Securing WordPress 2018
Ever worried about your website’s security? Sure you have. Although WordPress is one of the most secure CMSs on the web, there have been cases where unsecured or neglected installations have fallen victim to malicious hackers and spammers.
Although the most important security measure is to always keep your site backed up and updated, here are some extra steps to secure your WordPress website:
During WordPress installation
While the process is famous for its short duration (the “5-minute install”), we recommend spending a few more minutes to make it more secure.
As a good precautionary measure (although there’s a bit of controversy on the matter), we suggest you change the default database prefix from wp_ to something else (such as a random string, e.g. l3xfr_) when installing WordPress. The prefix is declared in the wp-config.php file. If you need to change the table prefix after installation (a rather risky process), you can check out these two guides: How to Change the WordPress Database Prefix to Improve Security and Change Your Database Prefix to Improve Security.
After completing the installation, you can move the wp-config.php file one level above the server’s public web directory (such as public_html). Using your FTP account, move that file away from the rest of the installation so that nobody can reach it through the web server and change it, which would ruin your website.
Now, let’s see the very basics.
No joke, you need to take regular backups. Thankfully, there are some great plugins for doing that: BackWpUp, UpdraftPlus WordPress Backup Plugin, etc. We recommend automated regular backups, preferably to an external FTP or cloud storage location (Dropbox, Google Drive), so that a compromised server does not take the backups down with it. Alternatively, you can download the latest backups to your hard drive.
- Keep the WordPress core always up to date. It’s just one click and you have the latest version installed.
- Keep all themes and plugins up to date. It may take a while, but authors usually have good reasons for releasing new versions…
- Keep the administrator user and the login secured. This has proved to be the Achilles’ heel of most WordPress-based websites. So…
- Never use ‘admin’ as the administrator account. Create a new Administrator account and delete the ‘admin’ account as soon as you install WP. Plugins such as iThemes Security can be configured to lock out hackers trying to log in as ‘admin’ (see screenshot).
- Use strong passwords and NEVER reuse the same password elsewhere.
- Change passwords regularly.
- Consider using two-factor authentication. Available plugins include: (1) Google Authenticator (requires a mobile app), (2) Two Factor Authentication (David Nutbourne) plugin, (3) WordPress 2-step verification plugin.
- Avoid or limit the creation of Administrator accounts.
- Remove inactive accounts.
- Limit the login attempts from a given IP address to defeat brute-force attacks. You can use a plugin like WP Limit Login Attempts or a similar one for this kind of protection.
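To show what a login-attempt limiter like the plugins above actually does, here is an added example (not from the original post and not the code of any of the plugins it names): a small must-use plugin that counts failed logins per IP address in a WordPress transient, locks the address out after a few failures, and refuses the ‘admin’ username outright. The plugin name, the LAL_ constants and the lal_ function names are this example’s own; the hooks (authenticate, wp_login_failed, wp_login) and transient functions are WordPress’s.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Saved as wp-content/mu-plugins/login-limiter.php it loads on every request.
 */
const LAL_MAX_ATTEMPTS    = 5;   // failed logins allowed per IP address ...
const LAL_LOCKOUT_SECONDS = 900; // ... before the address is locked out for this long

// Client address as PHP sees it. Behind a reverse proxy or CDN this is the proxy's
// address; read the forwarded header instead only if you trust the proxy to set it.
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_transient_key($ip) {
    return 'lal_fail_' . md5($ip);
}

// Runs after WordPress's own password check (priority 20), so returning a WP_Error
// here overrides even a correct password while the lockout is active.
function lal_check_lockout($user, $username, $password) {
    if ($username === 'admin') {
        // The 'admin' account should not exist at all; refuse the name outright.
        return new WP_Error('lal_admin', 'Login failed.');
    }
    $fails = (int) get_transient(lal_transient_key(lal_client_ip()));
    if ($fails >= LAL_MAX_ATTEMPTS) {
        return new WP_Error('lal_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);

// Every failure (including attempts made during a lockout) bumps the counter and
// restarts the expiry window; the transient expires on its own afterwards.
function lal_record_failure($username) {
    $key   = lal_transient_key(lal_client_ip());
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, LAL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'lal_record_failure');

// A successful login clears the counter for that address.
function lal_clear_on_success($user_login) {
    delete_transient(lal_transient_key(lal_client_ip()));
}
add_action('wp_login', 'lal_clear_on_success');
```

Transients live in the options table (or the object cache if one is configured), so on a multi-server setup every node sees the same counters. Attackers rotating through many addresses will not be caught by a per-IP counter alone, which is why the list above pairs this with strong passwords and two-factor authentication.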
Is that enough?
Yes, but here are some more things to check. This is your installation and you care about it, so would you let a poorly written plugin ruin it? No, so:
- Remove unused plugins and themes. Deactivated plugins can still be harmful (their files stay on the server and remain reachable), and you would have to keep checking for updates to themes and plugins you don’t even use. You might even miss a critical update for one of them. Keep the latest default WP theme as a “fallback” theme in case something breaks in your main theme.
- Disable the plugin and theme editing feature for users (recent WP versions at least show a warning before you use this function).
- Make sure that the WP_DEBUG constant defined in the wp-config.php file is set to false on your production sites.
- Disable PHP execution in the uploads folder (via .htaccess or the nginx configuration; see the .htaccess example in the bonus section below).
- Try to limit the number of plugins you install.
- Beware of untrusted themes and plugins. Use a plugin like Theme Authenticity Checker to check for malware. NEVER download premium themes and plugins from warez/torrent sites (they are not there by chance; someone uploaded them for a reason).
- Set up server monitoring (free services such as Pingdom will do).
- Run Sucuri’s free site check regularly.
- Always check Active Installs, Ratings, Last Updated and Compatibility on the WordPress repository before installing any plugin or theme. If a theme is not properly tested, it is likely to become unstable in your installation (do you really want to debug a third-party plugin on your production website?).
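Putting the wp-config.php points from above (the table prefix, the editor switch and WP_DEBUG) into one place, here is an added example of a hardened wp-config.php excerpt; it is not from the original post. The prefix l3xfr_ is the sample value used earlier, and DISALLOW_FILE_EDIT and WP_DEBUG_DISPLAY are WordPress’s own constants for the code editor and for on-screen debug output.

```php
<?php
// Excerpt of a hardened wp-config.php; each setting is shown beside the default it replaces.

// Database table prefix (default: $table_prefix = 'wp_';). Choose it before the first
// install: changing it afterwards means renaming every table plus the prefixed rows in
// wp_options and wp_usermeta, which is the risky procedure the guides above describe.
$table_prefix = 'l3xfr_';

// Theme/plugin code editors in wp-admin (default: enabled). With the editor on, anyone who
// obtains an Administrator session can write arbitrary PHP to the server from the browser.
define('DISALLOW_FILE_EDIT', true);

// Debug output (default in the generated file: false, but often flipped on while developing).
// Left on in production it prints PHP errors and file paths to every visitor.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

// Moving this file one directory above the web root (next to public_html rather than inside
// it) needs no further change: wp-load.php looks in the parent directory when no
// wp-config.php exists beside it.
```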
Bonus: how to use .htaccess to keep your site secure. This file, read by the Apache web server (a very popular one), can be used to allow or deny access to back-end files of your installation and is a very good way to keep your website secure.
Here is an example .htaccess file for disabling PHP execution for all files in a folder (for the uploads folder, place it in wp-content/uploads); the deny rule is scoped to PHP files so that images and other uploads are still served:
# Strip the PHP handlers so these extensions are no longer executed
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
# Only valid with mod_php; under PHP-FPM this line causes a 500 error, so omit it there
php_flag engine off
# Refuse to serve PHP files at all (Apache 2.2 syntax; Apache 2.4 uses "Require all denied")
<FilesMatch "\.(php|phtml|php3)$">
    deny from all
</FilesMatch>
Now we are (almost) sure our website is safe. How about some extras?
Does your website require feedback from its readers? If not, consider disabling comments and trackbacks, as they are common gateways for intruders to “come in” and have, well, fun.
Connect to Jetpack. This amazing plugin is like a Swiss Army knife, offering, among other features, extra security for your website. You only need a wordpress.com account and you are ready to use it.
Install a third-party anti-spam plugin. There are numerous available, but you can always use the Automattic-promoted Akismet plugin, bundled with WordPress for just a small fee.
What to do when Hacked
First of all, don’t panic. You have been keeping backups (haven’t you?) and you can restore your website at any time. A good idea is to keep even older backups of your website, because you don’t know (and probably never will) exactly when this happened. The site may have “broken” now, but the malicious code may have been injected days or months ago. Keeping older backups may be helpful if you find out (or suspect) that the latest backups already include the infection. Now, let’s do some treatment:
SECURITY RELATED PLUGINS
- Wordfence Security (security suite: enforce strong passwords, feature status, basic options, automatic scheduled scans, firewall, rate limiting, diagnostics, etc.)
- Sucuri Security (Hardening Options, Post Hack Options)
- iThemes Security (formerly Better WP Security)
- WPS Hide Login (Obscure Login Page URL)
- Loginizer (fights brute-force attacks: block IP addresses, maximum retries, etc.)
- Force Strong Passwords
- Expire Passwords
- Email Login (use email instead of username to login)
- WP Security Audit Log (WP White …)
- WP Limit Login Attempts (Limit Login Attempts for login protection, protect site from brute force attacks.)
- Limit Login Attempts Reloaded (Limit Login Attempts for login protection, protect site from brute force attacks.)
- Activity Log (far fewer options and easier to configure; custom notifications based on events)
- Simple History
- Theme Authenticity Checker (TAC)