Nobody wants their WordPress site to be the next victim of a hacking attack. Apart from losing an essential part of your business, it is embarrassing and costs precious time and money to fix. The good news, however, is that security breaches are avoidable. Read on to find out how!
Because the software that powers WordPress is available to everyone this also means that hackers can learn how to use the code to break into sites. Moreover, plugins can also be tampered with, so if you aren’t using the latest versions, then you are making your website susceptible to range attacks. Even a buggy theme or a weak password can result in your site being exploited. Because of the popularity of WordPress, it is probably the most hacked content management system across the internet.
WordPress Security plugins can cover the majority of potential issues but you must also ensure that you learn how to apply basic security precautions.
Essential WordPress Security Tips
Listed below are some essential WordPress security tips that every WordPress website owner should implement.
Avoid Common Passwords
Although you are way too smart to use obvious passwords like ‘password123’ or ‘123456’, you should also avoid passwords that are taken from current events, popular movies or favorite hobbies. Even passwords like ‘star wars’ and ‘football’ have been rated as some of the most popular over recent years. Sequential passwords are especially easy for password cracking software to guess.
To secure your login page, make sure that you use a password generator tool such as StrongPasswordGenerator.com which creates a password that is 15 characters long and includes upper and lower case, numbers and special characters.
Never Use Admin as a Username
Most brute force security attacks that target your wp-admin or wp-login pages will attempt to use ‘admin’ as a login. This is because hackers know that many WordPress site owners haven’t bothered to change their username and let’s face it, in many cases, they are probably right. By removing the default admin username you can make it harder for an attacker to guess your login details.
So how do you make this crucial change? Create a new user in WordPress via Users > New User and grant your new user administrator privileges. After that, log in with your new administrator account and delete the admin user.
Secure Your WordPress Website with SSL/TLS
To enable HTTPS protocol on your WordPress site, you will need to purchase SSL certificate and install it on your WordPress site. Next, you will need to redirect your WordPress site’s address from HTTP to HTTPS, which can be possible by adding following 301 (permanent) redirect code in .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} Off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
After redirection, all your elements of WP website will be “secure.”
However, you need to make sure that your website doesn’t show “mixed content” warning. So, Visitor can connect to your WordPress site securely over SSL/TLS connection to protect all sensitive information during online transmission. SSL certificate is used to gain customers’ trust and secure your WordPress website from hackers and intruders.
SSL certificate can obtain from Certificate Authority (CA) like Comodo, GeoTrust, RapidSSL and more, but you can get the same certificate at a high discount price from CA authorized reseller like Cheap SSL Shop.
Hide .htaccess and wp-config.php
By hiding your .htaccess and wp-config.php files, you can prevent unauthorized users from accessing them. Before you attempt this security measure, make sure you take a backup of your site.
With your favorite FTP client, zoom into your installation’s root directory. Download your .htaccess file and add the following lines code:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
For better WordPress security, the above code will prevent your .htaccess and wp-config.php from being accessed directly.
Add Two-Factor Authentication
Brute force attacks can still be an issue, even if you have changed your admin login and created a strong password. Two-factor authentication should be employed to lower the risk of an unwanted user accessing your website’s admin area.
Luckily, there are plugins out there that can assist you in setting this key feature up. Check out UNLOQ, Rublon, Authy, and Keyy.
Use Least Privileged Principles
When someone wants access to your site, it is best to set a login that is given no more privilege than necessary to perform his or her job. To do this, you should determine the security required to perform the task at hand. If you allow users more access than necessary, then you are creating a security risk.
Also, if a person only needs access to your site for a certain length of time, make sure you delete their account once access is no longer required. Reducing the level of access on an account is also wise if higher level privileges are only required for a short period.
Disable PHP Error Reports
PHP Error reports appear when a theme or plugin isn’t working in WordPress. Whilst this may seem like a good thing, the disadvantage of this is that the error message includes the full server path of the error. This path gives away critical information that hackers can use to exploit your site.
