While the latest version of WordPress is always the most secure release available, there\u2019s more you can do to your site to ensure it\u2019s impenetrable to hackers and bots.<\/p>\n
Here are some best practice tips to help you secure your site.<\/p>\n
- \n
- Use a Good Web Host<\/a><\/li>\n
- Only Use Quality Themes and Plugins<\/a><\/li>\n
- Keep WordPress Core, Themes, and Plugins Up-to-Date<\/a><\/li>\n
- Don’t Use “Admin” As a Username<\/a><\/li>\n
- Use a Strong Password<\/a><\/li>\n
- Use Two-Factor Authentication<\/a><\/li>\n
- Limit Login Attempts<\/a><\/li>\n
- Install an SSL certificate<\/a><\/li>\n
- Change Database Prefix<\/a><\/li>\n
- Protecting wp-config.php and .htaccess Files<\/a><\/li>\n
- Add Security Keys<\/a><\/li>\n
- Disable File Editing<\/a><\/li>\n
- Prevent PHP Files from Being Executed<\/a><\/li>\n
- Disable XML-RPC Selectively<\/a><\/li>\n<\/ol>\n
1. Use a Good Web Host<\/h2>\n
A good web host is your first line of defense against attacks on your site. So don\u2019t automatically opt for cheap shared hosting. Instead, do your homework<\/a>.<\/p>\n
Go with a reputable host that supports the latest versions of basic web technologies, such as PHP and MySQL. Be sure to check your host supports PHP 7 \u2013 it is the official recommended PHP version for WordPress<\/a>.<\/p>\n
Consider choosing a managed WordPress host<\/a>. These services are set up specifically for WordPress and look after all the important technical aspects of hosting, including security, backups, uptime, and performance.<\/p>\n
2. Only Use Quality Themes and Plugins<\/h2>\n
According to WPScan<\/a>, 52% of website vulnerabilities are caused by plugins while 11% are caused by themes. Combine, that\u2019s more than 60% of WordPress security<\/p>\n
The easiest way to ensure your plugins<\/a> and themes<\/a> can stand up to attacks is to only download them from reputable sources. This includes WordPress.org<\/a> and premium providers. Downloading from dodgy developers who hide malicious code in their themes and plugins could compromise your site.<\/p>\n
If you\u2019re not sure if a website you want to download from is safe, look for testimonials and reviews to ensure the product you want is of sound quality.<\/p>\n
Also, ensure any plugins and themes you use are also well-supported and regularly updated. If a plugin or theme hasn\u2019t been updated in a long time, chances are it contains security holes that are unpatched or even bad code that could leave you vulnerable to hacks.<\/p>\n
Lastly, only keep plugins and themes that you actually need and use. The more you have, the higher the risk of being hacked. So regularly review your list of plugins and themes and deactivate and delete any that you don\u2019t need.<\/p>\n
3. Keep WordPress Core, Themes, and Plugins Up-to-Date<\/h2>\n
WordPress is open source software and developed and maintained by a worldwide community of volunteers. With each new release, any security vulnerabilities are patched.<\/p>\n
By default, WordPress automatically installs minor updates (i.e. WordPress 4.9.4). But for major releases (i.e. WordPress 4.9), the onus is on you to manually update to the latest version.<\/p>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/wordpress-updates.png\")
<\/a>Ensure your site is always running the latest version of WordPress.<\/p><\/div>\n
These core updates are critical for the security and performance of your site. So be sure to backup your site and apply any core updates when they become available.<\/p>\n
Likewise, it\u2019s also important to regularly update any plugins and themes so you\u2019re always using the most up-to-date and secure versions of software.<\/p>\n
4. Don’t Use “Admin” As a Username<\/h2>\n
Don\u2019t use \u201cadmin\u201d as the username for your site. Earlier versions of WordPress used \u201cadmin\u201d as the default username, making it easier for hackers \u2013 one less piece of the puzzle to guess during a brute force attack.<\/p>\n
But recent releases of WordPress changed this, giving users the opportunity to enter their own username during installation. However, some people still opt to use \u201cadmin\u201d rather than come up with an original username. Just don\u2019t.<\/p>\n
You want to make it harder for malicious attackers to penetrate your site, so attacks take longer and you or your hosting provider can identify any attacks before they are successful and stop them.<\/p>\n
