WordPress Security: Top WordPress Security Tips & Tricks

Today we’ll be discussing some of the best tips and tricks for securing WordPress, so that you can harden your own website.

# Regularly Update WordPress

Current versions of WordPress feature one-click updates. You can launch the update by clicking the link in the new-version banner or by going to the Dashboard > Updates screen. Once you are on the “Update WordPress” page, click the “Update Now” button to start the process. You shouldn’t need to do anything else; once it has finished, you will be up to date.

In general we would recommend the following steps when performing an update:

  1. Back your website up
  2. Turn off any caching plugins
  3. Update your plugins and theme framework
  4. Update WordPress
  5. Reactivate your caching plugin and clear your cache

# Backup Your Website

Always rely on a strong backup and recovery protocol for your website. It’s not just hacking that may break your website; a faulty upgrade or plugin install can do the same.

If you are looking for an automated backup solution that runs inside your WordPress site then review the following plugins:

  • VaultPress (recommended): “VaultPress provides realtime, continuous backup and synchronization of every post, comment, media file, revision and dashboard setting.”
  • DropBox for WordPress: “WordPress Backup to Dropbox has been created to give you peace of mind that your blog is backed up on a regular basis.”
  • BackupBuddy (VMware Cloud VPS required): “Backup your entire Single or Multisite WordPress install. Including the widgets, themes and plugins.”
  • BackWPUp: “Do backups and more for your WordPress Blog.”

# Manage Your Plugins

Third-party plugins are a large part of what makes WordPress so popular, but at the same time they are a primary entry point for attacks on your website. Every plugin is another component that you have to keep updated or patched.

For this reason it’s important to install only extensions that have a good reputation. Read the reviews at the WordPress Plugin Directory: many plugins contain vulnerable code which, once installed, makes it easy for attackers to compromise your website.

Also check whether there are any known exploits or vulnerabilities for the plugin you are about to install. This can be done at Secunia or ExploitDB.

# Remove Unused Plugins

People often test different plugins or themes and forget to remove them once they have finished. Leaving these plugins or themes installed, even if they are disabled, creates a potential security risk, since their code still sits on the server, so remove them after any testing has been completed.

# Use Strong Login Details

For almost every website that you build, there will be various user accounts that you have to create and manage. Each of these should have a secure password. Choosing a password that other people can’t guess easily is a matter of creating unlikely combinations of letters and numbers.

A strong password:

  • Is at least eight characters long
  • Does not contain your user name, real name, or company name
  • Does not contain a complete word
  • Is different from previously used passwords
  • Contains a mixture of uppercase characters, lowercase characters and numbers

You can use a free tool like the Norton Identity Safe Password Generator to create a complex password for your WordPress accounts.

# Block Unwanted Visitors

Bots are automated programs that attackers use to aggressively probe and attempt to gain access to your website. They can quickly consume bandwidth and resources on your hosting account and, ultimately, may lead to your WordPress site being compromised.

A simple but effective way of restricting bots is to create (or modify an existing) .htaccess file in your WordPress root directory with the following lines:

```apache
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|planetwork) keep_out

Order Allow,Deny
Allow from all
Deny from env=keep_out
```
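Before you deploy a User-Agent block list it is worth checking what it would actually deny on your own traffic, so that a legitimate client is not caught by an overly broad keyword. The script below is an added example, not part of the original post: it re-implements the matching of the directives above (empty or missing User-Agent, plus the case-insensitive keyword list) as a dry run over an Apache combined-format access log. The log lines written by `make_sample_log` are constructed for the demo; point `audit_log` at your real access log instead.

```sh
#!/bin/sh
# Added example, not from the original post: dry-run the User-Agent rules of the
# .htaccess snippet against an Apache combined-format access log, so you can see
# which requests would be denied before the rules go live. The keyword list is
# the one from the snippet; the log written by make_sample_log is constructed.

# Same keywords as the SetEnvIfNoCase directives, joined into one regex.
BLOCKED_UA_REGEX='pycurl|casper|cmsworldmap|diavol|dotbot|flicky|ia_archiver|jakarta|kmccrew|purebot|comodo|feedfinder|planetwork'

# Print the User-Agent of a combined-format log line (its last double-quoted field).
ua_of() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)"[[:space:]]*$/\1/p'
}

# Return 0 if the .htaccess rules would deny this log line, 1 if they would allow it.
would_deny() {
    ua=$(ua_of "$1")
    # SetEnvIfNoCase User-Agent ^$ keep_out: a missing header is logged as "-".
    if [ -z "$ua" ] || [ "$ua" = "-" ]; then
        return 0
    fi
    # The keyword directives are unanchored, case-insensitive substring matches.
    printf '%s\n' "$ua" | grep -qiE "$BLOCKED_UA_REGEX"
}

# Audit a log file: denied lines go to stderr, "denied total" counts to stdout.
audit_log() {
    denied=0
    total=0
    while IFS= read -r line; do
        total=$((total + 1))
        if would_deny "$line"; then
            denied=$((denied + 1))
            printf 'DENY  %s\n' "$line" >&2
        fi
    done < "$1"
    printf '%s %s\n' "$denied" "$total"
}

# Write a small constructed access log (documentation IP ranges) and print its path.
make_sample_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/wp-ua-audit.XXXXXX")
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "PycURL/7.45.2 libcurl/8.1.2"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 310 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:55:47 +0000] "GET /feed/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; DotBot/1.2; +https://opensiteexplorer.org/dotbot)"
198.51.100.8 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 9000 "https://example.com/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_log)
audit_log "$log"     # prints "3 5": three of the five requests would be denied
rm -f "$log"
```

The three denied lines are the PycURL request, the request with no User-Agent at all and the DotBot crawl; the Firefox visitor and Googlebot pass, which is exactly what you want to confirm before the rules reach production. Because the directives match substrings, it also pays to scan the DENY output for any keyword that happens to appear inside a legitimate product name.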

A more comprehensive approach is to use the 5G Blacklist provided by Perishable Press.

The 5G Blacklist is a simple, flexible blacklist added to your existing .htaccess file that checks every web page request against a series of carefully constructed htaccess directives. This happens behind the scenes at the server level, saving resources for your WordPress site and protecting it from unwanted visitors.

# Change The Admin User

In WordPress the default user name for the Super Administrator is admin. Intruders usually rely on this during a brute-force attack, so simply changing the name provides protection from attacks that attempt to guess the name of the Administrator (admin) account. There are also other attacks that attempt to guess the default ID of the Administrator account in order to gain access to the site.

To create a new Administrator account:

  1. Log in to your WordPress Admin area.
  2. Click on “Add new” in the “Users” menu.
  3. Type in the information for the new user account. You need to use a different email address from the one set up for your “admin” username. Make sure you select “Administrator” as the role. Choose a new user name that is not similar to the name you display publicly on your blog.
  4. Click on the “Add User” button.
  5. Log out of WordPress.
  6. Log in to WordPress again, using your new username.
  7. Click on “Users” in the “Users” menu.
  8. Move your mouse cursor over the “admin” row. You will see links for “Edit” and “Delete”. Click on “Delete”.
  9. Select “Attribute all posts and links to” and then select your new username from the drop-down list. Ensure that you select this option, otherwise all your posts will be deleted!
  10. Click on the “Confirm Deletion” button.

Some people may prefer an alternative method using the iThemes Security plugin, which allows you to do all of these tasks and change the default ID at the same time.

# Implement Two-Factor Authentication

Two-Factor Authentication is a login method whereby a person has to provide his/her user name, password and a randomly generated OTP (One Time Password).

An OTP is a six-digit numeric code generated by cryptographic functions at short intervals. Even if an attacker guessed your WordPress Administrator username and password correctly, they would still require the OTP to log in.

To implement Two-Factor Authentication on your WordPress site we can recommend using either:

# Disable Access To The wp-content Folder

Uploaded images and other media are stored in the wp-content folder. To block direct access to everything in it except the client-side media (images, scripts and stylesheets) that browsers need, create an .htaccess file within your /wp-content/ directory with the following statements:

```apache
# Deny everything in wp-content by default (this also stops direct requests to
# plugin and theme .php files), then re-allow only the static types browsers need.
# Add any other types your site serves directly (fonts, svg, webp, video) or
# they will return 403. On Apache 2.4 these directives need mod_access_compat.
Order Allow,Deny
Deny from all
<Files ~ "\.(jpg|gif|png|js|css)$">
Allow from all
</Files>
```

# Disable Directory Browsing in WordPress

To prevent visitors from traversing your site’s folders and viewing their contents, you can disable directory browsing for your website. Create or modify an existing .htaccess file in your root WordPress directory with the following contents:

```apache
Options -Indexes
```

# Use Proper File Permissions & Ownership

File permissions control what you and other people can do with a file or folder. Configure them so that files and folders can only be changed by your account, and so that outside visitors can’t read important WordPress configuration files.

  • All files should be set with a CHMOD value of 644
  • All folders should be set with a CHMOD value of 755
  • Your wp-config.php file should be set with a CHMOD value of 640
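Applying that scheme by hand to a whole install is error-prone, and a single stray 777 directory is easy to miss. The script below is an added example, not from the original post: it applies the 644/755/640 scheme with `find` and then verifies that nothing deviates from it. The directory tree built by `make_sample_tree` is constructed for the demo; on a real site you would run `apply_wp_permissions` and `check_wp_permissions` against the WordPress root (the directory holding wp-config.php), as the user that owns the files.

```sh
#!/bin/sh
# Added example, not from the original post: apply the 644/755/640 permission
# scheme to a WordPress tree with find, then verify it. make_sample_tree builds
# a constructed stand-in for a WordPress install; on a real site pass the
# WordPress root to apply_wp_permissions / check_wp_permissions instead.

# Build a small directory layout that mimics a WordPress install (constructed).
make_sample_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/wp-perms.XXXXXX")
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    printf '<?php // constructed sample\n' > "$root/wp-config.php"
    printf '<?php // constructed sample\n' > "$root/index.php"
    printf '<?php // constructed sample\n' > "$root/wp-admin/admin.php"
    : > "$root/wp-content/uploads/photo.jpg"
    # Deliberately over-permissive starting point, as left by a careless upload.
    chmod -R 777 "$root"
    printf '%s\n' "$root"
}

# Set directories to 755, files to 644, and wp-config.php to 640.
apply_wp_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
}

# List anything that deviates from the scheme; return 0 only if the tree is clean.
check_wp_permissions() {
    root=$1
    bad=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -name wp-config.php ! -perm 640
    )
    if [ -n "$bad" ]; then
        printf 'non-conforming entries:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

site=$(make_sample_tree)
check_wp_permissions "$site" || echo "before: permissions need fixing"
apply_wp_permissions "$site"
check_wp_permissions "$site" && echo "after: all entries conform"
rm -rf "$site"
```

The check uses `find -perm` with an exact mode, so it also flags set-uid, set-gid or group-writable entries that a plain 644/755 listing would hide. The scheme assumes, as the list above does, that PHP runs as the user who owns the files; on hosts where the web server runs as a different account, the uploads directory will need group write access for that account, which is a deliberate exception you should document rather than a reason to fall back to 777.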

# Hide WordPress Reporting

When things go awry, only you should know about it. Displaying errors to your visitors can be an absolute disaster, especially if they have malicious intentions.

A common WordPress attack method is to crawl for sites running a particular version number that has known security exploits and vulnerabilities associated with it.

To remove WordPress version reporting, place the following line of code in your theme’s functions.php file:

```php
remove_action('wp_head', 'wp_generator');
```

To hide WordPress login error messages, place the following snippet of code in your theme’s functions.php file:

```php
// The original used create_function(), which was deprecated in PHP 7.2 and
// removed in PHP 8; an anonymous function does the same job. Returning an
// empty string suppresses the "invalid username"/"incorrect password" hints.
add_filter('login_errors', function ($error) {
    return '';
});
```

# Use Security Plugins

Security extensions provide a way to monitor, review and secure important files and components for your WordPress installation.

One of the most popular is the free iThemes Security plugin, which can fix your file and directory permissions, protect your administrator directory, change your database prefix, set a secure Super Administrator ID and apply a whole host of other recommended security improvements.

You can learn more about iThemes Security by visiting https://wordpress.org/plugins/better-wp-security/.
