Complete Set of Measures Necessary to Protect and Secure WordPress Website
Cyber attacks on WordPress websites have become more sophisticated than ever and many companies, no matter the size, are becoming susceptible to these attacks.
WordPress websites should not be left unmaintained
Once a WordPress website is built, many of us don’t fully realize that there are many critical steps that must be implemented to protect the website. Whether you have an informational website, an online store or a blog, this is related to you.
In spite of the fact that the WordPress security team comprises approximately 50 experts (which includes: lead developers, security researchers, and cybersecurity specialists that work day and night to address and resolve vulnerabilities facing a number of websites) many developers still encounter data security breaches on WordPress websites.
Websites that are not secure can cause any combination of the following issues (just to name a few):
- Compromised customer or financial data
- Loss of access to your website
- Web browser blocking
- Being banned from search engines
The issues mentioned above can result in less traffic to your website, loss of client’s trust, and a decrease in your profits.
The last thing you want to happen is to find out one day that your website was ruined or hacked.
According to The Open Web Application Security Project ®, there are several possible attacks that can happen to your website. Some of the most critical risks are injections, broken authentication, and sensitive data exposure. If you like to learn more about the Top 10 Web Application Security Risks visit the OWASP website to view the standard awareness document for developers and web application security.
For many of us, the WordPress site helps drive revenue, so it’s important to take some time and implement some strategies sooner rather than later.
Today I am going to share a number of tips and techniques that we use at Reverence Global that you can apply to improve the security of your WordPress site.
General Practices You Can Implement to Secure Your WordPress Site and keep It Protected.
1. Create Secure Logins and Passwords
People often use passwords that are quite easy to crack for cybercriminals. Today, the cracking tools are so sophisticated that 6-digit simple passwords are like dinosaurs. You need to be diligent and create passwords that combine uppercase and lowercase letters, special characters, and numbers.
Also, to prevent one of the very common attacks also known as a Brute Force Attack, you need to limit failed login attempts. Your hosting provider may offer this as a built-in solution.
2. Update Your Website Consistently to Prevent Vulnerabilities
Make sure your site platform and any other scripts you use are kept up to date. Every software is born with a potential for security loopholes.
But, through regular updates, the potential for exploitation can be significantly reduced. This is especially important for anyone using website tools that are open sources like WordPress and its plugin
- Update WordPress Plugins and Themes
On the WordPress.org official repository alone, there are approximately 58,000+ plugins and 5,000+ themes listed; however, WordPress does not guarantee that they are free from security vulnerabilities.
An intimidating fact about website hacking is that 98% of WordPress vulnerabilities are related to its plugins. It doesn’t matter whether WordPress keeps its core secure or not, the effectiveness of these security tactics does not apply to the plugins.
Developers of plugins and themes are consistently upgrading them, troubleshooting bugs, and other security improvements.
Here are some tips on how to choose reliable WordPress plugins and themes:
— They are sourced from the WordPress.org official repository
— Built by reputable developers
— Make sure that they are frequently updated
— They have a lot of good reviews and a detailed documentation
— Have a high number of downloads (100,000+)
- Update PHP Version
PHP runs on your web server and needs to be updated frequently. Upgrading to the most current version of PHP can help enhance your site’s security, speed, and overall performance and functionality.
According to the official WordPress statistics (effective Jan 2021), 18% of WordPress sites are using PHP version 5.6 and below. In addition, about 34% of users are using PHP 7.2, 7.1, and 7.0, which is not already actively supported. This means that more than half of the WordPress websites use an insecure version of PHP. This is terrible! - Update WordPress Version
WordPress releases new security updates and bug fixes fairly regularly. Sometimes these updates are quite efficient in fixing bugs and security vulnerabilities. They also come with rich features and new functionalities. If you have the latest version, it will make it much more difficult for hackers to access your site.
3. Choose a Reliable and Secure Web Hosting Provider
A website hosting provider hosts your database files and provides a way for your website to be broadcasted onto the internet.
The role of a hosting provider in ensuring your WordPress site’s security is huge, as some website hosts are less secure than others.
Ensure that the host you choose takes precautions such as SFTP or SSH. These methods are safer than standard FTP. Also make sure that the provider updates your core software regularly, configures SSL for each domain, has CDN or partnership with third-party providers, implements firewalls and scan systems for malware regularly.
A word of caution! Avoid using shared hosting services as they can make your website vulnerable and expose it to outside threats.
4. Use HTTPS Secure Encrypted Connection for Your Website, Otherwise Known as SSL Certificate
You might already know about this, these days it’s mandatory that all websites have encrypted connections because it establishes a secure connection between a website and a browser.
You also need to think about your users’ privacy. When the users register or authorize their credentials on an HTTP site, their personal data is transmitted to the server in the form of a simple text message.
Most web hosts these days provide SSL certificates and automatically configure web servers to support HTTPS connections.
5. Make a Backup of Your WordPress Website, Database, and Files
Data backups are critical to ensure website restoration in the event that your website has crashed or if you’ve had a cyber attack. Keeping at least two sets of backups is ideal, one on-site and another one off-site. Remember to include your database in the backup, not just your site files.
6. Disable User Registration in WordPress Dashboard
If your site is purely informational and does not need users to register, disabling user registration can help secure your WordPress site from additional vulnerabilities.
Registration can easily be disabled directly in the WordPress dashboard without any plugins.
7. Stop User Enumeration
User Enumeration is a type of attack where hackers can use special techniques to discover your login name. To prevent this attack, choose a user display name that is different from the user name. You can make this change in the user’s dashboard area.
