WordPress security isn’t something we talk or think much about until we get hit – by bots, hackers or viruses. As attacks are often directed against popular sites, beginners tend to believe that the threat isn’t real. This is, however, probably the biggest mistake they can make.
If your site has already been hacked, this post will help you make sure you never lose data again. If you’re lucky enough to not have been face to face with digital crime yet, this post will enable you to protect your site by performing the so-called WordPress hardening – and continue being lucky.
This post has two sections: Basic WordPress Security and Hardening WordPress (advanced). The first section allows you to secure your site, without coding or tweaking too much, by performing common sense maintenance tasks.
The second section guides you step by step through the more advanced WordPress hardening, explaining techniques such as restricting access to wp-admin and wp-includes and disallowing PHP execution in the uploads directory.
Basic WordPress Security
When taking on WordPress hardening, it’s necessary to start from the basics that are so simple that we often forget them completely. Nevertheless, without them, any attempt to secure your site is doomed.
Here’s how you can minimize the digital threat:
Keep It Updated
It seems obvious, and yet many forget to do it or skip it for reasons such as compatibility worries or fear of losing their setup: update WordPress core, all themes and all plugins present on your site, including the ones you currently don’t use.
Updates often contain fixes for publicly known vulnerabilities, and attackers scan for unpatched versions as soon as a fix is published, which makes it very important to keep your system current. Apply updates as soon as they become available (after taking a backup, see below).
Keep It Lean
You need only one WordPress theme and one fallback. Delete all other themes that you have installed as a part of experimenting with themes or setting up temporary campaigns.
When it comes to plugins, this is even more critical: use only the plugins you cannot do without. Any plugin that delivers fancy but non-essential functionality should be removed. Any plugin you aren’t currently using should not just be deactivated but removed, because a deactivated plugin’s files are still on the server and can still be reached and exploited. Any plugin that behaves strangely should be removed right away, and the same applies to plugins that cause incompatibilities with other plugins.
You can get an idea about which plugins to keep by reading this post on essential WordPress plugins.
Maintain High Quality
Even though it might sometimes seem that premium plugins and themes are too expensive and you might feel tempted to look for cheaper or pirate copies, this might end up costing you much more.
Many pirated copies of premium themes and plugins are infected before you download them and compromise your site the moment you install them. Others may be clean on download but still pose a risk: the way the licence check was removed may have left the theme or plugin vulnerable, and a pirated copy never receives the vendor’s security updates.
While it would be unfair to say that free or cheaper plugins and themes generally pose a threat, they are usually not reviewed as thoroughly or updated as often as premium ones. That is a problem for as long as a vulnerability remains in the code.
The advice in this case would be to always download themes and plugins from reputable sources. Such marketplaces have usually proper quality control in place.
Keep It Secure
Don’t name your user “admin” and don’t use weak passwords; both make it much easier for attackers to compromise your site. Choose a unique, preferably random, username and a long random password that mixes letters, numbers and special characters, and let a password manager generate and store it.
If you have already created a user called admin (or your installer created it for you), you can’t simply rename it, as the WordPress dashboard doesn’t allow usernames to be changed.
Instead, create a new user with a secure username and password and give it the Administrator role. Log in as that user, then delete the user called “admin”. So that you don’t lose any of your work, choose to attribute the admin user’s content to the newly created user when deleting; only then confirm the deletion.
Additionally, remember to protect your username by doing the following:
- On your profile page, choose to Display name publicly as anything but your username
- Choose and enter a Nickname that differs from your username, even if you never plan to use it. WordPress fills this field with the username by default, so this detail is easy to forget and important to remember.
The autogenerated password is secure enough. Just copy it into your password manager to make sure you have it and click on Update User at the bottom of your profile in WordPress.
Change your password immediately if you suspect it has been exposed, for instance after a breach at another service where you reused it, and in any case from time to time.
Back It Up
The ultimate way to secure your WordPress site is by backing it up on regular basis. This way you can be sure that, even if your site is taken down by attackers, you’ll be able to recreate it to a recent version.
How often you back up your site, depends on how active it is. Ecommerce sites should perform a backup at least once an hour. Very active sites with multiple posts published every day must back up the whole system at least once a day. For smaller or less active sites, where you may publish one post a day or a week, backing the system up every week or month should be enough.
There are two ways to back up WordPress: automatically and manually. Automatic backups can be configured on the server by your hosting provider, or by you during the initial WordPress setup, depending on whether your host offers it.
Another way to automate backups is with a plugin. This is not optimal, though: such plugins usually store their backups on the same server, inside wp-content, so an attacker who wipes or encrypts the site takes the backups with it. If you do use one, make sure it copies every backup to an off-site location (another server, cloud storage) and test that you can actually restore from it.
A manual WordPress backup is made by downloading the contents of the public_html directory on the server to your local disk. At the same time, export your database(s) using phpMyAdmin. These two steps should always go together, as you need both the file tree and the database to restore a site. A detailed explanation of the process can be found in this post on migrating WordPress sites.
Use SSL
Install an SSL/TLS certificate so that your site is served over HTTPS, and always use encrypted connections when working with FTP (use SFTP) or mail clients. This adds a layer of protection to your data in transit: without it, your login password travels in clear text and can be read by anyone on the network path. An SSL certificate alone isn’t enough to secure your site, but it makes the attackers’ job harder and helps protect sensitive data such as user credentials or credit card details.
To learn more, read this post on using SSL to protect your site.
Secure Your Databases
The database name, user and password should be at least as strong as your regular username and password. You choose them while installing WordPress on the server and can change them later in MySQL (or your host’s database panel); whenever you do, update the matching DB_NAME, DB_USER and DB_PASSWORD values in wp-config.php, or the site stops working. Grant the database user rights on that one database only, never on the whole server.
If you run more than one database on the same account, give each database its own user with its own password. This helps contain the damage if one of your databases gets compromised.
Ideally, you should keep sites in separate hosting accounts.
Restrict User Access
Your site should have as few empowered users (administrators and editors) as possible. Each of them should have a strong, unique password, and their accounts should be reviewed regularly so that anyone who no longer needs access is removed. If the account of an empowered user gets compromised, so is your site.
If you allow visitors to register as subscribers, authors or similar, make sure you understand exactly which privileges each role grants. Also require them to use secure passwords.
As a rule, a secure site has as few users as possible and doesn’t allow random registrations.
Check Directory and File Permissions
On the server, each directory and file has a set of permission for the three user groups: owner, group, and public. The most secure setup is 755 for directories and 644 (or 600 where possible) for files.
As a rule, shared hosting providers set these permissions as a default on all accounts, making it easy for you to keep secure. You can check these permissions by right-clicking on a directory or file on the server or in your FTP client and choosing File Permissions.
You are then presented with the current setup, where you can change the permissions for each group or enter the numeric value directly. If you aren’t happy with the defaults, you can apply the change to the current directory or file alone, or recursively to files and folders, only files, or only folders.
Please note that the optimal setup may vary between hosting providers! You should always consult your current hosting provider regarding the necessary permissions. It is, however, important to avoid having any files or directories set to 777.
Hardening WordPress: Advanced WordPress Security
Even when following all of the advice above, your site can still be at serious risk, because WordPress’s fixed file structure makes the attackers’ job easier: files are stored in the same places and the software behaves the same way on all 74+ million WordPress sites out there. Every attacker therefore knows where to find the login page and where to hit to cause maximum damage.
To make an attacker’s job much harder, you can implement several smart tricks adding an extra layer of protection around your site.
Security Through Obscurity
A WordPress site has two areas that are especially exposed because they are the ones IT criminals target most often: your login page and wp-admin.
Your login page is at yoursite.com/wp-login.php, and every attacker out there knows it. They target it with so-called brute-force attacks: automated attempts to log in with a huge number of username and password combinations (often drawn from lists of leaked credentials) until one works or the server buckles under the load.
To stop such attacks, many webmasters install plugins as Wordfence, which helps by:
- Hiding usernames. Normally, if you enter mysite.com/?author=1 in the browser, you’ll be redirected to the page of the user with ID 1, usually the admin, giving away their username in the URL. Thus, hackers are already halfway through getting access to your site. If you, however, have Wordfence installed, any such request is redirected to a 404 page, hiding username info (further down, we offer a plugin-less fix to this security issue).
- Blocking visitors after too many failed login attempts, after they enter a non-existent username, or after they use the Forgot password link too many times. This stops most brute-force attacks, with the exception of those distributed over many IP addresses.
While this stops most attacks, the ones mentioned above cannot be stopped by per-IP blocking, because the attempts come from a botnet or a pool of proxies and no single address ever exceeds the limit.
In such cases, you can block the attack by hiding your login page. You can do this with a few lines in the .htaccess file on the server. They work by allowing only visitors from specified IP addresses to reach the login page and answering everyone else with an error, which stops the attack at the web server before WordPress even runs.
NB! This also blocks legitimate login attempts from anywhere else, so it is unsuitable for sites that allow user registration or maintain many user profiles. It is also a problem for administrators without a static IP address: if your address changes, you lock yourself out until you edit the file over SFTP.
Together with hiding the login page, webmasters often hide the wp-admin directory as well. The files in it aren’t meant to be seen or used by the public and can safely be hidden with the same method. This may also disguise the fact that you are running WordPress, so that canned WordPress attacks are aimed at nothing; whether that works depends on the rest of your setup, since plugins that print their name into your page source, as All in One SEO does, give the game away anyway.
To deny access to both wp-admin and wp-login.php (or to one of them), insert the rules at the very beginning of your .htaccess file, above the # BEGIN WordPress marker:
This denies access to wp-admin and wp-login.php to everybody except visitors from the listed IP address(es). To allow several addresses, repeat the whole RewriteCond line that tests REMOTE_ADDR once per address. Insert the actual addresses in this format, with the dots escaped: !^xxx\.xxx\.xxx\.xxx$
If you don’t want to hide wp-login.php, for example because you allow user registration, simply delete the line that matches wp-login.php.
Blocked visitors receive a 403 Forbidden response. You can exchange the 403 for 404 to return Not Found instead. Neither option is better from a security point of view, but a 404 may discourage attackers by not confirming that the protected paths exist. Test the rules from a second device or connection before you close your current admin session, so that a typo doesn’t lock you out.
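The rules described above, written out as an added example for this page (it is not the post’s original snippet). The two allowed addresses 203.0.113.10 and 203.0.113.11 are placeholders from the documentation range, and the paths assume WordPress is installed at the site root:

```apache
# Added example: allow wp-login.php and /wp-admin/ only from two addresses.
# Place this block at the very top of .htaccess, above "# BEGIN WordPress".
# 203.0.113.10 and 203.0.113.11 are placeholders; replace them with your own.
<IfModule mod_rewrite.c>
RewriteEngine On

# Plugins and themes call admin-ajax.php from the public front end, so it
# must stay reachable; this condition exempts it from the block below.
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$

# The request is for the login page (delete this line if you allow public
# registration and want wp-login.php to stay open)...
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
# ...or for anything under wp-admin/.
RewriteCond %{REQUEST_URI} /wp-admin(/|$)

# ...and the visitor is not one of the allowed addresses. Conditions without
# [OR] are ANDed, so add one such line per address you want to allow.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.11$

# Everyone else gets 403 Forbidden; use R=404 to answer Not Found instead.
RewriteRule ^ - [R=403,L]
</IfModule>
```

Two caveats before relying on this. If the site sits behind a CDN or reverse proxy (Cloudflare, a load balancer), REMOTE_ADDR is the proxy’s address, not the visitor’s, and the rule above will lock everyone out, including you; Apache then needs mod_remoteip configured to trust the proxy’s forwarded-for header before the address check means anything. And if your connection has IPv6, the address Apache sees may be the IPv6 one, so check what REMOTE_ADDR actually contains (for instance in the access log) before listing your address.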
Restrict Access to wp-includes
Just like wp-admin, wp-includes contains files that aren’t meant to be requested directly by visitors: WordPress loads them itself, server-side. Restricting direct access to its PHP files is easy and adds an additional layer of security, because a vulnerable file in there can then no longer be called from the outside.
You can do that by simply adding the following piece of code to your .htaccess file, outside of the #BEGIN WordPress and #END WordPress tags:
This prevents anybody from browsing to the critical PHP files in wp-includes, while the JavaScript and CSS your theme loads from there keep working.
Restrict Access to wp-config.php
wp-config.php is one of the most critical files in a WordPress install: it contains sensitive data such as your database name, user and password, as well as the authentication keys and salts used to sign login cookies. None of these should ever fall into the wrong hands.
Hiding this file from the public is therefore a must. You can do that by disallowing access to it to any users, browsing for it. Simply add the following lines into your .htaccess file on the server:
Remember to insert it outside the #BEGIN WordPress and #END WordPress tags. Everything between them can be overwritten by WordPress on update.
You can hide .htaccess itself the same way, by exchanging wp-config.php for .htaccess in the example (or matching both in one rule) and placing the snippet in the .htaccess file itself.
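The following is an added example covering both of the sections above, wp-includes and wp-config.php/.htaccess, in one piece of .htaccess; it is written for this page and is not the post’s original code. It assumes WordPress is installed at the site root (RewriteBase /) and an Apache server that honours .htaccess files:

```apache
# Added example: deny web access to PHP files in wp-includes, to
# wp-config.php and to .htaccess itself. Keep it OUTSIDE the
# "# BEGIN WordPress" / "# END WordPress" markers, which WordPress rewrites.

# 1. wp-includes: browsers only need static assets (js, css, images) from
#    here. Direct requests for its PHP files are refused with 403 ([F]);
#    WordPress still loads them normally, because that happens server-side.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request that is not under wp-includes/.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# 2. wp-config.php and every .htaccess/.htpasswd file: nobody needs these
#    over HTTP. The two branches cover Apache 2.4 (mod_authz_core) and the
#    older 2.2 access-control syntax.
<FilesMatch "^(wp-config\.php|\.ht.*)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

On a multisite network created before WordPress 3.5, uploads are served through wp-includes/ms-files.php, which the first block would refuse; add an exception for that file before the [^/]+\.php rule in that case. The wp-config.php rule is defence in depth: Apache normally executes the file rather than serving its source, but a broken PHP handler or a misconfigured backup copy (wp-config.php.bak, which the rule deliberately does not cover, so delete such copies) would expose the credentials.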
Kill PHP Execution in Uploads
Hiding directories is a great way to protect them, but it can’t always be used. An example is wp-content/uploads, the directory that many of the site’s users need access to in order to upload and publish media, and whose contents (images, PDFs) every visitor must be able to download.
To protect it from attackers, you can disallow the execution of PHP inside this directory. Then, even if someone manages to upload a malicious script there, for instance through a vulnerable upload form or a plugin bug, requesting it returns an error instead of running it, while legitimate user-generated uploads keep working.
To do this, you should create a new .htaccess file in a plain text editor and enter the following into it (you can choose to leave the comment out):
Save the file as .htaccess and upload it to the server under public_html/wp-content/uploads/.
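An added example of what that new file can contain, written for this page rather than taken from the post. It refuses to serve anything in the uploads tree whose name carries a PHP-style extension, which is the portable way of achieving “no PHP execution here”:

```apache
# Added example: full content of the new file wp-content/uploads/.htaccess.
# Any file whose name contains a PHP-style extension is refused, including
# decoy names such as shell.php.jpg, which mod_mime can otherwise still hand
# to the PHP handler, and upper-case variants such as SHELL.PHP ((?i)).
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht|phps)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

The often-quoted alternative, php_flag engine off, only works when PHP runs as an Apache module; under PHP-FPM or CGI the directive is unknown and Apache answers every request in the directory with a 500 error, which is why the deny rule above is the safer choice. To verify the result, upload a harmless test.php containing nothing but `<?php echo 1;` over SFTP and request it in the browser: you should get 403, not “1”. Note that .htaccess files are an Apache feature; on nginx they are ignored and the equivalent restriction must go into the server configuration.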
Disallow File Editing from the Dashboard
Another weakness of WordPress is that the dashboard lets you edit theme and plugin files directly (Appearance->Editor and Plugins->Editor). Convenient as this is, it is a function used by very few webmasters. At the same time, it gives an attacker who gains access to an admin account a ready-made way to plant a backdoor in any theme or plugin file, without needing FTP or server access at all.
It is highly recommended that you disable file editing to enhance your site’s security. When you need to edit such files, do it directly on the server over SFTP or locally after downloading them.
To disable file editing, add one line to wp-config.php, above the comment that reads “That’s all, stop editing!”: define the DISALLOW_FILE_EDIT constant as true. This removes both editors from the dashboard for every user, including administrators.
Hide Usernames
Yet another weakness of WordPress, already mentioned above, is that anyone can obtain a username just by appending ?author=1 (or another number) to your site’s URL. Usernames are half of what guards access to your site. People are told not to name the admin user “admin” because it is easy to guess, but this advice doesn’t help much when anybody can read the admin’s username off the author URL (the admin is usually the user with ID 1), no matter how hard to guess it is.
To hide usernames completely, you should do the following:
- Log into cPanel and find phpMyAdmin (sometimes called Database Administration)
- Find the database of your website (if you are in doubt, check the database name in wp-config.php) and click on it
- Find wp_users (see the screenshot to the right; the wp_ prefix will differ if you changed it during installation) and click on it
- On the next screen, you’ll see a list of all registered users of the site. Find the user you want to edit (it is recommended to repeat this for all users).
- Find the user_nicename column. By default, it is filled with the username.
- Double-click the current user_nicename to change it. You can change it to anything but the actual username. Be aware, though, that user_nicename is public: it becomes the slug in the author archive URL (/author/…/), so it should normally equal the user’s public display name.
- Click outside the box to save your changes.
- Test whether you have successfully hidden the username by entering mysite.com/?author=1 in the browser (replace mysite and the number if it isn’t the user with ID 1 you edited). You should be redirected to the author archive, with the new nicename rather than the username in the URL. If you still see the username, something went wrong and you should retrace your steps to find the error.
Two caveats: the public user listing of the REST API (/wp-json/wp/v2/users) exposes the same slug, so this change covers it as well, but the login form’s error messages still tell an unknown username apart from a wrong password, so a determined attacker can confirm a guessed username there. Security plugins such as Wordfence offer an option to make the two messages identical.
Additional Security for WordPress Sites
After you have secured your site by restricting access and editing files, you should also make sure that you don’t give attackers easy access to the server by transferring viruses from your computer via uploads.
While this might seem obvious, it’s sometimes easy to forget that off-server security is just as important as server security. Keep your computers clean and well protected with reputable antivirus and firewall software to minimize the risk of infecting your site on upload.
Remember also to scan files you intend to upload that you downloaded or received from others, even from people you trust, since they can pass on infected files without knowing it.
Even after implementing every security measure, there is still a risk that your site gets compromised. It is therefore important to monitor for malicious activity regularly. You can do that with plugins or off-site scanners, but also keep an eye on the Security Issues tab in Google Search Console, which warns you when Google detects malware or spam on your site, and on your web server’s access log, where requests for a PHP file inside wp-content/uploads are a clear sign of trouble.