Harden WordPress Security: A Marathon Rather Than A Sprint
A lot has been said and written about the issue, and the debate over the best way to harden WordPress security never really ends. As compromise techniques evolve, new countermeasures become necessary. Because the CMS is so popular, an unfortified site is a likely target even for novice attackers.
However, there is no “one-stop solution”. Many plugin-based solutions can noticeably slow down your website: every extra function running in the background adds CPU and database load to each request. Only a combination of clean code and server-level measures keeps the bad guys away. Beyond that, the personal habits and awareness of each person who manages the site can make a real difference.
The first group of measures is what we call “soft” measures, but they can be really hard on attackers. We could also call them “absolutely necessary” or “basic”, as they are the first things anyone entering the WordPress ecosystem needs to know. Yet even professional developers and implementers sometimes neglect them.
Maintain Your Site Regularly
- Keep backups. The web server will not go on vacation, and neither will malicious scripts. Make sure you have a working copy of your website (files and database) that you have actually restored at least once, in case something strange happens. Keep a copy off-site in the cloud, but keep a local copy as well. Larger deployments should also review their version control repository: get rid of branches forgotten in time. They may contain some useful code, but work that once seemed brilliant may be useless today, simply because it no longer fits.
- Review the installation. Isn’t it time to remove that plugin that has been inactive for the past two years? It is human nature to keep postponing work that does not seem urgent, but from a security standpoint it is critical: an inactive plugin is still code on disk, and its PHP files can still be requested directly and exploited. Check your plugins and make sure they actually do something on the site; if they don’t, get rid of them. Evaluate the others: do they bloat your website? Do you suspect their code is poorly written, or do they constantly cause issues? Do they stress the server or the database? Remove or replace them with better ones, even if this requires some extra work.
Keep The Code Up To Date (With Moderation)
- WordPress introduced automatic background updates in version 3.7: minor core releases update themselves by default, and filters let you opt plugins and themes in as well (per-plugin and per-theme toggles in the admin screens arrived with version 5.5). The feature was received with mixed feelings and still not everyone uses it. In some cases it is not a bad idea to wait a little before updating, since a new release can occasionally introduce a regression or a new bug. My recommendation is to let low-risk plugins update automatically while updating the more critical ones manually. This lets you, for example, take a backup before updating a plugin like WooCommerce.
- Eventually, you need to bring the whole site to the latest version: WordPress core, plugins and, of course, themes. Do that regularly, and especially before leaving the site on auto-pilot for some time. It may sound a bit overwhelming, but keeping the site up to date is what actually hardens WordPress security. Just look at the changelog of each new release and you’ll find tens of security fixes.
- Turn comments off. If your business does not require a conversation through the website, we recommend disabling the comments section globally. Otherwise, consider adding a lightweight plugin like Antispam Bee, which can effectively tell real visitors from the bad guys.
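The “moderate” auto-update policy described above can be expressed in code instead of clicking through toggles. The following must-use plugin is an added example written for this article, not code from WordPress, WooCommerce or any plugin mentioned here. It uses the core `auto_update_plugin`, `auto_update_theme`, `allow_minor_auto_core_updates`, `allow_major_auto_core_updates` and `auto_plugin_update_send_email` filters; the plugin and theme slugs in the two lists are assumed example values (WooCommerce is the one the article singles out).

```php
<?php
/**
 * Plugin Name: Selective auto-update policy
 *
 * Added example (not code from the article or from any plugin it mentions).
 * Save as wp-content/mu-plugins/auto-update-policy.php; must-use plugins load
 * before regular plugins and cannot be deactivated from the dashboard.
 *
 * Policy: everything updates itself EXCEPT the plugins and themes listed
 * below, which you update by hand after taking a backup. The slugs are
 * assumed examples; "woocommerce" is the plugin the article singles out.
 */

// Plugin slugs (the directory name under wp-content/plugins) to update manually.
const SAP_MANUAL_PLUGINS = array( 'woocommerce', 'example-payment-gateway' );

// Theme directory names to update manually (assumed example).
const SAP_MANUAL_THEMES = array( 'example-child-theme' );

/**
 * auto_update_plugin receives the update offer ($item) for each plugin.
 * Returning false keeps the plugin on the "update available" list without
 * applying it; returning true applies it on the next background run.
 */
function sap_plugin_policy( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, SAP_MANUAL_PLUGINS, true ) ) {
		return false; // critical plugin: manual, backed-up update only
	}
	return true;
}
add_filter( 'auto_update_plugin', 'sap_plugin_policy', 10, 2 );

/** Same decision for themes; theme items identify themselves by ->theme. */
function sap_theme_policy( $update, $item ) {
	if ( isset( $item->theme ) && in_array( $item->theme, SAP_MANUAL_THEMES, true ) ) {
		return false;
	}
	return true;
}
add_filter( 'auto_update_theme', 'sap_theme_policy', 10, 2 );

// Core: apply minor (security and maintenance) releases automatically, but
// leave major versions for a planned, tested upgrade.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Get the result email for every background plugin/theme update so a failed
// or skipped update does not go unnoticed while the site runs on auto-pilot.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

Because the file lives in `mu-plugins`, the policy survives plugin deactivation and is versioned with the rest of the site. The plugins in the manual list still appear on the Updates screen, so the reminder to back up and update them by hand does not disappear.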
Apply Login Restrictions & Audit
- Change the login URL. Although this is usually a job for a security suite, we advise doing it anyway, even with a standalone plugin. It will not stop a determined “brute force attack”, not least because the login form is not the only way to authenticate (xmlrpc.php accepts a username and password as well), but it keeps scanners that blindly hit /wp-login.php away from the form, which is a good thing either way. Whether a brute-force attempt succeeds depends on the strength of your passwords (and on whether two-factor authentication is enforced). Even mild attempts can cause problems for the site and the server by consuming bandwidth and CPU cycles, so for this case you will need to look at the hosting level to effectively harden WordPress security.
- Limit the login attempts. Compared with more complex measures, limiting the number of attempts anyone can make to log in is half the job done. You can use a plugin like Limit Login Attempts Reloaded (LLAR) to throttle the number of attempts and ban abusive IPs from your site. For a few dollars, you can add its cloud-based protection and harden WordPress security even further.
- Add a security plugin like Sucuri Security, which helps you fortify your website against attacks such as DDoS, brute force and spam, and keeps you informed by email about anything worth mentioning. The paid version puts your site behind Sucuri’s external cloud firewall, a reverse proxy that filters traffic before it reaches your server. Unlike some similar plugins, it does not noticeably affect performance, because the heavy filtering happens on the firewall side rather than inside PHP on your site.
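To show what “limit the login attempts” actually means inside WordPress, here is a small must-use plugin, written as an added example for this article (it is not code from LLAR, Sucuri or WordPress itself). It counts failed logins per client address in a transient, refuses authentication once a threshold is hit, clears the counter on success, and also closes the xmlrpc.php authentication path that a changed login URL leaves open. The threshold (5 failures) and window (15 minutes) are assumed values, and `REMOTE_ADDR` is assumed to be the real client address; behind a CDN or reverse proxy it has to be restored from the proxy’s header first, otherwise every visitor shares the edge’s IP and one attacker locks everyone out.

```php
<?php
/**
 * Plugin Name: Login throttle
 *
 * Added example (not code from the article, LLAR or WordPress). Place it in
 * wp-content/mu-plugins/. Assumed policy: 5 failures from one address lock
 * that address out for 15 minutes, measured from the LAST failure.
 */

const LT_MAX_FAILURES   = 5;
const LT_WINDOW_SECONDS = 15 * 60;

/** Assumes REMOTE_ADDR is the real client (see the lead-in about proxies). */
function lt_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient names must stay short; hash the address to keep them uniform. */
function lt_transient_key( $ip ) {
	return 'lt_fail_' . md5( $ip );
}

/** Failed logins recorded for $ip inside the current window (0 if none). */
function lt_failure_count( $ip ) {
	$count = get_transient( lt_transient_key( $ip ) );
	return false === $count ? 0 : (int) $count;
}

/** Runs on wp_login_failed, i.e. after WordPress rejected the credentials. */
function lt_record_failure( $username ) {
	$ip   = lt_client_ip();
	$next = lt_failure_count( $ip ) + 1;
	// Re-setting the transient restarts its expiry, so the lockout lasts
	// LT_WINDOW_SECONDS from the most recent failure.
	set_transient( lt_transient_key( $ip ), $next, LT_WINDOW_SECONDS );
	if ( $next >= LT_MAX_FAILURES ) {
		error_log( sprintf( 'login throttle: %s locked out after %d failures (last user "%s")', $ip, $next, $username ) );
	}
}
add_action( 'wp_login_failed', 'lt_record_failure' );

/**
 * Refuse authentication for a locked-out address. Priority 100 runs AFTER
 * core's username/password and cookie checks (priority 20 and 30), so even a
 * correct password from a locked-out IP is rejected; hooking earlier would let
 * the later core filters replace our WP_Error with a WP_User.
 */
function lt_block_if_locked( $user, $username, $password ) {
	if ( '' === $username ) {
		return $user; // plain page load or empty form: let core's own errors stand
	}
	if ( lt_failure_count( lt_client_ip() ) >= LT_MAX_FAILURES ) {
		return new WP_Error(
			'too_many_attempts',
			sprintf( 'Too many failed logins. Try again in %d minutes.', LT_WINDOW_SECONDS / 60 )
		);
	}
	return $user;
}
add_filter( 'authenticate', 'lt_block_if_locked', 100, 3 );

/** A successful login clears the counter for that address. */
function lt_clear_on_success( $user_login, $user ) {
	delete_transient( lt_transient_key( lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_on_success', 10, 2 );

/*
 * Changing the login URL does not cover xmlrpc.php, which also takes a
 * username and password, and via system.multicall can try hundreds of guesses
 * in one request. Disable its authenticated methods unless something (Jetpack,
 * the mobile apps) needs them, and drop the two methods abused most often.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['system.multicall'] );
	return $methods;
} );
```

Note that a blocked attempt still fires `wp_login_failed`, so an attacker who keeps hammering a locked-out address only extends their own lockout. Transients live in the options table (or the object cache if one is configured), which is why the counter survives across PHP processes without any extra storage.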
Believe me, cleaning your site after a successful attack is much harder than applying these measures in the first place. The real problem is that you are not always authorized to access the hosting infrastructure. Some hosting providers give you partial access to security settings while others don’t; it depends on the hosting plan.
Things get a bit more complicated if your site runs on shared hosting. Providers may share the same settings across many sites for their convenience. This is not necessarily bad, but it may restrict the actions you can take. A dedicated server, on the other hand, is typically more expensive. Last but not least, managed hosting services may provide great security, or maybe not (and in some cases you might not be able to review it at all). In any case, here is a list of things we consider essential for keeping your site safe at the hosting level.
Evaluate Your Hosting Security
- After taking all the “soft measures”, check which PHP version your WordPress install runs on. A new hosting plan will usually come with a current version; your 5-year-old plan possibly will not. Upgrade to a supported PHP release: each PHP branch stops receiving security fixes after its end-of-life date, so a site on an unsupported interpreter stays exposed to every bug found in it afterwards, no matter how up to date WordPress itself is. You can see the version WordPress reports under Tools > Site Health; test your plugins on the new version before switching.
- Make sure your hosting plan includes a Web Application Firewall (WAF). It is a simple yet very effective precaution for every website. Modern WAFs apply numerous rules that can classify what is behind an HTTP request within milliseconds. Because the firewall sits in front of the web server at the network edge, it blocks unwanted traffic before it ever reaches WordPress.
- Ensure you have access to the server logs; they give you critical information about anything bad or good that is happening. Check them periodically for errors and for suspicious patterns, such as bursts of POST requests to wp-login.php or xmlrpc.php from a single address. Rather than deleting the logs when they grow large, have them rotated and compressed (logrotate on most Linux hosts) and keep at least a few weeks of history: if you are ever compromised, the logs are what tells you when and how.
Apply Access Restrictions & CDN
- Restrict access to the WordPress directories. There is no reason for anyone to browse the physical files of your installation. The WordPress Codex has long published guidelines on correct file permissions: directories 755, files 644, and wp-config.php locked down to the owner (the Codex suggests 440 or 400 where the server setup allows), never world-writable. Also consider disabling the built-in theme and plugin file editor with the DISALLOW_FILE_EDIT constant in wp-config.php, so that a stolen administrator session cannot be turned into arbitrary PHP on the server.
- If your audience is located in a single country, you can ask your provider to block access from the rest, reducing the volume of malicious traffic. Statistics show that a large share of malicious attempts comes from a handful of countries. Keep in mind that geo-blocking cuts noise rather than targeted attacks, since an attacker can route through a VPN or a compromised host in your country, and that it also blocks legitimate services hosted abroad (search engine crawlers, payment callbacks, uptime monitors).
- If you are aiming for the global market, put your site behind a CDN service like Cloudflare. Not only will it perform faster anywhere across the globe, it also hides your origin server’s IP address, absorbs volumetric traffic and can apply WAF rules at the edge. Two caveats: a CDN does not scan the files on your server for malware (that remains your job or your security plugin’s), and it only protects you if the origin is reachable solely through the CDN, so restrict the origin to the CDN’s address ranges. Also, once proxied, every request appears to come from the CDN, so rate limiting and geo rules must use the client IP the CDN forwards in a header (CF-Connecting-IP in Cloudflare’s case).
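The two hosting-level points above that end up in code are the wp-config.php hardening constants and the “trust the CDN’s client-IP header only from the CDN” rule. The fragment below is an added example for this article, not text from the WordPress Codex or Cloudflare; it goes in wp-config.php above the “stop editing” line so it runs before any plugin reads `REMOTE_ADDR`. The constants `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS` and `FORCE_SSL_ADMIN` are real WordPress settings; the CIDR list is a placeholder (TEST-NET documentation ranges) that you must replace with the CDN’s published address ranges, and the header name assumes Cloudflare.

```php
<?php
/**
 * Hardening fragment for wp-config.php. Added example; values are illustrative,
 * not the article's. Place it ABOVE the "That's all, stop editing!" line.
 */

// Remove the built-in theme/plugin file editor from wp-admin. With it enabled,
// anyone holding an administrator session can write arbitrary PHP to disk.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant for sites deployed from version control: no installs or
// updates from the dashboard at all (updates then come through your deploy
// pipeline; note this also switches off automatic updates).
// define( 'DISALLOW_FILE_MODS', true );

// Never send the admin session cookie in clear text.
define( 'FORCE_SSL_ADMIN', true );

/*
 * Behind a CDN every request arrives from the CDN's address, so IP-based
 * lockouts and geo rules would see one IP for the whole world, and anyone who
 * connects to the origin directly could spoof the forwarding header. Trust the
 * header ONLY when the TCP peer is one of the CDN's ranges.
 * PLACEHOLDER ranges (RFC 5737 / RFC 3849 documentation space): replace them
 * with the CDN's published list.
 */
const TRUSTED_PROXY_CIDRS = array( '203.0.113.0/24', '2001:db8::/32' );

/** True when $ip lies inside $cidr; handles IPv4 and IPv6, rejects mixed or malformed input. */
function ip_in_cidr( $ip, $cidr ) {
	list( $net, $bits ) = explode( '/', $cidr, 2 );
	$ip_bin  = inet_pton( $ip );
	$net_bin = inet_pton( $net );
	if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
		return false;
	}
	$bits = (int) $bits;
	if ( $bits < 0 || $bits > strlen( $ip_bin ) * 8 ) {
		return false;
	}
	$full = intdiv( $bits, 8 );           // whole bytes that must match exactly
	if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
		return false;
	}
	$rem = $bits % 8;                      // leftover bits in the next byte
	if ( 0 === $rem ) {
		return true;
	}
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

/**
 * Returns the address to treat as the client: the forwarded one if the peer is
 * a trusted proxy and the header holds a valid IP, otherwise the peer itself.
 * $header assumes Cloudflare (CF-Connecting-IP as seen by PHP).
 */
function restore_client_ip( array $server, array $trusted, $header = 'HTTP_CF_CONNECTING_IP' ) {
	$remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
	if ( empty( $server[ $header ] ) ) {
		return $remote;
	}
	foreach ( $trusted as $cidr ) {
		if ( ip_in_cidr( $remote, $cidr ) ) {
			$forwarded = $server[ $header ];
			return filter_var( $forwarded, FILTER_VALIDATE_IP ) ? $forwarded : $remote;
		}
	}
	return $remote; // direct hit on the origin: the header is untrusted
}

$_SERVER['REMOTE_ADDR'] = restore_client_ip( $_SERVER, TRUSTED_PROXY_CIDRS );
```

With this in place, a request that reaches the origin directly with a forged `CF-Connecting-IP` keeps its real peer address, while requests that genuinely came through the CDN are attributed to the visitor, so login throttles, geo rules and your access logs all see the right address.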
Harden WordPress Security – Offline Methods
This part concerns the awareness of each individual who manages a WordPress site. Whatever security policy your site relies on, your attitude is equally important. Any infrastructure is worthless without someone ready to take action.
Remain In Touch With Your Property
- Periodically check your website from any available device to see that it is online and working as expected. Hard-refresh, or use a private browsing window, so you receive a fresh copy of the page rather than a cached one. Configure your security application to send you notices about security events. Some can also send SMS alerts, in case you’re lying on a beach and still need to stay in touch.
- Use an availability monitoring service like Pingdom or the uptime checks in Google Cloud Monitoring. Such a service regularly checks your website and notifies you about sudden changes. It can also track the performance of your site, which matters for security too: a sudden slowdown is often the first visible sign of an attack or a compromised installation.
- Why not let a partner watch your website while you’re away? Or agree to forward them all the emails you receive from your security application. That way, one more person besides yourself will be alerted if things turn weird.
Safeguard Your Passwords
- If you have installed your password manager on multiple devices, keep every one of them locked with a strong passcode as well. People forget that physical access to a device can reveal a ton of information to whoever holds it. For crowded places or when you’re jogging, leave your high-end device at home and consider carrying a simple cell phone, for emergency voice calls only.
- Lock your passwords in a safe place. A printed copy of your most important credentials, kept in a locked drawer or a safe, is acceptable; what matters is not to rely on a single device for storing them, because if it fails you may be locked out of your website. For best results, use a manager like 1Password. It keeps your passwords encrypted yet accessible to you and your partners, and lets you share individual passwords safely with anyone using the same application.
Bottom Line: Less Is More
Securing your WordPress site is an attitude. You don’t need to activate tens of security plugins; you need to be consistent in the long term. Google will try to keep traffic away from a compromised site: when such an incident occurs, it downgrades the website in the search results after only a few days. You don’t want to be on that blacklist, but even if you end up there, don’t lose hope. It’s never too late to harden WordPress security. Just do what you have to do and, sooner or later, you’ll be back on track.
Did you find this article useful? Feel free to comment below.
My name is Vangelis Chirmpilidis and I’m the author of this post. I am a long-term member of Plethora Themes as a Content Creator and Lead Customer Support Agent. I also contribute to the local WordPress community by participating in Polyglots, WordCamp, and other activities.