Add the following code to your wp-config.php file (create a backup of the file first) to switch this feature off:
Switch off File Editing
Open up your wp-config.php file (again, take a copy first) and add the code below to disable file editing:
define(‘DISALLOW_FILE_EDIT’, true);
Should a hacker gain access to your site, this handy piece of script will prevent them from being able to make amendments by navigating to Appearance > Editor in WordPress.
Don’t Display Your Version Number
Save a copy of your functions.php file and then amend it to hide your WordPress version number by adding the following code:
add_filter( ‘the_generator’, ‘__return_null’ );
WordPress keeps track of how many blogs are active globally by displaying the version number. This can cause a major problem though, as bots and hackers are constantly scanning sites for versions that are known to be vulnerable; which is why you should switch this feature off.
Be Careful with XML-RPC
Hackers are using the XML-RPC function in WordPress for DDoS botnet attacks as well as Brute Force attacks. So, it may be a good idea to remove the functionality altogether. Do note, that disabling XML-RPC comes at a cost. A lot of plugins (like Jetpack) and themes use the API to communicate with your website.
Add the following code your functions.php file:
// Disable XML-RPC// Disable XML-RPCadd_filter( ‘xmlrpc_enabled’, ‘__return_false’ );
// Disable X-Pingback to headeradd_filter( ‘wp_headers’, ‘disable_x_pingback’ );function disable_x_pingback( $headers ) { unset( $headers[‘X-Pingback’] ); return $headers;}
Although it does what it says, it can get intensive when a site is under attack. You may better off using following code snippet in your .htaccess file.
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
Restrict the Number of Login Attempts
By default, WordPress allows users to enter passwords as many times as they wish. Hackers might try to take advantage of this by using code that enters various combinations until they break into your site.
To prevent this from happening, you can limit the number of login attempts from one particular IP address. For example, you could prohibit further logins after three failed attempts and then block their IP address for a temporary length of time. Download and install the Login Lockdown plugin to activate this feature.
Keep WordPress, Themes, and Plugins up to Date
It may sound easy to keep your site up to date but in reality, this isn’t easy to achieve. With constant plugins, WordPress and theme updates, it is difficult to keep track and make changes quickly.
This is where automatic updates help a great deal. By inserting a couple of lines of code into your wp-config.php file you can configure updates so that both themes and plugins happen automatically, whenever a new version becomes available:
add_filter( ‘auto_update_theme’, ‘__return_true’ );
add_filter( ‘auto_update_plugin’, ‘__return_true’ );
Alternatively, you can use a plugin like the Advanced Automatic Updates.
Use the Best WordPress Plugins and Delete Unnecessary Ones
Make sure that you pay for premium downloads from official sites, rather than getting them for free from other unreliable and illegal sources. Free premium plugins can be loaded with malware, meaning that if you install them on your WordPress site, you can easily corrupt it and cause serious damage. It is also not a good idea to update free plugins at will unless you are able to test it first. Many developers who maintain free plugins do it in their spare time, and there is no guarantee that they have tested it is secure prior to deploying it.
Whilst you are at it, remember to delete all unused plugins and themes from your admin area. After you stop using a plugin, it won’t be updated. This means it is easier for unscrupulous coders to take advantage of outdated elements and find a way to break in. As well as being a security vulnerability. Outdated themes and plugins also slow things down, so there is no reason to keep them.
Use WordPress Security Plugins
Most importantly, make sure that you install WordPress security plugins to protect your website.
Wordfence Security is really useful, as it identifies attackers and prevents hacking. It also offers two-factor authentication and security scanning.
All in One Security & Firewall is another security plugin worth downloading. As well as user login and database security, this free and paid plugin can also ban IP addresses and user agents.
iThemes Security can hide vulnerabilities and amend URLs for the WordPress dashboard and wp-content path. Another great feature is that it prevents brute force attacks by blocking invalid login attempts. It also locates bots that search for vulnerabilities and carries out system and malware scans.