Keeping your WordPress Site Secure

If you search Google for advice on keeping WordPress secure, you’ll be amazed by the sheer volume of articles talking about how hackers can get into your site. Reading posts on sites like Facebook can be much more scary, with bitter posts from ‘Eddie from Edmonton’ complaining about how his site was hacked through no fault of his own and started sending thousands of spam emails. But, if you read enough posts from Eddie and his fellow complainers, you’ll soon realise that the hacker’s most effective tool, and your site’s biggest vulnerability, is YOU. The good news is that you don’t need to be an expert to improve WordPress security!


Moving on from that and assuming you’re not Eddie, it helps to have some understanding of how WordPress sites are attacked and what hackers are actually trying to do.

  • Hackers use automated scripts to find your login page and guess admin usernames and passwords (brute-force and dictionary attacks).
  • They send crafted input that your site passes, unchecked, into database queries, so that the database gives up sensitive data or accepts changes it shouldn’t (SQL injection).
  • They change the code of your website so that it does whatever they want, which might include serving malware to your visitors’ computers (code injection).
  • They inject scripts into your pages that run in your visitors’ browsers, for example to create fake input forms that steal credit card details or your admin username and password (cross-site scripting, XSS).
  • They steal your authentication cookie or session information, which lets them act as you without ever knowing your password (session hijacking).
  • They redirect your visitors at the DNS level to a server they control, which may carry a whole range of malicious code (DNS spoofing or hijacking).

How these attacks are carried out varies, but most are done on these levels:

  • Client level (your operating system and browser)
  • Website level (software, e.g. WordPress, themes and plugins)
  • Server level (e.g. hosting)
  • Network level (via insecure connections, such as public wi-fi)

So, where to start?

Check your PC for viruses and other malware

If your pc is already infected, or becomes infected at some point in the future, all your work improving WordPress security will go down the toilet. If your pc is cheerfully mailing your admin logins and passwords to a hacker, you may just as well post them on facebook for all to see. So before you start thinking about website security, be 100% sure your pc isn’t cheating on you!

Get decent hosting

As we said in our original post on WordPress security, there’s no point in wasting too much time on website security if your hosting isn’t good enough. No matter what you do at a site level, if your hosting isn’t good enough, you’d be better served reading an article on how to clean up wordpress after it has been hacked. Find a decent host, with a good reputation and up to date servers and systems.


Get an SSL Certificate (https)

Have you noticed that every online store you visit shows a padlock on the left of the address bar, and that its URL begins with https instead of http? This tells you that the website has an SSL/TLS certificate and that communications between you and the website are encrypted. It does not tell you that the site itself is honest or well run; a phishing site can have a padlock too.

Explained in simple terms, when you visit a website there is a continual flow of information between your computer and the server the website is on. If your website doesn’t have a certificate and uses plain http, that data is not encrypted, and anyone on the path (the café wi-fi, a compromised router, your ISP) can read it, copy it, or inject their own code or malware into it. If your website has a certificate and uses https, the data sent to and from the server is encrypted and its integrity is checked. Someone on the path can see that your visitor is talking to your site, but can’t read the traffic or tamper with it. For WordPress specifically, https matters most for the login page and the dashboard: without it, your admin username and password cross every network between you and the server in clear text. Money is no excuse here; certificates are widely available free nowadays. And, a little extra good news, Google prefers https.

Many hosting companies now let you add a free certificate through Let’s Encrypt, usually as an option in the hosting control panel; if you can’t find it, ask your host.

Change the standard wp_ database table prefix

During installation WordPress lets you change the standard wp_ database table prefix to anything you want. Some automated attack scripts assume your tables are called wp_users, wp_options and so on, so a different prefix can make those scripts fail. Be clear about what this buys you, though: it is obscurity, not a fix. A genuine SQL injection flaw is just as exploitable with a different prefix, because the attacker can simply ask the database for its table names first. Change the prefix if you like, but it is no substitute for keeping plugins updated. Some security plugins (for example ‘BulletProof Security’) let you change it even after the site has been set up; take a backup first, because the change has to be applied consistently to every table, to wp-config.php and to a few prefixed entries inside the options and usermeta tables, and a half-finished rename locks you out.

WordPress admin usernames and passwords

The most basic attack is still surprisingly successful. Hackers simply guess your admin name and password. If your username is ‘admin’ and your password is something like ‘password’ or ‘123456’, your children will be able to hack your site. Even the family cat could do it, if it could stay awake long enough. At a slightly more advanced level, there are countless scripts which make endless username and password guesses, trying each one until they get in. These are called brute-force and dictionary attacks. The harder your password is to guess, the longer it takes to find, even if you have no other security in place. Passwords should be a minimum of 12 characters long and use upper and lower case letters, numbers and symbols (like $%->£ and so on); in reality we’d suggest at least 18 characters. Length matters more than symbol juggling: a long passphrase of four or five unrelated words beats a short string of symbols, and it shouldn’t contain your name, the site’s name or anything else a script would try first. The password must also be unique to this site; if you reuse it on a forum that gets breached, that breach becomes your breach. That’s the first, minimum step.

Your password should ideally be one you couldn’t remember anyway, so use a password manager such as LastPass (it’s free) to generate it and store it.

Restrict login attempts

Remembering that some hackers will try thousands of times to guess your password, restricting how many unsuccessful login attempts a single visitor can make is a very good idea. There are plugins which exist only to do this job (such as ‘Limit Login Attempts’) but many multipurpose security plugins also have this feature. Generally, we would recommend ‘NinjaFirewall’, which is available free from the WordPress plugin repository and offers protection against this sort of attack (see ‘Get a firewall’ below). Bear in mind what a limiter does and doesn’t do: attackers spread their guesses across many addresses, so a limit slows them down rather than stopping them, and it does nothing against a weak password that gets guessed within the limit. Treat it as one layer alongside a strong, unique password.
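To see what a password-guessing run actually looks like, and to check that a login limiter is doing its job, here is a small added example (not the article’s or any plugin’s code) that counts failed logins per client in a web server access log. The log lines are constructed for the example, using documentation-only IP ranges; the format is Apache’s “combined” log, which nginx also uses by default.

```shell
#!/bin/sh
# Added example, not from the article: spot a password-guessing run in the
# web server's access log with nothing more than awk.
# Assumes the "combined" log format. Sample lines are constructed.

sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2018:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:02:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:02:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2018:02:15:10 +0000] "GET / HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2018:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2018:02:15:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Print "count ip" for every client with more than $2 failed login attempts
# in log file $1. A failed wp-login.php POST re-renders the form (status 200);
# a successful one redirects (302). xmlrpc.php answers 200 either way, and
# limiters that only watch wp-login.php miss it, so every POST there counts.
guessing_clients() {
    awk -v limit="$2" '
        $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == 200) || $7 == "/xmlrpc.php") { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: sample_log > /tmp/access.log; guessing_clients /tmp/access.log 5
# On a live host: guessing_clients /var/log/apache2/access.log 20
```

On the sample, the script reports 203.0.113.7 with 7 attempts and stays quiet about the legitimate user who mistyped once and then logged in. Run the same thing over your real log after installing a limiter: if an address still shows dozens of 200s on wp-login.php, the limiter isn’t covering that path.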

Keeping WordPress Updated

WordPress is updated regularly, with maintenance and security releases appearing every few weeks. As attacks evolve, new weaknesses are identified, and as each vulnerability is found WordPress is updated, closing the door. Keeping WordPress updated is just as important as using an intelligent password. Since WordPress 3.7, minor (security) releases install themselves automatically in the background; leave that switched on.

Keep themes and plugins updated

Themes and plugins must be kept updated just as carefully as WordPress itself. Sadly, lots of people don’t realise how important this is, and these people are prime targets for hackers. One particular story comes to mind:

In 2014, one of the most popular image slider plugins for WordPress, ‘Revolution Slider’, was found to have a serious vulnerability: an unauthenticated request could download any file the web server could read, including wp-config.php, which holds the database username and password. This class of bug is usually grouped with Local File Inclusion (LFI) attacks. The vulnerability was posted on underground websites and hackers started scanning the internet for WordPress installs using the plugin. The plugin authors released a fix, but initially chose to keep quiet about the issue. The resulting attacks compromised over 100,000 WordPress websites. Because the plugin was bundled with hundreds of commercial themes, many site owners didn’t even know they had it, let alone that failing to update an image slider meant that anybody could take over their website. But that was the reality. The moral of the story is to keep your themes and plugins updated and never assume that they are secure by default.

File Permissions

Assuming you have access to your server, check that your file permissions are correct. Directories (folders) should be 755 and files 644; wp-config.php, which holds your database password, can be tighter (600, or 640 if the web server runs as a separate user in your group). Nothing in the site should be world-writable, and nothing under wp-content/uploads should be a PHP file. If you don’t know what these numbers mean or how to change them, speak to your hosting company. That said, no matter how many sites we’ve set up, we’ve never found a fresh install with incorrect settings; permissions go wrong later, typically when someone sets a folder to 777 to make a plugin work and never sets it back.
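As an added example (not the article’s own code), here is how a practitioner would apply those permissions from a shell and then audit for the two conditions that matter most. It assumes the site’s files are owned by the same account PHP runs as, which is the usual shared-hosting setup; hosts that run the web server as a separate user may need group-writable uploads instead, so take a backup first and check with your host.

```shell
#!/bin/sh
# Added example, not the article's code: put a WordPress tree onto the usual
# permissions, then audit for the two things that actually let attackers in.
# Assumes files are owned by the account PHP runs as (typical shared hosting).

# Directories 755, files 644, wp-config.php owner-only (it holds the DB password).
fix_wp_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# How many files or directories under $1 are world-writable? Should be 0:
# any code running on the server, including another customer's hacked site
# on a badly configured host, can drop a backdoor into these.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# How many PHP files sit under wp-content/uploads? Should be 0: uploads only
# ever hold media, so PHP there is the classic sign of a planted web shell.
count_php_in_uploads() {
    dir=$1/wp-content/uploads
    if [ ! -d "$dir" ]; then
        echo 0
        return
    fi
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | wc -l | tr -d ' '
}

# Usage (run as the account that owns the files):
#   fix_wp_permissions /home/you/public_html
#   count_world_writable /home/you/public_html     # expect 0
#   count_php_in_uploads /home/you/public_html      # expect 0
```

The two counts are worth running on a schedule, not just once: a plugin that “needs” 777 on a folder, or a PHP file that appears in uploads, is exactly the change you want to hear about the day it happens.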


Keep Backups

There is no single, foolproof method of keeping your website secure and impervious to attacks. If hackers can wander around US Government websites, hack banks and mega-rich companies like Sony, you can be sure that a determined hacker on a personal mission against you will be able to find a way into your site. It’s a sad statement, but true. It probably won’t happen to you, but it might, and it certainly can. That’s where backups become an essential part of your security planning. If your hosting company does daily site backups and keeps an archive of restorable backups, you’re mostly covered, but we’d still recommend getting a good backup plugin and doing full daily backups of both the files and the database. The most popular backup plugin, BackupBuddy, also allows you to move or duplicate a website on a different domain. Don’t store the backups only on your server: an attacker who gets into the server will delete every backup they can reach. Store them with services like Dropbox, or download them to your local PC and keep them on a removable disk. We keep daily backups from the past 60 days. And test a restore now and again; a backup you have never restored is a hope, not a plan. All it takes is a few minutes of your time to ensure that if someone corrupts your site you can simply delete the whole thing and replace it with a full working copy.
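For sites where a plugin isn’t an option, or as a second, independent copy, here is an added example of a cron-driven backup that does the two things this section insists on: the copy leaves the server, and old copies are pruned after 60 days. It is not the article’s or any plugin’s code. It assumes mysqldump, tar and scp exist on the host, that an SSH key for the backup destination is set up, and that wp-config.php carries the usual define('DB_NAME', '...') lines as WordPress writes them; the destination name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: dump database and files, push the
# archives off the server, prune old ones. Assumes mysqldump, tar, scp.

# Read one define() constant out of wp-config.php.
# Usage: wp_config_value /path/wp-config.php DB_NAME
# (A password containing a single quote would need a real PHP parser; this
# handles the file as WordPress writes it.)
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Dump database and files into two dated, owner-only archives in $2.
# DB_HOST of the form host:port would need splitting; most hosts use localhost.
backup_site() {
    root=$1; outdir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg=$root/wp-config.php
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    mkdir -p "$outdir"
    # The password goes through the environment, not argv, so it is not
    # visible to every other process on the host via `ps`.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
        | gzip > "$outdir/db-$stamp.sql.gz"
    tar -czf "$outdir/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
    chmod 600 "$outdir/db-$stamp.sql.gz" "$outdir/files-$stamp.tar.gz"
    echo "$stamp"
}

# Copy archives off the server. $1 = archive dir, $2 = user@host:/path/
push_offsite() {
    scp -q "$1"/*.gz "$2"
}

# Delete archives in $1 older than $2 days and print how many went.
prune_old_backups() {
    find "$1" -type f \( -name '*.sql.gz' -o -name '*.tar.gz' \) -mtime +"$2" -print -delete | wc -l | tr -d ' '
}

# Usage from cron (daily at 03:15), after ". /home/you/wp-backup.sh":
#   backup_site /home/you/public_html /home/you/backups
#   push_offsite /home/you/backups backup@offsite.example:/srv/wp/
#   prune_old_backups /home/you/backups 60
```

The off-site copy is the one that survives an intruder, so give the server a destination account that can only add files, not delete them, where your backup host allows it. The archives contain wp-config.php and therefore the database password, which is why they are created owner-only and should be kept that way wherever they land.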

Modify .htaccess for improved security

You don’t really need to know much about .htaccess, so let’s just say that it’s a per-directory configuration file for the Apache web server (the name starts with a dot, so it’s usually hidden). WordPress uses it for its pretty permalinks, and you can use it to add access rules of your own. This section assumes you have cPanel access to your server, or similar. If you don’t have server access, or your host uses nginx, which ignores .htaccess entirely, ask your hosting company to make these changes (or their nginx equivalent) for you.

NOTE: Before you do anything mentioned below, take the time to read the ‘Firewall’ section further down the page. If you choose to use the plugins mentioned, you won’t need to play with your .htaccess file yourself – the plugins will do it for you.

Getting started

Firstly, if you visit your site control panel and then open the file manager, you should see all the files on your server. Your .htaccess file will be in the domain root (/public_html/) but may not be visible. If you can’t see it, click the settings button (top right of screen) and choose the option to display hidden files. Once you find it, you need a backup version of it, just in case you make mistakes editing it and end up locking yourself out of your site, or breaking your site (it happens). I’d always recommend using a good text editor such as notepad++ (it’s free), copy your .htaccess contents straight into a backup version saved on your pc.

Caution – .htaccess is a powerful file. After you make changes to it (and save them) test that you can still use your website! It’s the easiest thing in the world to ‘break’ your site. If something goes wrong, simply undo your last action and save it again. Your problems should have gone away – if not, paste your backup version into place. THAT will always work, assuming it wasn’t already defective!

So, where to start? You’ll find the standard block that WordPress adds to your .htaccess file when it sets up permalinks. It starts with a line reading # BEGIN WordPress and ends with # END WordPress; the rewrite rules between them are what turn a URL like /about/ into a request WordPress can handle.

Don’t touch this bit. Don’t alter it, and don’t add anything between the BEGIN and END lines: WordPress rewrites that block itself whenever permalink settings are saved and will discard anything you put inside it. Your own rules go after the END line.

Protect files:
The first additions do three things. They stop anybody seeing an index of your folders (you can also switch this on in cPanel), they stop anybody fetching your wp-config.php file over the web (it holds your database password), and they protect .htaccess itself, and any .htpasswd you add later, in the same way. Add these rules after the # END WordPress line, never inside the WordPress block.

We have seen lots of articles suggesting that you should use .htaccess to restrict access to wp-admin to specific IP addresses, those belonging to the site administrator, obviously. Most people have a variable IP address (mine resets every time I reboot my PC or modem, for example), so restricting access to a single IP could lock you out of your site the moment it changes.

However, you can restrict access to your ISP’s pool of addresses. For example, if your IP address today is 10.220.55.110 and normally only the last set of numbers changes, you can restrict access to 10.220.55.xxx (x meaning any number). If the 3rd set changes too, you could restrict access to 10.220.xxx.xxx. It’s probably safer to assume that your address can differ in the 3rd or 4th block. Bear in mind that the wider the range, the less it means: 10.220.xxx.xxx is 65,536 addresses, shared with every other customer of your ISP in that pool, so it keeps out the internet at large but not a neighbour on the same provider. If you can, a VPN or office connection with a fixed address is a much better anchor than guessing at ranges.

Let’s say then that you want to be able to access your website as administrator from your home and your office. To do this, you first need to find out the IP address at both locations. That gives you your starting point. Let’s say your IP address at home is 10.220.55.110 today. To restrict access to wp-admin ONLY to computers in the pool of addresses that your home PC uses, add a rule for that range to a .htaccess file inside the wp-admin folder, then test from a connection outside the range (your phone on mobile data will do) to confirm that you really are locked out there.

Then do the same for your office IP address, or wherever else you will want to be able to access the site.

If you do this and your theme or plugins use Ajax, some things will break, because front-end requests go to wp-admin/admin-ajax.php and are now refused for every visitor outside your range. To prevent this, add an exception that lets everyone reach admin-ajax.php, placed after the restriction so it overrides it for that one file.

If you are the only person who needs to log in to your site (so, no registered users) you can do the same thing with wp-login.php, which lives in the site root rather than in wp-admin. Obviously, it’s no use to you if you have, or plan to have, other people who need to log in. If you are the only one, apply the same IP logic to that file in the root .htaccess.

If you want to use all of these snippets, put the directory-index and file protections and the wp-login.php rule in the root .htaccess, and the wp-admin restriction (with its admin-ajax.php exception) in wp-admin/.htaccess. Remember to adjust the IP ranges to your own and to test from outside them before you log out.
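The original snippets did not survive on this page, so here is an added example that writes what the section describes: the three file protections, the wp-admin restriction with its admin-ajax.php exception, and the optional wp-login.php restriction, each taking a dated backup of the file first, as the section insists. It is not the article’s own code. It assumes Apache 2.4 (the Require syntax; Apache 2.2 used Order/Allow/Deny) and a host whose AllowOverride setting permits these directives in .htaccess; the paths and IP ranges in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: .htaccess hardening for Apache 2.4,
# backing up each file before it is changed.

# Dated copy before any change.
backup_file() {
    if [ -f "$1" ]; then
        cp -p "$1" "$1.bak-$(date +%Y%m%d-%H%M%S)"
    fi
}

# Root .htaccess: the three file protections, appended once, after the
# "# END WordPress" block so WordPress can keep rewriting its own block.
harden_root_htaccess() {
    f=$1/.htaccess
    if grep -q '# BEGIN site-hardening' "$f" 2>/dev/null; then
        return 0
    fi
    backup_file "$f"
    cat >> "$f" <<'EOF'

# BEGIN site-hardening
# 1. no directory listings
Options -Indexes

# 2. wp-config.php is never served over the web
<Files wp-config.php>
    Require all denied
</Files>

# 3. nor are .htaccess and .htpasswd
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# END site-hardening
EOF
}

# wp-admin/.htaccess: only the listed networks reach the dashboard, but
# admin-ajax.php stays open because front-end themes and plugins call it.
# Usage: restrict_wp_admin /home/you/public_html 10.220.55.0/24 203.0.113.0/24
restrict_wp_admin() {
    root=$1; shift
    f=$root/wp-admin/.htaccess
    backup_file "$f"
    {
        echo '<RequireAny>'
        for net in "$@"; do echo "    Require ip $net"; done
        echo '</RequireAny>'
        echo
        echo '# front-end Ajax for every visitor; overrides the block above for this file only'
        echo '<Files admin-ajax.php>'
        echo '    Require all granted'
        echo '</Files>'
    } > "$f"
}

# Root .htaccess: the same restriction for wp-login.php. Only if nobody
# else ever needs to log in.
restrict_wp_login() {
    root=$1; shift
    f=$root/.htaccess
    if grep -q '<Files wp-login.php>' "$f" 2>/dev/null; then
        return 0
    fi
    backup_file "$f"
    {
        echo
        echo '<Files wp-login.php>'
        echo '    <RequireAny>'
        for net in "$@"; do echo "        Require ip $net"; done
        echo '    </RequireAny>'
        echo '</Files>'
    } >> "$f"
}
```

After running it, load the home page, the dashboard, and a front-end feature that uses Ajax (a contact form, say). A 500 error on every page means the host does not permit one of these directives in .htaccess (usually Options); copy the .bak file back and drop that line. Some plugins also post front-end forms to wp-admin/admin-post.php, which would need the same exception as admin-ajax.php.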

Password Protect your WP-Admin Directory

As an alternative to restricting wp-admin by IP address, you can password-protect the wp-admin directory with cPanel. Doing that is quite simple: open cPanel and look for ‘Password Protect Directories’ in the security section. Once the navigation screen opens, navigate to wp-admin (click on the folders to open them and move up a level) and then click on the name of the wp-admin directory. You will be taken to a page where you can give a name to the protected area, then create users and passwords. From then on, anybody who opens the dashboard is presented with a browser username and password box which they must complete before they ever reach the WordPress login. You’ll need to set up a username and password for each user, with strong passwords, of course. This isn’t two-factor authentication (it’s a second password, so still something you know), but it is an independent lock: the second username and password never touch WordPress, so a vulnerable plugin or a guessed WordPress password doesn’t get an attacker into the dashboard. Two caveats. The protection covers the wp-admin folder, not wp-login.php in the site root, so guesses at the login form still arrive; and front-end Ajax calls go through wp-admin/admin-ajax.php, so unless you exempt that file, ordinary visitors will get a password prompt.
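What the cPanel wizard writes is a short Basic-authentication stanza and a password file. Here it is done by hand, as an added example that is not the article’s, so that you can see what is going on and add the admin-ajax.php exception the wizard leaves out. It assumes Apache 2.4 and that the password file lives outside the web root; the paths in the usage lines are placeholders. Use this instead of, not on top of, the IP-based wp-admin/.htaccess above, since both write the same file.

```shell
#!/bin/sh
# Added example, not from the article: Basic auth in front of wp-admin,
# with the admin-ajax.php exception. Assumes Apache 2.4.

# Print one .htpasswd line for user $1, password read from stdin (never put
# the password on the command line; it would show up in `ps`). bcrypt via
# the htpasswd tool when present, Apache's apr1 MD5 via openssl otherwise.
htpasswd_line() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -niB "$1"
    else
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -stdin)"
    fi
}

# Write the Basic-auth stanza into wp-admin/.htaccess. $1 = site root,
# $2 = absolute path of the password file, kept outside the web root.
protect_wp_admin_with_password() {
    cat > "$1/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Site administration"
AuthUserFile $2
Require valid-user

# Front-end Ajax calls land here for every visitor; without this exception
# they would all get a password prompt. It overrides the Require above for
# this one file only.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Usage:
#   printf '%s\n' 'a long unique passphrase' | htpasswd_line alice >> /home/you/.htpasswd-wpadmin
#   chmod 600 /home/you/.htpasswd-wpadmin
#   protect_wp_admin_with_password /home/you/public_html /home/you/.htpasswd-wpadmin
```

Because the browser sends the Basic-auth password with every request, this only makes sense on an https site; over plain http it would be one more secret crossing the network in clear text.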

If you want real two-factor authentication for all users, use a plugin built for that purpose. WPClef was popular and free at the time of writing, but the Clef service has since shut down, so pick a maintained plugin based on one-time codes (TOTP) instead. Remember to read the plugin FAQ before trying to install and use it, and keep the recovery codes somewhere safe; two-factor works both ways.

Scan your site to be sure it’s clean from infection

The old adage about shutting the barn door after the horse has bolted springs to mind here. If you’ve read this article and copied every suggestion, it won’t help you an awful lot if your site was already compromised. So, before you do too much, reassure yourself that your site is okay. Probably the best way to start is a third-party scanner such as the free security scanner provided by Sucuri. As the site itself says, the results aren’t guaranteed to be 100% accurate (an external scan only sees what the site serves, not what is hidden in your files), but it’s a damn good place to start. Other companies offer scanning and security assessment tools, such as hackertarget.com, but these are generally not free.

So, that’s DIY security covered. What next?

If you’ve gone for managed WordPress hosting with a company that actually provides what it advertises (not all do) you will find that a large part of your website security is dealt with by your hosting. They’ll probably have an FAQ explaining exactly what security hardening measures they employ. They might also restrict you and the plugins you can use, either for the sake of security or performance. This might be because your hosting already employs a firewall or security measures that will conflict with plugins that you planned to use. It’s well worth reading up on prospective hosting in advance. However, for this article we’ll assume you’ve got ‘normal’ hosting and need to take care of security yourself.

Get a firewall!

It’s worth noting that if you choose to use either or both of the plugins mentioned below, you won’t need to mess about with your .htaccess code yourself, as the plugins do the work for you!

If you’re looking for a low-cost solution, then having used and tested them on multiple domains, we’d recommend ‘NinjaFirewall’ and ‘BulletProof Security’. They both perform very well, are well supported and are both free.

Installation and setup of Ninjafirewall is very easy. Despite that, you’ll find plenty of advice available on their website explaining how to set it up, if you need it. Installation of Bulletproof Security is, in our opinion, more complicated. However, there are plenty of notes explaining what to do, and the plugin is as well supported as any free plugin we’ve ever used.

Even if you have to pay for it, we’d strongly recommend the premium version – Bulletproof Security Pro – for which AIT charge a one-off fee of $59.95 (includes support and upgrades for life) and the plugin can be used on as many domains as you own. That’s about as good a deal as you’ll find anywhere. Having had personal experience of the support on offer, we’d go so far as to say it’s the best security plugin available.

The pro version is easier to set up, having a setup wizard that does most everything for you. If you still struggle, there are some handy ‘how to’ videos on their website in addition to normal support. In terms of effectiveness, the plugin authors state:

“BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000+ websites in 5+ years have been hacked.” That’s a pretty mean record, although bear in mind it is the vendor’s own claim rather than an independent audit; no plugin makes a site unhackable, which is why backups are still on the list.


Other security plugins

If you feel inclined, it doesn’t hurt to use more than one, provided the plugins don’t conflict with each other or duplicate functions (two plugins both rewriting .htaccess is a recipe for a locked-out site). One of the more popular free plugins is ‘Wordfence’, which performs quite well and is easy to set up, although we found it to be a bit of a memory hog. At the time of writing Wordfence also included a caching engine called Falcon. We stopped using Wordfence some time ago, but it’s a popular choice. There is also a paid-for version with added features.

The premium security plugin ‘iThemes Security’ (in our plugin downloads library) is also very popular, although it takes a little time to set up properly.

How much is security worth to you?

If you’re running a personal blog or a website with limited commercial value, you probably don’t want to spend hundreds of dollars on security every year. If that’s the case, the free (or low cost) options mentioned above are a good choice. Then again, if your website has a high commercial value, such as an ecommerce store, you might want to consider paying for a comprehensive solution that deals with everything, including the removal of any malware if it gets in. If that’s the case, we’d recommend Sucuri. We’re not their salesmen or affiliates in any way, but their malware scanning and firewall services are generally rated as first class. If you’d like to read more, visit their website (link above).

Finally, keep informed

Instead of relying on the traditional website bullshit, keep yourself properly informed. There are a couple of websites with exceptional reputations for keeping WordPress users up to date with current viruses, vulnerabilities and attacks.

WPVULNDB Website

One site we advise keeping an eye on is wpvulndb.com (since renamed WPScan, at wpscan.com), which maintains a database of vulnerabilities identified in WordPress itself and in WordPress themes and plugins. The list includes some very popular plugins, so the lesson here, again, is to keep it all updated, and to check the database for any plugin before you install it.

Sucuri – Blog section

Another very interesting and useful site is the blog run by Sucuri, who also offer one of the best security packages for those willing to pay for it (see above). The blog contains a wealth of information and articles, and even if some are way too technical for the man on the street, most are easily comprehensible.

OWASP Foundation

Finally, there is owasp.org, which offers top-notch security advice (the link goes to the OWASP WordPress security guidelines page). OWASP is an international organisation, and the OWASP Foundation (a non-profit) supports OWASP efforts around the world. All of the OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. The group’s home is at www.owasp.org.