WordPress is the most popular blogging and CMS system on the Internet which makes it a favorite target for hackers. Having a WordPress site means that you have to take some extra efforts in order to protect your and your visitors data.
Here is a summary of the best practices for securing a WordPress, that will help you do that.
- Keep your WordPress site and plugins up-to-date
- Protect your WordPress Admin Area
- Don’t use the “admin” username
- Securing wp-admin
- Add a Unique Database Prefix and Authentication Keys
- Hide your username from the author archive URL
- Limit Login Attempts
- Secure accessing via FTP
- Wise selection of themes/plugins
- Ensure your computer is free of viruses and malware
- Keep a backup
>>> Keep your WordPress site and plugins up-to-date
It is really important to keep your core WordPress files and all of your plugins updated to their latest versions. Most of the new WordPress and plugin versions contain security patches. Even if those vulnerabilities cannot be easily exploited most of the times, it is important to have them fixed.
The latest version of WordPress is always available from the main WordPress website at http://wordpress.org. Official releases are not available from other sites — never download or install WordPress from any website other than http://wordpress.org.
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
>>> Protect your WordPress Admin Area
It is important to restrict the access to your WordPress admin area only to people that actually need access to it.
If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get our home IP address and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.
Deny from all
Allow from xx.xxx.xxx.xxx
In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.
>>> Don’t use the “admin” username
Most of the attackers will assume that your admin username is “admin”. You can easily block a lot of brute-force and other attacks simply by naming your admin username differently. If you’re installing a new WordPress site, you will be asked for username during the WordPress installation process.
If you already have a WordPress site, you can follow the below instructions to modify the admin username :
1. Enter the WordPress MySQL database (If using cpanel, you could access the database using the option ‘PhpMyAdmin )
2. Choose the _users table from the WordPress database.
3. You will see a list of all the registered users in your site. Locate the admin username and click on the Edit button on that line.
4. Now, you will see all the fields for this username. Locate the user_login field and replace its value from admin to your new preferred WordPress login name and hit the Go button at the bottom of the page.
If you don’t have access to the database via the PhpMyAdmin utility, you could just create another administrator user and then login as new administrator user and delete “admin” user.
>>> Securing wp-admin
Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files.
Now lets see how to password protect your WordPress admin (wp-admin) directory.
If the account is hosted with cPanel as the control panel, proceed as :
1. Login to your cPanel. Scroll down till you see the Security Tab. Click on the “Password Protect Directories” icon.
2. When you click on that, a lightbox popup will show up asking for directory location. Just click on web root. Once you are there, navigate to the folder where your WordPress is hosted. Then click on the /wp-admin/ folder.
3. In the next box, simply check the box to password protect the directory. Then create a user for the directory. That is it.
>>> Add a Unique Database Prefix and Authentication Keys
Leaving your wp-config.php file only with database information and no other configuration is a security issue.
Make sure to generate authentication keys by visiting https://api.wordpress.org/secret-key/1.1/salt/ and copy-paste the randomly-created keys into the file.
Note that you should also change the default WordPress database table prefix. This is to secure your installation against hacks. Visit random.org to generate a random prefix string which you’ll need to set as the $table_prefix in wp-config.php. In addition, make sure to add an underscore at the end of the prefix.
>>> Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. e.g. if your username is ‘jess’, your author archive page would be something like http://yoursite.com/author/jess
This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database as described below:
There is a field in your WordPress database called user_nicename, which is found in the wp_users table. user_nicename is populated with the login username as the user is created.
By changing user_nicename to something very different from your actual login username, it becomes more difficult for hackers to figure out what the login username is.
For example, by changing user_nicename to “testuser”, the URL to username‘s author archive page becomes http://yoursite.com/author/testuser. This way, the login actual ‘jess’ is not revealed in the URL anymore.
Since user_nicename cannot be updated via WordPress Dashboard, you will have to make the change in the database directly. You will need access to your WordPress database and to be able make changes to the data (for example, using phpMyAdmin).
>>> Limit Login Attempts
In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.
Limit Login Attempts does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.
There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.
>>> Secure accessing via FTP
When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.
>>> Wise selection of themes/plugins
First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system. Try to avoid Free themes.
The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems.
If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.
Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.
Also there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
Here are a handful of popular options:
http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.
>>> Ensure your computer is free of viruses and malware
If your computer is infected with virus or a malware software, a potential attacker can gain access your login details and make a valid login to your site bypassing all the measures you’ve taken before.
This is why it is very important do have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.
Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your site.
When an attack happens, it always leave traces. Either on the logs or on the file system (new files, modified files, etc)
If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution.
This comes in many forms today, use your favorite search engine and look for Web Malware Detection and Remediation and you’ll likely get a long list of service providers.
>>> Keep a backup
Back up your data regularly, including your MySQL databases.
Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.
It is important to mention that these measures don’t guarantee a 100% protection against hacking attempts, mostly because a 100% secure website doesn’t exist, but they will protect you against the majority of attacks.