Once you have implemented the general practices, you can utilize these Advanced Practices to Further Strengthen the Security of Your WordPress Website.
8. Hide Your WordPress Admin and Login Pages
The initial authorization URL of your website looks like this: domain.com/wp-admin or domain.com/wp-login.php. The problem behind keeping these URLs is that everyone knows they are standard practice.
By changing the WordPress login page, you can protect yourself from Brute Force Attacks and eliminate a lot of resource-wasting bot traffic to your site. This is not a solution to all problems, but a simple trick that can definitely help keep your website safe.
9. Remove Unused Files and Folders
Play safe to limit any possible liabilities and take preventive measures to improve the security of your website. This means that you should avoid keeping any unused files on your server.
Unused or unnecessary files on your server can make your website vulnerable to malware attacks!
Here’s an example of unnecessary WordPress files that you can remove or deny access to:
— wp-config-sample.php
— readme.html
— license.txt
— Backup files
— Log files
— Version control files
— Temporary/Test files
10. Protect Your WordPress Configuration File
The WordPress configuration file wp-config.php holds important structural information about your site. This includes security keys and database login details in plain text. This information should be protected from outside access to prevent malicious attacks.
According to the WordPress documentation, the permissions for the wp-config.php file must be set to 440 or 400 to prevent other users on the server from reading it.
Deny access to the file or move it to one directory above your WordPress installation so bad guys cannot access it.
11. Protect WordPress Installation File
Did you know that if you visit yourdomain.com/wp-admin/install.php on your website or any other WordPress websites you’ll see this page?
This is fine because you already have WordPress installed and established a connection with your Database. But what if hackers could sabotage the connection just for a split-second by DDoS or SQL Injection attack? They probably will be able to see this page:
Don’t give hackers the opportunity to replace your WordPress site with their own installation. Deny access to your install.php file to prevent this from happening!
12. Update WordPress Security Keys
Security keys in WordPress are like a cipher — a collection of randomly generated characters that are used to encrypt user cookies. When you install WordPress, keys are usually generated automatically. However, sometimes it is important to keep updating them occasionally.
The WordPress official site has a free tool that you can use to create new unique keys and replace them in the wp-config.php file. This means that all users will have to login again.
13. Avoid Using .htaccess File in PHP
You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache HTTP server. This file can also be used for injecting unrelated content, hiding backdoor scripts, modifying other files, overriding security or server configuration settings, hiding malware, redirecting traffic to their own websites, and more!
Leaving a .htaccess file vulnerable is like leaving the door wide open for unauthorized access to your website and other attacks that can decrease your search engine ranking or get you blacklisted from Google.
Any directive that you can include in a .htaccess file is better set in a Directory block, this will have the same effect with better performance.
14. Hide WordPress Version
If there is a particular reason that you don’t keep your WordPress version updated, it would be a good idea to hide it. The fewer outsiders know about your site configuration, the better. If they see that you are using an outdated version, it can be a great signal for attackers to target your website.
By default, the WordPress version appears in the header of your site’s source code.
15. Configure HTTP Security Headers
Another way to improve your WordPress security is to utilize HTTP security headers. The security headers are configured at the webserver level and tell the browser how to behave when working with your site’s content.
There are many different HTTP security headers, but the following are the most important ones:
: Content-Security-Policy
: X-XSS-Protection
: Strict-Transport-Security
: X-Frame-Options
: Public-Key-Pins
: X-Content-Type-Options
: Permissions-Policy
You can check which headers are currently running on your WordPress site by crawling the website with Security Headers Report.
16. Secure WordPress Database
Another important step to take to harden your WordPress database is to use a unique database name. Changing the database name to something more obscure makes it difficult for hackers to identify and access your database details.
During the installation process, anything other than wp_ (for example, something like this: xt_fd46efrf_ ) is going to help to significantly secure your WordPress database.
For already installed websites, changing the WordPress database prefix requires a bit more steps and web development skills.
17. Check Permissions for Secure Files and Folders on Your Server.
File access rights are critical to improving your WordPress site’s security. If the restrictions are too loose, someone can easily break into your site and cause damage. On the other hand, if the restrictions are too strict, it can break the functionality of your site. Therefore, it is important to have the correct settings.
All files must have permissions 644 or 640. The only exception is wp-config.php. This must be 440 or 400 so that other users on the server cannot read it. All directories must have rights 755 or 750. You do not need to grant 777 rights, even for the /uploads directory.
18. Disable XML-RPC on Your WordPress
XML-RPC is a specification that enables the communication between WordPress and other systems. This specification has increasingly become a common target for Brute Force Attacks.
When xmlrpc.php makes a request, it sends the username and password for authentication. If you are running WordPress version 4.4 or higher, it already uses the REST API to communicate with external systems, so you don’t need xmlrpc.php, it should be disabled.
Not sure if XML-RPC works for your site? Use Automattic’s free XML-RPC Validator to find out.
19. Disable File Editing in WordPress Admin Panel
Many WordPress sites are operated by multiple users and administrators. While at times this may be necessary, giving authors or editors admin access can be a bad practice for your site’s security.
It’s important to give users the correct roles to avoid any violations. Therefore, it may be useful to simply disable the “Theme Editor” in WordPress.
Conclusion
WordPress is one of the main targets for hackers and it may be because it has a massive user-base.
In this article, I’ve listed several ways to secure and prevent vulnerabilities on your WordPress website. If you’d like to learn the steps to implement the security measures mentioned in this article, you can easily find resources online. Use this post as a checklist to make sure you’ve got everything covered.