WordPress security is not necessarily something that most users think about until their own website gets hacked. It doesn’t have to be this way.
There are plenty of decent security measures that can be taken which prevent the vast majority of attempts to infiltrate a WordPress website. In most cases, these can be actioned by the use of WordPress plugins rather than needing to delve into the inner workings of the WP installation to harden the defences.
Here are some of our best ideas for how to improve WordPress security:
Choose an Appropriate Web Host
Web hosting is a difficult service to understand. After all, few buyers have every hosted a website themselves. With WordPress-specific web hosting, a different level of service is being provided that is more tailored to the needs of the WP back-end. This can help improve security and provide boost performance too.
For example, HostGator offer managed WordPress hosting with a scalable model which is 2.5 times faster than their regular shared server hosting. Malware scans are performed daily to ensure WP files and content are not infected. A global content delivery network (CDN) is also included to help static content load faster from any of multiple servers situated around the world.
There are several plans for managed WP hosting with HostGator. The service and pricing is more tiered to a virtual private hosting package than a shared hosting package which is a good thing for owners of WP web sites who don’t mind paying up a little bit extra for something more robust.
WPEngine is another popular choice for custom WordPress hosting. They are significantly more expensively, particularly with either a collection of websites or a high monthly bandwidth usage, but what you get with this is WP specialisation.
The service includes security protections against code that accesses the WP installation unnecessarily. Backups are performed to Amazon S3 cloud services which the user cannot directly access. Code audits are performed by Sucuri. Insecure code and WP plugins are disabled or their rights severely restricted.back to menu ↑
Be Careful With Themes & Plugins
Both WordPress plugins and WordPress themes should be viewed with scepticism rather than be universally accepted. Adding them to a WP installation can open up a can of worms, grant unnecessary access to the WP structure, and cause long-term vulnerabilities that are difficult to route out. Free themes and plugs are usually more of a risk.
Create a Readable Security Log
Use the WP Security Audit Log plugin to add easily accessible security logs of everything that is happening on the back-end that is not seen by the user or the administrator. Whether managing a single site or multiple sites for yourself or for clients, this plugin can make it much easier to track changes and potentially malicious actions. Tracing the source of the problem, routing it out, and then fixing the damage becomes easier from there.
Safety In Numbers
Free plugins and themes that have few downloads and do not come from a reputable developer or a safe source should be considered questionable. Beyond the matter of whether their code might be malicious, free plugins and themes are often not updated frequently (if at all) and therefore do not receive changes to protect from newly discovered vulnerabilities. When new versions of WordPress get released, the plugin or theme may also develop a fresh vulnerability that was not present before, yet the original developer may already be AWOL by that time.
If in doubt, use the WordPress plugin or theme directories to be safer. These have reviews which can be checked before choosing whether to install the package. Check previous products by the same developer to see if they have had security issues noted by commenters in the past. If so, this should be a warning for all their future plugins or themes.
Sucuri Site Scan
Sucuri is active in WP security with a number of products available. They offer a free site scan from their website. Whilst a security plugin and other measures taken are also a very good idea, this at least is a good first step.back to menu ↑
Get Creative with Your Login Page
The structure of a WordPress site is well known which includes where the login page is located. This makes it an easy target for amateur and professional hackers looking to make a name for themselves.
Change the Game
The Admin Renamer Extended plugin changes the username commonly associated with a new WordPress installation. This protects from hackers who assume that you’re still using the original admin username.
The WPS Hide Login plugin can provide a modified way to access the WP admin login page. This prevents other users from knowing which page to load to attempt to login, while not changing the underlying structure of WordPress itself. The Stealth Login Page plugin is another option which will change the login page location and also blocks bots from trying to access this login too.
Be Smart About Passwords
Avoid using obvious passwords. Hackers use dictionary password apps that run through the most common passwords used and also combine dictionary words in random ways to guess passwords that only use common English (and other languages) words.
Consider using a password generator to come up with much stronger passwords that cannot easily be guessed by lucky hackers.
Use a Password Manager
Trying to use a tough password is great, but it makes it extremely difficult to remember it later. This leads to writing it down or doing something else which is insecure. Instead, why not use a secure password manager like LastPass or KeePass.
Both of these apps use a single master password method to unlock their password vault and then log the user into different websites automatically. This means the user only has to remember the master password and is free to use extremely strong passwords for websites including their own WordPress ones.
Protect Against Brute Force Attacks
It is possible to stop users who are trying to repeatedly log into a WP installation. This includes blocking their originating IP address after a certain number of failed attempts.
