it will lack security or you will face similar issues with it. However commonly used free templates or plugins are not secured enough and they are in some cases providing security holes which the attackers of your website might take serious advantage of to break into your website and cause problems.
Basically there are few ways to deface or hack user website build with WordPress. The most commonly used method is for a malicious file to be uploaded on the website and then executed directly so it can provide a web interface to the hackers. With the help of that web interface the attackers can basically do anything with your website..
To improve the security of your WordPress, here are the basic steps you need to follow:
Step 1: Disable PHP Execution
Step 2: Protect Account Registration and Contact Forms
Step 3: Activate the Akismet Plugin
Disable PHP execution
There are two directories in your WordPress that are writable by default. The /wp-includes/ directory contains themes and plug-ins which can create files on their own and the /wp-content/uploads/ directory is used by the users to upload content on your website so both of these folders must be writeable. Unfortunately, this brings security vulnerability with the PHP files in those folders. A malicious PHP file can be uploaded and executed in order to compromise your website and even the entire server on which it is situated. As changing the write permissions is not a good solution in this case, you can instead remove the execution permissions on files with the extension PHP. In this tutorial, we will show you a few ways to do this depending on your configuration, rights and specific needs using the .htaccess file or the Apache configuration file.
If an .htaccess file is not available for you to edit, you can create a new one via your cPanel>File Manager. Make sure to check the Show Hidden Files (dotfiles) option when selecting a directory.
- Accessing your website directory
- You will now need to click on the +File section.
- Creating a new File in FIle Manager
- Name the file .htaccess and hit the Create New File button.
- Name and Create the new file
- Now open the file with the Code Editor tool.
- Editing the file using the code editor
You could also create a text file named .htaccess on your local computer, fill the required lines of code and then upload the file with your favorite FTP client to the server on which your WordPress website is hosted.
More advanced users with SSH access can use this command to create a new .htaccess file in the directory they are.
Note that you can use a main .htaccess for the whole website or local .htaccess in the directory you want to change depending on what method you choose. For a local .htaccess file in the directory you don’t want the PHP files to be executed nor accessed copy the following lines in the .htaccess:
deny from all
A similar setup but for the main .htaccess file will look like this:
deny from all
The following code cannot be used in an .htaccess file as it will lead to an Internal Server Error message. You can copy this to your php.ini file (the php.ini file operates on a local level and won’t affect any other directories except the one he is in):
php_admin_value engine Off
Any directive type set with php_admin_value can not be overridden by .htaccess or ini_set(). To clear a previously set value use none as the value.
If you have control over the Apache configuration file (located in /usr/local/apache/conf/httpd.conf) you can use the following code to disable the handler and turn off PHP globally RemoveHandler .php
If the PHP is enabled by AddType you will need to write RemoveType .php
Note that if you want to use php_flag engine off you will have to make sure the hosting environment is suitable and you will also not be able to turn it back on by using php_flag engine on
You will need to write php_flag engine 1 to represent a positive value.
Our servers run PHP as a CGI script, so you won’t be able to use the php_flag commands in .htaccess files. If you try to do so, you'll see an internal server error message.
If you are still concerned about yourWordPress website’s security, we suggest you check our hosting service which comes with a custom build Firewall and other security layers specifically set up with one purpose – to protect your content hosted on our servers.
Protect Account Registration and Contact Forms
Since we have mentioned malicious file upload, this can be achieved if your users have the option to upload files on your website. If you are convinced that they should be allowed to you will then need to secure all of the forms on your website not only for preventing malicious files to be uploaded but also to make sure that no spam bots will use your website as a spam script and they will launch massive outgoing spam emails campaign.
This can be easily achieved by adding a reCaptcha to your WordPress based website so all of the forms such as registration or contact us forms will require from the user to enter a code displayed as an image on the page where the concrete form is located.
In order to activate this feature you will need to generate a pair of keys called “Public Key” and also “Private Key”. This can be easily achieved if you access the reCaptcha official page.
Then by using the Signup Now button and filling the required information you will be promptly provided with the above mentioned keys.
Now that you have the required keys you will need of course to add a plugin which will enable the feature on your website. This can be easily done if you navigate to your WordPress admin area -> Plugins -> Add new and search for a plugin called wp-recaptcha.
Once you install and activate the plugin you should configure its settings via your WordPress admin area -> Settings -> WP-reCAPTCHA.
At that page you will need of course to add the Public and Private Keys you have received when you were signing up for the reCaptcha service.
By default the reCaptcha will be enabled for the Comments and the Registration features of your website and you should keep it that way so you will not need to change any other settings on this page. Therefore simply navigate to the bottom of the page and use the Save reCAPTCHA Changes button to save the changes so the plugin can be working properly.
Activate Akismet Plugin
Akismet is plugin provided with the default WordPress setup and it serves for filtering the spam comments/posts on your website. In order to activate the plugin since it is already installed on your WordPress based website you will need to login into your WordPress admin area and navigate to Plugins -> Installed Plugins. Once there you should simply use the Activate link bellow the name of the Akismet plugin.
Once the plugin is activated you will notice a large banner appearing at the top of your admin area. If you click on the button “Activate your Akismet account” you will be redirected to a page where you should choose between the options to “Create a new Akismet Key” or you can choose the option “I already have a key”. If you choose the create a new key you will be redirected to the Akismet home page where you will be able to register an account and to receive a key for your plugin. Once you have the key return to the same page in your admin area where you have just chosen to create a new key and click on the other option – “I already have a key” so you can input the Akismet API key on the next page.
Once you save the changes you are done configuring the plugin and your Akismet guardian will be activated and it will guard your website from spam comments or posts.
Password Protection in WordPress
The wp-admin area of your website should be accessed only by the admin user and you do not need to allow access to anyone else for security reason and also to avoid password brute force issues with your admin user. Activating the password protection for that folder is quite easy since your cPanel includes such feature. In this tutorial we will discuss how you should create such a protection and how you should enable a user to access the protected folder.
In order to activate the password protection feature via the cPanel service you will need to of course login into the cPanel service. Next you will either need to use the search option at the top left area of the cPanel service or search on your own for the icon called Directory Privacy.
Once you access this feature you will be presented with a directory structure for all of the directories of your WordPress website and there you will need to click on the wp-admin folder link.
Configuring Directory Privacy
Once you click on that link you will be redirected to the actual interface where you will need to check the Password protect this directory checkbox, set the name of the protected directory and click the Save button.
Activating Directory Privacy
Then you will be provided with a message indicating that this folder has been password protected and you will need to scroll down to set the username and password for the user who will have access to that directory.
Configuring the user credentials for accessing a protected directory
When the user is added successfully you will be able to login with the username and password you have just created in the password protection interface when you access the wp-admin folder.
With the security methods discussed in this tutorial you will be able to increase the security of your WordPress website!