How To Secure WordPress Site
Essential WordPress Security Tweaks, Tips&Tricks: Basic and Advanced.
WordPress’s overwhelming popularity makes it a target for hackers. Specifically, it’s seen thousands of attacks by botnets (networks of computers infected with malicious software) trying gain entry into these sites by brute-force.
Most of these attacks are using the simplest method possible to gain access to a site: trying username and password combinations until they can login. This method relies on user error in that a lot of WordPress users are unaware of their responsibility to keep their site secure.
When that’s the case, the botnets can try to log in to these sites countless times, since there’s simply nothing to stop them from it.
Why is WordPress being targeted by hackers?
Since December 2020, WordPress CMS is the most used form of script utilised in the Website Development Process from the Entire WWW. Hand-coded languages (excluding the Content Management Systems / CMS. HTML language is a good example) have been the most used kind of websites since the WEB was born. And from December 2020, this title has been awarded by WordPress.
Users that aren’t proactive in protecting their site or don’t update old plugins/WordPress versions, can unknowingly be exposing potentially major site vulnerabilities. Here are some tips to help you better secure your site against attacks. If you don’t have time to administrate your Business Website, you can check my offer: WordPress Maintenance
Is WordPress CMS secure?
Yes, WordPress CMS is one of the most secured forms of Web. WordPress suffers from minor security issues every now and then. Some of these security loopholes are patched quickly due to the active developer community. However, most of the security issues can be avoided by hardening the WordPress setup.
This guide forces the approach of better security practices that you can follow to safeguard your setup from common threats. You’ll learn some common fixes that can help your WordPress setup. You’ll also learn about files which are required to be modified in order to harden the security.
Never take WordPress security issues lightly!
Even minor plug-in or theme change can lead to a security flaw in WordPress. Remember, as software evolves so does the security flaws. The best thing that you can do is take precautions and avoid the common grounds from which security flaws are likely to affect your WordPress site.
Basic WordPress security tips for a safer, more secure WordPress install – Secure WordPress Site:
ATTENTION! BEFORE CHANGING ANYTHING, MAKE A BACKUP COPY OF YOUR WORDPRESS SITE!
1. Change your admin username
Do not use admin as a username for your site. This is the most targeted username these attacks use. Other usernames to avoid are administrator, manager, root, support, test, and user.
To change a username in WordPress:
2. Strong WordPress password: BE CREATIVE!
Creating a WordPress password that contains numbers, symbols, lower and uppercase letters, and lots of characters, you’re making it a lot harder for those nasty bots to guess your password. Here’s a list of passwords that you should definitely avoid:
Worst Passwords of 2020:
I would also suggest staying away from passwords like ‘WordPress’ and ‘admin’ – you get the idea.
Strong password=Safe website.
WordPress Secure Passwords
There are some of the services that offer to generate secure and longer passwords (even cPanel provides you this kind of feature). Here are some of the options to generate the secure passwords. You can also use programs like Lastpass to store your passwords and use it for the autologin.
Don’t store the passwords in the normal text or word files. Don’t store the passwords in the FTP programs. Don’t store passwords in any program that gives access to any other user than you.
3. Update update update!
WordPress is updated every so often and with that, problems are fixed. Security issues which come to light are addressed, and by not updating you are creating vulnerabilities. It’s important to keep your WordPress installation up to date, and especially true for plugins and themes.
Since this is the case, it’s also a good idea to remove all of the plugins that aren’t used on your site. Always make sure to backup your site before making any changes (installing new plugins, tweaking the theme, updating plugins or theme, etc).
If your WordPress site is managed by me then you don’t have to worry about this, I take care of everything.
4. WordPress Security Plugins
Free or Premium Plugin
It is not easy to select the type of the plugin suitable for your setup. Some of the premium plugins are suitable if your WordPress data is critical for your business. If you run a hobby blog or non-commercial blog, you don’t have to invest into a premium plugin. Keep in mind, the more important data that is being handled by WordPress, the harder your security setup should be.
How Many Plugins?
I have listed plenty of plugins for you to choose from and to install on your dashboard. However, you don’t have to install a lot of plugins. For example, If you are the only person to log into your WordPress dashboard, you don’t need many login security plugins. You can use the plugins that get you minimal security without having to reduce the performance of your WordPress setup. Do note that some of the hosts do not allow certain WordPress plugins.
So always consult with your hosting service before attempting to use any plugin that modifies your WordPress setup.
How to Choose a WordPress Security Plugin?
In order to choose a right plugin for your WordPress setup, use the following checklist.
✔ is used instead of the “check” word.
✔ for the number of downloads. Select the higher downloaded plugin.
✔ how many issues are reported in plugins forum in WordPress.org site.
✔ the plugin authors activity in the Forum. Another best way is to search on Reddit.
✔ the number of updates of the plugin. Ignore the star rating of the plugin.
✔ how the plugin makes use of unique namespace items.
✔ how the plugin makes use of settings API in the features.
✔ the Hooks, Filters, and Actions inside the plugins.
✔ if the plugin has properly sanitized data and MySQL statements.
✔ the plugin that does one task really well.