A newer option which is most welcome is the Google Authenticator app which runs on a mobile device. When accessing certain websites, they will ask for a code from the Google Authenticator app to confirm identity. This links up a mobile device with a Gmail account and confirms the identity of the user beyond just entering the username and password to login to WordPress.
The Google Authenticator plugin can add this functionality into a WP site so that the site admin needs to open the Google Authenticator app to pull up the latest security code to verify they should be granted access to login.back to menu ↑
4. Locking Down WordPress to Improve Security
Protecting the basic WP core structure is important in order to avoid the most common security risks.
Add a Password to WP Folders
Depending on the web host, the user will either have access to their web host’s dashboard or the cPanel which provides control panel access. If using cPanel, just open up the “Security” section and select “Password Protect Directories”. This will then display all the folders used on the WP installation.
The most important folder to protect is the wp-admin folder. Select this folder and initiate the password protection which will bring up a dialog box to fill in a username and password. This a completely separate username and password combination to either the one used for the web hosting account or the WP installation.
Once set, whenever attempting to access the WP admin folder, a password prompt will show up to request folder login before the web host will allow access. However, the user will still need to actually log into WP admin as well.
Use SFTP Access Rather Than FTP
To access the web hosting account to transfer files directly by uploading them, outside of the WP admin access, it is necessary to connect via file transfer protocol (FTP).
As an alternative to using FTP, it is possible to setup access for Secure FTP which uses encryption to better protect what is being uploaded from prying eyes on the internet.
A FTP software package like FileZilla has the capability to use SFTP to access web hosting accounts.
It will be necessary to check with your web host for information on how to connect securely to their FTP services. Their help pages will usually cover this information. Alternatively, the FTP section of their control panel may also cover this issue. The host will often generate a SSH key which can be used by FileZilla (or another FTP package) to properly access the FTP server securely.
Disabling Error Reporting
Error reporting for execution errors on PHP code is commonly turned on. This will display complete error codes, the PHP file name, and the line number that the error occurred. This can be a boon to hackers looking for any information that may provide a way into the server and the site.
Access the wp-config.php file which should be simple to locate within the WP installation.
Add the following lines to the wp-config.php file to prevent error reporting:
In some situations, the error reporting is not turned off when using this code. Under these circumstances, try contacting your web host to see how they can disable error reporting for the WP installation on their end.
Alter The WP_Table Prefix
When using tables within a WordPress, they all start with “wp_” which makes them easy to predict and a juicy target for hackers. Instead of continuing with this naming tradition, change it by altering the wp-config.php:
Search in the wp-config.php file for this code:
$table_prefix = ‘wp_’;
Replace it with the following code:
$table_prefix = ‘utjd_’;
The “utjd” is utterly random and can be modified, however do not use a dictionary word. From now on, every table for WordPress will no longer use the wp_users, wp_posts structure and will instead be something like utjd_users, utjd_posts, etc.
Turn off XMLRPC
If you do not have a reason for needing it turned on, consider disabling XMLRPC. Hackers use DDOS attacks to try all known web pages on a WordPress website. By turning off XMLRPC, it makes this a little bit harder for them.
To turn this feature off more easily, use the Disable XML RPC plugin.back to menu ↑
5. Best Security Plugins
A security plugin (or two) protects users from themselves. For the know-nothing WP user, a security plugin ensures that many basic measures (and some advanced ones) are taken to make a standard WP installation more secure.
Depending on the plugin, some of the security suggestions made in this article will be performed automatically when it has been installed and is now operational. However, not all suggested changes in this article will have been made by every security plugin. For this reason it is helpful to verify the features and capabilities of each plugin to fix any gaps in their security features.
Wordfence is a good starting point for a security plugin. It can:
- Block malicious attack networks and stop hackers
- Stop users who try to get around security preventions
- Prevent brute force attacks
- Enforce two-factor authentication via SMS messages and better login page security
- Limit the access of site crawlers, automated bots, and site scrapers
- Compare plugin and theme code with the version of the package on the WordPress.org site to ensure the code hasn’t become infected
- Geo-locate threats indicating the city and country origin
- Block fake Google bots
- Use heuristic checks for code that looks dangerous or is acting suspiciously when running
- Real-time live monitoring
- Falcon caching of data for faster load times
- IPv6 compatible
- Multi-site compatible
There is a free and premium version which is billed as a low-cost monthly subscription. Some of the above features are only supported in the premium product.
Whilst a security plugin is a good idea, a specialist WordPress web host that implements their own more advanced security measures at the hosting level is going to be more secure when done correctly.back to menu ↑
6. Don’t Forget To Update
WordPress is frequently updated. It is fair to say that there are numerous vulnerabilities that have been discovered in previous versions of WP that have since been rectified with the release of a WP update.
