Guide to Securing a WordPress Site

Running a simple WordPress site and keeping it safe is not difficult. It gets harder once you add third-party software and plugins and have to keep the site, its domain and its hosting properly maintained.

WordPress is one of the most popular and user-friendly platforms on the web, which also makes it a favourite target for hackers and spammers.

A blog post about successful web entrepreneurs usually describes business people who took their business online and, once the venture succeeded, became targets. But a website does not need to be successful, or even to have much traffic, to become a target.

Attackers use automated tools and scanners that let them sweep hundreds of thousands of websites for known vulnerabilities. Your site can be one of them however small or unpopular it is.

Why do hackers target WordPress more than other websites?

There are three main reasons:

  1. They want to use your server to send out spam email.
  2. They want access to your data: mailing lists, customer records, credit card information and so on.
  3. They want to use your site to push malicious software onto your visitors' machines, or to host malicious software on your site for use elsewhere.

In some cases hacked websites are monetized in other malicious ways as well.

Most web owners and entrepreneurs are now aware that security standards and measures are needed to keep their websites and online businesses secure.

Here is a guide to keeping your WordPress website safe and secure.

1. Choose The Right and Secure WordPress Hosting

Some vulnerabilities arise from problems on the server that hosts the website.

With third-party hosting there is only so much you can do to protect your website yourself.

Shared hosting has problems of its own, such as denial-of-service (DoS) attacks against a neighbouring site and shared IP addresses: whenever another site on the same IP gets blacklisted, your site suffers the same consequences.

Some web hosts run outdated software, or software that is no longer maintained. An unmaintained system or outdated software gives you no guarantee of future safety.

Before settling on a host, check the versions and support status of the software it runs on its servers:

Apache
PHP
MySQL / MariaDB
PostgreSQL
phpMyAdmin
SSL certificates

Here is a list of hosts that we suggest:

HostGator Cloud
A2 Hosting
SiteGround
WPEngine

2. Secure your computer against any viruses and malware.

If your computer is infected with a virus or other malware, an attacker can capture your login details and make a perfectly valid login to your site, bypassing every measure you have put in place on the server.

This is why it is important to run an up-to-date antivirus program and to keep the overall security of every computer you use to access your WordPress dashboard at a high level.

Here is a short list of anti-malware and antivirus software:

ESET NOD32
AVG Free
Ad-Aware (spyware/adware removal)
Avast

3. Use Trusted Third Party Software - Premium Themes & Plugins

The themes and plugins you use, or plan to use, matter just as much to the security of your WordPress site. Poorly maintained and rarely updated themes or plugins are a likely source of problems.

You can go a long way by rejecting plugins with known security flaws, but it always pays to keep a record of what your plugins actually do with WP Security Audit Log.

A security log is very helpful for tracking every change that happens on your WordPress site, including the behaviour of plugins, themes and other third-party software. The plugin will not prevent a security problem, but if something does go awry it makes tracing the source of the problem much easier.

It is good practice to have a plugin audited by a security expert. If you cannot afford that, look for Sucuri's stamp of confidence on plugins (Sucuri is a leading provider of security solutions for WordPress users). Many plugin and theme authors voluntarily submit their products for code audits.

How to find quality plugins and themes?

Stay away from free plugins and themes that do not have a large number of downloads. Plugins with very high download counts and ratings do attract more mischief makers, so there is no simple safety in numbers: more users make a plugin a bigger target, but thousands of users also mean that zero-day exploits tend to be spotted and patched quickly.

Using premium plugins and themes does not guarantee your site's safety. But you can be fairly certain that if a zero-day exploit is discovered, the response will be swift: theme houses and plugin developers have a great deal riding on their products, and the last thing they want is the appearance of vulnerability.

For free plugins, get them from the WordPress.org plugin directory. Higher ratings and download counts make a plugin a safer bet, to some extent.

Check the history of other plugins by the same author; it is a good indicator of the programmer's pedigree. You will find that certain authors take extra care with the security of their plugins and themes.

The last-updated date is another factor worth weighing. Making sure the latest version of the plugin is compatible with the latest version of WordPress is another essential point to tick off the checklist before installing and activating it.

4. Protect Your Login Page

Your login page is the entrance every brute-force attacker heads for, and it is the most exposed part of your website.

Follow the measures below to protect your login page against brute-force attacks.

Strong Password and Unique Username

An 'admin' username is a bad choice. Today you can pick a different username when you install WordPress, but many first-time users still stick with admin. 'admin' is an extremely predictable username, and it makes your site far easier to break into because the attacker only has the password left to guess.

Do not use admin as a username; pick a unique one that you can save and remember.

If you have difficulty creating a password, Strong Password Generator and Secure Password Generator are free online tools that will produce a good password for your site's admin login. Bear in mind that a password from an online generator has passed through a third-party website; a password manager or a generator run on your own machine avoids that.

Security plugins can also enforce strong passwords for the admin and all other users. This matters even for users without administrator privileges: someone with access to a compromised editor-level account on WordPress can do quite a bit of mischief.

Another tip: change your passwords regularly, and if you have a hard time remembering them all, use a password manager. 1Password, LastPass, KeePass and Dashlane all store passwords securely.

Limit the number of Login Attempts

A brute-force attack is a trial-and-error method of obtaining information such as a user password or a personal identification number (PIN). Automated software generates a large number of consecutive guesses at the value being sought.

The simplest defence against brute-force attacks is to limit the number of login attempts. If an attacker cannot repeatedly hit your server with username and password combinations, the brute-force attack cannot succeed.

Login Lockdown, Login Security Solution and Brute Force Login Protection all aim to stop brute-force login attempts. BruteProtect was acquired by Automattic and is now part of Jetpack, which also offers protection against brute-force attacks.

All these plugins work by tracking IP addresses that repeatedly fail to log in. After a number of failed attempts, the offending IPs are blocked from your site's login page. Keep in mind that attackers rotate through many IP addresses, so per-IP lockouts slow an attack down rather than end it; a strong password remains the real defence.

For more information and plugin tutorials on stopping brute-force attacks, read the post on How to Prevent Brute Force Attack.
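The lockout plugins above act on live requests; you can apply the same logic after the fact to your web server's access log to see who is hammering the login. The script below is an added example, not code from the original post or from any of the plugins named. It reads log lines in the Apache "combined" format and counts, per client IP, POSTs to wp-login.php that got a 200 response (WordPress re-renders the form on a failed login, while a successful login answers with a 302 redirect) plus every POST to xmlrpc.php, which also accepts credentials and is covered in the XML-RPC section later on. The log lines embedded in it are constructed, and the threshold and IP addresses are illustrative.

```sh
#!/bin/sh
# Added example: flag IPs brute-forcing wp-login.php or xmlrpc.php from an
# access log in Apache "combined" format. Not code from the plugins above.

# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2016:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2016:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2016:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2016:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# flag_login_floods THRESHOLD   (log on stdin)
# Prints "COUNT IP" for every IP with at least THRESHOLD suspicious POSTs,
# highest count first. Combined-format fields: $1 client IP, $6 method
# (with its leading quote), $7 request path, $9 status code.
flag_login_floods() {
    threshold="${1:-10}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }   # failed login
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { n[$1]++ }   # any XML-RPC call
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Stand-alone run against the sample: expect 203.0.113.7 (5) and 192.0.2.9 (4).
# 198.51.100.4 logged in once (302) and is not flagged.
printf '%s\n' "$SAMPLE_LOG" | flag_login_floods 3
```

Run it against the real log with `flag_login_floods 20 < /var/log/apache2/access.log`; the IPs it prints are candidates for a firewall or .htaccess block, and a sudden jump in xmlrpc.php traffic from one address is worth the same treatment.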

Two Step Login Authentication

Two-step authentication makes your login considerably harder to break. Logging into your WordPress site then requires, in addition to the password, a one-time code generated by an authenticator app on your phone or sent to it by text message. Since it is rather unlikely that an attacker also holds your phone, your website stays protected against brute-force attacks and other techniques that rely on getting past the login page.

Google Authenticator is a useful plugin that relies on the Google Authenticator app on your Android, iPhone or BlackBerry to produce the code you need to log in. You can enable it for administrators only or on a user-by-user basis.

Stealth Login Page also blocks most automated login attempts: it redirects anyone who tries to log in without the authentication code to a URL of your choosing.

If a user does not complete the full login sequence, the attempt is rejected. Another way to keep bots off the login page is a CAPTCHA; Login No Captcha reCaptcha does this.

Changing Your WordPress Login Page URL

We have already discussed limiting login attempts, authenticating logins and the importance of using a strong password and an unusual username.

Now we will hide or change the login page. Security mods of this kind are known as security through obscurity: they keep opportunistic scanners away but will not stop a determined attacker, so treat this as a supplement to the measures above, not a replacement. The step is no more difficult than the previous ones.

Automated brute-force attacks only work if they can find the login page. Leaving it at the default URL lets attackers find it immediately. Remember that xmlrpc.php also accepts credentials, so hiding wp-login.php alone does not close every door (see the XML-RPC section further down).

You can use WPS Hide Login to hide your login page. The plugin does not move any files; it intercepts requests and makes the wp-admin directory and wp-login.php inaccessible. You will need to remember the new login URL you set when activating the plugin.

Alternative options for changing the URL of your login page include two other plugins, Protect Your Admin and Rename wp-login.php.

5. Use SSL to Protect your data transfer

If you sell online, or you and your visitors or customers share sensitive private information such as addresses, credit card details or even email addresses, you owe it to them to protect that information.

SSL (Secure Sockets Layer, today implemented as its successor TLS) is an extra layer of protection that turns http into https and, in the process, makes all the information exchanged a whole lot safer.

SSL/TLS scrambles the data so that it cannot be read as plain text; anyone who intercepts traffic between your server and a browser cannot make sense of it. Your server holds a private key and publishes the matching public key in its certificate. The browser uses the certificate to check that it is talking to the real server, and the two sides then agree on a session key with which all traffic is encrypted on one end and decrypted on the other. The mechanism is very much a mathematical lock and key.

6. Protecting Your WP Core, Database & Use Correct File Permissions

These measures modify your WordPress core and configuration files, so you need to be comfortable with an FTP client to make the changes and upload them. Because you are editing core files, a mistake can break your website. Back up your WordPress installation and all its contents before you proceed; any mistake can then be undone from the backup.

WordPress Security Keys

WordPress uses cookies to identify and verify users who are logged in, whether for commenting or for making changes from the WP dashboard.

These cookies carry your login identity and authentication details. They do not contain your password: the cookie holds the username, an expiry time, a session token and a signature (an HMAC). A fragment of the stored password hash, together with the security keys, goes into that signature, which WordPress recomputes and checks on every request.

The WP security keys are what make that signature hard to forge. They are a set of long random secrets mixed into the cookie's signature. There are four keys, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, and four matching salts, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT.

If the keys are weak, left at the placeholder text from the sample config or otherwise known to an attacker, a valid authentication cookie can be constructed without ever cracking the password. Long random keys make this infeasible.

How do you add WP security keys?

  1. Open the wp-config.php file.
  2. Search for "Authentication Unique Keys and Salts".
  3. Generate a fresh set, for example with the official generator at https://api.wordpress.org/secret-key/1.1/salt/.
  4. Copy the eight define() lines from the generator over the existing set in wp-config.php.
  5. Save the file.
  6. Repeat the process every month or so.

Remember that every time you change the security keys, all users are logged out and have to log in again.

iThemes Security provides the tools to do this from the WP dashboard, and will also send you a reminder every month to rotate your security keys.
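Both the password advice in the login section and the key rotation procedure above point you at online generators. The official one for keys is https://api.wordpress.org/secret-key/1.1/salt/, but nothing stops you from generating a strong password and the eight define() lines locally, so the secrets never pass through a third-party website. The functions below are an added example, not code from the original post or from WordPress: they read /dev/urandom, restrict the output to an alphabet without the single quote and the backslash so it can be pasted straight into wp-config.php, and use lengths of my choosing (64 characters per key, matching what the official generator produces).

```sh
#!/bin/sh
# Added example: local generation of a strong password and the eight WordPress
# security keys/salts. Not code from the original post or from WordPress.

# rand_string LENGTH: LENGTH characters from /dev/urandom, restricted to an
# alphabet without ' or \ so the result is safe inside a PHP single-quoted string.
rand_string() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$1"
}

# gen_password [LENGTH]: a login password (default 24 characters).
gen_password() {
    rand_string "${1:-24}"
}

# gen_wp_salts: the eight define() lines that replace the
# "Authentication Unique Keys and Salts" block in wp-config.php.
gen_wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(rand_string 64)"
    done
}

# Stand-alone run: print a password, then a fresh salt block to paste in.
printf 'Password: %s\n' "$(gen_password)"
gen_wp_salts
```

Paste the eight lines over the existing block in wp-config.php (outside any version control, since they are secrets); as noted above, every user is logged out the moment the new keys are in place.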

Password Protect Your WP Directories

This can be done from cPanel or your web host's dashboard. In cPanel, open Security > Password Protect Directories. You will see a list of all the folders on your site; start with an important one such as wp-admin.

A dialog box asks you to create a user with a username and password. From then on, anyone who wants to reach the wp-admin folder on your website has to enter that username and password first. One caveat: themes and plugins that call admin-ajax.php from the public side of the site will break unless you exempt wp-admin/admin-ajax.php from the password prompt.

This adds an extra layer of password-based protection to the most important parts of your website.

Use Secure FTP (SFTP)

A file transfer program is needed to carry your changes to your web host. With plain FTP the credentials and the files travel unencrypted, so anyone on the network path can intercept them and use what they learn to attack your website.

You need a client that supports SFTP to upload new files and modified code securely; FileZilla and FireFTP will get you started.

You will also need some specifics about your hosting account; every host provides instructions for setting up secure file transfer. Typically you authenticate with an SSH key pair, either generated by the host or generated by you with the public key registered on the host, or with your SSH password. Load the private key into your SFTP client, such as FileZilla, and setting up the secure connection is straightforward from there.

Using Correct File Permissions

Your files need the right permissions. WordPress needs the web server to be able to write to parts of the installation (uploads, updates), and the problem arises in shared environments, where other websites run on the same server and overly loose permissions let them read or even modify your files.

Different hosts apply different default permissions to WordPress folders and files. With shell access you can run the following two commands to make your WordPress folders and files readable by everyone on the server but writable only by their owner:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
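The two find commands above set the baseline; what they do not do is tighten wp-config.php, which holds the database password and the security keys and never needs to be readable by anyone but its owner, nor tell you where things are currently wrong. The functions below are an added example, not code from the original post: wp_audit_perms lists everything that is writable by group or others, and wp_fix_perms applies the 755/644 baseline and then sets wp-config.php to 600. They assume PHP runs as the file owner (the usual setup with PHP-FPM or suPHP); on a host where PHP runs as a different user you need 640 plus group ownership instead, so check with your host, and try it on a staging copy before the live site.

```sh
#!/bin/sh
# Added example: audit and fix WordPress file permissions. Not code from the
# original post. Assumes PHP runs as the file owner (see the note above).

# wp_audit_perms ROOT: print every file or directory under ROOT that is
# writable by others (--2) or by group (-2-). Empty output means clean.
wp_audit_perms() {
    find "$1" \( -perm -002 -o -perm -020 \) -print
}

# wp_fix_perms ROOT: directories 755, files 644, wp-config.php 600.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"   # DB credentials and security keys: owner only
    fi
}

# Stand-alone demo on a constructed, throwaway tree. On a real site call
# wp_audit_perms / wp_fix_perms with the installation path instead.
umask 022
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php // constructed placeholder\n' > "$demo_root/wp-config.php"
printf 'x' > "$demo_root/wp-content/uploads/image.jpg"
chmod 777 "$demo_root/wp-content/uploads"          # typical "just make it work" damage
chmod 666 "$demo_root/wp-content/uploads/image.jpg"
echo "Before:"; wp_audit_perms "$demo_root"
wp_fix_perms "$demo_root"
echo "After (should be empty):"; wp_audit_perms "$demo_root"
rm -rf "$demo_root"
```

A non-empty audit on a live site usually means a plugin installer or a previous "fix" ran chmod 777 somewhere; fix it and then find out what wanted the write access, because the web server only ever needs to write to wp-content/uploads and, during updates, to the plugin and theme directories.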

Protecting WordPress using .htaccess

When editing .htaccess, add your code before # BEGIN WordPress or after # END WordPress. Anything between those two markers can be overwritten by WordPress, and we do not want the security rules we add to disappear. So whenever you add code to .htaccess, stay out of the section that starts with # BEGIN WordPress and ends with # END WordPress.

wp-includes contains files that no visitor needs to request directly but that WordPress needs in order to run. We can protect it by blocking direct access with a few lines in .htaccess, again keeping out of the section between the markers.

Add this little snippet of code to the .htaccess file.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress    <-- always add your own rules above this line in .htaccess

This does not work for WordPress multisite. Remove the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]; that gives a little less protection but works with multisite.

Your wp-config.php file contains sensitive information: your database connection details and the WP security keys we just discussed. Blocking web access to it from .htaccess protects your website against hackers and spammers and significantly strengthens its defences.

WordPress also lets you move wp-config.php one directory above your WordPress root, to a location reachable only with an FTP client, cPanel or the web server process itself; WordPress looks there automatically if the file is not in its own directory.

Either way, add this to the top of your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

This blocks anyone who browses to the wp-config.php URL; only the web server itself can still read the file. On Apache 2.4 the equivalent directive is Require all denied.

All this added protection is great, but remember all of this was accomplished from your .htaccess file. That means if someone can access your .htaccess file, all your added security isn’t helpful.

Add the following to the top of your .htaccess file. It will prevent access to your .htaccess file.

<files .htaccess>
order allow,deny
deny from all
</files>

You can add more modifications to .htaccess file, if you’d like.

You can also restrict files by name and extension. This snippet not only blocks access to wp-config.php but also to php.ini and your log files.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>
# Code courtesy of WP White Security

Next we can disallow browsing of the WP directory contents.

Options All -Indexes

Apart from that we can add a few other changes to improve security by making changes to the .htaccess file in WordPress.

1. Block IPs and IP ranges. You can limit access to your login page by IP range. I would have covered this in the login section, but login protection plugins already block IP ranges that hammer the login page with brute-force attempts.
2. Keep bad bots at bay.
3. Prevent hotlinking.

This is getting extensive and off the point. If you would like to do the other things as well, for which I have not presented code here, you can use the custom .htaccess code from WP White Security.

If you moved wp-config.php above the WordPress root, keep track of where it now lives. You need to know where each file and folder is so that you can edit it, and so that you do not end up with multiple copies in different locations, which defeats the point of the exercise.

Turn Off PHP Error Reporting & PHP execution

PHP execution needs to be kept to a minimum in directories that only hold content. A good example is the MailPoet Newsletters hack, which could be used to upload files that were then executed from the wp-content/uploads folder.

To blunt such vulnerabilities we deny PHP any room to run there. Add this snippet to a .htaccess file:

<FilesMatch "\.(php|php.)$">
Order Allow,Deny
Deny from all
</FilesMatch>

This matches PHP files and denies access to them. Add it to the following WordPress folders:

wp-includes
wp-content/uploads
wp-content

You will need to create a .htaccess file in each of these folders; by default only the root directory has one. wp-content/uploads is the important one, since it is where uploaded content lands and where an attacker who manages to upload a file will try to execute it. Be careful with wp-content as a whole: some plugins expose PHP files that are requested directly, and blocking them breaks the plugin, so test the site after adding the rule. For wp-includes the rewrite rules above already cover direct requests.
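Two things are worth automating here: checking whether anything with a PHP extension has already landed in wp-content/uploads (a legitimate upload never does, so any hit deserves a look), and dropping the deny rule into the folder without clobbering a .htaccess that is already there. The functions below are an added example, not code from the original post. The rule they write uses the Apache 2.4 Require syntax with the 2.2 Order/Deny form as a fallback, and matches the PHP extensions that common distributions hand to the PHP handler rather than only .php; the directory layout in the demo is constructed.

```sh
#!/bin/sh
# Added example: hunt for PHP files in the uploads folder and install a deny
# rule for PHP execution there. Not code from the original post.

# wp_find_php_in_uploads UPLOADS_DIR: list files with PHP-style extensions,
# case-insensitively. A clean uploads folder yields no output.
wp_find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
        -o -iname '*.phar' \) -print
}

# wp_protect_uploads UPLOADS_DIR: create UPLOADS_DIR/.htaccess denying PHP
# execution. Refuses to overwrite an existing .htaccess (returns 1) so a
# host-provided or hand-written file is not lost.
wp_protect_uploads() {
    target="$1/.htaccess"
    if [ -e "$target" ]; then
        echo "wp_protect_uploads: $target exists, not overwriting" >&2
        return 1
    fi
    cat > "$target" <<'EOF'
# Deny PHP execution in the uploads folder (Apache 2.4 syntax, 2.2 fallback).
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Stand-alone demo on a constructed tree.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads/2016/01"
printf 'x' > "$demo/wp-content/uploads/2016/01/photo.jpg"
printf '<?php /* constructed: stands in for a dropped web shell */' \
    > "$demo/wp-content/uploads/2016/01/shell.php"
echo "PHP files in uploads:"; wp_find_php_in_uploads "$demo/wp-content/uploads"
wp_protect_uploads "$demo/wp-content/uploads" && echo "rule written to $demo/wp-content/uploads/.htaccess"
rm -rf "$demo"
```

On nginx a .htaccess file does nothing, so the same deny has to go into the server block instead; the find function is useful either way, and running it from cron gives you an early warning when a plugin vulnerability like the one above has been used against you.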

PHP error messages are a signal to anyone hunting for vulnerabilities that something on your website is not working, and they often leak file paths and software versions as well.

Adding these two lines to your wp-config.php should stop errors from being displayed:

error_reporting(0);
@ini_set('display_errors', 0);

If errors still show up after this, the most likely reason is that WordPress resets error_reporting() in wp_debug_mode() according to WP_DEBUG, so make sure WP_DEBUG is set to false and rely on display_errors being off. If that still does not work, contact your web host and ask how to set display_errors = Off in php.ini for your account.

Change the wp_ table Prefix

All WordPress tables begin with the wp_ prefix by default. Changing the prefix across the whole site makes it a little harder for an attacker to use a canned SQL injection payload that assumes the default table names.

In your wp-config.php, you’ll find this line of code

$table_prefix = 'wp_';

Change that to something completely random,

$table_prefix = 'jrbf_';

Now every table like, wp_posts, wp_users, etc will change to jrbf_posts, jrbf_users and so on.

Changing the prefix is not just a matter of editing wp-config.php: every existing table has to be renamed, and the rows in wp_options and wp_usermeta whose keys embed the prefix (wp_user_roles, wp_capabilities, wp_user_level) have to be updated as well, or every user loses their role and you lock yourself out of wp-admin. Almost all security plugins do this for you. You can do it by hand with phpMyAdmin or another database manager, but I would much rather use a security plugin like iThemes Security.

Similarly, you can take it a step further and change the name of the WordPress database itself. Keep in mind that neither the prefix nor the database name is a secret in any strong sense: anyone who gets to read wp-config.php sees both. Treat this as defence in depth, not as a substitute for the protections above.
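For anyone who does want to do the rename by hand, the script below is an added example (not code from the original post, from iThemes Security or from WordPress) that prints the SQL for a prefix change so you can review it before pasting it into phpMyAdmin or the mysql client. It renames the twelve core tables by default (pass your own table suffixes as extra arguments to cover plugin tables; SHOW TABLES LIKE 'wp\_%' lists them all) and then rewrites the option_name and meta_key values that embed the old prefix. The prefixes wp_ and jrbf_ match the text above; after running the SQL you still have to update $table_prefix in wp-config.php yourself.

```sh
#!/bin/sh
# Added example: emit the SQL that renames WordPress tables to a new prefix
# and fixes the prefix-bearing keys in options and usermeta.
# Not code from the original post or from any plugin.

WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# wp_prefix_sql OLD NEW [TABLE_SUFFIX...]
wp_prefix_sql() {
    old="$1"; new="$2"; shift 2
    [ $# -gt 0 ] || set -- $WP_CORE_TABLES      # default: the core tables
    # Position just past the old prefix, for SUBSTRING (1-based).
    start=$(( ${#old} + 1 ))
    # In a LIKE pattern "_" is a wildcard; escape it so "wp_" matches literally.
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')

    for t in "$@"; do
        printf 'RENAME TABLE %s%s TO %s%s;\n' "$old" "$t" "$new" "$t"
    done
    # Rows whose key embeds the prefix: wp_user_roles in options;
    # wp_capabilities, wp_user_level and per-user dashboard settings in usermeta.
    # Skipping these strips every user of their role and locks you out of wp-admin.
    printf "UPDATE %soptions SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like"
    printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like"
}

# Stand-alone run with the prefixes used in the text above.
wp_prefix_sql wp_ jrbf_
```

Take a database backup first, run the statements in one sitting (RENAME TABLE commits implicitly, so there is no rolling back halfway), then change $table_prefix and confirm that you can still reach wp-admin with your usual account before touching anything else.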

Disable XMLRPC

Generally, DDoS attacks hit all pages of a WordPress site indiscriminately, but one part of WordPress is a particular target. xmlrpc.php, the XML-RPC interface, is used for pingbacks, trackbacks and remote publishing. Its pingback method has been abused in the past to launch DDoS attacks against other websites, and its system.multicall method lets an attacker try hundreds of passwords in a single request, sidestepping per-attempt login limits.

You can use a plugin like Disable XML-RPC. You will not need it if you run a security plugin or a login protection plugin, as they generally cover this too. If nothing on your site needs XML-RPC (Jetpack and the WordPress mobile apps rely on it), disabling it outright is the safest choice.

7. Security Plugin – Wordfence/iThemes Security/Sucuri

A security plugin is essential for ensuring your WordPress site's security, at least for the non-tech-savvy. Security plugins perform many of the functions already discussed here, and together these measures build a fortress around your website and its contents.

Wordfence performs a number of functions crucial to the security of a WordPress-powered site:

  • Real-time blocking of attackers, of entire malicious networks and of selected countries.
  • Limit crawlers, bots and scrapers.
  • Block users who break your security rules.
  • Two-factor authentication via SMS, which greatly improves login page security.
  • Strong password enforcement for all users, not just administrators.
  • Protection against brute-force attacks.
  • Scan the site for malicious scripts, backdoors and phishing URLs, including ones planted in comments.
  • Compare core, plugin and theme files with the originals in the WordPress.org repository.
  • Run heuristics for Trojans, suspicious scripts and other activity that endangers the site.
  • Firewall to block fake Googlebots sent by hackers to scan for vulnerabilities.
  • Real-time traffic view and live content access monitoring for situational awareness.
  • Geolocate threats down to city level to find the origin of attacks on the site.
  • Monitor DNS for unauthorized changes.
  • Keep an eye on disk space consumption to detect and react to denial-of-service attacks.
  • Multisite compatible.
  • Falcon caching system to reduce server load.
  • Full IPv6 compatibility for WHOIS lookup, location and security functions.

Some features are restricted to the premium version of the plugin. The premium version of the plugin is priced at $3.25/mo.

That being said, the free version of this plugin is a very capable site defender for your WordPress website. And you shouldn’t be too apprehensive about the free version of the plugin, given that it has a rating of 4.9 on a five point scale and has been downloaded nearly a million times.

Security plugins need configuring, which can be an elaborate and lengthy process. With Wordfence you can, to an extent at least, customize all your security settings under Options in the Wordfence menu of your WordPress site.

Here are other options to consider if you have not yet settled on a security plugin for your WordPress site.

I do not think Wordfence is the best overall security system out there; there are security solution providers and managed hosting services that offer better overall security for WordPress sites. But among plain security plugins that enforce good protection, Wordfence is certainly one of the best, with iThemes Security not too far behind.

8. Update! Update! And not just your WordPress

There are hundreds of known vulnerabilities in previous versions of WordPress.

Note: it is very important that you BACK UP your website, including its database, before applying updates.

When a software vulnerability is discovered, it is typically reported to the vendor, who modifies the software, adds protection or removes the offending code, and ships the fix as an update or patch. That is the best case. If someone with less than noble intentions discovers the vulnerability first, he or she is likely to exploit it to the fullest.

In July 2014 MailPoet Newsletters (previously Wysija Newsletters), a plugin downloaded over 2 million times, was found to be vulnerable, leaving some 50,000 websites open to attack. An automated campaign used the flaw to inject a PHP backdoor that gave the attacker eventual control of the site.

In December 2014, 100,000+ websites were compromised through the Revolution Slider plugin, targeted by the SoakSoak.ru campaign. The malware injected JavaScript into wp-includes/template-loader.php. A thousand themes were affected, as they had been sold with the plugin bundled as an add-on via Envato and other WordPress marketplaces.

Then there was the XSS vulnerability in WP Super Cache, a plugin I included in my round-up of the Top 6 Caching Plugins. The list of vulnerabilities in top-notch free plugins is concerning, but there are steps you can take to reduce your chances of running a vulnerable theme or plugin.

Most plugin vulnerabilities that come to light get patched. But a patch only helps you if you install it, so stay fully updated at all times. Updating your site to the latest versions is an essential part of your defence. All the security measures above are useless unless you apply updates for WordPress and third-party software as soon as they become available.

Enable Automatic Updates For Your WordPress, Plugins & Themes.

You do not want your website’s update page looking like this page on a test site.

WordPress introduced automatic background updates with the release of WordPress version 3.7.

You can enable automatic core updates by setting the WP_AUTO_UPDATE_CORE constant in wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

This enables automatic installation of all core updates, major and minor, as soon as they are released.

Set the constant to false to disable automatic core updates altogether, or to 'minor' (the default) to enable only minor releases, which is where security patches normally ship.

Plugins and themes can be auto-updated in the same way through the auto_update_{$type} filter. These filters cannot go in wp-config.php, because the plugin API is not loaded yet at that point; put them in a plugin or in a must-use plugin under wp-content/mu-plugins.

For automatic plugin updates,

add_filter( 'auto_update_plugin', '__return_true' );

And to enable automatic theme updates,

add_filter( 'auto_update_theme', '__return_true' );

If you do not enjoy fiddling with code, a plugin can help. Advanced Automatic Updates lets you enable major updates and minor/security updates separately, and also handles automatic updates for themes and plugins.

For multisite, if you need help handling plugin and theme updates, try Easy Updates Manager. WP Updates offers a premium service that auto-updates premium plugins and themes.

Plugins like ManageWP or a managed WP host like WPEngine also help with keeping WordPress and the third-party software you use up to date.

Automatic core updates become problematic when things break, either because customized core code is overwritten by an update (one more reason never to customize core) or because of compatibility issues with plugins and themes. That is a reason to pause and perhaps enable only minor updates.

If you have problems with your automatic WordPress updates, I recommend giving Background Update Tester a try. The plugin checks for and explains any compatibility issues.

Always run a BACKUP before you update. Always! It protects you when things go horribly wrong and you end up with a mess of a website, and it is the only reliable protection against automatic updates causing havoc through incompatible plugins, themes or customized code on your WP core.