5. Use a Strong Password<\/h2>\n
Always create strong and unique passwords for your WordPress admin account, database, hosting account, email address and any FTP accounts. Like usernames, passwords are another piece of the puzzle for hackers to guess, and the stronger your password, the more difficult you make it for hackers to successfully login to your site.<\/p>\n
During installation, WordPress will try to force a strong password on you and ask you to check a box if you enter a weak one. While you might want to come up with your own password, tools like Secure Password Generator<\/a> can create a strong password for you.<\/p>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/secure-password-generator.png\")
<\/a>The Secure Password Generator lets you create unique and random passwords.<\/p><\/div>\n
6. Use Two-Factor Authentication<\/h2>\n
Even with a strong username and password, brute force attacks are still a problem for many websites. This is where two-factor authentication can help.<\/p>\n
Two-factor authentication adds another step in the login process, forcing users to enter a code sent to their mobile phone in addition to entering their usual login credentials. This can thwart automatic attacks and ensure your site doesn\u2019t fall victim to hackers.<\/p>\n
Plugins like iThemes Security<\/a> can implement two-factor authentication. There are also free plugins like Two Factor Authentication<\/a> that can add this extra layer of security to your site.<\/p>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/two-factor-authentication.png\")
<\/a>The free Two Factor Authentication plugin lets you easily add another layer of protection when logging in to your site.<\/p><\/div>\n
7. Limit Login Attempts<\/h2>\n
By default, you can attempt to login to your WordPress account as many times are you want. While this might be convenient for you if you\u2019re forgetful and don\u2019t always get your password right on the first or even third go, it\u2019s also convenient for hackers carrying out brute force attackers \u2013 it gives them an unlimited number of attempts to crack your username and password combination.<\/p>\n
This can be easily fixed by limiting the number of failed login attempts a user can make on your site. Free plugins like WP Limit Login Attempts<\/a> let you limit login attempts and block IP addresses temporarily.<\/p>\n
8. Install an SSL Certificate<\/h2>\n
Installing an SSL certificate on your site is a must, especially if you have an eCommerce store. Not only because it will make it difficult for hackers to intercept sensitive information between user browsers and your server, but because Google now insists that all sites should have one.<\/p>\n
Starting in July 2018 with the release of Chrome 68, web pages that load without HTTPS will be marked as \u201cnot secure.\u201d This means that users who try to access sites that don\u2019t have an SSL certificate will get a warning that the site is untrustworthy.<\/p>\n
This announcement is a big deal because, according to Cloudflare, more than half of web visitors will see these warnings.<\/p>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/lets-encrypt.png\")
<\/a>Let’s Encrypt is a free certificate authority providing SSL certificates for site owners.<\/p><\/div>\n
Getting an SSL certificate is becoming more and more easier to do. Let\u2019s Encrypt offers free open source certificates<\/a> while hosting companies will generally provide one for a free (and sometimes even for free).<\/p>\n
9. Change Database Prefix<\/h2>\n
By default, WordPress uses wp_ as the prefix for all tables in your site\u2019s database. This means that if you\u2019re using the default \u2013 which is common WordPress knowledge \u2013 hackers can easily guess what your table name is, making it vulnerable for SQL injections.<\/p>\n
A simple way to fix this it to change the prefix to something random, like
5jiqtu69dg_<\/code> using a random string generator<\/a>. In order to update your table\u2019s prefix, open the wp-config.php file in the root of your site\u2019s file directory and find this line:<\/p>\n$table_prefix \u00a0= 'wp_';<\/pre>\n
Using my example, you would replace the line like so:<\/p>\n
$table_prefix \u00a0= '5jiqtu69dg_';<\/pre>\n
