WordPress Security

On an average week, your WordPress website has to defend itself against several hack attacks. Thus, if you have spent time developing and promoting your website, you have to take steps to improve your WordPress Security so you are not at risk of losing your hard work.

Although WordPress has basic defense features in place, you cannot rely on these alone to secure your WordPress website from hack attempts.

WordPress thus recommends that all users “harden” their website to prevent getting hacked; and this is good advice considering that up to 70% of websites using this platform have vulnerabilities that hackers can exploit.

But why is it really important to secure your website?

Why You Should Secure Your WordPress Website.

Have you ever searched on google and seen a warning that one of the sites on the search list may contain malware, or may have been hacked? What was your next move?

Most users avoid that site like the plague; nobody wants to be exposed to malware. This alone will lead to much loss in traffic.

But your most serious traffic loss will likely come from getting removed from google search results. In a recent poll, 45% of people who noticed their website was hacked saw a drop in search traffic. And 9% said they saw as much as 75% decrease in traffic. Those are scary numbers.

WordPress security becomes even more important if you use WordPress for your eCommerce business, or as a company website for your physical business.

If you run an online store, a notification about your website being hacked is sure to turn a lot of customers in the opposite direction. And if someone uses your website and their financial details get stolen, you can be sure just about everybody they know will be warned to stay off your site. BAD FOR BUSINESS!

But how can you harden your WordPress security and keep hackers away?

How to Secure Your WordPress Website

Hardening WordPress security is a continuous process. While some of the recommendations in this guide can be done once and will to help keep you secure, most others have to be done from time to time. So you can consider the steps below to be a checklist with which you can harden and improve your security from time to time.

Note: If your website has already been hacked and you need help restoring it, or you want us to help you audit your site and make it secure, please book our service and a developer will contact you.

 

WordPress Security Steps

Securing your admin login page and dashboard

  1. Use secure usernames and passwords.
  2. Use 2 factor authentication.
  3. Limit number of login attempts.
  4. Change your login URL.
  5. Disable file editing in admin dashboard.

Securing themes, plugins, and WordPress Core

  1. Delete themes and plugins that are not in use.
  2. Regularly update themes, plugins, and WordPress.
  3. Do not download themes and plugins from untrusted sites.

Securing WordPress files and folders

  1. Access your server using secure connection.
  2. Use correct permissions on files and folders.
  3. Prevent directory browsing.

Securing database

  1. Use strong passwords
  2. Use different database users for different WP sites on the same host.

Others

  1. Regularly Backup files and DB
  2. Use a WordPress Security Plugin

Now let us consider these steps one after the other.

SECURING YOUR ADMIN LOGIN PAGE AND DASHBOARD

The WordPress login page and admin dashboard are especially targeted by hackers. Gladly, there are simple steps you can take to prevent unauthorized access to these pages.

1. Use secure usernames and passwords.

The place to start when hardening your WordPress Security is ensuring your usernames and passwords are not easy to guess.

By default, WordPress creates an administrative user with “admin” as username. If that username is still active in your site, change it immediately to something more secure.

Also, use very secure passwords and require that everyone else who has access to your admin dashboard does the same. Using the WordFence security plugin, you can enforce strong passwords for all users.

If your password is something like “admin1234”, you are handing hackers the key to your admin dashboard. Instead, use something hard to guess like “Ne8L(&15mMz&^G”.

2. Use 2 factor authentication.

Two factor authentication provides added WordPress security by presenting an added layer a user has to go through to gain access to your website. One very common 2 factor authentication is the one-time password you receive when trying to sign up for some services.

Using Wordfence security plugin, you can implement 2 factor authentication on your WordPress site, such that even if a person has your username and password, they will also need your mobile device to login to your WP dashboard.

3. Limit number of login attempts.

WordPress Security - Restrict login attempts

This step is very important to defend your site against brute force attacks.

Using Brute Force, a hacker tries to login repeatedly using a random combination of usernames and passwords. If these login attempts go on unhindered, the brute force software will possibly arrive at your correct details and gain access to your dashboard.

However, you can restrict login attempts to just 3 tries, and thus make your website secure from Brute Force attack.

This can easily be enabled using the WordFence security plugin.

WordPress Security - Limit login attempts with WordFence

4. Change your login url.

By default, you can get to any WordPress page by adding “/wp-admin” to the domain name. This means that a hacker knows exactly where to go to carry out attacks on your login page.

You can prevent this by changing the location of your login page, and this can easily be done using the WPS Hide Login plugin.

5. Disable file editing in admin dashboard.

By default, you can edit plugin and theme files using the editor in your admin dashboard.

WordPress Security - Disable file editing in dashboard

We highly recommend that you disable this feature.

In the event that a hacker gains access to your dashboard, they can only carry out functions permitted in the dashboard, and according to the authorization level.

But if file editing is enabled, they can inject malicious code into your themes or plugins and gain complete control of your site.

To disable file editing in dashboard, add the following code to the end of your wp-config file.

