There is no single, foolproof method of keeping your website secure and impervious to attacks. If hackers can wander around US government websites, and hack banks and mega-rich companies like Sony, you can be sure that a determined hacker on a personal mission against you will be able to find a way into your site. It’s a sad statement, but true. It probably won’t happen to you, but it might, and it certainly can. That’s where backups become an essential part of your security planning. If your hosting company does daily site backups and keeps an archive of restorable backups, you’re mostly covered, but we’d still recommend getting a good backup plugin and doing full daily backups. The most popular backup plugin, BackupBuddy, also allows you to move or duplicate a website to a different domain. Don’t store the backups on your server if at all possible: a backup sitting next to the site it protects is lost, or tampered with, along with the site. Store your backups with services like Dropbox, or download them to your local PC and keep them on a removable disk. We keep daily backups from the past 60 days. All it takes is a few minutes of your time to ensure that if someone corrupts your site you can simply delete the whole thing and replace it with a full working copy.
Modify .htaccess for improved security
You don’t really need to know much about .htaccess, so let’s just say that it’s a (usually hidden) configuration file that Apache reads from your site’s folders and that, among other things, controls who may access which files. This section assumes you have cPanel access to your server, or similar. If you don’t have server access, or your site runs on nginx, which doesn’t use .htaccess, you just need to ask your hosting company to make these changes (or their equivalent) for you.
NOTE: Before you do anything mentioned below, take the time to read the ‘Firewall’ section further down the page. If you choose to use the plugins mentioned, you won’t need to play with your .htaccess file yourself – the plugins will do it for you.
Firstly, if you visit your site control panel and then open the file manager, you should see all the files on your server. Your .htaccess file will be in the domain root (/public_html/) but may not be visible. If you can’t see it, click the settings button (top right of screen) and choose the option to display hidden files. Once you find it, you need a backup version of it, just in case you make mistakes editing it and end up locking yourself out of your site, or breaking your site (it happens). I’d always recommend using a good text editor such as Notepad++ (it’s free) and copying your .htaccess contents straight into a backup file saved on your PC.
Caution – .htaccess is a powerful file. After you make changes to it (and save them) test that you can still use your website! It’s the easiest thing in the world to ‘break’ your site. If something goes wrong, simply undo your last action and save it again. Your problems should have gone away – if not, paste your backup version into place. THAT will always work, assuming it wasn’t already defective!
So, where to start? You’ll find the standard block that WordPress adds to your .htaccess file upon installation. It sits between the comment lines ‘# BEGIN WordPress’ and ‘# END WordPress’.
Don’t touch this bit. Don’t alter it, and don’t add anything between the BEGIN and END lines.
Paste the code below into your .htaccess file.
This does three things: the first line stops anybody seeing an index (listing) of your folders (you can also switch this on via cPanel), the second block prevents anybody fetching your wp-config.php file over the web, and the last protects .htaccess itself.
We have seen lots of articles suggesting that you should use .htaccess to restrict access to wp-admin to specific IP addresses, those belonging to the site administrator, obviously. Most people seem to have dynamic IP addresses (mine resets every time I reboot my PC or modem, for example), so restricting access to a single IP could lock you out of your site if your IP changes.
However, you can restrict access to your pool of IP addresses instead. For example, if your IP address today is 10.220.55.110 and normally only the last group of numbers changes, you can restrict access to the range 10.220.55.xxx. If the third group changes too, you could restrict access to 10.220.xxx.xxx (x meaning any number). It’s probably safer to assume that your IP address can include different third or fourth groups. Bear in mind that the wider the range you allow, the more of your ISP’s other customers share it with you, so keep it as narrow as your connection allows.
Let’s say then that you want to be able to access your website as administrator from your home, and your office. To do this, you first need to find out the IP address at both locations. That gives you your starting point. Let’s say your IP address at home is 10.220.55.110 today. To restrict access to wp-admin ONLY to computers using the pool of IP numbers that your home PC uses, paste the following into your .htaccess file:
Then do the same for your office IP address, or wherever else you will want to be able to access the site.
If you do this, and your site theme or plugins use Ajax, some things might break for ordinary visitors, because WordPress routes front-end Ajax requests through wp-admin/admin-ajax.php, which your rule would now block for anyone outside your IP pool. To prevent this from happening, add the following code to your .htaccess after the code above.
If you are the only person who needs to log in to your site (so, no registered users) you can do the same thing with your wp-login.php file. Obviously, it’s no use to you if you plan to have, or have, other people who need to be able to log in. If you are the only person who needs to log in, you can use the code below (using the same logic with the IP address).
If you want to use all of these snippets, here they are in one block. Remember to adjust the IP addresses and delete the explanatory text inside the (brackets).
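For reference, here is the whole set as an added, illustrative .htaccess block written for Apache 2.4 (this is not the article’s own snippet): directory listings off, wp-config.php and .htaccess blocked, wp-admin limited to two address pools with admin-ajax.php exempted, and wp-login.php limited to the same pools. The home pool 10.220.55.0/24 follows the article’s example; the office pool 10.221.7.0/24 is a constructed placeholder.

```apache
# Added hardening block for Apache 2.4 (mod_authz_core + mod_rewrite).
# Illustrative example, not the article's own snippet. Put it in
# /public_html/.htaccess ABOVE the "# BEGIN WordPress" marker, never
# between BEGIN and END. The address pools are constructed placeholders:
# 10.220.55.0/24 is the article's "home" pool, 10.221.7.0/24 an assumed
# "office" pool. Replace both with your own before saving.

# 1. Stop Apache generating folder listings.
Options -Indexes

# 2. Nobody fetches wp-config.php over HTTP (PHP still reads it from disk).
<Files "wp-config.php">
    Require all denied
</Files>

# 3. Protect .htaccess and .htpasswd themselves.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 4. Only the home and office pools may reach /wp-admin/. admin-ajax.php
#    is left open so themes and plugins that use Ajax for logged-out
#    visitors keep working. Anything else from outside the pools gets 403.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{REMOTE_ADDR} !^10\.220\.55\.
RewriteCond %{REMOTE_ADDR} !^10\.221\.7\.
RewriteRule .* - [F,L]

# 5. Single-user site only: the login page accepts the same pools.
<Files "wp-login.php">
    Require ip 10.220.55.0/24 10.221.7.0/24
</Files>
```

After saving, load the site and /wp-admin/ once from inside a pool and once from outside it (a phone on mobile data will do) and confirm that only the outside request receives a 403. If your host still runs Apache 2.2, the Require lines need the older Order/Deny/Allow syntax instead.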
Password-protect your wp-admin directory
As an alternative to protecting wp-admin with .htaccess, you could password-protect your wp-admin directory with cPanel. Doing that is quite simple; open cPanel and look for ‘password protect directories’ in the security section. Once the navigation screen opens, navigate to wp-admin (click on the folders to open them and move up a level) and then click on the name of the wp-admin directory. Once you do that you will be taken to a new page where you can give a name to the folder you want to protect, then create users and passwords. Once you’ve done this, anybody who tries to log in will be presented with another username and password box which they’ll need to complete before they can actually log in. It’s fairly straightforward. You’ll need to set up a username and password for each user – with strong passwords, of course. This is probably the simplest way to add a second login layer, though since both steps are passwords it isn’t true two-factor authentication.
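What cPanel’s directory protection actually writes is an HTTP Basic authentication block in wp-admin/.htaccess. This added example (not the article’s or cPanel’s own file) shows the equivalent by hand for Apache 2.4, including the admin-ajax.php exemption that the earlier Ajax caveat also needs here. The password-file path and user name are constructed placeholders.

```apache
# Added example for /public_html/wp-admin/.htaccess on Apache 2.4.
# Not the article's or cPanel's own file. The password file must live
# OUTSIDE the web root; the path below is a constructed placeholder.
# Create it once from a shell with (bcrypt hashes, -B):
#   htpasswd -B -c /home/EXAMPLE_USER/.htpasswds/wp-admin/passwd admin_user
AuthType Basic
AuthName "Administrators only"
AuthUserFile "/home/EXAMPLE_USER/.htpasswds/wp-admin/passwd"
Require valid-user

# Front-end Ajax goes through wp-admin/admin-ajax.php. Without this
# exemption, logged-out visitors would hit the password prompt and any
# theme or plugin feature that relies on Ajax would break for them.
<Files "admin-ajax.php">
    Require all granted
</Files>
```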
If you want to add two-factor authentication for all users, you might consider using a plugin specifically for that purpose. WPClef is quite popular, and free. Remember to read the plugin FAQ before trying to install and use it.
Scan your site to be sure it’s clean from infection
The old adage about shutting the barn door after the horse has bolted springs to mind here. If you’ve read this article and copied every suggestion, it won’t help you an awful lot if your site was already corrupted and infected. So, before you do too much, just reassure yourself that your site is okay. Probably the best way to test your site is by using a third-party scanner such as the free security scanner provided by Sucuri. As the site itself says, the results aren’t guaranteed to be 100% accurate, but it’s a damn good place to start! Other companies offer scanning and security assessment tools, such as hackertarget.com, but these are not free.
So, that’s DIY security covered. What next?
If you’ve gone for managed WordPress hosting with a company that actually provides what it advertises (not all do) you will find that a large part of your website security is dealt with by your hosting. They’ll probably have an FAQ explaining exactly what security hardening measures they employ. They might also restrict you and the plugins you can use, either for the sake of security or performance. This might be because your hosting already employs a firewall or security measures that will conflict with plugins that you planned to use. It’s well worth reading up on prospective hosting in advance. However, for this article we’ll assume you’ve got ‘normal’ hosting and need to take care of security yourself.
Get a firewall!
It’s worth noting that if you choose to use either or both of the plugins mentioned below, you won’t need to mess about with your .htaccess code yourself, as the plugins do the work for you!
If you’re looking for a low-cost solution, then having used and tested both on multiple domains, we’d recommend ‘NinjaFirewall’ and ‘BulletProof Security’. They both perform very well, are well supported and are both free.
Installation and setup of NinjaFirewall is very easy. Despite that, you’ll find plenty of advice available on their website explaining how to set it up, if you need it. Installation of BulletProof Security is, in our opinion, more complicated. However, there are plenty of notes explaining what to do, and the plugin is as well supported as any free plugin we’ve ever used.
Even if you have to pay for it, we’d strongly recommend the premium version – BulletProof Security Pro – for which AIT charge a one-off fee of $59.95 (includes support and upgrades for life), and the plugin can be used on as many domains as you own. That’s about as good a deal as you’ll find anywhere. Having had personal experience of the support on offer, we’d go so far as to say it’s the best security plugin available.
The Pro version is easier to set up, having a setup wizard that does almost everything for you. If you still struggle, there are some handy ‘how to’ videos on their website in addition to normal support. In terms of effectiveness, the plugin authors state:
“BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000+ websites in 5+ years have been hacked.” That’s a pretty mean record!