What is Security?
Fundamentally, security is not about perfectly secure systems. Such a thing may well be impractical, or impossible to build and maintain. Security is risk reduction, not risk elimination. It is about employing all the appropriate controls available to you, within reason, to improve your overall posture and reduce the odds of making yourself a target and subsequently getting hacked.
Why Is It Important To Secure Your WordPress Website?
WordPress is a very popular content management system used for website building which can be managed easily even by a non-technical person. However, it is really important to keep your WordPress site secure.
The reason for this is that WordPress is open source and its code is available online.
So anybody who is smart enough to find a loophole can attack a website. Unfortunately, hackers have a bit of an upper hand here, which makes it even more difficult for developers and website owners to keep a site secure and prevent hackers from accessing it.
In this tutorial we will go through some of the very basic security techniques to prevent hackers from attacking your WordPress website.
1. Secure Your WordPress Site with a Firewall
A firewall is a software program that blocks an intruder. In my opinion, the best WordPress firewall is a plugin called Wordfence.
Wordfence checks whether a website visitor’s behavior matches that of an abusive bot. If the bot breaks certain rules, like requesting too many web pages in a short amount of time, Wordfence automatically blocks it.
Wordfence is also programmed to allow legitimate bots like Google and Bing on the site.
There are advanced features that let a publisher see which bots are attacking a site and where each bot is coming from, for example whether it is a bad bot coming from Amazon Web Services or Bluehost. Wordfence gives the publisher the ability to block the bot by its IP address, by the entire IP address range, or even by the fake browser user agent that the bot is using.
2. Change the WordPress login URL
The default WordPress login page is wp-login.php, and a basic WordPress installation does not allow you to change this location. However, the Rename wp-login.php plugin allows you to change the WordPress login URL. Doing so can reduce the impact of brute force attacks, which are usually scripts programmed to hit the wp-login.php page over and over again with login attempts.
When you change the WordPress login URL, anyone who tries to access the wp-login.php page or the wp-admin directory receives a “404 Not Found” error message.
To change the WordPress login URL, follow these steps:
- Log in to your WordPress site.
- Click Plugins, and then click Add New.
- In the Search text box, type rename wp-login, and then click Search Plugins.
- The Rename wp-login.php plugin appears in the list of search results.
- Under Rename wp-login.php, click Install Now, and then click OK to start the installation.
- After the plugin installation finishes, click Activate Plugin. The Permalink Settings page appears.
- Under Common Settings, select a permalink structure for your site. You cannot use the default permalink structure with the Rename wp-login.php plugin.
- Under Login, in the Rename wp-login.php text box, type a URL for the login page, or accept the default value of login.
- Click Save Changes. The new WordPress login URL appears near the top of the Permalink Settings page.
- Test your WordPress site to make sure that it still functions correctly, and that you can access the login page using the new URL. Additionally, if you try to access wp-login.php or wp-admin, you should receive a “404 Not Found” error message.
3. Backup Your WordPress Site
It is important to automatically create a daily backup of your website. Any catastrophic event that takes the site down can be recovered from with a backup.
There are many backup solutions, but the one that I have found immensely useful is the UpdraftPlus WordPress Backup Plugin. Trusted by over two million users, it is a well-regarded choice.
It can be configured to email the backups every day or send them to a cloud storage location like Dropbox.
I once accidentally removed all the theme layout files from a site, which completely removed the look of the site. But I was able to restore the site to exactly how it was before by using an UpdraftPlus backup. It was easy to do and I was so thankful.
4. Don’t use common passwords
You would be surprised how many people use easily guessable passwords such as qwerty or password.
Passwords with sequential characters should also be avoided, as password cracking software finds them easy to figure out.
Creating a secure password is essential to fortifying your login page. To do so, use a strong password generator that produces a random combination of characters.
5. Turn off file editing
Take a backup of your wp-config.php file and then amend the original by adding the line below:
// Disable the built-in theme and plugin file editors in the WordPress dashboard.
define('DISALLOW_FILE_EDIT', true);
By adding this one line, you prevent hackers from making changes to your site’s files via the appearance editor in WordPress.
6. Set Plugins and Themes to Update Automatically
Typically, plugins and themes are things you’ll need to update manually. After all, updates are released at different times for each. But again, if you’re not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without needing your immediate intervention. According to WP White Security, 29% of hacked WordPress sites were hacked via a security issue in their WordPress theme, and 22% were hacked via a security issue in their WordPress plugins.
You can use the Advanced Automatic Updates plugin or alternatively add the code below to your wp-config.php file to set up automatic updates:
// add_filter() is only defined once wp-settings.php has loaded the Plugin API, so put
// these lines below the wp-settings.php require at the bottom of wp-config.php, or in a
// must-use plugin or your theme's functions.php; above that require they are a fatal error.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
7. Choose a Rock-Solid Hosting Company
With 41% of hacked WordPress sites hacked through a vulnerability on their hosting platform, it’s smart to pick a host with rock-solid security. Look for a hosting company that:
- Provides support for the latest versions of PHP and MySQL
- Is optimized for running WordPress
- Includes a firewall optimized for WordPress
- Provides automatic WordPress core, plugin, and theme updates
- Has malware scanning and intrusion detection
- Trains its staff on critical WordPress security issues
8. Protect SSH from brute-force attacks
One of my favorite tools for Linux servers is fail2ban. It is a brute force protection tool that blocks any IP address that fails login too many times. Installing it on a Debian or Ubuntu server is incredibly easy (run as root or with sudo; don’t type the text in parentheses):
- apt-get update (to update your apt database)
- apt-get install fail2ban (to install and enable the service)
That’s it. That will install and activate fail2ban and you have instant brute-force protection.
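The rule behind both Wordfence’s rate blocking (tip 1) and fail2ban’s login-failure banning (this tip) is the same sliding-window threshold. The following is an added illustration in Python, not code from Wordfence, fail2ban or this post; the log lines, IP addresses and thresholds are constructed for the example, with the names maxretry and findtime borrowed from fail2ban’s jail settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def over_threshold(events, max_hits, window):
    """Return {ip: time_first_tripped} for IPs with max_hits or more events inside
    any span of length `window`: fail2ban's maxretry/findtime rule, and the same
    shape as Wordfence's requests-per-interval rate rule."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip in events:                # events for one IP must be in time order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # forget hits older than the window
            q.popleft()
        if len(q) >= max_hits and ip not in flagged:
            flagged[ip] = ts
    return flagged

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
def access_events(lines):
    """Yield (timestamp, client ip) from common-format web access log lines."""
    for m in filter(None, map(ACCESS_RE.match, lines)):
        yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

AUTH_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .+ from (\S+)')
def auth_events(lines):
    """Yield (timestamp, source ip) for failed sshd logins in syslog-style lines
    (no year in the stamp, which does not matter for spacing within one log)."""
    for m in filter(None, map(AUTH_RE.match, lines)):
        yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)

# Constructed sample logs (not real traffic): one web client pulls 12 pages in six
# seconds while another browses normally; one host fails ssh login six times.
ACCESS_LOG = [f'203.0.113.7 - - [10/Oct/2023:13:55:{30 + i // 2:02d} +0000] '
              f'"GET /page{i} HTTP/1.1" 200 512' for i in range(12)]
ACCESS_LOG.append('198.51.100.2 - - [10/Oct/2023:13:55:31 +0000] "GET /about HTTP/1.1" 200 900')
AUTH_LOG = [f'Oct 10 13:55:{10 + 4 * i:02d} web1 sshd[41{i}]: Failed password for root '
            f'from 192.0.2.50 port 5{i:04d} ssh2' for i in range(6)]
AUTH_LOG += ['Oct 10 13:56:02 web1 sshd[420]: Failed password for invalid user admin from 192.0.2.51 port 50100 ssh2',
             'Oct 10 13:56:09 web1 sshd[421]: Accepted publickey for deploy from 198.51.100.8 port 50111 ssh2']

def abusive_web_clients(lines, max_hits=10, window=timedelta(seconds=10)):
    """Wordfence-style rule: too many page requests from one IP in a short interval."""
    return over_threshold(access_events(lines), max_hits, window)

def ssh_brute_forcers(lines, maxretry=5, findtime=timedelta(seconds=600)):
    """fail2ban-style sshd jail: maxretry failed logins within findtime from one IP."""
    return over_threshold(auth_events(lines), maxretry, findtime)
```

Running `abusive_web_clients(ACCESS_LOG)` flags only 203.0.113.7 and `ssh_brute_forcers(AUTH_LOG)` only 192.0.2.50; the single failure from 192.0.2.51 and the successful key login never reach the threshold.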
9. Remove WordPress Version Information
WordPress themes used to output the WordPress version number you’re using in the <head> tag of the site automatically. Nowadays WordPress itself inserts this information, and while it’s useful for WordPress to know who is running which version when analyzing usage, leaving this information available to anyone who takes a peek at your code is a security hazard.
Why? Because giving a hacker the version number outright makes their job easier. And you don’t want to make a hacker’s job easier! Instead, just insert this code into the functions.php file for your theme:
// Return an empty string in place of the <meta name="generator"> tag that carries the version.
function remove_wp_version() {
    return '';
}
add_filter( 'the_generator', 'remove_wp_version' );
This will remove the version number from the generator tag and add another layer of security to your site. Bear in mind that the version can still be read elsewhere, for example in the readme.html file that ships in the web root, so treat this as one small layer rather than a complete fix.
10. Choose a secure theme
Choosing the right theme for your site is crucial. Of course, it needs to have the right look and features for your organisation. But it also needs to be robust and secure.
A secure theme will:
- Be updated and patched regularly
- Follow good coding standards
- Not be associated with bugs or compatibility errors
With more than 7,000 WordPress themes available, it can be tricky to know where to start!
The best way to choose a secure theme is by looking on WordPress.org. There, you can browse theme reviews, check how many installations a theme has had, and see when the theme was last updated – all good indications of security.
You may also want to ask your WordPress agency for theme recommendations that will meet your particular website and organisation’s needs.
11. Use HTTPS & SSL
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol through which data is sent between your browser and the website you are connected to. To make HTTPS work, you need something called SSL.
Secure Sockets Layer (SSL), today implemented by its successor TLS although the old name has stuck, is the technology used to create an encrypted link between a web server and a web browser. This is particularly useful on websites where sensitive information like credit card details is used for transactions.
You will need an SSL certificate for this, and you can use a free service like Let’s Encrypt to get one. Alternatively, many web hosting companies like SiteGround offer this service from the control panel, and it takes only a couple of clicks to get it working on your site.
12. Use Two-Factor Authentication
Consider using a plugin like Google Authenticator to set up two-factor authentication for your site. This means that in addition to entering your password, you will also have to enter a code generated by a mobile app to log in to your site. This can stop brute-force attacks, since a guessed password alone is no longer enough, so it’s a good idea to set it up now.
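To show what the mobile app actually computes and how the site side should check it, here is an added Python example of time-based one-time passwords (RFC 6238 TOTP, the scheme Google Authenticator uses); it is not the plugin’s code. The base32 secret is the published RFC test vector, used only so the results can be checked against the RFC, never for a real account.

```python
import base64, hashlib, hmac, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(base32_secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it: the HOTP counter is the
    number of 30-second steps since the Unix epoch, keyed by the base32 shared secret."""
    secret = base64.b32decode(base32_secret.replace(" ", ""), casefold=True)
    return hotp(secret, at // step, digits)

def verify_totp(base32_secret: str, submitted: str, at: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current code or its +-skew_steps neighbours
    (clock drift), comparing in constant time so timing does not leak digits."""
    return any(hmac.compare_digest(totp(base32_secret, at + d * 30), submitted)
               for d in range(-skew_steps, skew_steps + 1))

# The RFC 4226/6238 test secret "12345678901234567890" in base32: a published
# test vector, so it must never be used for a real account.
TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("code at Unix time 59:", totp(TEST_SECRET, 59))      # 287082 per RFC 6238
    print("code right now:", totp(TEST_SECRET, int(time.time())))
```

A real deployment also has to reject a code that was already accepted in the same step, otherwise an intercepted code can be replayed within its 30-second window.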
13. Disable Error Reporting
Error reporting is useful for troubleshooting and determining which specific plugin or theme is causing an error on your WordPress website. However, when the system reports an error, it displays your server path as well. Needless to say, this is a perfect opportunity for hackers to discover how and where they can take advantage of vulnerabilities in your site.
You can disable this by adding the code below to your wp-config.php file:
// Silence PHP errors on the live site. Keep WP_DEBUG false as well, because WordPress
// turns display_errors back on when WP_DEBUG is true unless WP_DEBUG_DISPLAY is false.
error_reporting(0);
@ini_set('display_errors', 0);
14. Remove Unused Plugins and Themes
Over time, your WordPress site will require some housekeeping.
As you start to accumulate themes and plugins, you should go through and dispose of the ones you no longer use. Getting rid of unnecessary clutter is likely to make your site run faster, as well as remove security vulnerabilities from stagnant or outdated add-ons.
If using WordPress multisite, try using a plugin like Plugin Activation Status to perform a plugin audit and detect unused plugins across all sites in the multisite network.
See the codex on WordPress housekeeping for more information on how to remove unused plugins and themes.
15. Install a WordPress Security Plugin
A lot of WordPress security plugins have most of the features highlighted above. WordPress security plugins are great, because you just have to install the plugin and configure it, and your site is protected from many of the common risks lurking online.
A lot of WordPress security plugins will have features like:
- Malware scanning
- Built-in firewall protection
- Login screen protection
- Letting you know what plugins and themes are out of date
- DDoS protection and protection from other online attacks
- Anti-spam protection for a clean comments section
Here are a few WordPress security plugins worth installing:
16. Don’t Change WordPress Core
The moment you or a developer edits WordPress core source files, you can no longer easily and automatically update WordPress to the latest version, since you’ll lose the changes you made to your site.
This leaves your website dead in the water as soon as a security vulnerability is discovered in your version of WordPress. You’ll either have to figure out how to implement the specific fixes yourself, or just leave it unpatched. The former is a lot of hassle and a logistical nightmare; the latter is a serious security risk.
What should you do if you need to change WordPress functionality? Write a plugin of course. This gives you the ability to do whatever you need without compromising WordPress core.
Of course, the same logic applies to plugins and themes. The moment you edit plugin or theme files directly, you lose the ability to update them to the latest version. This leaves your site open to hacking.
There are ways and means of getting the desired functionality you need without actually changing the core. If any developer you work with suggests making any such changes, run a mile.
17. Secure wp-config.php
Lock down wp-config.php: it is one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.
To deny access to this file, you should add the code below at the top of the .htaccess file:
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines below.
order allow,deny
deny from all
</Files>
18. Move wp-config.php
Move the wp-config.php file into the folder directly above your WordPress installation. WordPress looks exactly one level up for it, so this only helps when that folder sits outside the web root; there the file is inaccessible to anyone using a browser, meaning a cracker has less chance of locating it.
Conclusion
WordPress security involves a learning curve: an initial setup where you configure a secure website, and then ongoing maintenance activities to keep it secure. We hope this guide has provided you with an excellent foundation in your WordPress security knowledge and given you specific guidance on how to configure a new secure WordPress website and what you need to do to maintain that website.
Well there you have it, my best tips to keep your WordPress website safe and secure from hackers and malware.
You can never be 100% secure but you can make it as hard as possible for your website to be hacked.