A Comprehensive Guide on How to Secure your WordPress site.
Most people, when they first start designing and developing their website, are primarily concerned about making things work the way they desire and getting the site to look great. WordPress security isn't one of their primary concerns.
This is funny because almost everyone has heard or read about hacking but when it comes to our sites, we somehow expect it to not happen to us. Because why would a hacker be interested in a small section of our local business, right? Wrong. WordPress security is highly significant, and thus, your WordPress website needs to be adequately secured and fastened. Let's look at the reasons why!
Why and How does a hacker hack your site?
It's important to understand the reasoning behind a website hack before we discuss ways to prevent it from happening. There can be multiple reasons why a hacker would be interested in your website, even if it's a small business site or even a personal blog.
The primary two reasons as to why a site is hacked are - One, for political reasons like disfiguring websites to put forth and distribute content that supports a particular ideology or group.
The other is aimed at making money through fraudulent means. How this works is, the hacked website is used as a middleman to distribute malicious software, and in most cases, the owner of the site doesn't even come to know of this.
This is the online black market that operates through hacked sites. Your website has the potential of becoming an involved party in criminal activity!
The other negative repercussions besides these are:
Now that we've briefly established why your site may get hacked let's look at how a hacker would find and target your particular site out of the millions available online.
It must be highly improbable that a hacker would target your site, right? After all, it's just a drop in the ocean of websites. Well, sorry to burst your bubble but that's wrong!
Hacking is not done manually. Hackers employ robots/programs whose only function is to hunt for vulnerable websites. These programs usually run on cloud servers, where they are set up and destroyed as per need, leaving little to no traces behind. They are built to discover thousands of websites every hour. On finding a site, it is searched for vulnerabilities, which are continually being found in WordPress and its plugins. They may also be caused due to human errors like using easy to guess passwords or an unreliable or undependable hosting.
Securing your WordPress site, thus, is not an option but a necessity and we're here to help you through the process!
Your guide to securing WordPress
By the end of the long list of security measures that are following, you'll be equipped to get your WordPress website fully guaranteed. When it comes to securing websites, specific primary measures need to be undertaken by everybody.
These are non-negligible and mostly simple stuff that will go a long way and keep your WordPress reasonably secure. Then there is another set of measures for those of you who are very paranoid about your website's safety and don't mind going an extra mile to keep it extremely secure.
Let's first discuss the former set of measures, i.e., the necessary security tasks all website owners should perform:
Change the Default Username
One of the easiest and fastest ways to secure your WordPress is to change the default "Admin" username to something that isn't easy to guess. Ideally, you should change your administrator username during the installation of WordPress itself, but if you haven't done that, you can either rename it using phpMyAdmin or by running a Standardized Query Language script on your database.
Either way, this simple WordPress security hack will help your website dodge a lot of random hacking attempts.
Use a Strong Password & don't reuse it across different platforms
It is known to hackers that we, as humans try to keep secure and identical passwords because we tend to forget them. The pirates know how to take advantage of this, and they typically have a list of the most commonly used passwords that they will try time and again until they find the one. This technique is called brute-forcing a password. So keeping a secure and complex password is a straightforward step towards securing your WordPress.
Another thing to keep in mind is never to reuse passwords. What reusing passwords do is, it gives the hackers access to all the rest of your accounts if even one of them is compromised. Yes, it can be inconvenient and troublesome for you to remember so many different, complex passwords but to help you out with it, many password managers in the market help you store and keep your passwords secure. We suggest using these.
Always run the latest version of WordPress
It is essential to keep your WordPress updated because, with every core update, WordPress fixes its recently discovered security issues. A lot of times, people disable WordPress core updates because the latest version may not be compatible with some plugins. The critical thing to remember though is that a hacked website is far more problematic than a temporarily broken plugin.
Do Not Change WordPress Core
Editing WordPress core source files is a terrible idea because it takes away the ease of automatically updating your WordPress to the latest version, the importance of which we've discussed in the previous point. If you've changed WordPress core, an update to the newest version will make you lose these changes.
So what should you do if you wish to change WordPress functionality?
Writing a plugin is the answer. It gives you the freedom to do whatever you want without having to compromise on WordPress core.
The same applies to themes and plugins as well. Any attempt at core tweaking will result in a loss of ability to update to the latest version. In all, there are always other ways of getting the functionality you desire and changing the core is not the way to go.
