Brenda Stokes Barron

WordPress is one of the most popular content management systems out there and with good reason. It’s simple to use, there are thousands of themes and plugins available for it, and you can create any type of website with it. It’s no wonder then that WordPress powers 35.1% of all websites on the internet.

But its popularity comes at a cost: WordPress is a constant target for attackers. According to Sucuri, in 2018 90% of all the website cleanup requests it handled involved WordPress, seven percentage points more than in 2017.

Website Hack Trend Report 2018 - Sucuri

As such, securing your WordPress website should be at the top of your list, whether you have a personal portfolio, a business website or an online store.

When it comes to WordPress security, users usually fall into two camps: the ones who take security seriously and take precautionary measures and those who believe or hope it will never happen to them because their site is not important enough.

To get a sense of how common website compromises are, visit the Internet Live Stats page from time to time. It shows an estimate of the number of websites hacked each day, and you can watch the counter rise in real time.

Website hacked in real time

22 Steps to Secure Your WordPress Website

To keep your site from becoming one of those statistics, follow the tips below and secure your WordPress website.

1. Opt For A Hosting Company With Security Features

The first step towards securing your WordPress website is to invest in a hosting company that implements proper security controls. This includes supported, patched versions of PHP, MySQL (or MariaDB) and the web server, a web application firewall, and round-the-clock security monitoring.

If possible, choose a hosting company that performs daily backups and regular malware scans. You can even find hosting companies that employ various DDOS prevention measures.

Your hosting company is usually the first wall attackers have to break through to reach your site, so paying a little more for a plan with these controls usually pays for itself. We recommend choosing a managed WordPress hosting provider.

2. Use Strong Passwords

Make sure that the passwords for your WordPress users and for your hosting account are both strong and unique. Use a long password (16 characters or more) that mixes uppercase and lowercase letters, numbers, and symbols, and never reuse a password you use anywhere else: leaked credentials from other sites are tried against WordPress logins all the time. A password manager like LastPass can generate and store these passwords for you.

3. Ditch the Admin Username

WordPress used to set the default username to admin, and most users never bothered to change it. As a result, admin is usually the first username attackers try when they launch a brute-force attack.

As such, you should never use the admin username for your WordPress website. If you installed WordPress recently, you were asked to choose your own username. But if you are a long-time WordPress user, you might still be using admin. Bear in mind that WordPress usernames are not really secret (an author archive URL or the REST API can reveal them), so this is a speed bump for automated tools; the password and two-factor authentication do the real work.

If that’s the case, create a new admin username for your site by going to Users > Add new and choosing a strong username and password. Set the role to the Administrator and then click the Add new user button.

Creating an administrator account

You'll then log in with those new credentials and delete your old admin user. When WordPress asks what to do with the old user's content, attribute all of it to your new administrator rather than deleting it.

4. Use a Contributor or Editor Account to Post On Your Site

If you want to take the above tip a step further, create a separate Editor (or Contributor) account and use it for day-to-day writing, keeping the Administrator account for administration only. Editors and Contributors cannot install plugins, edit theme files or create users, so if the account you use every day is compromised, the damage an attacker can do with it is much smaller.

Creating an editor account

5. Use a Backup Plugin

If you’re not backing up your website yet, you need to start right away. A backup system will help you restore your site if the worst happens and your site ends up being hacked.

Use a plugin like UpdraftPlus to create a regular backup schedule for your website and don’t forget to store the backup files offsite to ensure those files don’t end up infected as well.

6. Harden The Admin Area

Hardening the admin area means making the login page harder to find and limiting the number of failed login attempts before a client is locked out.

By default, the login and admin URLs for your site are yourdomain.com/wp-login.php and yourdomain.com/wp-admin. Attackers know this and point their brute-force tools at these URLs directly.

You can change the login URL with a plugin like WPS Hide Login. Keep in mind that this is security through obscurity: it cuts down the automated noise in your logs, but it does not stop an attacker who has found the new URL, so it is no substitute for strong passwords, lockouts and two-factor authentication.

WPS Hide Login

To limit the number of failed login attempts, you can use the Login LockDown plugin.

Login LockDown
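What a lockout plugin has to get right is easy to see in code. The following is an added example, written for this article and not code from Login LockDown or any other plugin: a sliding-window lockout that counts failures against both the client address and the username. The addresses and the sequence of attempts in simulate() are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque


class LoginLockdown:
    """Sliding-window lockout for a login endpoint.

    A failure is counted against both the client IP and the username, and a
    key is locked for `lockout` seconds once it reaches `max_failures`
    failures within `window` seconds. Counting per username stops a botnet
    from spreading one user's guesses over many addresses; the cost is that an
    attacker can lock a real user out for `lockout` seconds, which is why a
    short lockout combined with two-factor authentication beats a very long one.
    """

    def __init__(self, max_failures=5, window=300, lockout=1800, now=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.now = now                       # injectable clock (used by the demo)
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.strip().lower()))

    def is_locked(self, ip, username):
        t = self.now()
        return any(self.locked_until.get(k, 0) > t for k in self._keys(ip, username))

    def attempt(self, ip, username, password_ok):
        """Process one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, username):
            return "locked"          # refuse before the password is even checked
        keys = self._keys(ip, username)
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        t = self.now()
        for k in keys:
            q = self.failures[k]
            while q and q[0] <= t - self.window:   # drop failures outside the window
                q.popleft()
            q.append(t)
            if len(q) >= self.max_failures:
                self.locked_until[k] = t + self.lockout
                q.clear()
        return "failed"


def simulate():
    """Constructed attempt sequence (not real log data): five bad guesses for
    'admin' from one address, a sixth that is refused, a legitimate login
    from another address that is refused because the username is locked, and
    the same login succeeding once the lockout has expired."""
    clock = [1_000_000.0]
    guard = LoginLockdown(max_failures=5, window=300, lockout=1800, now=lambda: clock[0])
    outcomes = []
    for _ in range(6):
        outcomes.append(guard.attempt("203.0.113.5", "admin", password_ok=False))
        clock[0] += 1
    outcomes.append(guard.attempt("198.51.100.7", "Admin", password_ok=True))
    clock[0] += 1800
    outcomes.append(guard.attempt("198.51.100.7", "Admin", password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The locked check happens before the password is verified, so a locked-out client learns nothing about whether its guess was right, and the per-username counter is case-insensitive because WordPress logins are.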

7. Keep Files Up to Date

As the vulnerabilities section below explains, outdated files are a security risk because the bugs they contain are publicly documented, so anyone can look up and exploit them. Install updates for WordPress core, themes and plugins as soon as they are released.

While you're at it, regularly go through your installed plugins and themes and delete the ones you no longer use. A deactivated plugin still leaves its code on the server, and some plugin flaws can be reached by requesting a file directly, so deleting is safer than deactivating.

8. Protect Your Computer

You might be wondering what your computer has to do with your website. If your computer is infected with malware, anything you upload to your site can be infected too, and a keylogger can capture your WordPress, FTP and hosting passwords. In short, make sure to:

  • Avoid using public Wi-Fi networks to access your site
  • Install anti-virus software and make sure it’s up to date

9. Change Your Database Prefix

Another fact well known to attackers is that the default WordPress table prefix is wp_. Automated attack scripts that exploit a SQL injection flaw often hardcode table names such as wp_users, so a non-default prefix breaks those scripts. Be clear about what this buys you: it does not fix the injection flaw itself, and a human attacker can read the real table names from information_schema, so treat it as a minor speed bump rather than a real defence.

Changing the prefix is a manual process that involves editing your wp-config.php file and renaming the tables in phpMyAdmin. Before making the change, take a full backup of the database.

Editing wp-config

You’ll need to login to your hosting account and access your cPanel or whichever control panel your host is using. Then, access the File Manager and locate your wp-config.php file in the WordPress directory.

Find the table prefix line, which looks like $table_prefix = 'wp_';. Replace the default string with your own prefix. WordPress only accepts letters, numbers and underscores here, and the prefix should end with an underscore, like so:

$table_prefix = 'hgwp_3456_';

Once you're done editing wp-config.php, exit the File Manager and open phpMyAdmin so you can rename the tables. Doing this by hand is tedious because a default install has 12 core tables (plus any tables created by plugins, which you must rename too). Instead, go to the SQL tab and run a query.

running an SQL query

Then input this (adjust hgwp_3456_ to your own prefix):

RENAME TABLE `wp_commentmeta` TO `hgwp_3456_commentmeta`;
RENAME TABLE `wp_comments` TO `hgwp_3456_comments`;
RENAME TABLE `wp_links` TO `hgwp_3456_links`;
RENAME TABLE `wp_options` TO `hgwp_3456_options`;
RENAME TABLE `wp_postmeta` TO `hgwp_3456_postmeta`;
RENAME TABLE `wp_posts` TO `hgwp_3456_posts`;
RENAME TABLE `wp_terms` TO `hgwp_3456_terms`;
RENAME TABLE `wp_termmeta` TO `hgwp_3456_termmeta`;
RENAME TABLE `wp_term_relationships` TO `hgwp_3456_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `hgwp_3456_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `hgwp_3456_usermeta`;
RENAME TABLE `wp_users` TO `hgwp_3456_users`;

Renaming the tables is not the whole job. A few rows inside the options and usermeta tables have names that start with the prefix, most importantly the wp_user_roles option and each user's wp_capabilities and wp_user_level meta keys. RENAME TABLE does not touch these, and until they are renamed every user, including you, will be greeted with "Sorry, you are not allowed to access this page". Find them with the following queries (the backslash stops the underscore acting as a LIKE wildcard):

SELECT * FROM `hgwp_3456_options` WHERE `option_name` LIKE 'wp\_%'

SELECT * FROM `hgwp_3456_usermeta` WHERE `meta_key` LIKE 'wp\_%'

Then rename each prefix-based row to the new prefix with an UPDATE statement. Read the results before editing: a few core options such as wp_page_for_privacy_policy happen to start with wp_ but are not prefix-based and must be left alone, which is why a blanket search-and-replace is a bad idea here.
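Because the rename touches a dozen tables and a handful of rows, it is easy to miss one. The script below is an added example for this article (not a WordPress tool) that generates the complete set of MySQL statements for a prefix change: the twelve RENAME TABLE statements, exact-match UPDATEs for the prefix-based option and usermeta rows that WordPress core creates, and the two leftover checks from the text. The prefix validation mirrors the letters-numbers-underscores rule WordPress enforces on $table_prefix; the list of prefixed usermeta keys is the set I know core to write, and plugin-created rows are left to the final SELECTs.

```python
import re

# The 12 core tables WordPress creates (termmeta arrived in WordPress 4.4).
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "termmeta", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

# Rows whose *names* embed the prefix. RENAME TABLE does not change them, and
# without them no user has any capabilities.
PREFIXED_OPTIONS = ["user_roles"]
PREFIXED_USERMETA = [
    "capabilities", "user_level", "user-settings", "user-settings-time",
    "dashboard_quick_press_last_post_id",
]

# wp-settings.php refuses a prefix containing anything outside [A-Za-z0-9_].
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def is_valid_prefix(prefix):
    return bool(PREFIX_RE.match(prefix))


def prefix_change_sql(old, new):
    """Return the MySQL statements that move the core tables and the
    prefix-named rows from prefix `old` to prefix `new`."""
    for p in (old, new):
        if not is_valid_prefix(p):
            raise ValueError(f"invalid table prefix: {p!r}")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in CORE_TABLES]

    # Exact-match updates only. A REPLACE() over every name LIKE 'wp_%' would
    # also mangle core options such as wp_page_for_privacy_policy, which start
    # with wp_ by coincidence and are not prefix-based.
    for name in PREFIXED_OPTIONS:
        stmts.append(
            f"UPDATE `{new}options` SET option_name = '{new}{name}' "
            f"WHERE option_name = '{old}{name}';"
        )
    for key in PREFIXED_USERMETA:
        stmts.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )

    # Leftover checks for plugin-created rows that still carry the old prefix.
    # '_' is a LIKE wildcard, so it is escaped to match literally. Review the
    # rows these return by hand before updating any of them.
    esc = old.replace("_", "\\_")
    stmts.append(
        f"SELECT option_name FROM `{new}options` WHERE option_name LIKE '{esc}%';"
    )
    stmts.append(
        f"SELECT meta_key FROM `{new}usermeta` WHERE meta_key LIKE '{esc}%';"
    )
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_change_sql("wp_", "hgwp_3456_")))
```

Paste the output into the SQL tab after taking the backup; the two SELECTs at the end are the review step, not something to act on blindly.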

10. Harden Your .htaccess and wp-config.php Files

.htaccess and wp-config.php are the most important files in your WordPress installation. As such, you need to make sure they are secure and protected.

Add the snippets below to the .htaccess file in your WordPress root, outside the # BEGIN WordPress and # END WordPress markers, so that WordPress does not overwrite them when it regenerates its rewrite rules. The Order/Allow/Deny syntax shown is the Apache 2.2 form; on Apache 2.4 it only works while mod_access_compat is loaded, so use the equivalent Require all denied and Require ip directives there.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files wp-login.php>
order deny,allow
Deny from all
# allow access from my IP address
allow from 192.168.1.1
</Files>

The first two snippets stop the web server from ever serving wp-config.php and .htaccess directly (wp-config.php is normally executed rather than served, but this protects you if the PHP handler is ever misconfigured). The third restricts wp-login.php to a single IP address. 192.168.1.1 is a placeholder private address: replace it with your own public IP, and only use this rule if that address is static, otherwise you will lock yourself out.

Lastly, add the snippet below to a .htaccess file inside wp-content/uploads to prevent PHP files from executing there. Do not add it to the root .htaccess: it would block index.php and every other PHP file and take your site down. The uploads directory is the one an attacker is most likely to be able to write to, so refusing to execute PHP there turns a successfully uploaded web shell into a dead file.

<Files *.php>
deny from all
</Files>

11. Check and Change the File Permissions

When you’re done securing your .htaccess and wp-config.php file, stay a little longer in your cPanel and check the file permissions for the files and folders in your WordPress website.

File Permissions

According to the WordPress hardening guide, the permissions should be set as follows:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600 (the hardening guide also accepts 440 or 400 where the web server can still read it)

Nothing should ever be world-writable (777). If your permissions are looser than this, other accounts on a shared server can read your database credentials or write to your files, which can lead to your site being compromised and, through it, other sites on the same server.
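Checking every file by hand in a File Manager does not scale, so here is an added example (not a WordPress or cPanel tool) that audits a tree against the policy above. It builds a small constructed directory layout with two deliberate mistakes, a world-writable uploads directory and a readable wp-config.php, and reports every entry whose mode is outside the allowed set. Point audit_permissions() at a real install root to use it for real.

```python
import os
import stat
import tempfile

# Policy from the WordPress hardening guidance: directories 755 or 750,
# files 644 or 640, wp-config.php 600 (440/400 also acceptable there).
DIR_MODES = {0o755, 0o750}
FILE_MODES = {0o644, 0o640}
CONFIG_MODES = {0o600, 0o440, 0o400}


def audit_permissions(root):
    """Walk a WordPress tree and return (path, actual_mode, allowed_modes)
    for every entry that violates the policy. Symlinks are skipped because
    their mode bits are meaningless."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if os.path.islink(p):
                continue
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode not in DIR_MODES:
                findings.append((p, mode, DIR_MODES))
        for f in filenames:
            p = os.path.join(dirpath, f)
            if os.path.islink(p):
                continue
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            allowed = CONFIG_MODES if f == "wp-config.php" else FILE_MODES
            if mode not in allowed:
                findings.append((p, mode, allowed))
    return findings


def build_sample_site(root):
    """Constructed sample layout (not a real install) with two deliberate
    mistakes: a world-writable uploads directory and a readable wp-config."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    open(os.path.join(root, "index.php"), "w").close()
    open(os.path.join(root, "wp-config.php"), "w").close()
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)   # mistake
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)           # mistake


def audit_sample_site():
    """Build the sample layout in a temp dir and return its findings as
    (relative path, mode) pairs, sorted for stable output."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return sorted(
            (os.path.relpath(p, tmp), mode) for p, mode, _ in audit_permissions(tmp)
        )


if __name__ == "__main__":
    for path, mode in audit_sample_site():
        print(f"{path}: {mode:o} is outside the allowed modes")
```

The check is deliberately strict about the whole allowed set rather than only flagging 777, because a 664 file on a host where the web server shares your group is just as writable by a neighbouring site.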

12. Use Two-Factor Authentication

Consider using a plugin like Google Authenticator to set up two-factor authentication for your site. In addition to entering your password, you will also have to enter a code generated by a mobile app to log in. A guessed or leaked password alone is then no longer enough, which defeats brute-force attacks against the login form. Note that most 2FA plugins only protect wp-login.php: if XML-RPC is still enabled (see the next step), it accepts a plain username and password, so disable it as well.

Google Authenticator

13. Disable XML-RPC

XML-RPC lets your site talk to the WordPress mobile apps and to plugins like Jetpack. Unfortunately, it is also a favourite of attackers: its system.multicall method lets them try hundreds of username and password combinations in a single HTTP request, sidestepping per-request login limits, and its pingback method can be abused to make your server send requests to other sites. If nothing you use depends on it, disable it with a plugin like Disable XML-RPC.

Disable XML-RPC

14. Use HTTPS and SSL

The Internet has been buzzing with blog posts and articles about the importance of HTTPS protocol and adding SSL security certificates to your site for quite some time now.

HTTPS stands for Hypertext Transfer Protocol Secure, and SSL stands for Secure Sockets Layer (its modern successor is TLS, although the certificates are still commonly called SSL certificates). In a nutshell, HTTPS lets a visitor's browser establish an encrypted connection with your hosting server, and therefore with your site, while the certificate proves that the server really is yours. Together they ensure that everything passing between a visitor's browser and your site, including your own login password, cannot be read or altered in transit.

Using HTTPS will not only increase your site's security but also benefit your search engine ranking, establish trust with your visitors and improve your conversion rate.

Talk to your hosting provider about obtaining a certificate. Many hosts issue free Let's Encrypt certificates from their control panel; otherwise they can point you to a reputable certificate authority.

15. Disable Theme and Plugin Editing Through Your WordPress Dashboard

Having the option to edit your theme and plugin files right within the WordPress dashboard is handy when you need to quickly add a line of code. But it also means that anyone who gets hold of an Administrator account can write arbitrary PHP to your server from the browser, which is exactly how an attacker with a stolen password plants a backdoor.

Disable this feature by adding the following code to your wp-config.php file:

// Disallow file edit

define( 'DISALLOW_FILE_EDIT', true );

16. Move The wp-config.php File To A Non-WWW Directory

As mentioned earlier, wp-config.php is one of the most important files in your WordPress installation: it holds your database credentials and security keys. Make it harder to reach by moving it out of the web-accessible directory.

  1. Copy wp-config.php to a directory outside the web root, for example /home/yourname/wp-config.php (replace the path with one on your own server).
  2. Replace the wp-config.php in your WordPress root with a stub that only loads the moved file:
<?php
include('/home/yourname/wp-config.php');
  3. Make sure the moved file is readable by the user PHP runs as, and keep its permissions as tight as described in step 11.

If you move the file exactly one directory above the WordPress root, you do not need the stub at all: WordPress looks there automatically when no wp-config.php exists in its own directory.

17. Change Your WordPress Security Keys

WordPress security keys are secret values mixed into the hashes that sign the authentication cookies and nonces. Anyone who knows them can forge a logged-in cookie, and changing them instantly invalidates every existing session. They live in the wp-config.php file and look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Use the WordPress Salts Key Generator to replace the placeholders with long random values. Do this on every new install and again whenever you suspect a compromise.

18. Disable Error Reporting

Error reporting is useful for troubleshooting and for finding out which plugin or theme is causing an error on your WordPress website. However, when PHP prints an error to the page it includes the full server path of the file involved, and sometimes database details. This tells an attacker where things live on your server and which code is misbehaving, which is exactly what they need to target a vulnerability.

Disable on-screen errors on the live site by adding the code below to your wp-config.php file (and keep WP_DEBUG set to false). Note that error_reporting(0) also stops errors reaching the server's error log; if you still want them logged so you can read them there, leave error_reporting alone and only turn off display_errors:

error_reporting(0);
@ini_set('display_errors', 0);

19. Remove the WordPress Version Number

Anyone who looks at the source code of your website can tell which version of WordPress you are running from the generator meta tag. Since each release has a public changelog listing the bugs and security fixes it contains, an attacker can look up exactly which flaws an older version still has.

WordPress version

The meta tag is easy to remove: add the following to your theme's functions.php file:

remove_action('wp_head', 'wp_generator');

Bear in mind that this is only cosmetic. The version also appears in your RSS feed and in the ?ver= query strings appended to core scripts and stylesheets, and scanners fingerprint versions from file contents regardless. The real protection is keeping WordPress updated.

20. Use Security Headers

Another way to secure your WordPress website is to send security headers. They are normally set at the server level (in the Apache or NGINX configuration) and tell the browser to refuse certain risky behaviour. You can also set them from PHP, but header() must run before any output is sent, so attach the calls to the send_headers action rather than dropping them loose into functions.php, and remember that anything in a theme file is lost when you switch themes; a small must-use plugin is the more durable place.

Security Headers

Cross-site scripting attacks

A Content Security Policy lists the origins the browser may load scripts, styles and other content from:

header('Content-Security-Policy: default-src https:');

This example blocks plain-http resources and inline scripts. Two caveats: https: is a very loose policy, because it allows a script from any HTTPS origin, an attacker's included, so list your own origins explicitly instead; and the WordPress admin relies on inline scripts, so test a strict policy against wp-admin (or limit it to the public front end) before rolling it out.

Iframe clickjacking

Add the line below to tell the browser to render the page in a frame only when the framing page comes from the same origin, which blocks clickjacking:

header('X-Frame-Options: SAMEORIGIN');

X-XSS-Protection and X-Content-Type-Options

Add the following lines. The first enables the XSS filter that older browsers shipped; current Chrome, Edge and Firefox no longer have that filter, so it only helps old browsers and a Content Security Policy is the real control. The second tells browsers not to guess (sniff) a file's content type, which stops an uploaded file being treated as a script:

header('X-XSS-Protection: 1; mode=block');

header('X-Content-Type-Options: nosniff');

Enforce HTTPS

Add the header below to tell browsers to use HTTPS only for your domain for the next year. Only send it over HTTPS, and only once every page and every subdomain already works over HTTPS; with includeSubDomains and preload it is very hard to roll back, so leave those two tokens off until you are sure:

header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

Cookie with HTTPOnly and Secure flag in WordPress 

The settings below apply to PHP's own session cookie (the one session_start() creates), which some plugins use: HttpOnly keeps it out of reach of JavaScript and Secure keeps it off plain-HTTP connections. WordPress core does not use PHP sessions; its own authentication cookies are already HttpOnly and are marked Secure automatically when the site is served over HTTPS.

@ini_set('session.cookie_httponly', true);

@ini_set('session.cookie_secure', true);

@ini_set('session.use_only_cookies', true);

If you don’t want to add these headers manually, consider using a plugin like Security Headers. Regardless of which method you choose to implement the security headers, be sure to test them using https://securityheaders.io website and entering your site’s URL.
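Testing is the part people skip, so here is an added example (written for this article, not part of the Security Headers plugin or securityheaders.io) of the checks a header scanner performs, run offline against a constructed set of response headers that match the snippets above as written. It flags the loose CSP, the missing Secure flag on a WordPress cookie and the legacy X-XSS-Protection header, and passes a tightened set. To test a live site, feed it the headers from a real response instead of SAMPLE_HEADERS.

```python
import re

# Constructed response headers for a site that applied the section's PHP
# snippets exactly as written. Not captured from a real server.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src https:",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
    "Set-Cookie": ["wordpress_logged_in_abc123=token; path=/; HttpOnly"],
}

MIN_HSTS_AGE = 31536000  # one year
COOKIE_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def parse_csp(policy):
    """'default-src https:; script-src x' -> {'default-src': ['https:'], ...}"""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def check_headers(headers):
    """Return a list of findings for a dict of response headers. Header names
    are matched case-insensitively; Set-Cookie may be a string or a list."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp_raw = h.get("content-security-policy")
    if csp_raw is None:
        findings.append("missing Content-Security-Policy")
        csp = {}
    else:
        csp = parse_csp(csp_raw)
        default = csp.get("default-src", [])
        # A bare scheme source allows any https origin, an attacker's included.
        if "https:" in default or "*" in default:
            findings.append("CSP default-src is scheme-wide; list explicit origins")
        if "'unsafe-inline'" in default + csp.get("script-src", []):
            findings.append("CSP allows inline scripts")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("missing clickjacking protection (X-Frame-Options or frame-ancestors)")

    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is ignored by current browsers; rely on CSP instead")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below one year")

    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if name.startswith("wordpress_"):       # WordPress auth/session cookies
            for attr, label in COOKIE_FLAGS:
                if attr not in attrs[1:]:
                    findings.append(f"cookie {name} lacks {label}")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print("-", finding)
```

The clickjacking check accepts either X-Frame-Options or a CSP frame-ancestors directive, because the latter supersedes the former and many sites only send one of them.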

21. Prevent Hotlinking

Hotlinking is not a security breach per se. It refers to another website embedding an image or other media file directly from your server's URL. It is a form of theft, since the other site uses your bandwidth, and often your work, without permission, and it can lead to unexpected costs: if the site that hotlinked your image receives a lot of traffic, your hosting bill can go through the roof.

Add the code below to your .htaccess file if you are using Apache, replacing the dummy domain with your own. The first condition lets requests with no Referer through (direct visits, some privacy tools and feed readers send none, and blocking them would break your own images for those visitors); the second blocks referers from any other site:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Alternatively, if you are using NGINX, add the following to your server block. The none and blocked entries in valid_referers allow empty or stripped referers for the same reason as above:

location ~ \.(gif|png|jpe?g)$ {
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

22. Log Out Idle Users

The last tip in this guide for increasing your site’s security is to log out idle users after a period of inactivity. You can use a plugin like Inactive Logout to automatically terminate inactive sessions.

Inactive Logout

This matters because if you log in to add a blog post and then walk away or get distracted, an unattended logged-in session is an open door: anyone at that machine, or anyone who has stolen the session cookie, has your access until it expires. A short idle timeout shrinks that window. It is even more important if you have multiple users on your site.

How to Recover From a Hack

The security measures above are a great way to secure your site. But what if your site gets hacked anyway? Here are a few steps to follow in case your website was hacked.

1. Confirm The Hack and Change Your Password

If your site has been hacked, first of all, don't panic. Panicking won't help; acting quickly and methodically will. Start by confirming the compromise: check whether you can still log in to your dashboard, whether the site redirects somewhere else, and whether there are suspicious links, ads or files you did not add. Note when you first noticed; it helps when choosing a backup later.

Change your WordPress password immediately, and change the hosting, FTP/SFTP and database passwords too, since you do not yet know which one was stolen. Then proceed to the next step.

2. Get In Touch With Your Hosting Company

Contact your host and let them know your site has been hacked. They can help you identify the source of the hack. Some hosts will also clean up your site and remove the malicious code and files.

3. Use a Backup to Restore Your Site

If you have been diligent about backing up your site, locate a backup from before the hack and use it to restore your site. While you might lose some content, you will get your site up and running as it was before the attack. Pick a backup from well before the first symptom: attackers are often in place for some time before doing anything visible, and restoring an already-backdoored copy puts you straight back where you started. Restoring also does nothing about how they got in, so apply the remaining steps afterwards.

4. Scan Your Site For Malware

Use Sucuri's free scanner to scan your site for malware and identify the compromised files. You can also opt for their site cleanup service if you do not know how to remove the malware yourself.

5. Check Your Site Users

Log in to your WordPress website and go to Users > All Users. Make sure there are no users who should not be there, paying special attention to extra Administrator accounts, and delete them if necessary.

6. Change Your Secret Keys

Use the aforementioned WordPress Salts Key Generator to generate new security keys and put them in your wp-config.php file. The keys do not encrypt passwords; they sign the authentication cookies, so an attacker who logged in (or forged a cookie) stays logged in until those cookies are invalidated. New keys invalidate every existing cookie at once, which forces the attacker out of your site along with everyone else.

7. Hire a Professional

Finally, hire a professional to clean up the hack and remove the malware from your site. Keep in mind that attackers hide malicious code in multiple files, so if you are not experienced with malware removal, it is easy to miss an infected file. One missed backdoor lets them straight back in, so hiring a professional is highly recommended.
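Rotating the keys is the one step above (and step 17 in the hardening list) that you will want to repeat under pressure, so here is an added example for this article, not a WordPress tool, that does it safely: it generates eight fresh 64-character values from the operating system's random source, restricted to characters that cannot break a PHP single-quoted string, and rewrites the define() lines in a wp-config.php text. SAMPLE_CONFIG is a constructed fragment with the stock placeholders; the 64-character length matches what the WordPress.org salt generator produces.

```python
import re
import secrets
import string

KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
KEY_LENGTH = 64   # the length api.wordpress.org/secret-key/1.1/salt/ hands out

# Printable ASCII minus the two characters that would break a PHP
# single-quoted string literal: the quote itself and the backslash.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\\"
)

# Matches define( 'AUTH_KEY', '...' ); with any spacing, for the eight names.
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'[^']*'\s*\);"
)

# Constructed wp-config.php fragment with the stock placeholders. NONCE_SALT
# is deliberately missing to show that absent keys are added, not skipped.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_key(length=KEY_LENGTH):
    """One secret drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return config_text with every security key replaced by a fresh value.
    Keys that are not defined at all are appended rather than skipped."""
    fresh = {name: new_key() for name in KEY_NAMES}
    replaced = set()

    def substitute(match):
        name = match.group(1)
        replaced.add(name)
        return f"define( '{name}', '{fresh[name]}' );"

    text = DEFINE_RE.sub(substitute, config_text)
    for name in KEY_NAMES:
        if name not in replaced:
            text += f"define( '{name}', '{fresh[name]}' );\n"
    return text


def extract_keys(config_text):
    """Name -> value for the security keys currently defined in the text."""
    return {m.group(1): m.group(2) for m in re.finditer(
        r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);", config_text)
        if m.group(1) in KEY_NAMES}


if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```

Write the result back over wp-config.php (after backing it up) and every session, including the attacker's, is invalidated the moment the file is saved; you will have to log in again yourself.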

7 Most Common Types of WordPress Vulnerabilities

Before going any further, let's address the elephant in the room: is WordPress secure? The answer is yes. The WordPress core is secure, and the project behind it takes security seriously.

Its security team has around 50 members, including lead developers and security researchers, who work behind the scenes to keep WordPress secure.

In fact, most of the security incidents and risks are the result of human error paired with the presence of a security vulnerability.

There are seven types of WordPress vulnerabilities you need to be aware of:

  • Outdated WordPress files
  • Backdoor exploits
  • Pharma hacks
  • Weak passwords
  • Malicious redirects
  • Vulnerabilities in the hosting platform
  • Denial of service attacks

Let’s go over them and explain what exactly they are.

1. Outdated WordPress Files

Outdated WordPress files means an old WordPress version, theme or plugin. They are a security risk because the flaws fixed in later releases are public knowledge, which leaves your site exposed to the other attacks on this list, such as backdoors and pharma hacks.

As such, you need to make sure that your WordPress installation is up to date as well as your theme and plugins. You should proactively apply updates as they are released because they not only come with new features but they also include various security and bug fixes.

2. Backdoor Exploits

A backdoor is code an attacker plants on your server so they can get back in whenever they like, even after you change your passwords. They usually plant it after exploiting an outdated plugin or theme, or after logging in with stolen FTP or SFTP credentials.

Once in, they can infect your site and sometimes other sites on the same server. Backdoor files are written to look like regular WordPress files to the inexperienced eye, which is why they survive casual cleanups and why a compromised site so often gets reinfected.

3. Pharma Hacks

A pharma hack is an exploit of an outdated WordPress file in which the attacker injects spam content, typically links and keywords for pharmaceutical products, into your pages or database. The spam is often shown only to search engine crawlers, so your search listings start advertising pharmaceuticals while the site looks normal to you. This can result in search engines flagging your website as spam.

4. Weak Passwords

Weak passwords might be easy to remember but they also make it easy for hackers to gain access to your site through a brute force attack. A brute force attack happens when a hacker uses automated scripts that run in the background to attempt various username and password combinations until they find a working combination.

5. Malicious Redirects

As with pharma hacks and backdoors, attackers use outdated files or stolen FTP/SFTP credentials to inject code, most often into the .htaccess file but also into theme files or the database, that redirects your visitors to a malicious website.

Your visitors can then end up with malware or fall prey to phishing.

6. Vulnerabilities in the Hosting Platform

Sometimes, your website’s security might be compromised because you’re using a hosting company that doesn’t have security features such as a firewall or file monitoring. This is usually the case with cheaper hosting providers which means that choosing a cheaper host will, ironically, cost you more if your site gets hacked.

Keep in mind that cheaper hosting platforms also pose a higher security risk because your site could get infected or hacked as a result of hackers exploiting vulnerabilities on another website that’s hosted on the same server.

7. Denial of Service Attacks

Denial of Service (DoS) attacks, and their distributed form (DDoS), are among the most disruptive threats for any website owner. The attacker floods your site with more requests than it can handle, or repeatedly calls an expensive operation such as search or XML-RPC until the server runs out of memory or connections, so that legitimate visitors cannot get through. Because the same tricks work against every site running the same platform, DDoS campaigns often hit large numbers of WordPress sites at once. A host with DDoS mitigation (step 1) and a firewall that rate-limits abusive clients is the main defence.

Now that you know the common vulnerabilities associated with WordPress, you can see that each of the 22 steps above addresses one or more of them.

Wrapping Up

WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it’s so popular, it’s also a favorite target for hackers. Luckily, there are a number of steps you can take to protect your WordPress site and if you follow the tips in this article, you’ll be well on your way to having a secure WordPress website.


2 comments

  1. Great security write-up, Brenda. It was concise and I like that you listed plugin options as well as code snippets. I will be putting your tips into practice. Is there a security plugin that handles most of these items that you would recommend? What are your thoughts on plugins like iThemes Security Pro, WordFence Pro and Sucuri? I know they all slightly differ in terms of their security features and products, but was interested in knowing if you have used these and would recommend them?

    1. The one I personally have most experience with is iThemes Security (the free version). It can do many of the things listed here, like changing the database prefix, hardening .htaccess, disabling the theme and plugin editor, and more. It's definitely worth checking out if you feel like doing things manually would be too intimidating for you.