Of the world's top 10 million websites, 42.5% run on WordPress. CMS (Content Management System) platforms power about 43.2% of the web, and within that share WordPress holds 65.2%. So we can say that WordPress is used by roughly one-third of the web.
WordPress is not only used by bloggers or by people who don't know how to code; it is also used by web professionals, companies and even big enterprises such as TechCrunch, The New Yorker, BBC America and Sony.
Because of this popularity and market share, WordPress has become a prime target for hackers. So you must focus on the security of your WordPress site as much as on its performance.
To help with that, I'll explain the things you need to understand about WordPress security, and I'll show you DIY methods to harden your WordPress website from beginning to end.
Since WordPress is open-source software, its source code is available to all kinds of people, including those who do not have good intentions. Yes, the hackers.
As WordPress holds the largest slot in the CMS market, it is the primary target for spammers, attackers, hackers and crackers.
You may think that you have only a small website running on WordPress, so why would hackers or attackers waste their time on it? That is not how it works: a hacked website can be used for many purposes.
The attacker might use your server as a bot that becomes part of a DDoS attack network. They might redirect your traffic to another website, or show unwanted ads on your pages. There are many ways an attacker can use a hacked website.
So whether you have a small website or a big eCommerce store on WordPress, you must ensure that it is secured by all means.
I have divided this WordPress Security guide into subparts. So, you can navigate to the subpart of your interest.
This is the first question people ask when I talk about WordPress security. So let me answer it in the easiest way possible.
As we all know, WordPress is open source and its source code is available on the internet free of cost. It also gives us the freedom to modify, rebuild and redistribute the software.
But most people don't know how WordPress is built, who works behind the scenes, what security measures they take, or how the code is managed.
Here are the answers to all of those questions.
The WordPress project is managed by a core leadership team led by WordPress co-founder Matt Mullenweg. The core team oversees all aspects of the project, such as core development, design and documentation.
The most important part of WordPress is the big community of volunteers behind the project, who contribute regularly to make WordPress more efficient and reliable. The community is worldwide and includes professional developers, security experts and many others.
We at Quatervois also regularly contribute to the WordPress Project.
Note: If you are interested in contributing to WordPress, you can start from the official Make WordPress site. You don't have to be a technical expert or someone who knows the code; you can contribute to WordPress in several ways. Find your comfort zone and start contributing!
To ensure the security of the WordPress core project, there is a dedicated team of 25 web application security experts from different areas who make sure that the WordPress core is secure against modern-day threats.
According to the WordPress Security White Paper, WordPress follows the OWASP (Open Web Application Security Project) Top 10 list to ensure rock-hard security against the most serious application security risks.
Note: OWASP is a community of volunteers who gather data from different organizations and analyze it to estimate the top 10 most serious web application security risks. The latest Top 10 list was published in 2020, with 40 top-level organizations sharing their security data and about 500 volunteers contributing to the OWASP survey.
The WordPress project makes sure to use standard APIs, techniques and policies to keep WordPress secure against the OWASP Top 10 threats.
Hence the WordPress core is secure; and whenever the security team finds a security loophole or bug, they fix it promptly and make a security update available to users.
So, we can say that WordPress itself is secure.
But do you know why WordPress is so popular?
Yes, because of the themes and plugins that let users extend the functionality of WordPress.
According to the WordPress.org directory, there are about 54,764 plugins available to date and 3,000+ free GPL-licensed themes listed.
Before themes and plugins are published on the official WordPress website, they are manually reviewed by a team of volunteers, but the ongoing security of those themes and plugins remains the concern of their developers.
Now we know that the WordPress core is secure. So who is the culprit? Is it the theme, a plugin, the WordPress core itself, or something else?
Let's take a deep dive into how the overall security of a web application works, especially when it comes to WordPress.
As we know, a web application has many aspects running behind it. If we start from scratch:
So, as we can see, many factors sit behind a web application, from the server and the database engine to the programming language it is built upon.
Each of these aspects plays a role in the overall security of a web application. So we cannot directly say how a web application was hacked, or which component was the culprit that led to the hack.
An attacker or hacker doesn't hack your website directly. First of all, they need to collect information about it.
They use many techniques and tools to gather information about your website, looking for every tiny detail that may help them identify the type of attack your website may be vulnerable to.
Apart from the server, the WordPress-specific aspects that may lead to a hack are:
I believe you now have an idea of how WordPress websites get hacked.
According to a survey by GETATRA, below are the percentages showing who is responsible for WordPress website hacks:
Now that you have an idea of who the culprit can be, you may wonder how hackers or attackers find out who is vulnerable and what they are vulnerable to.
You may not know this, but there are many information-gathering tools built around WordPress that help determine possible vulnerabilities on your website.
I would like to tell you about the two most popular WordPress vulnerability scanners.
WordPress vulnerability scanners are tools developed by security specialists, such as penetration testers, to automate the vulnerability scanning of a web application.
A scan consists of a series of tests, each with a specific output that determines the security status of the web application.
There are hundreds of tools for web app vulnerability scanning, but for WordPress I would like to share the tools below.
WPScan is free to use for non-commercial purposes. It is developed by the security professionals @erwan_lr, @firefart and @ethicalhack3r, and it is the recommended WordPress vulnerability checker. It is written in Ruby and uses the WPVulnDB API to get WordPress vulnerability data in real time.
Scan your website online or install the tool on your own system.
Prerequisites:
Installing using RubyGems
gem install wpscan
Usage
wpscan -u <target-url>
Output
For demo purposes, I have scanned a website with WPScan.
See the result:
It lists all the vulnerabilities that could lead to a breach of my website, even though I have not installed any plugin on the demo website.
If you have plugins and those plugins have vulnerabilities, WPScan will list them in the output as well.
So it is a god-level tool for hackers and attackers. I would advise you to scan your website and fix the issues listed by WPScan as soon as possible to avoid being hacked.
It is a simple Chrome browser extension that can determine which theme and plugins you are using, the WordPress version and many more details.
It also lists the plugins that have vulnerabilities and what other kinds of vulnerabilities your website has.
I also recommend checking your website against this tool and making sure to fix the vulnerable areas.
So these are the two basic tools that help scan your website for vulnerabilities. Don't assume that if your website shows no risk in these tools, it cannot be hacked.
There are thousands of other ways in which website security can be tested. So if you are on the web, you are at risk.
Security definition from WordPress:
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.
So there is no way to fix the security issues on your website in one go; it's an ongoing process that never ends.
At this point you may be thinking that I have discussed a lot about WordPress security and other things, but what about the DIY guide promised in the article title? So let's start with the DIY WordPress security guide.
Your quest to secure your WordPress website starts even before you install WordPress.
You have often heard people talk about a strong foundation; if not, here it is.
The American religious leader Gordon B. Hinckley once said:
You can’t build a great building on a weak foundation. You must have a solid foundation if you’re going to have a strong superstructure.
And it is indeed true.
The foundation of your WordPress site should be strong (performance-wise) and secure enough if you want your website to have a long future.
So, what makes the foundation for your WordPress website?
Yes, a web host. In simple words, a server or remote computer where all of your WordPress core files, including themes, plugins and uploads, reside.
Your web host also plays a major role in the overall performance (speed) of your website.
Hence we can say that the web host is the foundation of a WordPress website. Being the most important aspect of a WordPress website in terms of security and performance, it is critically important that you choose reliable web hosting for your web application.
It is really difficult to choose a secure hosting provider, given the hundreds of options available in the market.
Still, I'll try to make things clear for you. First of all, you need to define what kind of web hosting server will be best for your WordPress site.
You may define the web host type by your budget, the performance needed and the type of website (informational, business portfolio, membership forum, eCommerce, etc.).
Here are the common WordPress web hosting types you may encounter:
I won't talk about all of these hosting types in detail, but you'll get an idea about their security and how much isolation each kind of hosting provides.
This is the most popular and cheapest kind of WordPress web hosting; most WordPress websites in the world use shared web hosting.
In this kind of hosting, the resources of the remote computer are shared among all the websites hosted alongside yours.
So in simple words, you are not alone on that server; there might be hundreds of other websites hosted on the same server.
Providers of shared web hosting include the largest EIG (Endurance International Group) companies such as GoDaddy, Bluehost, HostGator, etc.
Pros of Shared Web Hosting:
Cons:
Yet WordPress recommends Bluehost, DreamHost and SiteGround for optimum performance and essential security.
In this kind of hosting, all the server-related tasks are handled by the service provider, and you can get support from the hosting provider whenever you need it.
The provider may use other kinds of web host technology to deliver managed WordPress hosting; for example, they may provide it on top of a VPS, AWS or Google Cloud Platform. It depends on the provider.
Managed hosting is a bit costlier than shared web hosting because it brings you isolation: all of your WordPress core files are separated from the other websites.
It may feel as if you are the only user of the remote server. It usually costs between $20 and $25 per month.
Pros:
Cons:
Kinsta is one of the best managed WordPress hosting providers, along with SiteGround and Bluehost.
Here "DIY" stands for Do It Yourself. So first of all, when you choose this kind of hosting, you must have the technical knowledge to manage and configure the server properly.
A VPS (Virtual Private Server) is the cheap alternative to a dedicated server, often used by bootstrapped start-ups and by users who have server management knowledge.
Security depends on the user who configures it. So it depends solely on the security measures you take while you configure your VPS.
Tools like ServerPilot make it easier to manage VPS hosting. Some popular VPS hosting providers are Linode, Vultr and DigitalOcean.
Pros:
The host machine itself is already secured by the provider.
Cons:
The most efficient, powerful and expensive kind of web hosting. It is also secured against the most serious threats, like DDoS. So you don't have to worry about being hacked from the server side unless you leave a security loophole yourself.
This kind of hosting also needs technical skill to manage, but some companies like Kinsta provide their managed WordPress hosting on top of the Google Cloud Platform.
You can use the free tier at Amazon Web Services for the first 12 months.
Pros:
Cons:
At this point, you should have an idea of which kind of web hosting will be ideal for your WordPress website.
The web host is the key aspect of the foundation of your WordPress website, so it has to be strong and secure.
In the next section, I'll share the key security essentials to apply while installing WordPress.
You may wonder why I am including this section in this guide, because every other guide on the internet explains "How to install WordPress".
But here I am talking about secure installation: not the steps to install WordPress, but the things to consider while you install WordPress to make your installation more secure. Remember the "foundation" concept? Yes, the same applies when we install WordPress.
Below are the security measures you must ensure while you install WordPress.
When we install WordPress from the beginning, the first thing it asks for is the database information: database name, database username, password, database host and table prefix.
So we must take this information seriously and create a database username and password that are not common.
We all know that for phpMyAdmin the default user is root. So if I am an attacker, I already have half the information needed to log in to your database server: the username is root.
If I brute-force the password and you have a weak password on the database server, then boom, I have direct access to your database.
Essential security tips while you create the database for your WordPress site:
By default, WordPress uses the wp_ table prefix for all the tables it creates in your database automatically.
So if you do not change it, a hacker knows the exact name of every table in your database by default. It looks like the scenario below, and it helps hackers carry out SQL injection more efficiently.
WordPress asks you to change the database table prefix when you install it from scratch; you can refer to the screenshot below.
If you have already installed WordPress, this guide shows how you can change the default prefix manually.
Choose a table prefix that is hard to guess, like zbXNhCw.
Once you are done with this, you are one step more secure than a lot of vulnerable WordPress websites.
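Changing the prefix on an existing site is more than renaming tables, because WordPress also stores the prefix inside row data (the `<prefix>user_roles` option and the per-user `<prefix>capabilities` and `<prefix>user_level` meta keys); missing those rows locks every user out of the dashboard. The shell function below, an added example that is not part of this guide or of WordPress itself, generates the full SQL for a move from one prefix to another. The table list and the `zbXNhCw_` prefix in the usage line are constructed for illustration; after running the SQL, `$table_prefix` in wp-config.php must be set to the new value as well.

```shell
#!/bin/sh
# Added example (not from the original guide): generate the SQL that moves an
# existing WordPress database from one table prefix to another. Besides renaming
# the tables, the prefix also lives inside row data (the <prefix>user_roles
# option and the <prefix>capabilities / <prefix>user_level meta keys), so those
# rows are rewritten too. Pipe the output into the mysql client, then set
# $table_prefix in wp-config.php to the new value.
# Assumption: the table names passed in are the tables of the site in question;
# plugins that store the prefix in their own option names need the same treatment.

prefix_rename_sql() {
    # $1 = old prefix (e.g. wp_), $2 = new prefix, rest = table names without prefix
    old=$1
    new=$2
    shift 2
    for t in "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # The user_roles option is keyed by prefix, so its name has to follow.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # Per-user meta keys start with the prefix as well. In LIKE, "_" is a
    # one-character wildcard, so underscores in the old prefix are escaped;
    # SUBSTRING is 1-based, hence old prefix length + 1.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$((${#old} + 1))" "$esc"
}

# Constructed usage: the core tables of a default install, moved from wp_ to zbXNhCw_.
core_tables="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"
prefix_rename_sql wp_ zbXNhCw_ $core_tables
```

Take a database backup before running the generated statements, and run them inside a maintenance window: between the RENAME and the two UPDATE statements the site is not usable.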
In 2013, after the release of WordPress 3.0, WordPress co-founder Matt Mullenweg said in one of his posts:
Here’s what I would recommend: If you still use admin as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
So you must realize how important it is to use a strong username and password for WordPress.
Hackers use weaknesses in the WordPress XML-RPC implementation to brute-force your website with common usernames and passwords. Here's a list of the 1,000 most common passwords used on WordPress; make sure your password is not on that list.
After you provide the database information while installing WordPress, it asks for the site title, username, password and email.
So it's time to select a unique username and a powerful password. How would you do that? Below is the answer.
Avoid Using admin username:
Don't use admin as the username. Use something different and unique that cannot be guessed by anyone. Also, don't use your domain name as the username; choose something that does not directly identify you. Be unique.
Use Passphrase instead of Password:
Hackers and attackers know every bit that can change the way their tools work, and they keep themselves updated. They have password wordlists containing billions of passwords.
So short passwords of about 8-9 characters are vulnerable. To make digital systems more secure, the term passphrase arrived.
A passphrase is not a complex topic: it is the same as a password, but in a passphrase you use a sequence of words, numbers or special characters in a specific order and style that is also easy to remember.
For example:
A Password Can be: xh\[email protected]^yvE%9a$
But PassPhrase will be Like: Mcbride34claiming78Flurried67hipster80Tote
The example passphrase contains 42 characters, and if we calculate the total possible combinations for it, we get 103,635,711,738,782,159,688,396,800,000,000.
A crazy number, isn't it? No way to brute-force it.
So I recommend using a passphrase instead of a password for all existing users.
This is the step where a tiny mistake can hand your whole WordPress website to an attacker.
We all know that themes and plugins are one of the main reasons WordPress is such a popular CMS.
Anyone can install themes and plugins to extend the features of core WordPress and make it more customizable.
On the other hand, themes and plugins from untrusted sources are the major factors that make a WordPress website vulnerable to many attacks. So you must choose themes and plugins from reputable sources.
Once you have installed WordPress securely and successfully, it is time to choose themes and plugins. So how would you choose them?
The first things to consider are "security" and "performance".
Make sure to choose a theme from trusted sources such as the WordPress.org Theme Directory, Envato Market, ThemeForest, etc. These are trusted, authenticated marketplaces for themes.
If someone offers you a commercial theme for less than its actual price, DO NOT TRUST SUCH SOURCES. The theme might be nulled and may contain malware that eventually hijacks your website.
I discussed a pie chart at the beginning of the article showing who is the culprit behind WordPress hacks, and insecure themes are responsible for over 6% of all WordPress website hacks.
List all the features you require in a theme and search for a theme that provides them in the most minimalist way possible. The more features a theme has, the more risk it brings.
When you choose a theme, look for the points below:
These are the points I consider while I look for a WordPress theme.
From the beginning of this article we have been talking about WordPress security, and in the culprit section you must have noticed that the biggest reason behind WordPress website hacks is plugins.
About 56% of WordPress websites are compromised due to outdated or poorly coded plugins. So it is essential to check every plugin's authenticity and reliability before installing it on your website.
Things to look for in a Plugin
Don't fall for third-party offers of premium plugins at half price. If you are buying a plugin, purchase it from the vendor itself or from a trusted marketplace.
Before installing an untrusted plugin, take a backup of your whole website including the database, so if anything goes wrong you can start over. The recommendation is to never use a plugin from a source you don't know.
In August 2014, Google officially announced that HTTPS/SSL is a ranking signal for websites. Google started using SSL as a ranking signal because it officially promotes private communication between browser and server.
The most convincing reason is that it is an official ranking signal for the Google search engine.
Second, and most important, it encrypts the communication between the browser and the server.
In other words, it prevents man-in-the-middle attacks. So it is now standard to use an SSL certificate on your website.
An SSL certificate does not directly save you from the other potential WordPress threats, but it makes sure that the communication between your website and the user is encrypted using public and private key cryptography.
The ISRG (Internet Security Research Group) has even started a non-profit certificate authority known as Let's Encrypt that provides X.509 TLS certificates free of cost.
Internet giants like Google, Mozilla, Facebook and Cisco are regular donors to the Let's Encrypt project. So if you don't want to invest in an SSL certificate, you can simply use a Let's Encrypt certificate for your WordPress website.
Let's Encrypt certificates are recognized by all modern browsers like Google Chrome, Mozilla Firefox, Opera, etc.
You must have an SSL certificate for your users' privacy.
The above steps make sure of a secure installation of WordPress. At this point in the WordPress security guide, you have installed WordPress securely.
Now it's time to consider the security measures that are essential after installing WordPress. I'll try to make things easy to understand.
Let’s dive in Together.
From this stage of the security guide onward, whatever changes you make to the website will directly affect the working mechanism of your WordPress website.
So it is recommended to back up your whole website (website files + database) before applying anything from now on. Regular backups with a clear timestamp (date and time properly recorded) are also the next security measure I am going to discuss.
There is no such thing as a perfectly secure website. Nothing on the internet is secure unless you take appropriate action in time.
Suppose your website is hacked: what will your immediate action be? Will you report a crime scene, or look for the probable reason why your website was hacked?
No, your immediate action should be to restore your website from the last stable backup and delete the hacked version, so users can continue to access your content.
Restoring the backup will also make sure that search engine bots won't notice anything suspicious on your website.
Backups are really important if you are running a website on the internet.
A backup is nothing but a good risk management tactic. So make sure to back up your WordPress website regularly. The backup frequency depends on how often you update your website.
So take a backup whenever you update the website, and record the proper date and time of each backup, because you might not know the exact date or time when your website was compromised. In that case you may need a backup from days earlier.
There are mainly two ways to take a backup of your WordPress website.
I have further subdivided manual backup into subparts according to the credentials available. Some of you may have cPanel/Plesk credentials, and some may have only FTP credentials. So, depending on the access details available to you, choose the easiest way to take a backup manually.
I) Backup Using SFTP Client (FileZilla):
Pre-requisite:
To connect to your server using FTP (File Transfer Protocol), you need the hostname, username, password and port. The standard FTP port is 21, but it may vary according to your web hosting provider.
You also need an FTP client installed on your local computer. Using the FTP client, we'll connect to the remote server to transfer files. FileZilla is the most used FTP client; it is also open source and free to use.
Once you have the above, you are ready to take a backup of your WordPress website using the FTP client. Below are the steps to do so.
Here's the problem: at this point you have only your website files backed up; your database still needs to be backed up. To do so, you need server access through SSH, cPanel or Plesk (depending on your hosting provider).
II) Manual backup of the database
Prerequisites:
If you have the above details:
That's your database, with all its tables, backed up.
III) Manual Backup from cPanel
Most web hosting providers use cPanel to manage website-related tasks on the server. So if you have cPanel details, a manual backup may be easy for you. Just follow the steps below:
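For those with SSH access, the three manual steps above (files over FTP, database dump, timestamped naming) can be done in one place. The script below is an added example, not part of this guide or of any backup plugin; it assumes the WordPress root contains wp-config.php, that mysqldump is installed on the server, and that the backups are written to a directory outside the web root. The file names carry the date and time, which is what lets you pick the last clean backup once you know when the compromise happened.

```shell
#!/bin/sh
# Added example (not from the original guide): timestamped manual backup of a
# WordPress install. The files become one tar.gz archive and the database is
# dumped with mysqldump, using the credentials read from wp-config.php.
# Assumptions: $1 is the WordPress root (contains wp-config.php), mysqldump is
# on PATH for the database part, and $2 is a directory outside the web root.

# Print the value of a define('KEY', 'value') line from wp-config.php.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Build a backup file name with a readable date and time, so the backup to
# restore from can be chosen by the date of compromise.
backup_name() {
    # $1 = label (files|db), $2 = extension, $3 = timestamp override (used by tests)
    ts=${3:-$(date +%Y%m%d-%H%M%S)}
    printf 'wp-%s-%s.%s\n' "$1" "$ts" "$2"
}

# Archive the whole WordPress tree (core, themes, plugins, uploads).
backup_files() {
    # $1 = WordPress root, $2 = destination directory; prints the archive path
    out="$2/$(backup_name files tar.gz)"
    mkdir -p "$2"
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    printf '%s\n' "$out"
}

# Dump the database named in wp-config.php (returns 2 if mysqldump is missing).
backup_db() {
    # $1 = WordPress root, $2 = destination directory; prints the dump path
    cfg="$1/wp-config.php"
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found" >&2; return 2; }
    name=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    out="$2/$(backup_name db sql.gz)"
    mkdir -p "$2"
    # The password goes through MYSQL_PWD so it never shows up in the process list.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$name" | gzip > "$out" || return 1
    printf '%s\n' "$out"
}

# Usage (constructed paths): backup_files /var/www/html /var/backups/wp
#                            backup_db    /var/www/html /var/backups/wp
```

Restrict the destination directory to the owner (the SQL dump contains every user's password hash), and copy the archives off the server: a backup that lives only on the compromised host is the first thing an attacker deletes.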
Those are the ways to take a manual backup of a WordPress website. You might need some patience and a bit of technical knowledge to do it manually.
If you are comfortable taking backups manually, you might like the above process. Otherwise, there is an alternative way to take backups automatically and regularly.
We all know that WordPress is popular because anyone can use it easily and effectively without a technical background.
Plugins are the best way to do things automatically in WordPress, and many plugins let you back up the WordPress website, along with the database, regularly at a fixed interval.
My favourite is UpdraftPlus. Currently it has 2 million-plus installations and a 5 out of 5 star rating on WordPress.org.
It is indeed a good backup plugin because it lets you take automated backups of your website along with the database, and it can automatically save those backups to cloud storage like OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP and WebDAV.
UpdraftPlus is available in free and premium versions.
Other Backup Plugins:
Automatic backups are easy and hassle-free, but keeping a manual backup is also good practice. So, for the sake of utmost security, take a manual backup of your website at regular intervals.
Let me take you back to the section "Who is the culprit behind WordPress hacks?", where I discussed the possible causes that lead to a WordPress website being compromised.
In that section, I already described that a potential reason behind a WordPress hack can be an outdated WordPress core, plugins or themes. So it is essential to keep the WordPress core, themes and plugins always updated.
The security experts behind WordPress also say that if you keep the WordPress core, themes and plugins always up to date, you'll avoid 99% of WordPress security threats.
But a major update of the WordPress core can break the functionality of your website, so it is recommended that you take a full backup before updating the website.
As we are talking about WordPress updates, I would like to mention the types of updates released by the WordPress core.
By default, minor core updates such as bug fixes, maintenance and security releases are applied to your WordPress automatically, but you have to apply major core release updates manually.
Themes and plugins also need to be updated separately, since those updates come from the authors of those themes and plugins.
It is recommended that you take a full backup of your website, so if anything goes wrong while updating WordPress you can restore the backup immediately.
There are two ways to update the WordPress core, themes and plugins:
Warning: WordPress core updates overwrite all the core files required to run WordPress. If you have made any changes to the WordPress core files, they'll be lost in the update. So make sure to keep records of your custom changes, and again, take a full backup.
WordPress Core:
From version 3.7 onward, minor updates and security updates are applied automatically. For major version updates, WordPress introduced the "one-click update".
One-Click Update:
If the update fails, you need to delete the .maintenance file that was created in the root directory while WordPress was updating. After that, follow the steps below to update WordPress manually using an FTP client.
Updating themes and Plugins Manually
Warning: If you have modified the files of plugins and themes, again the update will overwrite those changes and they will be lost. This usually happens with theme updates. Start using child themes, so your changes remain intact.
Once you configure your WordPress core for automatic updates, you don't need to click a single thing. But make sure that the updates won't break your website's functionality; if they do, this method is not recommended.
To update the WordPress core automatically, you simply need to define a constant in the wp-config.php file:
define( 'WP_AUTO_UPDATE_CORE', true );
This constant makes sure the WordPress core is updated automatically as new updates arrive.
The constant can take three values, as per the WordPress Codex:
Automatic Updating theme and Plugins:
You can enable automatic updates for themes and plugins with the WordPress filters below. Simply put this code in your theme's functions.php file.
Automatic updates for All plugins
add_filter( 'auto_update_plugin', '__return_true' );
Automatic updates for the theme:
add_filter( 'auto_update_theme', '__return_true' );
If you want to auto-update only specific plugins, use the snippet below:
function auto_update_specific_plugins( $update, $item ) {
    // Array of plugin slugs to always auto-update
    $plugins = array(
        'akismet',
        'buddypress',
    );
    if ( in_array( $item->slug, $plugins ) ) {
        // Always update plugins in this array
        return true;
    } else {
        // Else, use the normal API response to decide whether to update or not
        return $update;
    }
}
add_filter( 'auto_update_plugin', 'auto_update_specific_plugins', 10, 2 );
At this point, you should understand WordPress updates and their importance in achieving rock-hard security.
Make sure to remove unused plugins and themes. This step alone won't save you from hackers, but it will free up the disk space taken by unused themes and plugins.
The security reason is that an unused plugin or theme may have vulnerabilities you are not aware of. So it is recommended to delete them.
As we all know, WordPress is built on the PHP programming language, so you also need to take care of PHP version upgrades. As old PHP versions no longer receive security support, it is essential to update PHP to the latest version.
Note: From November 30, 2019, PHP 7.2 and older versions no longer have security support. Any known security vulnerability will remain unpatched. So it is recommended to update PHP to the latest version, i.e. PHP 7.4 (released on 28 Nov 2019).
How to update the PHP version?
You can review the changes in PHP with the information I have provided, and also in the WordPress dashboard -> Site Health check.
You may get an error after upgrading to PHP 7.2 or above, like a 500 internal server error, or if you are upgrading directly from PHP 5.0 you might get an error like
PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect()
This is because PHP 7.0 and later no longer support the mysql_connect() function; the old mysql extension is deprecated and not available in the latest PHP versions.
So all you have to do is
select the modules below in your current PHP version, i.e. 7.2 or above:
That's it. Your website should now work with PHP 7.0 or above.
I would personally recommend enabling a FIREWALL for your web application. It solves most security problems.
A firewall is a layer between the user and your server. It has rules defined to filter bad traffic out of the overall traffic, so that only good traffic reaches your server.
Hence, if someone with bad intentions is unable to reach your web application server, the risk of being compromised is directly reduced to zero. So, the firewall acts as a strong wall between the user and the server.
The firewall can be enabled at two levels:
What if your server's DNS records are managed by another server that has a firewall enabled? Sounds interesting?
This is what happens when you decide to enable the firewall at the DNS level. Most of the bad traffic is filtered at the DNS level, and the attacker doesn't even get a chance to interact with the real server that hosts the web application.
That's what services like Cloudflare do. They directly protect you from DDoS, SQL injection, cross-site scripting and other serious attacks. They also keep log records that contain details such as the attacker's IP, location, etc.
So Cloudflare is not only a CDN; it also provides DNS-level firewall protection. Firewall protection may require a premium subscription.
In my opinion, a DNS-level firewall is the best practice to filter bad traffic directly at the DNS level.
As the name suggests, this kind of firewall is implemented on your server.
This means the bad traffic is not filtered by any intermediate server; instead, it is filtered by the firewall rules implemented on your server.
For WordPress, it's easy to implement an application-level firewall: you just need to install a good firewall plugin.
Below are some of the most used firewall plugins for WordPress:
If you know any other good firewall plugins, please let me know in the comments.
Up to this point, if you have done what I discussed above, you are in a good position regarding your website's security. But as you know, there is no way to secure a web application perfectly. There's always more to do with security.
So, I am going to share some advanced methods to secure WordPress using the DIY approach.
You need to be extra careful and aware, because these methods may require changes to WordPress core files like wp-config.php, the .htaccess file (server configuration file), etc., and a tiny mistake in editing those files can break the entire functionality of your website.
Keep a backup and avoid implementing these methods directly on the live website. Test them on a staging site, and if they work well on your website, then make them live.
I call the methods below DIY methods, because these steps may need some coding knowledge and you might need to implement them by yourself. These techniques are used and proven.
The following security methods will harden WordPress security further.
A regular WordPress user knows that the default login URL for the WordPress dashboard is /wp-admin/ or wp-login.php.
Anyone can reach your website's login page directly just by appending /wp-admin/ to your homepage URL. So a hacker can easily perform a brute-force attack (guessing the username and password) if they have access to the login page.
According to a survey by Sucuri, about 40 million brute-force attacks are carried out on websites every day. Hence, it's really important to hide your login page from attackers.
There are a number of WordPress plugins that provide the functionality to change the default WordPress login page slug, i.e. yourdomain.com/wp-login.php, to something you want.
Warning: Take a full backup of your website, in case you get locked out of logging in.
The plugins below can change the default WordPress login URL to something you desire:
This method requires some tweaks to the WordPress core file wp-login.php.
If you have access to your website's file system via FTP, then you are good to go. Follow the steps below.
For my example, I am creating a file named mylogin.php, so the slug would be yourdomain.com/mylogin.php.
After doing this, if anyone tries to open either wp-login.php or /wp-admin/, they'll get a 404 Not Found error.
This method has the limitation that if you update the WordPress core in the future, the changes will be overwritten and lost. At that point, you have to do this again from the start.
If you are looking for a stable DIY method to change the login URL, I would advise you to read the article shared by WPMUDEV. That article has a DIY approach using the .htaccess file.
Most people avoid changing the default login URL because they think it might break WordPress core functionality. If you are one of those, I would advise implementing HTTP authentication on the default WordPress login page, i.e. wp-login.php.
This technique simply adds another layer of security when you access the login page from the browser. It returns error code 401 to any user who cannot present credentials at the page-request level.
You can use the HTTP Auth plugin to implement HTTP authentication on your website. It even has the functionality to require HTTP authentication on your whole website.
This functionality is also useful when your website is in the development phase.
If you want to do it manually, here is the article for a server powered by Apache.
Even after hiding the default WordPress login page or implementing HTTP authentication, if a hacker or attacker somehow gets access to the login page, how would you stop them from performing a brute-force attack?
Here comes another security layer: we just have to implement a limit on the login attempts anyone can make to get logged in.
A brute-force attack involves thousands of login attempts to guess the right username and password. What if we limit login attempts to 3 only? If anyone tries to log in with a wrong username and password more than 3 times, the system will automatically lock the IP address immediately.
So it is good practice to implement a limit on login attempts. To do that, you simply need to install a plugin that provides the functionality to limit login attempts.
Some of the plugins with limit-login-attempts functionality are:
You can install any of them and see which works best for you.
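For readers who prefer the DIY route, here is a small implementation of the 3-attempt lockout described above, written as an added example for this guide and not taken from any of the plugins named. It is meant to be dropped into a mu-plugin; the 15-minute lockout window, the transient key prefix and the use of REMOTE_ADDR as the client address are my assumptions, and REMOTE_ADDR must be replaced by the proxy's trusted header if the site sits behind a CDN such as Cloudflare.

```php
<?php
/*
 * Added example: lock out an IP address after 3 failed logins.
 * Assumptions for this guide: 900-second lockout window, transient key
 * prefix "wpsec_fails_", and no reverse proxy in front of Apache.
 */

const WPSEC_MAX_ATTEMPTS    = 3;
const WPSEC_LOCKOUT_SECONDS = 900;

// Client IP. Behind a reverse proxy or CDN, read the proxy's trusted header
// instead of REMOTE_ADDR, otherwise every visitor shares one counter.
function wpsec_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] )
        : '0.0.0.0';
}

function wpsec_transient_key( $ip ) {
    return 'wpsec_fails_' . md5( $ip );
}

// Count every failed login for the requesting IP. Each failure also renews
// the expiry, so an attacker who keeps trying keeps the lock alive.
function wpsec_record_failed_login( $username ) {
    $key   = wpsec_transient_key( wpsec_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, WPSEC_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'wpsec_record_failed_login' );

// Refuse authentication while the IP is locked out, even if the password
// supplied this time is correct.
function wpsec_check_lockout( $user, $username, $password ) {
    $fails = (int) get_transient( wpsec_transient_key( wpsec_client_ip() ) );
    if ( $fails >= WPSEC_MAX_ATTEMPTS ) {
        return new WP_Error(
            'wpsec_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after WordPress' own username/password check (priority 20);
// an earlier priority would be overridden by a successful password match.
add_filter( 'authenticate', 'wpsec_check_lockout', 30, 3 );

// Clear the counter once the user logs in successfully.
function wpsec_clear_on_login( $user_login, $user ) {
    delete_transient( wpsec_transient_key( wpsec_client_ip() ) );
}
add_action( 'wp_login', 'wpsec_clear_on_login', 10, 2 );
```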
By this step, we have stopped the attacker from reaching the login page. But let us assume that an attacker has access to the login page and somehow got the username and password of one of the users.
In this situation, how would you make sure to keep the attacker away from the WordPress backend?
Yes, in this scenario, a two-factor authentication system adds an extra layer of security to WordPress. Even if the attacker has the exact username and password, the attacker cannot log in until they verify through another authentication method.
The other authentication method may be a one-time password sent to a mobile number or an OTP sent by email. So, there is no way an attacker can get logged in.
Two Factor Authentication is the recommended plugin to enable two-factor authentication on your WordPress website.
This plugin works with a mobile phone application, where you get an OTP while you try to log in to the WordPress dashboard using your username and password.
Simply follow the steps provided on the plugin page and you're done. You have added another layer of security to WordPress with two-factor authentication.
Recently, in 2017, the WP Hide Security Enhancer plugin had a vulnerability called "Arbitrary File Download", which allowed attackers to directly download your WordPress wp-config.php.
The wp-config.php file is crucial because it contains confidential information about your website like the database name, database username, database password, etc.
If the attacker has this information, they can easily exploit your database with the username and password alone. So, it is essential to protect your wp-config.php file against this kind of security threat.
To protect your wp-config.php file manually, follow the steps below:
In my case, I am creating a file called configuration.php in the /user/etc/custom/ directory.
For my example, the full path of the newly created file is /user/etc/custom/configuration.php.
So the code will be:
<?php include( '/user/etc/custom/configuration.php' ); ?>
Now check whether your website works. If it works, you have made the changes correctly. If not, please check the path of the newly created file.
Disable internal access and code modification of the wp-config.php file by setting permission 400 on the wp-config.php file.
Don't use the same account for publishing content on your WordPress website.
The best practice is to use a separate user account with the least privileges to publish content on your website.
Understand it this way:
If you use your super administrator account to publish content, there is every chance that your username is revealed to the public. The username is 50% of your login information, and the super administrator has all the privileges to modify the WordPress website.
Once the attacker has a username, only the other half remains to be determined: your password. Using the administrator account to publish content may welcome attackers or hackers.
So the best practice is to create a new user account with "Author" privileges. With the "Author" role, a user can write, edit and publish posts, but can only delete their own posts. They also don't have access to settings, plugins, themes or any other administration area.
Also, change the display name; otherwise, the default display name is the username associated with that user.
Even if you are using a different user account to hide the username, there is another method by which an attacker can get the information of all available users in just one click.
By default, WordPress provides REST APIs to give other applications the flexibility to communicate with it. But not every WordPress website needs them enabled by default.
An attacker can simply get all the user information using the REST API call below, where example.com is your domain: example.com/wp-json/wp/v2/users
WordPress still allows this kind of call by default. To disable it, simply add the code snippet below to your functions.php file.
add_filter( 'rest_endpoints', function( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
This will make sure the user endpoints are closed for REST API calls.
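The snippet above removes the users routes for every request, including requests from logged-in editors, and the block editor relies on those routes for its author selector. The variant below, an added example for this guide rather than code from the original post, keeps the same routes but removes them only for anonymous requests; the function name is my choice.

```php
<?php
/*
 * Added example: hide the /wp/v2/users routes from anonymous REST requests
 * only. Logged-in users (cookie + nonce, or application passwords) keep them,
 * so the block editor's author dropdown and @-mentions continue to work.
 */
function wpsec_hide_users_endpoints( $endpoints ) {
    // The current user is determined before routes are dispatched, so this
    // check is reliable inside the rest_endpoints filter.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys exactly as WordPress registers them for the users controller.
    $routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
        '/wp/v2/users/me',
    );
    foreach ( $routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    // Anonymous callers now receive a rest_no_route 404 for these paths.
    return $endpoints;
}
add_filter( 'rest_endpoints', 'wpsec_hide_users_endpoints' );
```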
At this stage we have taken security measures to hide our login page, prevent brute-force attacks and hide the username. Now it's time to implement application-level security actions.
This is the most underrated security practice when it comes to making WordPress more secure. People often forget to set strict permissions on files and folders on the remote server.
The basic rule of security is "who can access what?"
This simple step adds one of the strongest security layers to WordPress.
To get complete details on how file permissions work on Linux systems, read the article by WPMUDEV on Understanding File Permissions.
According to the WordPress codex, the recommended file and folder permissions for WordPress core are:
However, apply strict file permissions to important configuration files like wp-config.php, .htaccess, etc.
Here's the best practice for file permissions according to GETASTRA security experts:
To change file permissions, you can simply use FTP clients like FileZilla.
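To check a whole install against these rules rather than inspecting files one by one in FileZilla, here is an added example for this guide (not code from the original post or any plugin) that walks a WordPress tree and reports every path looser than the baseline. The baseline it assumes is the widely recommended 755 for directories, 644 for files and the 400 from the wp-config.php step above; the function name is my choice.

```php
<?php
/*
 * Added example: list every path in a WordPress install whose permissions are
 * looser than the baseline. Baseline values are an assumption for this guide:
 * 755 directories, 644 files, 400 (or 440) for wp-config.php. A host that runs
 * PHP as the file owner may use 600/700 instead; stricter modes pass unchanged.
 *
 * Run from the command line: php perm-audit.php /var/www/html
 */
function wpsec_permission_audit( $root ) {
    $root     = rtrim( $root, '/' );
    $problems = array();

    // wp-config.php holds the database credentials, so it gets the strict rule:
    // 400 as in the article, 440 when PHP runs under the file's group, 600 when
    // the owner itself is the PHP user.
    $config = $root . '/wp-config.php';
    if ( is_file( $config ) ) {
        $mode = fileperms( $config ) & 0777;
        if ( ! in_array( $mode, array( 0400, 0440, 0600 ), true ) ) {
            $problems[] = sprintf( '%s: mode %o, expected 400', $config, $mode );
        }
    }

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $path => $info ) {
        if ( $info->getFilename() === 'wp-config.php' ) {
            continue; // already handled above
        }
        $mode     = $info->getPerms() & 0777;
        $baseline = $info->isDir() ? 0755 : 0644;
        // Any bit set beyond the baseline (group/world write on a 777 uploads
        // folder, execute on a plain file) is reported; stricter modes are not.
        $extra = $mode & ~$baseline;
        if ( $extra !== 0 ) {
            $problems[] = sprintf( '%s: mode %o, expected at most %o', $path, $mode, $baseline );
        }
    }
    return $problems;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = wpsec_permission_audit( $argv[1] );
    foreach ( $findings as $line ) {
        echo $line, PHP_EOL;
    }
    // Non-zero exit lets a cron job or CI step fail when something drifted.
    exit( $findings ? 1 : 0 );
}
```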
By default, WordPress provides a built-in file editor for themes and plugins. Users with bad intentions might use that file editor for the wrong purposes.
So, it is recommended to disable the file editor inside WordPress for better security. To do so, simply add the WordPress constant below to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
Some plugins, such as Sucuri, Better WP Security, etc., provide the functionality to disable file editing in the WordPress dashboard automatically.
Have you ever wondered why a banking website logs you out automatically when you leave the screen for some time? If yes, then here is the reason.
When a logged-in user is inactive, the situation can be useful to attackers, who may hijack the session and change the username and password of the current user.
So, it is essential to implement a method that logs out idle users automatically after a certain amount of time. The same thing applies to a WordPress website: we often get busy with other things while working on WordPress and forget that in another tab we're still logged in.
It is recommended to have idle-user automatic logout functionality in place to avoid this kind of session hijacking threat.
In WordPress, we can achieve this functionality using a plugin called Inactive Logout. It allows you to define a custom time after which users get logged out automatically, with a custom message on the screen.
Users can simply get to the settings of this plugin at Settings >> Inactive Logout.
By default, there is a meta tag inside the head section of your WordPress website that holds the WordPress version number.
The WordPress version number can be really important to hackers because there are several online vulnerability databases that hold information about known vulnerabilities by version number.
And if you're using an older version of WordPress, there might be a known vulnerability that attackers can exploit to gain access to your website. So, hiding the WordPress version number becomes essential.
To do so, simply add the code below to the theme's functions.php file:
function remove_wordpress_version_number() {
    return '';
}
add_filter( 'the_generator', 'remove_wordpress_version_number' );

function remove_version_from_scripts( $src ) {
    // Strip the ?ver=<WordPress version> query argument from enqueued styles and scripts
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_version_from_scripts' );
add_filter( 'script_loader_src', 'remove_version_from_scripts' );
Also, hide the WordPress version number from the RSS feed:
In the theme's functions.php file, add the code below:
function remove_wp_version_rss() {
    return '';
}
add_filter( 'the_generator', 'remove_wp_version_rss' );
For the security of WordPress cookies, there are some unique keys called WordPress salts. It is recommended that you use salts to secure the cookies.
WordPress salts are important when you want to invalidate the current cookies and assign new cookies to users. Once you change the WordPress salts, all current cookies are automatically invalidated and WordPress users are forced to re-authenticate for a new session.
If you suspect any kind of cookie compromise, you should immediately change the WordPress security keys.
To generate WordPress salts, simply go to the official WordPress salt generator; every time you visit, it generates new salt keys. Simply copy the code and paste it into the wp-config.php file.
WordPress administrators always forget to look at the user roles. Make sure your employees have the least permissions according to their requirements.
Sometimes giving extra privileges in WordPress leads to unwanted information leaks. So, make sure to double-check all user roles.
By default, WordPress provides six user roles, listed below in descending order; the first role has the highest privileges:
The user with the Subscriber role has the lowest privileges.
There are a number of ways a hacker can determine that the target website is using WordPress. An attacker may use scanners, or may manually analyze the source code to determine the current theme and plugins your WordPress website is using.
So, this is an extra step to tighten WordPress security by manually hiding the WordPress footprints that may leak a lot of information about themes and plugins.
To do so, simply install the plugin WP Hide & Security Enhancer.
This plugin uses the .htaccess file to rewrite the URL rules, and the .htaccess file is a really important file on your server; a tiny mistake can take down your entire website.
So, make sure to back up .htaccess before applying any changes from the plugin.
The plugin has a large set of functionalities to hide WordPress from snoopers.
If there is a PHP error in plugin or theme files, by default it is displayed directly on the front end of your WordPress website.
The error is reported in such a way that it contains the complete server-side path of the file, with the exact line number where the error occurred.
This can be really useful information for hackers looking to exploit your website. To prevent errors from being displayed on the front end, copy and paste the code below into your wp-config.php file:
error_reporting( 0 );
@ini_set( 'display_errors', 0 );
If it still doesn't work, there might be a setting on the hosting provider's side; please ask them to resolve it as soon as possible.
At this point in our WordPress security guide, I have covered most of the WordPress areas where we can take proper security measures to ensure our website's security by all means.
Now it's time to make our WordPress website more secure from the server side as well.
The methods below require tweaks to the Apache server configuration file, i.e. the .htaccess file. So, make sure you have access to it, and double-check that you have taken a backup of it before applying any changes.
When you install WordPress, it creates some rewrite rules in the .htaccess file. These rules handle the pretty permalinks for WordPress.
By default, the WordPress rewrite rules look like the code below:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Also, there can be different versions of the .htaccess rules depending on how WordPress is installed. The rules above are for a basic WP installation.
Warning: Add any other custom rules after the line "# END WordPress".
To ensure the utmost security of your WordPress website, below are some of the .htaccess tweaks you need to carry out right away.
By default, the WordPress directory structure can be accessed from the browser directly using the path URL. This does not allow attackers to make any changes to the files, but it still shows how your WordPress website is structured.
This is how it looks when directory browsing is enabled:
This information can be useful to an exploiter. Also, search engines can easily index this kind of path. So, it's best practice to disable it.
Add the code below to the .htaccess file:
Options All -Indexes
As WordPress users, we know that some files are very critical and important for WordPress, e.g. .htaccess, wp-config.php, php.ini, etc.
It becomes essential that we take the extra step to secure those files on the server side as well.
The .htaccess file is the heart of any Linux server running Apache, because it contains the rules the server uses to fulfill content requests from clients. It contains rules for URL rewriting, directory browsing, access permissions, and even redirects.
So, it must be secured with another layer of security to prevent access by unknown users like attackers.
To secure these files, simply add the rules below to the .htaccess file:
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
    Order deny,allow
    Deny from all
</FilesMatch>
The php.ini file may have another name; make sure to adjust the rule according to the existing php.ini file on your server.
This is an additional step that restricts direct access to the PHP files in certain directories.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
Your website may allow users to upload files for various purposes. But a hacker may use this feature to upload malicious code into the uploads folder and execute it from there.
So, this step will make sure that we disable PHP execution in the uploads folder, where it is never required.
To do so, add the rules below to a .htaccess file inside the uploads folder:
<Files *.php>
    deny from all
</Files>
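Because the .htaccess warning above applies here too (a hand edit that goes wrong takes the site down), here is an added example for this guide, not code from the original post or any plugin, that writes the uploads rule from PHP using WordPress' own marker-based writer, which only touches the block between its BEGIN/END markers. It also emits both the Order/Deny syntax of Apache 2.2 and the Require syntax of Apache 2.4, since Deny from all is ignored on 2.4 without mod_access_compat. The marker name WPSEC and the function name are my choices.

```php
<?php
/*
 * Added example: write a .htaccess into the uploads directory that stops Apache
 * from serving PHP files, compatible with Apache 2.2 and 2.4. Intended to run
 * as a mu-plugin or from WP-CLI. Marker name "WPSEC" is an assumption.
 * Does nothing useful on nginx, which ignores .htaccess entirely.
 */
function wpsec_protect_uploads() {
    // insert_with_markers() lives in an admin include; load it when needed.
    if ( ! function_exists( 'insert_with_markers' ) ) {
        require_once ABSPATH . 'wp-admin/includes/misc.php';
    }

    $uploads = wp_upload_dir();
    if ( ! empty( $uploads['error'] ) ) {
        return new WP_Error( 'wpsec_no_uploads', $uploads['error'] );
    }
    $htaccess = trailingslashit( $uploads['basedir'] ) . '.htaccess';

    // Refuse to serve .php and the common variants from uploads. The two
    // <IfModule> blocks select the syntax the running Apache understands.
    $rules = array(
        '<FilesMatch "\.(php|php5|phtml)$">',
        '    <IfModule mod_authz_core.c>',
        '        Require all denied',
        '    </IfModule>',
        '    <IfModule !mod_authz_core.c>',
        '        Order deny,allow',
        '        Deny from all',
        '    </IfModule>',
        '</FilesMatch>',
    );

    // Only the "# BEGIN WPSEC" ... "# END WPSEC" block is rewritten, so any
    // rules already present in the uploads .htaccess survive the change.
    if ( ! insert_with_markers( $htaccess, 'WPSEC', $rules ) ) {
        return new WP_Error( 'wpsec_write_failed', 'Could not write ' . $htaccess );
    }
    return $htaccess;
}
```

Running it a second time is safe: the marker block is replaced in place rather than appended again.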
An attacker may inject malicious scripts into existing script files using various input methods. So, it is good practice to block script injection by any means.
Add the rules below to the .htaccess file:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
This directory doesn't need to be modified by anyone once WordPress is installed. It also contains crucial files that are used by the WordPress backend.
To make sure no one tampers with the contents of the wp-includes folder, just add the rules below to the .htaccess file:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
The rules above will not affect any of your plugin or theme files.
IP address whitelisting is a good practice: only the whitelisted IP addresses can access a specific area of the website.
For a WordPress website, we can also use this technique to allow access to the WP-ADMIN area for specific IP addresses only. To do so, we simply need to add the code below to the .htaccess file.
Warning: I recommend implementing this rule in the .htaccess file only if your ISP (Internet Service Provider) has assigned you a static IP address. In the case of a dynamic IP address (DHCP), your IP address changes each time you connect to and disconnect from your internet network, so you would have to change the IP address in .htaccess again.
ErrorDocument 401 default
ErrorDocument 403 default
<Files wp-login.php>
    Order deny,allow
    Deny from all
    # Your IP address
    Allow from 198.168.225.1
</Files>
If you have more than one IP to whitelist, copy the "Allow from ..." line. You can add as many IP addresses as you want.
In versions before WordPress 3.5, XML-RPC functionality was disabled by default. But from WordPress 3.5 onwards, XML-RPC comes enabled by default.
Also, there is no direct option in the WordPress dashboard to disable it.
XML-RPC stands for remote procedure call; it uses XML to encode its calls and HTTP as the transport mechanism. So, in simple words, it is a system that allows you to post to a WordPress website using other third-party applications. You don't have to be logged in to your WordPress dashboard to post anything.
You may be familiar with IFTTT or the WordPress mobile app. Both use the XML-RPC system to post to WordPress on your behalf.
So, it is a recommended security practice to disable it if you are not using this system at all.
Here's how you can disable XML-RPC with the .htaccess file:
Add the code below to the .htaccess file.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    order deny,allow
    deny from all
    # Uncomment the next line and put your own IP address in it
    #allow from 124.54.587.1
</Files>
If you want to use it from a specific IP address, simply remove the # before the allow line and add your IP address.
Above are the best .htaccess practices for a WordPress website to harden WordPress security.
On Twitter, I started a thread to gather the best WordPress security tips from WordPress experts. These experts include Chetan Prajapati, Nidhi Jain, and Ajit Bohra, core contributors to the WordPress project.
Here are the tweets from the WordPress experts:
Here are few tips from me to make #WordPress site secure. Which I follow too. pic.twitter.com/pAyLWJS1Aj
— Chetan Prajapati ⓦ (@iamchetanp) December 10, 2019
My 2 cents 🙂
— Ajit Bohra (@ajitbohra) December 10, 2019
Happy to help you with more info / case studies for your article. pic.twitter.com/nr05Y4IXEB
There are a lot of tools available to check your website's security. @sucurisecurity @ssllabs @quttera @detectify @SiteGuardingCom @Webinspector @wordfence
— Nidhi Jain (@jainnidhi03) December 10, 2019
Using https (SSL)
Keep cms, plugins, apps and scripts up to date
Here are a few WordPress security tips that one can follow. Also, the majority of the WordPress security issues can be fixed using WP Hardening plugin like Admin & API security, Information Disclosure & Basic Server hardening https://t.co/10Qcju9MiW pic.twitter.com/srXU3TVBLu
— ASTRA Security (@getastra) December 11, 2019
Based on the methods I have described above, do you feel your website is secure enough to protect against potential WordPress security threats like SQL injection, XSS (cross-site scripting), AFD (arbitrary file download), etc.?
If you are not sure, you should immediately carry out the WordPress security best practices described in this guide. I would also recommend choosing a good web hosting company that has good reviews on the internet.
Also make sure to update WordPress core, themes and plugins as updates arrive. Take regular backups; incremental backups would be ideal. Always keep an eye on the security of your WordPress website, because a web application is never perfectly secure.
In this WordPress security guide, I have tried my best to cover all the security aspects that are essential for a WordPress website.
If there is anything I missed or failed to discuss, please let me know in the comments section.
The security of any web application cannot be assured in one go; it's a never-ending process. So, make sure to check the security status of your website regularly and follow the best practices from the WordPress experts.
If you are an SEO person, I would like to share some free SEO tools with you. I hope you find them useful.