Secure your WordPress site: 2016
As of today, almost 25 to 30 percent of websites are built using WordPress. All the credit goes to its wonderful community and support, which made it possible for it to become the most used Content Management System online. With its popularity, it has become the first priority for attackers as well. Though nothing on the internet is 100 percent secure, we can take steps to make things harder for attackers. So, in this post, we will be discussing WordPress security and simple methods of risk reduction/elimination.
WordPress security is often referred to as “hardening”. That makes sense: as I already mentioned above, nothing is 100% secure; we can only improve our security to make our sites less prone to attacks. Below I am listing some commonly referenced security solutions which you can find everywhere on the internet:
Limit false user logins:
Enable a lockdown feature for failed login attempts. This will prevent continuous brute-force attempts. Whenever there is a hacking attempt with repeated wrong passwords, the site gets locked and we get notified of this unauthorized activity.
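The detection side of such a lockdown, as an added example that is not from the original post: it counts failed logins per client in a web-server access log. It assumes combined log format and that WordPress answers a failed login on wp-login.php with HTTP 200 (a successful one redirects with 302); the log lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# Constructed sample lines, combined log format, documentation-range IPs.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2016:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2016:14:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
EOF
}

# Read an access log on stdin; print "<count> <ip>" for every client with at
# least $1 failed logins, busiest first.
failed_logins() {
    awk -v min="$1" '
        # Fields: $1 client IP, $6 "\"METHOD", $7 path, $9 status.
        # Assumption: failed login = POST to wp-login.php answered with 200.
        $6 == "\"POST" && $9 == 200 &&
        ($7 == "/wp-login.php" || index($7, "/wp-login.php?") == 1) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Run against the sample when executed directly with a threshold argument.
if [ "$#" -gt 0 ]; then sample_log | failed_logins "$1"; fi
```

On a real site, feed the server's own access log to `failed_logins` instead of the sample and pick the threshold to match the lockout limit you configured.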
Keep WordPress up-to-date:
With every release of WP, information about any security holes that were fixed since the previous version is made available to the public, which means an out-of-date WP version is more vulnerable.
Keep plugins and themes up-to-date:
Similar to the above case, one should regularly update plugins and themes to their latest versions. Each plugin and theme installed on your site is like a backdoor into your site's admin, so keep it safe and secure.
Delete any plugins or themes you’re not using:
Deleting unused plugins and themes will more likely reduce the chance of being hacked. As you don’t use them, there is less chance that you will update them, and even when not activated they might be vulnerable.
Only download plugins and themes from well-known sources:
Make sure that when you download or purchase themes and plugins, they come from a genuine source, one which you can rely on. Also make sure the plugin is up to date.
Change file permissions:
Avoid 777 permissions on your directories. Files should be set to 644 (wp-config.php to 600) and directories to either 755 or 750.
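A check for the modes listed above, as an added example that is not from the original post: one function reports every path that deviates, the other resets the tree. The function names are illustrative, and the site root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# List every path under $1 whose mode differs from the recommended values.
# Output is one "<kind>: <path>" line per finding; no output means clean.
wp_perm_audit() {
    root=${1%/}
    # Directories must be 755 or 750.
    find "$root" -type d ! -perm 755 ! -perm 750 -print | sed 's/^/dir: /'
    # wp-config.php in the site root must be exactly 600.
    find "$root/wp-config.php" -type f ! -perm 600 -print 2>/dev/null |
        sed 's/^/config: /'
    # Every other regular file must be exactly 644.
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 -print |
        sed 's/^/file: /'
}

# Reset the tree to 755 (directories), 644 (files) and 600 (wp-config.php).
wp_perm_fix() {
    root=${1%/}
    find "$root" -type d ! -perm 755 ! -perm 750 -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 \
        -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Audit the given site root when executed directly with an argument.
if [ "$#" -gt 0 ]; then wp_perm_audit "$1"; fi
```

Run the audit first and read the findings before calling `wp_perm_fix`, since some hosts need group access (750) rather than 755 on directories.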
Use email as your username:
Avoid using “admin” as your username. Rather, you can use your email instead. The reason is quite obvious: simple usernames are easy to predict.
Secure passwords:
Make sure all of the users use strong passwords.
Check for theme authenticity and conduct security scans:
A security scanner will check for malicious code in your plugins, core files and themes to ensure nothing has been tampered with. Several scanners exist that you may wish to consider, including Sucuri Sitecheck, CodeGuard, Theme Authenticity Checker, and AntiVirus.
Backup your site:
Scheduled backups are an essential part of any site’s security because they ensure that if your site is compromised, you’ll be able to restore it to the latest working version.
The above points should cover the security measures that most sites have. I have been working with WP for years, and in my experience there are a few other points which, if we take care of them, will make our site more robust.
Rename your login url:
Relocating/renaming your login page is a quick way to prevent automated attacks. Brute-force attacks are automated to find the default WordPress login URLs and try logging into the system with random details. Changing the URLs to something else will defeat their algorithm and make their job harder.
Decrease use of plugins:
Using an extensive number of plugins increases the vulnerability of your site. This not only increases the chance of being hacked, but will also affect your site’s speed and performance. So, one should try not to use unwanted plugins and use one only if it is a necessity.
Don’t use pirated plugins and themes:
Do not download paid plugins/themes from anywhere other than where they are officially for sale. It’s lame to download pirated plugins. Totally legitimate plugins are often corrupted with malware by the time they hit these illegal download sites/torrents, and when installed on our site they will have direct access to our backend.
Automatic Core Updates:
I’ve already mentioned above the importance of updating your WordPress installation as upgrades are released. With recent WP releases, updates now happen automatically, but major updates are still something you need to approve. You can, however, insert a bit of code into your wp-config.php file to configure your site to install major core updates automatically. Be aware that auto updates can break your site, especially if a plugin or theme isn’t compatible with the latest WP version.
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
Hide Author Usernames:
It’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier. To do this, all you need to do is add some code to your site. Once inserted, this code will make it so when someone inputs ?author=1 after your main URL, they won’t be presented with the administrator’s information and will instead be sent back to your homepage.
Just copy and paste the following into your functions.php file:
// Send any author-archive request (e.g. ?author=1) back to the homepage.
add_action( 'template_redirect', 'bwp_template_redirect' );
function bwp_template_redirect()
{
    if ( is_author() )
    {
        wp_redirect( home_url() );
        exit;
    }
}
Eliminate the Plugin and Theme Editor
Disallowing the plugin and theme editor in the WP dashboard ensures that even if a user account gets compromised, the hacker can’t use the editor to modify the code.
You can remove this editor by inserting the code below into wp-config.php.
define( 'DISALLOW_FILE_EDIT', true );
Eliminate PHP Error Reporting
Error reporting is useful while troubleshooting in development. Error messages often include server paths and other information related to your server/site, which might be enough for hackers. So it’s better that we disable it altogether. You can disable error messages by adding the code snippet below to wp-config.php:
error_reporting(0);
@ini_set('display_errors', 0);
Choose Best Hosting You Can Afford
You can trick out your site all you want with all the latest security hacks but if you don’t have a good hosting provider, your efforts aren’t going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That’s edging on half there, which means you need to do something about your hosting plan, ASAP.
If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone else’s site on the server from affecting yours in any way. But I think it’s a much better idea to use a service that’s catered directly toward WordPress. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that’s designed for running WordPress, and a customer service team that knows WordPress inside and out.
Protect Your important files using .htaccess.
.htaccess plays a vital role in WordPress for permalink structure and security. The minor changes you make in this one file can have a huge impact on your entire site’s security. There are many rules you can implement for security, ranging from hiding the wp-config.php file to restricting admin access, restricting IPs, etc. We will cover how to modify the .htaccess file to increase security in later posts.
I hope this covers most of the security measures that one can take to improve WordPress security. Please drop in your comments if you think something is important and not listed above.
Thanks for this nice article. Recently, my site got infected with malware, causing lots of trouble to my clients' SEO. Implemented most of the steps mentioned above, but a few are quite technical; trying to understand them. Will let you know if I get stuck on anything.
Glad to know someone is finding this article useful. Let me know if I can be of any help.