✔ the plugins that use nonces instead of browser cookies. If the more than one plugin does the same task, choose the plugin with higher download count and reviews.
✔ the reputation of the plugin author in the WordPress community.
These are the criteria to look at while selecting the security plugin from the WordPress Support repository. If you choose to install the premium version of the plugins then you have to search online for the reviews. Also, test drives their free plugin or trial service before you buy the plugin.
a. WordPress Security Plugins List
Installing some of the essential plugins can ensure safety to your WordPress setup. Here are some of the plugins that I have personally used on many WordPress sites.
Sucuri is one of the most WordPress Security plugins in 2021. They have free&premium version. Sucuri also provide security improvement suggestions and tweaks, in order to keep your website safe. Sucuri Security have the following features: Auditing, Malware Scanner and Security Hardening.
Wordfence is a very straightforward and easy to use plugin. It acts as a firewall and anti-virus, as well as suggests how to improve your site’s security. Make sure to check out the ‘Live Traffic’ section, you can see all the failed login attempts to your site, it’s surprising.
iThemes Security (formerly Better WordPress Security)
iThemes Security This plugin will give you a more detailed review of what you can do to protect your site and more intricate security options. Be careful when activating settings that could conflict with other themes or plugins. These are highlighted in blue in System Status.
b. Other WordPress Security plugins:
WordPress Firewall avoids SQL injection attacks, brute force attacks, and Spambot registration attacks. It also notifies you via email when any live attack happens on your site. If you don’t like email notifications, you can disable it. It also comes with one handy feature which allows you to block the IP that regularly attempts to attack your WordPress setup. You can also blacklist certain IP address for additional protection. If you want some of the IP address in a whitelist, the plugin has an option that lets you do that.
Block bad Queries plugin is designed to monitor the request URI in the WordPress dashboard. This way it can filter out some of the common attacks. This plugin checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. Block bad queries does a completely different job to that of WordPress firewall 2. So it is necessary to have this plugin installed with WordPress Firewall 2.
It keeps track of every change in the WordPress installation. It keeps log of the changes in the files of WordPress directories. It notifies you of the changes that take place in the files. If any hacker gets access to your themes and plugins and rewrites new information on any of the file, you’ll get the notification of the changes. This plugin is handy to understand which file to rollback in the previous state. You can use the backed-up files to restore the unaffected file in that place. In order to do this, you need to have a different backup plugin or manual backup on regular basis.
AntiVirus plugin helps your WordPress setup by scanning the files for malware and virus. This plugin detects every single change in file and reports in the dashboard. It does raise the false positives sometimes when it triggers the change in require_once, includes and other updated snippets which are genuine yet reported as malicious code. If any theme uses eval, base64_decode or shell_exec then It’ll notify in the report. You can then replace such themes with those which has a more secure code.
Use fail2ban along with WP Fail2ban Redux. This will catch would-be hackers scanning your website for vulnerabilities and ban them early.
WP-Bruiser is mostly used as a no-captcha method to block spam bots in your comment, contact, registration and login forms, but it also includes some useful brute-force protections, and a feature that notifies you anytime an administrator logs in. These features are available for free. This is a great light-weight option.
c. WordPress Database Backup Plugins:
You can save a lot of headache of recovering your site if you take regular backup. You can schedule some of the plugins to automatically backup your site when you post or certain times during the week. When it comes to WordPress backup there are plenty of solutions. Here we are going to discuss three methods: plugins, hosted backup services and manual backups.
WordPress Backup Plugins – These plugins can help you take backup your WordPress posts, comments, and other settings and store it wherever you wish. Some of them offer the feature of emailing your backup or uploading it to a remote server like Amazon S3, Dropbox or any other backup service.
Manual Backup – In this method, you have to take backup of the setup and keep it safe on your own. You have to store the backed up data to any other place than the hosting server. There are free and paid backup plugins available for the WordPress. You can choose one that fits your needs.
Hosted Backup Service – These services integrates with the WordPress setup and take a regular snapshot of the WordPress setup. They are basically plugins that are connected to the backup server. In this article I will talk about the first two methods.
Most of the free plugins that upload the data to dropbox or send data via email are preferred by the WordPress community members. If your WordPress data is critical then subscribing to the service like Vaultpress or Codevault is much better option. You can also use premium plugins like backupbuddy or backupify to backup your data.
The more important your data, the better to get your backup to hosted solution.
Here are some of the backup plugins that can solve your backup and monitoring requirements:
This is a free plugin that is very handy for uploading your database backup to external services like dropbox, amazon s3, Google drive and few other backup services. Restore option for a fresh install is included in the plugin. It doesn’t have active support in the forums but for the free plugin it gets the job done and doesn’t have critical bugs.
Very popular for backing up the database. It is very simple to use this plugin. It does only one task – which is backing up the core database. You don’t get to choose the backup location. You can’t backup posts and other files. There isn’t much support provided for this plugin. But considering the ease of use and quick backup of the database, this plugin is perfect for newbies who can’t use other advanced plugins.
