The security of your WordPress installation should be a top priority for every website owner. Websites running WordPress are attacked continuously. If you take your website seriously you need to protect your website against hackers. In this post, I will share some tips to help you protect your website against hackers.
Is it necessary to secure your WordPress site?
According to builtwith.com, about 53% of all websites on the internet are running WordPress (source). This makes it a target for hackers. Luckily, while WordPress websites are prone to being hacked, it’s still one of the safest platforms out there. There are a few things you can do to harden your WordPress installation that make it less likely your website will be compromised.
Username
Always use a custom username for your WordPress installation. Using admin as a username is a terrible idea. Your installation shouldn’t have a user called admin; if it does, you should remove it today.
While there are some plugins that enable you to change your username, it’s usually better to create a new user with the administrator role and delete the old admin user.
A good username should be something unique, something hackers aren’t going to guess.
Password
In the event that hackers manage to acquire your username (given you have a unique username), your password will be the primary line of defense.
NIST recently published the finalized version of its Digital Identity Guidelines (read: Recommended password policy). Following these guidelines, my password recommendations are as follows:
- Pick a long password (at least 8 characters long).
- Try to use a sentence as a password (including spaces).
That’s all. No, I am not going to recommend using numbers, symbols or combining capital and lower-case letters. A password that is difficult to remember isn’t a safer password. Like in the XKCD comic, the password “Correct horse battery staple” is 183 times harder to guess than the password “Tr0ub4dor&3”. Therefore I highly recommend using a sentence as a password. After all, length beats complexity.
Two-factor Authentication
In addition to the password, you should really consider adding two-factor authentication to your website. While using a unique username and a good password will help against brute-force attacks, it won’t help you if your login credentials get compromised.
The easiest way to protect your WordPress website against stolen login credentials is to add two-factor authentication. Even if someone gets hold of your login credentials, they won’t be able to log in to your website without the login token.
If you want to read more about two-factor authentication, I recommend reading this great article on Pixel Privacy by Bill Hess: Two-Factor Authentication: What Is It and Why You Should Use It.
There are several easy and free ways to add two-factor authentication to your website. Since WordPress itself doesn’t support two-factor authentication you will need to use a plugin. Some plugins require you to install their app to provide you with the login token. You will need to enter this token each time you log into your website.
I personally recommend using a plugin that supports the use of Google Authenticator. This method also requires the installation of the Google Authenticator app. However, the Google Authenticator app is not limited to WordPress and can be used as a two-factor authentication app for many websites on the internet.
Some plugins that enable the use of Two-Factor authentication on WordPress are:
- Google Authenticator – Two Factor Authentication (2FA) by miniOrange
- Two Factor Authentication by David Nutbourne + David Anderson, original plugin by Oskar Hane
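To show what the login token actually is and how a site checks it, here is an added example (my own code, not taken from any of the plugins above) that generates and verifies Google Authenticator-compatible TOTP codes. The demo secret is the constructed RFC 4226/6238 test key; the `last_counter` argument is an assumption about how the site stores per-user state to stop a captured token from being reused.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
# A real deployment generates a random secret per user and shows it once as a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps usually display the secret without '=' padding; restore it.
    clean = secret_b32.upper().replace(" ", "")
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 with Google Authenticator defaults: SHA1, 30-second step, 6 digits."""
    return hotp(_decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32, token, last_counter=-1, now=None, window=1, step=30):
    """Server-side check. Returns the matched time-step counter, or None.

    - tolerates +/- `window` steps of clock drift between phone and server
    - refuses any counter <= last_counter (assumed to be stored per user by the
      site), so a token captured by an attacker cannot be replayed in its window
    """
    now = int(time.time()) if now is None else now
    secret = _decode_secret(secret_b32)
    token = token.replace(" ", "")
    for drift in range(-window, window + 1):
        counter = now // step + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), token):
            return counter
    return None
```

Store the counter returned by `verify_totp` for the user and pass it back as `last_counter` on the next login; that one line of bookkeeping is what turns a time-based code into a one-time code.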
Hosting admin panel
Commonly forgotten are the login credentials to the admin panel of your hosting provider. This username and password are usually supplied by the provider. You can turn your WordPress installation into Fort Knox but if your hosting package is compromised hackers can simply grant themselves access to your WordPress installation.
Make sure your DirectAdmin/Plesk or another admin panel is secured with a good username and password following the previously stated guidelines. Also, ask your hosting provider if they offer two-factor authentication.
FTP
FTP is used to transfer files to and from your hosting package. Most people don’t need FTP access once the website is live. Check your hosting admin panel or contact your hosting provider to disable FTP access or delete the FTP users when your site is live. It’s common for FTP access to be brute-forced or for passwords to be stolen. Once a hacker has access to FTP, they are able to inject scripts or modify source files, compromising your WordPress installation from within.
They could also upload a phishing website to your host, compromising your good name and reputation.
MySQL
By default, most providers won’t allow remote access to your MySQL database. It’s highly recommended to check with your provider if remote access is disabled. Remote access is only necessary if you need to edit the MySQL database with a third party tool, or if another website needs to access the contents of the database.
If remote access is required, it should always be limited to a single host.
Updates
Updates are important. WordPress is updated regularly; each update fixes bugs, adds new features, improves performance and, most importantly, fixes security issues.
If you don’t update WordPress, it’s just a matter of time before your website gets hacked. You shouldn’t only update your WordPress installation, you should also update your plugins and themes.
There are some great plugins that will help you to keep your WordPress up to date:
- Easy Updates Manager By Easy Updates Manager Team
- InfiniteWP by Revmakx LLC (free Self-hosted multi-site update software)
Backups
Creating regular backups is one of the most important things you can do. Backups are great for a number of reasons. The first and most obvious reason is that if something goes wrong, for example you accidentally delete important content or an update fails, you will be able to restore a working backup of your website.
Another important reason to create backups is that if your website gets hacked you can replace the compromised version of your website with a clean version.
Most hosting providers will create a backup of your website. It’s highly recommended not to rely on this back-up and to create your own backups. Luckily there are some great plugins to make it really easy for you to create backups.
Some recommended plugins:
Please note that I recommend installing only one of the following plugins.
- UpdraftPlus WordPress Backup Plugin by UpdraftPlus.com David Anderson
- BackWPup – WordPress Backup Plugin By Inpsyde GmbH
- Duplicator – WordPress Migration Plugin By Snap Creek
- BackUpWordPress By Human Made Limited
Specialized Plugins
There are a few specialized plugins for improving the security of your WordPress installation.
A great plugin is the Anti-Malware Security and Brute-Force Firewall by Eli Scheetz. This plugin is a malware scanner for your WordPress installation; it scans for known threats, log-in vulnerabilities, back-door scripts, .htaccess scripts and several exploits.
Once your WordPress installation is secure, you probably want to keep it that way. The best way to improve WordPress security and maintain a high level of protection is the installation of a dedicated security plugin. The following all-in-one security plugins combine many functions to secure your WordPress installation.
You should only install one of these plugins. Installing multiple plugins will not improve security and might even break your installation because of incompatibility issues.
All-in-one Security plugins
- iThemes Security By iThemes
- Wordfence Security By Wordfence
- All In One WP Security & Firewall By Tips and Tricks HQ, Peter, Ruhul, Ivy
- Sucuri Security By Sucuri Inc.
Advanced
Warning
The following tips require some basic understanding of web servers, .htaccess and file permissions.
Do not proceed if you are unsure about what you are doing.
.htaccess tweaks
The .htaccess file is a configuration file for web servers running Apache. When a .htaccess file is placed in a directory, Apache detects it and applies its directives to requests for that directory and its subdirectories. These .htaccess files can be used to alter the configuration of Apache to enable or disable additional functionality and features that Apache has to offer. Using .htaccess files you are able to improve your WordPress security significantly.
Limit request methods.
HTTP defines methods (sometimes referred to as verbs) to indicate the desired action to be performed on the identified resource. TRACE and TRACK are HTTP request methods used for debugging. However, these methods can enable several vulnerabilities, including Cross Site Tracing (XST) and Cross Site Scripting (XSS). With a small .htaccess tweak you are able to disable these methods.
Create or Edit the .htaccess file in the root of your website and add the following lines:
# Limit request methods
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Restrict IP
Most WordPress websites are hacked by gaining access to the admin area. Using a good password combined with two-factor authentication will keep the bad guys out. But if you want an extra layer of security, it’s possible to limit access to the admin area to certain IP addresses.
Using a .htaccess file, you limit access to the admin area at the server level. Please note that if you have a dynamic IP address that changes on a regular basis, this option might not be for you.
Create or edit the .htaccess in the wp-admin folder (/wp-admin/.htaccess) and add the following lines:
# Restrict access by IP
order deny,allow
deny from all
# allow Jason's IP
allow from *.*.*.*
# allow Aidan's IP address
allow from *.*.*.*
# allow Stuart's IP address
allow from *.*.*.*
# allow Alec's IP address
allow from *.*.*.*
# allow James's address
allow from *.*.*.*
Please note that you should replace *.*.*.* with your own IP address (found at sites like whatismyip.com). The lines starting with a number sign (#) are comment lines and are only there to help you remember what is what. You can add and remove the “allow from” lines to match the number of IP addresses you want to whitelist.
Disable PHP/HTML in /Uploads
Everything you upload to WordPress is usually stored in the wp-content/uploads directory. By default, .php and .html files are executable when uploaded to this directory. There is, however, no reason why this should be possible. With a .htaccess file, it’s possible to deny execution of these files.
Create or edit the .htaccess in the Uploads folder (/wp-content/uploads) and add the following lines:
# Deny access to PHP files (.php, .php3/.php4/.php5, .pht and .phtml)
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
Protect wp-config
The wp-config file contains a lot of sensitive information, including your database password. With a .htaccess file we are able to deny any external access to the file, ensuring that it can’t be fetched through the web server.
Create or Edit the .htaccess file in the root of your website and add the following lines:
# Deny remote access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Change database table prefix
Most attacks on WordPress installations are done by bots. In case of a vulnerability in your WordPress installation, these bots will likely try to perform a SQL injection to manipulate your WordPress installation.
An easy way to make life a lot more difficult for these bots is to change the database table prefix. If your WordPress installation is using a different table prefix most bot scripts will fail.
Changing the table prefix manually is difficult; luckily there are a few plugins that can do this for you. A simple, to-the-point plugin is the WP Prefix Changer by Tiago Sousa.
Note: after the table prefix has been changed, you can safely disable and remove the plugin.
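To make clear why the manual route is error-prone, here is an added example (my own code, not the plugin’s) that generates the SQL a prefix change needs for a default single-site install. The table list and the example prefixes `wp_` and `k7x_` are assumptions; plugin-created tables would have to be appended.

```python
import re

# Tables a default single-site WordPress install creates; plugin tables must be appended.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return (sql_statements, wp_config_line) to move from prefix `old` to `new`.

    Renaming the tables alone is not enough: WordPress also stores the prefix inside
    row data, e.g. the `wp_user_roles` option and the `wp_capabilities` and
    `wp_user_level` user meta keys. If those are not rewritten as well, every user
    loses their role after the change. Take the backup the post insists on first;
    RENAME TABLE is DDL and cannot be rolled back.
    """
    pat = re.compile(r"[A-Za-z0-9_]+")
    if not (pat.fullmatch(old) and pat.fullmatch(new)) or old == new:
        raise ValueError("prefixes must be alphanumeric/underscore and differ")
    # In LIKE patterns '_' is a one-character wildcard, so escape it to match literally.
    like_old = old.replace("_", r"\_") + "%"
    start = len(old) + 1  # SUBSTRING() is 1-based: keep everything after the old prefix
    sql = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        sql.append(
            f"UPDATE `{new}{table}` SET {column} = CONCAT('{new}', SUBSTRING({column}, {start})) "
            f"WHERE {column} LIKE '{like_old}';"
        )
    return sql, f"$table_prefix = '{new}';"
```

The returned `$table_prefix` line must replace the existing one in wp-config.php, otherwise WordPress will keep looking for the old tables.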
File permissions
The file permissions are one of the most overlooked parts of a WordPress installation. Incorrect file permissions are a security risk.
To check and correct the file permissions you need to access the file system of your hosting package. This can be done either through an FTP client or the online file browser in your hosting admin panel.
The correct permission scheme should be:
- Folders – 755
- Files – 644
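Checking and correcting these by hand is tedious on a large site, so here is an added example (my own code, not from any plugin or hosting panel) that audits a WordPress tree against the 755/644 scheme above and fixes what deviates. The `demo()` function builds a constructed temporary tree with two typical mistakes; point `audit_permissions()` at your real document root to use it for real.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755   # folders, as recommended above
FILE_MODE = 0o644  # files

def _entries(root):
    """Yield (path, is_dir) for root and everything below it, skipping symlinks
    (chmod() would follow them to a target that may lie outside the tree)."""
    yield root, True
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, is_dir

def audit_permissions(root):
    """Return [(path, actual_mode)] for every entry that deviates from 755/644."""
    deviations = []
    for path, is_dir in _entries(root):
        want = DIR_MODE if is_dir else FILE_MODE
        have = stat.S_IMODE(os.stat(path).st_mode)
        if have != want:
            deviations.append((path, have))
    return deviations

def fix_permissions(root):
    """Apply the scheme to every deviating entry; return how many were changed."""
    fixed = audit_permissions(root)
    for path, _ in fixed:
        os.chmod(path, DIR_MODE if os.path.isdir(path) else FILE_MODE)
    return len(fixed)

def demo():
    """Constructed tree: a world-writable uploads folder (0777) and a 0666 wp-config.php."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    open(config, "w").close()
    for d in (root, os.path.dirname(uploads)):
        os.chmod(d, DIR_MODE)  # parents are correct; only the two mistakes below should show
    os.chmod(uploads, 0o777)
    os.chmod(config, 0o666)
    result = (len(audit_permissions(root)), fix_permissions(root), len(audit_permissions(root)))
    shutil.rmtree(root)
    return result  # (deviations before, entries changed, deviations after)
```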
Conclusion
Following the tips above, your website should be protected against all the common attacks. It’s always possible that a new vulnerability is discovered or that your hosting provider itself gets compromised. In these cases, it’s important to have a good backup to restore your website.
I hope that this article helped you to learn more about WordPress security, and will help you to protect your WordPress installation against future hacks.