Next, you\u2019ll need to update the prefix used in your database. While security plugins like iThemes Security can help you do it quickly and easily, you can learn how to do it manually via phpMyAdmin here<\/a>.<\/p>\n
10. Protecting wp-config.php and .htaccess Files<\/h2>\n
Your site\u2019s wp-config.php file, which is usually located in the root folder of your website, contains critical information about your WordPress installation, including the name, host, username and password for your database. Meanwhile, .htaccess is a hidden file that sets directory level server configuration, enables pretty permalinks, and allows for redirects.<\/p>\n
Preventing access to these critical files is easy. Simply add the following to your .htaccess file to protect wp-config.php:<\/p>\n
<Files wp-config.php>\r\norder allow,deny\r\ndeny from all\r\n<\/Files><\/pre>\n
Alternatively, you could simply move your wp-config.php file on directory higher as WordPress will automatically look for it there<\/a>.<\/p>\n
To stop unwanted access to .htaccess, all you need to do is change the file name in the code:<\/p>\n
<Files .htaccess>\r\norder\u00a0allow,deny\r\ndeny\u00a0from all\r\n<\/Files><\/pre>\n
11. Add Security Keys<\/h2>\n
WordPress security keys and salts encrypt information stored in browser cookies, protecting passwords and other sensitive information. There are four security keys in total:
AUTH_KEY<\/code>,SECURE_AUTH_KEY<\/code>,LOGGED_IN_KEY<\/code>, andNONCE_KEY<\/code>.<\/p>\nThese authentication keys are basically a set of random variables and make it harder to crack your passwords. A non-encrypted password like \u201cwordpress\u201d doesn\u2019t take much effort for attackers to break. But a long and random password like \u201cL2(Bpw 6#:S.}tjSKYnrR~.Dys5c>+>2l2YMMSVWno4`!%wz^GOBf};uj*>-tkye\u201d is much more difficult to crack.<\/p>\n
Adding security keys and salts is a manual process and easy to do. Here\u2019s how to do it:<\/p>\n
- \n
- Get a new set of security keys and salts. You can randomly generate them here<\/a>.<\/li>\n
- Next, update your wp-config.php file. Open your file and scroll down until you find the section below and replace the old values with your\u00a0new keys and salts:<\/li>\n<\/ol>\n
\/**#@+\r\n * Authentication Unique Keys and Salts.\r\n *\r\n * Change these to different unique phrases!\r\n * You can generate these using the {@link https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/ WordPress.org secret-key service}\r\n * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.\r\n *\r\n * @since 2.6.0\r\n *\/\r\ndefine('AUTH_KEY', 'add unique variables here');\r\ndefine('SECURE_AUTH_KEY', 'add unique variables here');\r\ndefine('LOGGED_IN_KEY', 'add unique variables here');\r\ndefine('NONCE_KEY', 'add unique variables here');\r\ndefine('AUTH_SALT', 'add unique variables here');\r\ndefine('SECURE_AUTH_SALT', 'add unique variables here');\r\ndefine('LOGGED_IN_SALT', 'add unique variables here');\r\ndefine('NONCE_SALT', 'add unique variables here');\r\n\r\n\/**#@-*\/<\/pre>\n- \n
- Save your wp-config.php file. You\u2019ll be automatically logged out of your WordPress site and will need to log in again.<\/li>\n<\/ol>\n
12. Disable File Editing<\/h2>\n
WordPress features an internal code editor for plugin and theme files. While this is useful for admins who want to make quick changes to files, it also means hackers and high-level users can also make file changes. You can find this feature by going to Appearance > Editor<\/b> in your WordPress admin.<\/p>\n
You can disable file editing in your wp-config.php file. Just open your file and add this line of code:<\/p>\n
define('DISALLOW_FILE_EDIT', true);<\/pre>\nYou\u2019ll still be able to edit your plugins and themes via FTP<\/a> or cPanel<\/a>, just not in the WordPress admin.<\/p>\n
13. Prevent PHP Files from Being Executed<\/h2>\n
A common folder for hackers to upload malware in WordPress is wp-content\/uploads, <\/i>but also wp-includes\/<\/i>. To prevent files from being executed in these folders, create a new text file in a text editor and paste in this code:<\/p>\n
<Files *.php>\r\ndeny\u00a0from all\r\n<\/Files><\/pre>\n
Next, save this file as .htaccess and upload it to both your \/wp-content\/uploads<\/i> and wp-includes\/<\/i> folders via FTP or cPanel.<\/p>\n
14. Disable XML-RPC Selectively<\/h2>\n