WP administrators and site owners tend to be rather slow at updating WordPress to the latest version. Typically even after a couple of months following a new major release of WordPress, fewer than 10 percent of WP sites have been updated yet.
Additionally, plugins are often regularly updated and need to be patched too. There are a number of cases where well known plugins like Revolution Slider and WP Super Cache posted updates which users failed to add soon enough. This resulted in thousands of WP sites being hacked and taken over.
Users must stay on top of updates to WordPress, WP themes and WP plugins. Be particularly aware that free plugins and themes are less likely to be updated to address new security vulnerabilities. Developers of free products often lack sufficient financial resources to update the product. This can leave a site open to attack.
Automatic Updater is a plugin that can help to automatically update WordPress, WP plugins and themes. The user can select whether to update for minor improvements or only major upgrades to WordPress. WP themes and plugs also get some update love too.
The Background Update Tester plugin is also useful. It can perform tests on a plugin to see whether it will be compatible with the currently-installed version of WordPress once updated.
Please note that it is a good idea to perform a WordPress backup before updating the website in case the update breaks the installation in some unforeseen manner (see point 8 for more information about backups).back to menu ↑
7. Firewalls, Malware Scans & Audits
A firewall for the WordPress installation is not a bad idea. This goes one step beyond any hardware or software firewall offered by the web host.
A good firewall can protect against some or all of the following issues:
- Brute force attacks
- Reduce the impact of DDOS attacks that try to flood a server with requests which could shut the server down completely
- Prevent code injection attempts that exploit code vulnerabilities in XSS and SQL
- Stop zero day attacks
One solution is the Sucuri Cloudproxy which provides a firewall that aims to keep out hackers, SPAM, DDOS distributed attacks, malicious bots, SQL injection attempts, and brute force attacks.
The service also can provide a virtual patch against known vulnerabilities. The system looks for patterns in how attackers are trying to access WordPress. The intrusion detection system can help to prevent attackers from being successful even if they are using a known exploit or a brand new one.
Whilst site scanners like Sucuri SiteCheck and the Cloud Proxy service described above are important measures to take, nothing improves security better than updating WordPress, WP plugins and themes in a timely manner.
Tracking activities via logs (like the aforementioned WP Security Audit Log) is also a good idea to get an overview of what is happening behind the scenes. It is always possible that an attacker can get past even the most hardened defences and therefore regularly reviewing the log files is still important.back to menu ↑
8. Don’t Forget to Backup!
When considering backups, it is generally not a good idea to rely on the backup performed by the web host. After all, they may have their own technical difficulties which prevented a backup being performed and you only discovered this too late. Don’t let this happen to you!
There are many kinds of backup plugins that enable the owner of a WP site to backup locally, to a cloud provider, a FTP server or other solution. The majority of backup solutions will backup all existing content, the structure of the live site, and installed plugins and themes. WordPress database backups are also possible and are sometimes performed apart from the rest of a backup.
UpdraftPlus is a “fremium” plugin solution that offers an effective backup service in their free version. Backups can be created and sent via email, uploaded via FTP or SFTP, or sent to the cloud via Google Drive, Dropbox, Rackspace Cloud or Amazon S3. Multiple backup locations can also be used for more data protection but this requires the premium version.
It is recommended to maintain multiple versions of a site backup and also previous versions in case the latest version is corrupted. An offline version is also useful to have on-hand because backups including the WordPress database can become quite large and time-consuming to download. This would enable the site owner to re-install the local copy without needing to wait for the cloud-based copy to download first before being able to re-install it to the live site.
Be aware that when adding new WP themes or plugins, there is always the risk that either the themes or plugins will mess up design layouts or site functionality, or both. Therefore, backups are essential prior to making significant changes that could badly affect a live site.back to menu ↑
WordPress security is not a subject matter than should be overlooked. It doesn’t take much time to address the issue properly and you’ll be surely glad you did later on.
Just think about the amount of traffic and money that would be lost if your site was hacked. The loss of confidence of visitors and future damage to both professional reputation and income could be significant. Not to mention the fact that should the site have malware added to it, Google could start warning searchers against visiting the site (or simply de-index the offending page). Infected users could also end up litigating against the site owners for damage caused.
Anyone who runs a WordPress site of any size should be careful with security. Sites both large and small are easy prey for hackers looking to take them over to use for their own nefarious purposes. Make sure you’re not their next victim by protecting your WordPress site today.