Make sure all your plugins and Themes are updated
The reason behind the need to update your plugins and ideas is the same as that behind keeping your WordPress updated. It is your responsibility to keep them updated to the latest version, whether you do it manually or automatically, to keep your site safe from hack attacks.
If you are using plugins downloaded from WordPress.org, you can enable automatic background updates, and for any other commercial plugin updates, you will have to handle it through their plugin mechanism. Also, make sure to keep your plugin memberships active always to get the latest updates.
Now when it comes to updating your themes, you may worry about what will happen to all the changes you've made to your theme when you perform an update. What you should do while making changes to themes is to do it via "child themes" rather than making changes directly to the actual theme.
When you do this, you can easily update your themes to the latest version without losing any changes you've made so far. To check which themes require updates, go to "Appearance" and then "Themes" in your WordPress. You can also enable automatic background updates in the same way as it is done with plugins.
Always download plugins, Themes, and Scripts only from their official source
It can be tempting to acquire themes and plugins from unofficial sources for a better price or for free, but it is not a smart idea to do so. This is because a lot of these pirated themes and plugins are wrongfully tweaked by hackers to be served as a backdoor for them to carry out their wicked schemes.
You should always rely on safe sites to find quality plugins and themes to make sure your WordPress is secure. The most common of these is WordPress.org. Other reliable sites are WordPress.com, ThemeForest.net, CodeCanyon.net, etc.
Your site should always run the latest version of PHP
PHP is the underlying engine of WordPress, and it comes up with quite a few version updates.
But according to the Global WordPress Statistics page, almost 80% of WordPress installations run on versions of PHP that are no longer supported! This is a cause for concern because firstly, your website does not benefit from performance features that come out with the latest versions and this also leads to not fixing any security glitches that have been found in the previous version.
This is why it is essential to make sure your site runs the latest version of PHP.
While updating WordPress core, plugins and themes are quite a clear-cut task. The PHP version updates depend mostly on your hosting server. This is one of the reasons why it is essential to choose a secure hosting server. It will make the latest versions of PHP available to you with your WordPress installation. A secure WordPress hosting service will also have a proactive team whose job is to check for the latest vulnerabilities your site is exposed to and take actions to mitigate them.
Update your site only through trusted networks
Who doesn't love using free internet Wifi at places like the airport or even a local café, right? But keep in mind, these Open Wifi Connections are straightforward to spy on. You should avoid accessing your WordPress admin site through such a network. And especially when it comes to updating your website, always use trusted systems like the one at your home or office.
Use an Anti-Virus
If there happens to be a virus on your desktop, it can spread quickly by replicating itself onto your website. This is a scheme typically used by viruses to infect your site. It can then spy and get access to your passwords or even your bank and personal details. This is why you should make sure that your workstation is using a reliable and updated antivirus.
Secure your site using WordPress security plugins
A security plugin lets you know what vulnerabilities your site is exposed to and gives you guidance on how to fix them. Using a plugin is a straightforward yet safe way of securing your WordPress site, and it demands very little to no effort from you. They run scans and give you a detailed review of any issues traced within your website.
Some trusted security plugins are Total Security, Vulnerable Plugin Checker, iThemes Security Pro and Plugin Inspector.
Keep your site backed up
If all the above measures fail and your site's security is still compromised, then this step is what will save you.
It is essential to create and schedule backups for your site. These planned backups are an indispensable part of a site's security policy because it makes sure that if your site is compromised, it will get restored to a version before the damage with ease.
Not just in the case of a hack, but also in the case of a mishap or technical error, having backups makes sure you can get your site back and running again in no time.
The list of our primary, essential security measures ends here!
We've now reached the second part where we'll discuss WordPress security tips for our security fanatics. This is for those admins who want various layers of protection for their website.
Make sure you've set WordPress Secret Authentication Keys
You will find 8 WordPress security and authentication keys in your wp-config.php.These are nothing but arbitrary variables that make it tougher to deduce your WordPress passwords by adding an element of randomness to how they are stored in the database.
Let's look at how you can use it.
You are not supposed to share or make these keys public.
Limit Login Attempts
We've already talked about brute-forcing and how hackers use it to figure out your password. Putting in place a mechanism to limit login attempts is essential because of this very reason.
Fortunately, there's plugin that does this for you. The "Limit Login WordPress" plugin detects many wrong password attempts and disables further attempts for a specific amount of time which results in unsuccessful brute-forcing efforts and turns improve your site's security.