## Disable Editing in Dashboard

define(‘DISALLOW_FILE_EDIT’, true);

SECURING THEMES, PLUGINS, AND WORDPRESS CORE

Securing your plugins and themes is very important to keeping a secure website. Since these have complete access to your WordPress files and database, if a hacker is able to get into anyone of them, he can gain complete access to your website.

Thus, you need to use the following steps to keep your plugins, themes, and other code areas secure.

1. Delete themes and plugins that are not in use.

If there are themes and plugins installed in your site that you are not currently using, delete them.

WordPress Security - Delete themes and plugins that are not being used

Every theme and plugin adds extra code to your site that could contain vulnerabilities that hackers can exploit. When you delete those that are not in use, you effectively reduce a hacker’s ability to gain access to your site.

2. Regularly update themes, plugins, and WordPress.

One major reason software is updated is to correct security loopholes in previous version. Thus, you can improve security by regularly updating your WordPress core, themes, and plugins.

WordPress Security - Regularly update themes and plugins

3. Do not download themes and plugins from untrusted sites.

Many premium themes and plugins have ripped versions that you can get to download on file sharing websites.

WordPress Security - Download themes and plugins from trusted sites

If you decide to skip the usually low fee and get premium themes or plugins from those sites, you will likely end up paying by giving a hacker control of your website.

We highly recommend that you download your themes and plugins directly from WordPress as these are thoroughly screened before being added to their database.

SECURING WORDPRESS FILES AND FOLDERS

1. Access your server using secure connection.

When connecting to your server (either during initial setup or to access and change files), use Secure FTP (SFTP). This will ensure that your files are correctly transferred and not hijacked and altered by a hacker.

You would need to contact you web host for details on how to use SFTP.

2. Use correct permissions on files and folders.

WordPress recommends that folders should have 755 permission, while files should have 644.

Your WordPress files may be vulnerable to hacks if this scheme is not followed.

Also, no file or folder should have a 777 permission! That permission grants all rights (read, write, execute) to everyone.

Using command line, you can change all folder permissions in your site to 755 by entering the following:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

You can do the same for files using this command:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Alternatively, this can easily be done using an FTP client like Filezilla

WordPress Security - Use correct file permissions

3. Prevent directory browsing.

If you have a folder in your site that doesn’t contain an index.html or index.php file, what happens is that all the files in that directory are displayed on screen when a visitor types in a link to that folder.

WordPress Security - Disable directory listing

Hackers can use this behavior to browse through your files in search for vulnerabilities.

You can prevent directory browsing by adding the following code to the .htaccess file:

Options –Indexes

SECURING DATABASE

Another possible attack point is your database. If a hacker is able to gain control of your database, they can do much damage. For example, they can add a new admin user and password and gain unlimited access to your dashboard. It is thus important to secure your database with the following steps.

1. Use strong passwords

Ensure you use a secure password for your database user. If you checked and decided your current password is not secure enough. Do this:

  • Access your WordPress files using Filezilla FTP client (preferably with secure FTP connection).
  • Locate the wp-config file in your WordPress base directory. Right click and select “View/Edit”
  • Look for:

define( ‘DB_PASSWORD’, ‘Your old password’ );

and change it to :

define( ‘DB_PASSWORD’, ‘the_password_you_just_created’);

WordPress Security - Use strong password for DB

  • Save the file and upload it.

2. Use different database users for different WP sites on the same host.

If you are using a single web hosting account for multiple WordPress sites, you should refrain from using the same database user for them all.

In fact, each WordPress website should have its own database and each database should have its own user and password. This way, if a hacker gains access to the login details for one database, the others would still be secure.

Read this guide to learn how to create databases and database users.

OTHER SECURITY STEPS

1. Regularly Backup files and Database

ALWAYS! Always have a complete backup of your website files and database in a remote location.

WordPress plugins such as UpdraftPlus and BackWPup can be used to run regular backups of your website files and database to remote locations such as Amazon S3 and Google drive.

WordPress Security - Backup WordPress sites

In the event of a security breach, even if your data is compromised, you can first secure your site, and then fall back to your most recent backup to get your site up and running.

2. Use a WordPress Security Plugin

There are quite a few plugins that provide a good number of tools and operations to secure your website. Some of the most popular include Wordfence and iThemes security.

WordPress Security - Security Plugins

Using these plugins, you can perform some of the operations covered in this guide, and also benefit from other real-time protection features.

For example, if an ip is used to attempt a site hack in any site with one of these plugins, that ip is noted. If that ip is used to launch attacks on your site, the attacks are completely blocked off.

This, and many other settings and features help keep your site more secure. Hence, we recommend that you use a security plugin.

How Can You Use This Information?

Website security is an ongoing process. Many of the suggestions in this post have to be done from time to time. We encourage you to keep this article bookmarked and use it as a checklist on your current site, or whenever you are installing a new WordPress website.

If you have tried other security measures and seen good results, we would love to hear about them in the comments section.