Tips to secure your WordPress website

Shubhdeep Rajput
Bobble Engineering
Published Oct 16, 2021

WordPress is the world’s most popular content management system: it powers a large share of the world’s websites, and hundreds of new WordPress sites go live every day. Popularity attracts myths, and one myth that goes around about WordPress is that it is not secure. WordPress core is open source, actively maintained and widely audited, and when it is configured properly it is as secure as any other mainstream CMS. So why do WordPress sites get hacked so often? Mostly because the people running them, who are often not tech-savvy, do not follow security best practices: they run outdated plugins, keep default usernames and weak passwords, and leave unused features enabled. Below are some simple tips that make a WordPress website considerably harder to break into.

1.) Keep WordPress up to date including WordPress core, themes and plugins

Outdated themes and plugins are easy targets, because once a vulnerability is fixed in a new release its details, and often a working exploit, are published online. Attackers scan for sites still running the old version, so if they learn that you use a vulnerable plugin, half of their work is done. WordPress core, themes and plugins are regularly updated with bug fixes and fixes for reported vulnerabilities, so check for updates often and apply them promptly. Themes can be updated from Appearance > Themes > Update Now. Auto-updates can be turned on per plugin from Plugins > Installed Plugins > Enable auto-updates, and WordPress core can be updated from Dashboard > Updates. Following this practice alone prevents most of the compromises seen in the wild.

Two caveats. First, take a backup before updating, because an update can break a site as well as fix it. Second, updating a theme overwrites any edits made directly to its files, so keep customisations in a child theme or in a plugin such as Code Snippets, where they survive updates.
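Auto-updates can also be controlled from code, which is handy when one or two plugins are known to break on update and must be reviewed by hand while everything else updates on its own. The snippet below is an added example, not code from the original post; it uses the WordPress auto_update_plugin, auto_update_theme and allow_major_auto_core_updates filters, and the plugin slugs in the review-first list are placeholders.

```php
<?php
/**
 * Added example: enable automatic updates for every plugin and theme,
 * except a short list that must be updated by hand after review.
 * Install as wp-content/mu-plugins/auto-updates.php or paste into Code Snippets.
 */

// Assumption: these slugs are placeholders for plugins you update manually.
define( 'REVIEW_FIRST_PLUGINS', array( 'some-page-builder', 'some-payment-gateway' ) );

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item is the update object; $item->slug is the plugin directory name, e.g. "akismet".
    if ( isset( $item->slug ) && in_array( $item->slug, REVIEW_FIRST_PLUGINS, true ) ) {
        return false;   // leave these for a manual, reviewed update
    }
    return true;        // everything else updates as soon as a release is out
}, 10, 2 );

// Themes: always update (custom changes should live in a child theme anyway).
add_filter( 'auto_update_theme', '__return_true' );

// Core applies minor and security releases by default; this also lets major
// versions install unattended. Remove the line if you prefer to test majors first.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```

The plugins in the review-first list still show up as pending updates in the dashboard, and with WP-CLI `wp plugin list --update=available` lists whatever is still outstanding, which is a quick check to run after each release cycle.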


2.) Restrict direct access to wp-login, wp-admin pages

wp-login.php (and the wp-admin area, which redirects to it) sits at the same path on every WordPress site, so attackers know exactly where to find it and run automated password guessing against it around the clock. If a brute-force attack succeeds on an administrator account, the attacker owns the whole site. Restricting access to the login page removes one easy target. Moving the login page to a non-standard URL is security by obscurity: it does not stop a determined attacker, but it hides the site from the mass scanners that hit /wp-login.php on every domain, and it should be combined with the controls in the following tips (strong passwords, rate limiting and, ideally, two-factor authentication).

The URL can be changed with the WP Hide Login plugin. Do not use the default username admin; pick a username that is not displayed on the site and a long, unique password, ideally generated by a password manager. Also stop the REST API from handing out usernames: by default anyone can fetch the account names of every author from www.yourwebsite.com/wp-json/wp/v2/users, which turns a password-guessing attack from two unknowns into one. Tip 6 below shows how to close that endpoint from code; the Disable REST API plugin is the alternative.

3.) Limit login attempts on WP-login

Even with the login URL changed, limit the number of login attempts a client may make. A brute-force attack needs thousands of guesses, and locking an IP address out after a handful of failures makes that impractical. The Cerber Limit Login plugin does this and lets you set the number of attempts, the lockout duration, and an IP blacklist or whitelist. Note that an attacker with many IP addresses can spread the attempts across them, so per-IP limits are a hurdle rather than a wall; they work best together with strong passwords.

Another good way to stop the bots used for brute forcing is to add a CAPTCHA to the login form.
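For readers who would rather not add another plugin, the following is an added example (not code from the original post or from the Cerber plugin) of the same idea implemented with WordPress's own hooks: failures are counted per IP address in transients, and a locked-out address is refused before the password is even looked at. The thresholds and the transient key prefix are assumptions.

```php
<?php
/**
 * Added example: a minimal per-IP login rate limiter.
 * Install as wp-content/mu-plugins/limit-login.php or paste into Code Snippets.
 */
define( 'LL_MAX_FAILS',    5 );                      // failures allowed per window (assumption)
define( 'LL_WINDOW_SECS',  15 * MINUTE_IN_SECONDS ); // window in which failures are counted
define( 'LL_LOCKOUT_SECS', HOUR_IN_SECONDS );        // how long a lockout lasts

function ll_client_ip() {
    // Assumption: no reverse proxy in front of PHP. Behind one, read the proxy's
    // forwarded-for header only after checking that REMOTE_ADDR is the proxy;
    // trusting X-Forwarded-For blindly lets an attacker choose their own counter.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_key( $name ) {
    return 'll_' . $name . '_' . md5( ll_client_ip() );
}

// 1) Count failures per IP and lock the IP out once the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( false !== get_transient( ll_key( 'lock' ) ) ) {
        return; // already locked out; do not keep extending the counter
    }
    $fails = (int) get_transient( ll_key( 'fails' ) ) + 1;
    if ( $fails >= LL_MAX_FAILS ) {
        set_transient( ll_key( 'lock' ), time() + LL_LOCKOUT_SECS, LL_LOCKOUT_SECS );
        delete_transient( ll_key( 'fails' ) );
    } else {
        set_transient( ll_key( 'fails' ), $fails, LL_WINDOW_SECS );
    }
} );

// 2) Refuse authentication while locked out. Hooked late (priority 100) on purpose:
//    core's username/password handlers run at priority 20 and would return a
//    WP_User for a correct guess, overwriting any WP_Error returned earlier.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = get_transient( ll_key( 'lock' ) );
    if ( false === $until ) {
        return $user;
    }
    $minutes = max( 1, (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS ) );
    return new WP_Error(
        'too_many_attempts',
        sprintf( 'Too many failed logins from your address. Try again in %d minute(s).', $minutes )
    );
}, 100, 3 );

// 3) A successful login clears the counter so genuine users are not penalised.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ll_key( 'fails' ) );
}, 10, 2 );
```

Because XML-RPC logins also go through wp_authenticate(), the same limit applies to credentials sent to xmlrpc.php, not only to the login form. Transients live in the options table (or the object cache if one is configured), so the counters survive across PHP processes on a multi-worker server.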

4.) Harden access to your WP-config.php file

wp-config.php holds the database credentials and the authentication keys and salts that WordPress uses to sign login cookies, plus other sensitive settings (the table prefix, debug flags and sometimes API keys). Anyone who can read it can connect to the database, create an administrator account or forge login cookies, so exposure of this one file is a full compromise.

Under normal conditions the file is never served: the web server hands .php files to PHP, which executes them and returns only their output. Its contents leak when that handling breaks, for example through a PHP misconfiguration made by the admin, a bug in another piece of server software, or a backup copy left next to it (wp-config.php.bak, wp-config.php~, wp-config.php.save and the like), which the server serves as plain text because it does not end in .php.

Move wp-config.php one directory up, out of the web root. WordPress already looks there: if wp-config.php is missing from the install directory, wp-load.php checks the parent directory (as long as the parent is not itself a WordPress install). If your host insists on a file in the root, a one-line stub can pull in the real one:

<?php
// Stub kept in the web root; the real configuration lives one level up.
require_once dirname( __DIR__ ) . '/wp-config.php';

This has no effect on the site, but the file with the secrets is no longer under the document root, so a web server misconfiguration can no longer serve it. Deny rules in .htaccess (a <FilesMatch "^wp-config\.php"> block, which also covers backup copies) are another option, but they are fragile: a host migration or a control-panel rewrite of the server configuration can silently drop them, so verify them after any server-side change. Finally, tighten the file permissions to the WordPress-recommended 440 or 400 so that other accounts on a shared server cannot read it; this can be done from your FTP/SFTP client or with chmod. The file must stay readable by the user PHP runs as, so 400 only works when that user owns the file; on shared hosting, 440 with the web server's group is the usual compromise.

5.) Disable XML-RPC

XML-RPC (xmlrpc.php) is the legacy remote-access interface of WordPress: the WordPress mobile app, Jetpack and some desktop publishing tools use it to post to your site. Every XML-RPC call carries the account's username and password in the request body; no cookie, nonce or second factor is involved, so those credentials are the only check. Anyone who obtains them can send their own requests and take over the site.

XML-RPC was designed for publishing in bulk, and that design helps attackers. The system.multicall method bundles many calls into one HTTP request, so a single request can carry hundreds of username/password guesses, which makes brute force faster and harder to rate-limit than the login form (recent WordPress versions abort the rest of a multicall after the first failed login, which blunts the trick but leaves the endpoint accepting unlimited separate requests). The pingback.ping method makes your server fetch a URL supplied by the caller, which has been abused to turn thousands of WordPress sites into a reflected DDoS source against third parties.

XML-RPC is a legacy feature that WordPress keeps only for backward compatibility; the REST API has replaced it for the block editor and modern integrations. Unless you rely on the mobile app or Jetpack, disable it. This can be done with a plugin or with a few lines of code.

Install and activate the Disable XML-RPC plugin.

Or add the following filter through the Code Snippets plugin:

add_filter( 'xmlrpc_enabled', '__return_false' );

Note that this filter only disables the XML-RPC methods that require authentication; pingback.ping and the system.* methods stay reachable. For a complete block, deny access to the file itself in .htaccess:

<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>

This blocks every request to xmlrpc.php before it reaches PHP. On Apache 2.4 the equivalent inside the same block is Require all denied; on nginx, or on managed hosting where you cannot edit the server configuration, the filter-based approach is the one available to you.
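Where the .htaccess rule is not an option, the whole endpoint can still be shut down from PHP. The following is an added example, not code from the original post or the Disable XML-RPC plugin: it answers 403 to any request that arrives through xmlrpc.php, and as defence in depth also removes the pingback methods and stops the site advertising the endpoint in headers and HTML.

```php
<?php
/**
 * Added example: disable XML-RPC from code, for hosts where the web server
 * configuration cannot be edited. Install as an mu-plugin or via Code Snippets.
 */

// 1) Refuse any request to xmlrpc.php before a single method is parsed.
//    xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, and 'init'
//    fires during that load, so this runs ahead of the XML-RPC server.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        header( 'Content-Type: text/plain; charset=utf-8' );
        exit( 'XML-RPC is disabled on this site.' );
    }
}, 0 );

// 2) Defence in depth, in case something re-enables the endpoint.
//    xmlrpc_enabled only covers the methods that need a login ...
add_filter( 'xmlrpc_enabled', '__return_false' );
//    ... so also drop the pingback methods, which need no login and are the
//    ones abused for reflected DDoS.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3) Stop advertising the endpoint: remove the X-Pingback response header and
//    blank the <link rel="pingback"> URL that themes print via bloginfo('pingback_url').
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After activating it, request /xmlrpc.php with a POST body calling system.listMethods: a 403 text response confirms the block, while an XML response listing methods means something else (a caching layer, or a plugin hooked earlier) is still serving the endpoint.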

6.) Hide sensitive information

The REST API is reachable by anyone at /wp-json/ and, by default, discloses more than you would want. An attacker who reads these endpoints collects information that helps escalate an attack on your site:

/wp-json/wp/v2/users/ lists every user who has published content, including the user slug, which is usually the login name.

/wp-json/wp/v2/pages/9 (or any post or page) can expose the hostname the site was built on, because the guid field keeps the URL the item was created under, which on a migrated site is often an internal or staging name.

The user endpoints can be closed with the following code, added through Code Snippets:

add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

However, the code above only removes the /wp-json/wp/v2/users/ routes, and it removes them for everyone, including the block editor, which uses that endpoint to fill the author dropdown. Other endpoints need their own route-specific code.

If you would rather not maintain that, the Disable REST API plugin can restrict the API to authenticated users. Do not switch the REST API off entirely: the block editor and many plugins depend on it.
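The username leak matters for tip 2 as much as for this one, so here is an added example (not code from the original post) that closes the gap without breaking the editor: every route under /wp/v2/users is removed for anonymous requests only, while logged-in users, whom WordPress has already authenticated by the time this filter runs, keep the routes.

```php
<?php
/**
 * Added example: hide the REST user endpoints from anonymous visitors while
 * leaving them available to logged-in users (the block editor needs them to
 * list authors). Install as an mu-plugin or paste into Code Snippets.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Logged-in requests (cookie + nonce, or an application password) are
    // already authenticated when the route table is built; leave them alone.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Remove every route under /wp/v2/users: the collection, /users/(?P<id>[\d]+)
    // and /users/me. Matching the prefix avoids listing each route regex by hand.
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

An anonymous request to /wp-json/wp/v2/users now gets a 404 rest_no_route response, and /wp-json/wp/v2/users/1 the same. Keep in mind that the REST API is not the only source of usernames: author archive URLs and the author field on posts still reveal which account IDs exist, so this snippet reduces the leak rather than removing every trace of it, which is why it belongs alongside the login hardening in tips 2 and 3.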

7.) User roles should be clearly defined

If roles are not assigned carefully, the wrong person ends up with access to sensitive functionality and becomes a security risk to the whole site. WordPress ships with built-in roles (Administrator, Editor, Author, Contributor and Subscriber), each granting a fixed set of capabilities, and a user gets exactly the data and actions their role allows. If your site has several kinds of users, for example administrators, writers and subscribers, give each account the least privileged role that still lets them do their job: a writer needs Author or Contributor, not Administrator. Users are added from the Users tab, where the role is selected, and WordPress then grants access according to that role. Review the user list periodically and remove accounts that are no longer needed.

Final words

In this article we shared some tips that can help with the security of your WordPress websites. Remember that the security of any platform is a subject of its own, and any platform or technology is only as secure as the practices you follow while building on it. These tips should be useful for anyone who is new to WordPress. I hope they help you secure your websites; if you found them useful, look out for more tips on securing different technologies and on other security and development topics. Until then, have a good day!