Enable Two-Factor Authentication
Two Factor Authentication or 2FA is an extremely efficient way of securing your WordPress login. On enabling 2FA, every time you log in to your WordPress admin, you will require a time-based security token (unique to every user) in addition to your regular password. This security token expires within a brief period, which is generally 60 seconds.
This makes it extremely difficult for anyone to get access to your login even if they have your login credentials (because they won't have the current security token).
Enabling 2FA thus is a full-proof way of strengthening your login and escaping brute-force attacks on your login details.
Disable PHP execution
When hackers get any access to your site, one of the first things they do is execute PHP from within a directory. A smart thing to do is to disable this altogether. Then, even if some vulnerability were present in your WordPress website, this protection would proactively break down the rest of a hacker's efforts at hampering your site.
This is a mighty step towards WordPress security and may lead to breakage of certain themes and plugins that may require it, but it is still advisable to implement it in the riskiest directories wp-includes and uploads.
You can implement this protection through your .htaccess file by adding the following code to it:
Disable File Editing
We generally fiddle with plugins and themes files while we're still at the initial stages of creating a website since by default, WordPress admins are allowed to edit PHP files. However, once our website is developed, we will have very little use of this edit option.
Thus it is advisable to disable file editing for WordPress admins once the website is up and live. This is because even if a hacker manages to login to your site, they'll be devoid of edit privileges and won't be able to change files to execute their wicked schemes. To disable file editing, insert following command in the wp-config.php file: define('DISALLOW_FILE_EDIT', true);
Segregate your WordPress databases
If you create all your sites in the same database and even one of them gets compromised, then all the other WordPress sites hosted on the same database are also at a huge threat of getting hacked. While installing your WordPress, you should always create a new database and give it a separate database name, database, and password. Make sure these are different from any other sites or logins you use.
What this does is, if one of your sites gets hacked, the infection will cease to spread to your other places even on the same shared hosting account.
If not in use, disable XML-RPC
An application can access your WordPress through something known as an API (Application Programming Interface). To explain it to you in straightforward terms, an example of the XML-RPC is using your phone application to update your site. There are also specific plugins that use XML-RPC functionality.
However, if you're not using any third-party application and are sure that none of your WordPress plugins are using your website through XML-RPC, it is wise to disable it because XML-RPC can be used as a tool to hack your site.
Secure your wp-config.php File
The wp-config.php file is one of the most critical data that store a lot of necessary configuration settings such as your database login details, hashing password salts, etc. You wouldn't want anyone intruding in here, and thus, security measures to safeguard this critical WordPress configuration file must be taken.
If you haven't disabled PHP Execution (Discussed in Point 15), add this command to your .htaccess files:
To keep it very simple, Software Fireballs keep things from getting in or stop them from getting out. In this case, they help prevent hackers from getting close to your website (or your website's party). You need to use a Web Application Firewall (WAF), and one of the most dependable and open-source firewalls generally available with WordPress hosting services for free is the "ModSecurity" firewall.
You can find out if your hosting service offers this and if it is, you can avail and enable it.
You should ideally also use a Content Delivery Network Firewall (CDN) to improve your site's performance by serving abundant resources fast. CDNs also protect your website against numerous WordPress security issues.
Stop PHP Error Reporting
Error reporting is beneficial at the time of developing a website as it makes you aware of the errors and you can promptly fix them. But when error reporting is enabled on a website that is up and lives, it serves as very significant clues for hackers and makes their job much more comfortable than it should be. Error reports can give out vital pieces of information to anyone on the look for it.
Thus, disabling PHP Error reporting once the site is live ensures that at least WordPress security risks caused by disclosure of sensitive information concerning your website are minimized. To disable PHP error reporting, make changes to your php.ini file as stated below:
Use Security Logging to monitor your WordPress Security
Watching your logs help you find out about what attacks are happening on your site and equip you to stop them. It is a pretty good way of improving your WordPress security. To give a minimal example, if you figure out that majority of the hacking attempts are coming from a particular area, possibly one that your website doesn't cater to, you could block that area using your firewall. It is advisable to use a security Audit Plugin to keep regular audit logs.
With this, we've come to an end of our long, comprehensive guide to fully securing your WordPress site. There's no doubt that this checklist could've been a little overwhelming for you if you hadn't given much thought to ensuring your website before. But the good thing is, most of these steps won't demand a lot of effort from you to execute them, and as time goes by, it will become a regular part of your WordPress maintenance routine. To be fair, most of you won't pull all of the steps mentioned above, and that's okay. But the more of these security measures you undertake, the safer your site. A little extra effort from you now will go a long way!