If you can’t afford any other method of the backup service, you can backup your data manually to Google drive, dropbox or local computer. In this method, you can use any of the database backup plugins to download the archive that is generated by the plugin. Alternatively, you can also backup the data from /uploads folder for backing up images and other media files. Posts and comments along with core settings can be downloaded by following these instructions.
Click on Tools then go to the export page. In this page, you have to select all the posts and pages and click the export button. You get WXRS file that contains the data from the WordPress core. This is basically an XML file that has the structured data which you can use to restore your posts. If you can’t afford premium plugins or service for the backup. You can use free plugins that can store the backup on Dropbox or Google Drive. These two backup services can host your blog backups for free. If by any remote chance if your backup exceeds the data limit of these services, you can then go ahead and purchase the yearly subscription for storage.
5. Install a Secure Sockets Layer (SSL) certificate:
In ourdays, you have two options for the SSLs: Free SSL certificate and Premium SSL certificate.
One of the best providers of Free SSL certificates is Let’s Encrypt. A 2021’s relevant hosting provider will add this feature for free on it’s hosting clients.
For the premium SSL certificates, you have a lot of options. Premium SSL certificates are an enhanced form of the standard SSL certificate used by eCommerce websites to secure online transactions. Of course, you can use this kind of SSL certificate for your basic WordPress site, too, but for medium and big sites, where people provide personal information, credit card informations, etc, it is imperative to use a Premium SSL certificate.
A premium SSL certificate’s price starts from $5/yr and goes up to $1,999/yr for a ) SSL certificate.
Why to use a SSL certificate?
Not only it will secure your WordPress site, but using a SSL certificate in 2021 is a MUST. Without SSL, your site visitors and customers are at higher risk of being having their data stolen. Your site security is also at risk without encryption. SSL protects website from phishing scams, data breaches, and many other threats. Ultimately, It builds a secure environment for both visitors and site owners.
6. File Permissions
Each file on the Linux or Unix based web server has read, write and execute levels. Users who access these files are divided into three groups – user (owner), group and the world. You can make your website more secure if you set the file permissions that restricts the anonymous users and group from modifying them. As you can see by default webserver sets some permission levels for you. Common permissions that you’ll find on a web server.
As you can see the level of strictness from these permissions, you should stick to 644 and 755 when you modify the permission levels. By default, WordPress sets file permission to 644 and folder permission to 755.
You should never set any file or folder to permission 777. Some cache plug-ins require you to set the permission of the plug-in folder to 755, if your webserver overrides it to 644. Permission settings vary from one host to another. It also depends on the Operating system that is used on the hosting account. You may find a completely different way to set the permission level for windows server.
When you upload the files to the webserver via FTP or web-based uploader, check the permissions.
7. Think about Cloud Managed WordPress Hosting Services
Hosting your WordPress platform on cheap, shared servers may put your site at more risk – you have no control over what other users on that same server will do, and that can potentially compromise your site.
In addition, performance can degrade over time as the hosting provider adds more users onto that server, having you fight amongst each other for resources.
Why to avoid a cheap shared WordPress hosting and choosing an expensive one?
A good hosted WordPress service can help keep your site fast and secure by:
I provide WordPress Cloud Hosting services for my clients. Read more here: LiteSpeed WordPress Hosting
Advanced WordPress Security Tips – Secure WordPress Site
ATTENTION! BACKUP YOUR WEBSITE BEFORE DOING ANY OF THE FOLLOWING CHANGES. ALSO, DO A BACKUP AFTER EVERY CHANGE YOU MAKE, IN ORDER TO SAVE IMPORTANT TIME!
1. Add a server-level layer of authentication
Having anybody being able to access your /wp-admin login screen makes it easier for hackers and bots to do their damage.
Adding an additional level of security on the server-level ensures that you are the only one who has control of who can and can’t access /wp-admin in the first place. In order to secure WordPress site, you should follow the next tips:
There are a few ways to do this:
a. IP Restrict /wp-admin
White-list only your IP (and those you trust) in your .htaccess file to ensure /wp-admin is only accessible by authorized people.
b. Add these lines to your .htaccess file:
c. Add HTTP authentication to /wp-admin
Add an additional username/password credential via .htpasswd to /wp-admin. Users can’t even view the WP login page until they provide the appropriate username and password on the .htpasswd level.
2. Restrict WP-CONFIG.php access
If you can access the file, change the permission to 0644. If you don’t have access, ask your hosting provider to do this.
3. Stop the Login Hints:
I don’t know why WordPress keeps this setting, but you have to get rid of it ASAP. To disable login hints, you have to add the following code to the function.php file:
4. Change WordPress Admin URL
To change the WordPress Admin URL, follow these steps:
1. Add constant to wp-confing.php
2. Insert below filter to functions.php
3. Add this to .htaccess file
After these steps, your WordPress admin URL will be like: http://www.yoursite.com/hidden-folder/
Secure WordPress Site: Conclusion
Although WordPress has seen a huge increase in attacks from hackers, with a few adjustments and some awareness you can keep your site safe from hackers. Matthew Mullengweg, the founding developer on WordPress notes in his blog that if you change your admin username, ensure you have a strong password, and keep your site up to date, “you’ll be ahead of 99% of the sites out there and probably never have a problem.”
This content was originally published here.