XML-RPC, or XML Remote Procedure Call, is an API that helps connect web and mobile apps with your WordPress site. It was enabled by default in WordPress 3.5 but has since been found to significantly amplify brute force attacks<\/a>.<\/p>\n
For example, if a hacker wanted to try 500 different passwords on your site, usually they would have to make 500 separate login attempts. But with XML-RPC, the hacker could use the
system.multicall<\/code> function to try a large number of username and passwords combinations in a single HTTP request.<\/p>\nWhile it would be easy to simply disable this feature altogether for your site, it would mean losing functionality for plugins like Jetpack. Instead, it\u2019s best to selective in the way you implement and disable XML-RPC using specially designed plugins<\/a>.<\/p>\n
Bonus: How to Check for Vulnerabilities<\/h2>\n
There are a couple of different ways you can check your site for vulnerabilities: with an online site scanner or with a plugin.<\/p>\n
With these free online tools, all you need to do it enter your site\u2019s URL and they will start scanning your site for known vulnerabilities:<\/p>\n
WordPress Security Scan<\/b><\/a> \u2013 This tool passively checks for basic security issues. You\u2019ll need to upgrade to a premium plan for advanced testing.<\/p>\n
Sucuri SiteCheck<\/b><\/a> \u2013 Check your website for known malware, blacklisting status, website errors, and out-of-date software. With a premium upgrade, this tool will do malware cleanup, DDoS\/brute force protection, blacklist removal and security monitoring.<\/p>\n
WPScan<\/b><\/a> \u2013 This black box WordPress vulnerability scanner hosted at GitHub lets you scan your site for known vulnerabilities with core, plugins and themes. You\u2019ll need to use the Terminal to run this application. It\u2019s free for personal use and sponsored by Sucuri.<\/p>\n
Bonus: Best WordPress Security Plugins<\/h2>\n
Installing a security plugin<\/a> on your WordPress site adds another line of defense against possible attacks. They offer a wide range of features to help secure your site \u2013\u00a0including site scans \u2013\u00a0and can notify you when your site has been compromised.<\/p>\n
Here are the top 3 plugins:<\/p>\n
Wordfence<\/a><\/h3>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/wordfence.png\")
<\/a>Wordfence security plugin.<\/p><\/div>\n
WordFence is a hugely popular free security plugin with 2+ million active installations and a premium option available. It features a \u201cThreat Defense Feed\u201d that pulls in the newest firewall rules, malware signatures and malicious IP addresses, keeping your website site.<\/p>\n
A web application firewall identifies and blocks malicious traffic, while a real-time IP blacklist blocks all requests from malicious IPs, protecting your site while reducing load.<\/p>\n
This plugin protects against brute force attacks by limiting login attempts, enforcing strong passwords, and other login security measures. If it finds any kind of infection in your site, it will notify you by email. You can also monitor the traffic to your site in real-time to check if it\u2019s under attack.<\/p>\n
Sucuri<\/a><\/h3>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/sucuri.png\")
<\/a>Sucuri security plugin.<\/p><\/div>\n
For a free security plugin, Sucuri\u2019s security plugin provides a comprehensive set of features, including security activity auditing so you can keep an eye on any changes made to your site, file integrity monitoring, remote malware scanning, blacklist monitoring, and security hardening measures.<\/p>\n
A \u201cpost-hack security actions\u201d section of the plugin walks you through the three key things you should do after a compromise. You can also enable security notifications so when an infection is found on your site or it\u2019s compromised, you\u2019ll be immediately alerted.<\/p>\n
When you upgrade to the premium version, you get access to a website firewall for added protection.<\/p>\n
iThemes Security<\/a><\/h3>\n
- Next, update your wp-config.php file. Open your file and scroll down until you find the section below and replace the old values with your\u00a0new keys and salts:<\/li>\n<\/ol>\n
- Only Use Quality Themes and Plugins<\/a><\/li>\n
![\"\"](\"https:\/\/www.designbombs.com\/wp-content\/uploads\/2018\/03\/ithemes.png\")
<\/a>