WordPress Security: 15 proven techniques to secure your WordPress website in 2020


With the growth of WordPress usage worldwide there has been a lot of discussion about WordPress security. In this article we cover the most important actionable steps to harden your WordPress site. Before diving into the techniques, let's look at some numbers on WordPress usage and why it gets attacked.

WordPress popularity and its safety and security concerns

WordPress is the most popular content management system in the world and has been the fastest growing CMS for many years. According to the latest data from W3Techs, more than 35% of all websites (not just those running a CMS) are powered by WordPress.

[Figure: W3Techs CMS usage graph]

That popularity makes WordPress the most targeted CMS: attackers get the best return on a vulnerability that affects a third of the web. According to Sucuri, in 2018, 90% of the infected websites they cleaned ran WordPress, up seven points from 83% in 2017. Note that this number reflects market share and attacker interest more than any weakness in WordPress itself; most of those infections come from outdated or poorly configured installations, plugins and themes, which is exactly what the techniques below address.

[Figure: Sucuri infected CMS report 2018]

According to Internet Live Stats, more than 100 thousand websites are hacked every day.

[Figure: Websites hacked today, Internet Live Stats]

Taking all this into consideration, WordPress security should be taken seriously and the necessary steps should be taken to secure your website. It does not matter whether your site is personal, a business site, a blog or an enterprise site: most attacks are automated and scan every reachable site for the same weaknesses, so your website is always a target unless you take the necessary actions to secure it.

WordPress core is pretty secure and is updated regularly to fix vulnerabilities. However, the source code of open-source software like WordPress is available to everyone, and attackers are always looking for a loophole to exploit for their own benefit. Anything on the web can be exploited, and WordPress is no exception. As website owners it is our responsibility to tighten WordPress security and decrease the likelihood of being hacked.

“The four most common WordPress malware infections are Backdoors, Drive-by downloads, Pharma hacks, and Malicious redirects.” 

Smashing Magazine

WordPress security techniques

WordPress security has always been our top priority, and after years of working with WordPress we have come up with the following proven techniques to harden it. Whether you are technically savvy or not, these tips should be easy to implement on your own.

Secure Hosting Company

Your hosting provider plays a vital role in WordPress security. Good providers with years of WordPress hosting experience know a lot about WordPress security and optimization. They have their servers tuned specifically for WordPress and provide multiple layers of security at the hardware and software level against common threats, which includes: regular malware scans, monitoring of their network for suspicious activity, DDoS mitigation, keeping server software and hardware up to date, daily backups and a proper disaster recovery plan.

“41% were hacked through a security vulnerability on their hosting platform.”

WP White Security

The easiest way to keep your WordPress website secure is to go with a good hosting provider. You might be intrigued by the offers from cheap hosting providers, but trust us: investing a little more in quality hosting means you can focus on what you do rather than going through all the hassle after your site gets infected. This is why we prefer managed WordPress hosting providers like Pantheon, Kinsta, WP Engine, Flywheel, SiteGround, etc.

Managed WordPress hosting provides an additional level of security, including automatic backups, software updates, malware scans, recovery plans, staging environments, site optimization and many more features. Best of all, most of them provide 24/7 support handled by real people with in-depth WordPress knowledge rather than the automated bots you get with other hosting providers. Managed hosting therefore not only improves WordPress security but also your website's performance and speed.

Update WordPress, plugins and themes regularly

Outdated software is vulnerable to exploits. Many vulnerabilities found in older versions of WordPress have been fixed in the latest updates, and once a fix is public, attackers know exactly what to look for on sites that have not applied it. WordPress is maintained and updated regularly by hundreds of developers, and updates contain security enhancements as well as new features. Updates are there for a reason, so as a website administrator it is our responsibility to keep WordPress up to date.

Only 29% of WordPress websites are running the most current version of the software (5.3).

WordPress

Unfortunately, the records show that the majority of WordPress websites are running outdated versions. More than 40% of sites are still on a version lower than 5. The main reasons are that site owners are unaware of the risk they are taking, and that they fear updates will break the website. A staging environment (which most managed hosts provide) takes care of the second worry: test the update there, then apply it to production.

According to a recent report by wpscan.org, of the 3,972 known WordPress security vulnerabilities:
52% are from WordPress plugins
37% are from core WordPress
11% are from WordPress themes

ithemes

The same goes for themes and plugins. They add functionality beyond WordPress core, but every plugin you install is extra code running on your server, so use them wisely: they can affect performance, and, as the numbers above show, they are where most vulnerabilities are found. Plugin and theme maintainers release updates regularly for new features, bug fixes and security fixes, so make sure to apply them as they become available, and delete plugins and themes you no longer use rather than just deactivating them.

Avoid using Nulled themes & plugins

You should be very careful when choosing themes and plugins. When searching the WordPress repository, use ones from trusted authors that are regularly maintained. There are lots of WordPress marketplaces where you can get premium themes and plugins for different functionality. Premium themes look more professional and are more flexible than free ones, and their developers maintain them, release regular updates and provide support. But there are a few sites that offer these premium themes and plugins for free. These are usually called nulled themes and plugins.

A nulled theme or plugin is a pirated copy of a premium theme or plugin with the licence check removed, and it often contains malicious code: backdoors, spam links, code that collects information or loads malware. Because the code runs with the same privileges as WordPress itself, a single nulled plugin hands the attacker your whole site. We strongly advise against using them. It is always tempting to save a few dollars, but that saving can lead to a massive loss later when your website gets hacked.

By not using nulled themes and plugins you support the developers who make a living from them and help the WordPress community thrive. In return you get regular updates, support and better WordPress security 🙂

Use strong usernames and passwords

One of the top causes of WordPress security breaches is weak passwords. The main reason people use weak passwords is that strong ones are hard to remember. Password managers like LastPass and 1Password solve this: they generate and store a unique password for every application you use, so you never have to remember them.

Top usernames being attacked: admin, Admin, administrator, test, root.

“8% of WordPress security breaches happen as the result of a weak password.”

WP SmackDown

If you create passwords manually, use a long mix of numbers, lowercase and uppercase letters, symbols and phrases; otherwise let a password generator or your password manager suggest one. Never reuse a password across sites. And it is not only your WordPress admin password: you need strong, unique passwords for FTP/SFTP, cPanel, the database and any other logins, since any one of them gives an attacker the same access as the admin account.

Similarly, it is better to have a non-obvious username. Avoid “admin” and use your email address or any unique username instead. The reason we suggest stronger usernames and passwords is to defeat automated attacks called brute force attacks: scripts that try to log in using random or common passwords, or lists of passwords stolen in other breaches (credential stuffing). Keep in mind that the username is not a secret: WordPress reveals it in author archive URLs and via the REST API, so the password is what really has to hold.

Change your WordPress admin URL

By default, the WordPress login page is reachable at yourdomain.com/wp-admin or yourdomain.com/wp-login.php. Everyone, including attackers, knows this URL, which makes it easy to point a brute force script at it. Changing the login URL makes your site less attractive to those automated scans. Plugins such as WPS Hide Login or iThemes Security can change the login URL for you. Treat this as a convenience that cuts noise, not as a real control: it is security by obscurity, and login attempts can still be made through xmlrpc.php and the REST API, so combine it with the strong passwords, login limits and XML-RPC steps described here.

If you can protect yourself against plugin vulnerabilities and brute force attacks, you are accounting for over 70% of the security problem.

Wordfence

Limit login attempts

Another simple way to stop brute force attempts is to limit failed login attempts. WordPress itself does not restrict how many times a user can try to log in, which is exactly what brute force attacks rely on. You can use the Login LockDown plugin for this. It records the IP address and timestamp of every failed login and disables logins from that address once the number of failures exceeds the allowed limit within a short period of time. The number of attempts, the time window and the lockout length can all be customized in its settings page. One caveat: if your site sits behind a proxy or CDN, make sure the plugin (or your server) sees the real visitor IP, otherwise every visitor shares the proxy's address and one attacker can lock everyone out.
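To show what a login limiter actually does under the hood, here is a small must-use plugin that implements the same idea. This is an added example, not code from the Login LockDown plugin or from this article: it keeps a per-IP failure counter in a WordPress transient and refuses authentication while an address is locked out. The file name and the three policy values are assumptions; adjust them the way you would in the plugin's settings.

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 *
 * Added example, not Login LockDown's code. Save as
 * wp-content/mu-plugins/login-lockout.php and WordPress loads it automatically.
 * The three policy values below are assumptions.
 */

const LL_MAX_FAILURES    = 5;                      // failed logins allowed ...
const LL_FAILURE_WINDOW  = 15 * MINUTE_IN_SECONDS; // ... within this many seconds
const LL_LOCKOUT_SECONDS = HOUR_IN_SECONDS;        // how long the address stays locked

// REMOTE_ADDR is the only address the client cannot forge. Behind a proxy or CDN
// it is the proxy's address, so every visitor would share one counter; in that
// setup read the proxy's trusted client-IP header instead (assumed not here).
function ll_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_key( $prefix ) {
	return $prefix . '_' . md5( ll_client_ip() );
}

function ll_is_locked_out() {
	return (bool) get_transient( ll_key( 'll_lock' ) );
}

// Count failures per IP in a transient that expires with the window; on the
// Nth failure start the lockout.
add_action( 'wp_login_failed', function ( $username ) {
	if ( ll_is_locked_out() ) {
		return; // already locked out; further attempts must not extend the window
	}
	$fail_key = ll_key( 'll_fail' );
	$failures = (int) get_transient( $fail_key ) + 1;
	set_transient( $fail_key, $failures, LL_FAILURE_WINDOW );

	if ( $failures >= LL_MAX_FAILURES ) {
		set_transient( ll_key( 'll_lock' ), time(), LL_LOCKOUT_SECONDS );
		delete_transient( $fail_key );
		// Leave a trace in the PHP error log so the event shows up in your security logs.
		error_log( sprintf( 'login lockout: %s after %d failures (last username "%s")',
			ll_client_ip(), $failures, $username ) );
	}
} );

// While locked out, replace whatever the password check returned with an error.
// Priority 30 runs after WordPress's own username/password filters (priority 20),
// so the attacker never learns whether the guess was right.
add_filter( 'authenticate', function ( $user ) {
	if ( ll_is_locked_out() ) {
		return new WP_Error( 'll_locked_out',
			__( 'Too many failed login attempts. Please try again later.' ) );
	}
	return $user;
}, 30 );

// A successful login resets the failure counter for this address.
add_action( 'wp_login', function () {
	delete_transient( ll_key( 'll_fail' ) );
} );
```

Transients are stored in the options table (or in your object cache if you run one), so the counters survive across PHP workers but expire on their own; the lockout also covers logins made through xmlrpc.php and the REST API, because those go through the same `authenticate` filter. The trade-off of any per-IP limit is that an attacker spreading attempts over many addresses is slowed much less, which is why it belongs alongside strong passwords and two-factor authentication rather than instead of them.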

Disable XML-RPC

XML-RPC is a remote procedure call protocol that uses HTTP as the transport and XML as the encoding. In WordPress it lives at xmlrpc.php and is used by the mobile apps, by services such as Jetpack and by pingbacks between blogs. It lets a client pack multiple commands into one HTTP request, and that is exactly what attackers abuse: a single request can carry hundreds of password guesses (hiding them from per-request rate limits), and the pingback.ping method can make your site fetch attacker-chosen URLs, turning it into a DDoS reflector. XML-RPC is used extensively for brute force attacks against WordPress.

One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allows applications to pass multiple commands within one HTTP request.

Sucuri

Therefore, if you are not using XML-RPC, simply disable it. You can check whether it is enabled on your site with the XML-RPC Validator, or by requesting yourdomain.com/xmlrpc.php yourself: an enabled endpoint answers with “XML-RPC server accepts POST requests only.” There are different ways to disable it. You can install the Disable XML-RPC plugin or use any of the methods listed below:

  • Disable using a WordPress filter
    Add this line to your (child) theme's functions.php or, better, to a file in wp-content/mu-plugins so it survives theme changes. Note that this filter only switches off the XML-RPC methods that require a login; xmlrpc.php itself keeps responding, so combine it with one of the web server rules below if you want the endpoint gone completely.
add_filter( 'xmlrpc_enabled', '__return_false' );
  • Disable using .htaccess (Apache)
    Replace 123.123.123.123 with an address that still needs access (for example your own IP) or drop that line to block everyone. This is the Apache 2.2 syntax; on Apache 2.4 it works through the mod_access_compat module, and the native equivalent is “Require all denied” (plus “Require ip 123.123.123.123” for the allow list).
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
  • For Nginx users
    An exact-match location is cheaper than a regular expression here and avoids the unescaped dot in the original pattern.
location = /xmlrpc.php {
    return 403;
}

Install security plugins

WordPress security is challenging: new malware and hacking techniques are discovered every day, and it would be very time consuming for a site administrator to keep up with all of them and update the site's security manually. Fortunately, several companies offer website security as a service and have developed plugins that protect our websites, such as Wordfence, iThemes Security and All In One WP Security & Firewall, which are all mentioned elsewhere in this article.

These plugins come in free and premium versions. The free version should be enough for most websites until you need more advanced protection. They take care of your website's security and provide a range of features, some of which are listed below. Pick one and configure it properly rather than installing several; overlapping security plugins slow the site down and can interfere with each other.

  • Malware scanning
  • IP Whitelisting
  • IP Blacklisting
  • Security Logs
  • Firewall
  • Detect vulnerable plugins and themes
  • Login security: Two factor authentication, captcha, etc.

Install an SSL/TLS certificate

SSL (Secure Sockets Layer), today really its successor TLS, lets the browser establish an encrypted connection with your server. This ensures that the information sent between the user's browser and the server cannot be read or modified in transit, which matters most for the login form: without it your admin password crosses every network on the way to the server in plain text. A website with SSL enabled uses HTTPS instead of HTTP, and a padlock appears next to the address in the browser.

[Figure: website with SSL enabled, showing the padlock in the address bar]

Enabling SSL not only helps website security but also search engine ranking: Google has officially listed HTTPS as a ranking factor. Research also shows that SSL builds confidence in users browsing your site, increasing its trust and credibility. Given all these benefits, most websites have SSL enabled these days.

Most hosting providers now provide a free SSL certificate for your website. If you have not enabled SSL yet, contact your hosting provider or enable it yourself from your cPanel/Plesk panel. Once the certificate is in place, set the WordPress Address and Site Address to the https:// URL and redirect all HTTP requests to HTTPS, otherwise visitors and login forms can still end up on the unencrypted version.

Regular backups

Backups are an essential part of website security. Nothing on the internet is 100% secure, and while we work on tightening security, attackers keep working on new methods to break in.

Backups ensure that you can restore the website if it is compromised by any means. A backup is only useful if it is stored somewhere the attacker cannot reach (a copy on the same server disappears together with the site) and if you have actually tested restoring from it. As we are discussing WordPress security, these are the options available for WordPress backups:

  • WordPress backup service providers like VaultPress, CodeGuard and BlogVault, which store your backups in the cloud on a subscription model for a minimal monthly fee.
  • Managed WordPress hosting providers, which, as discussed earlier, have automatic backups in place and also allow manual backups when needed.
  • WordPress backup plugins like UpdraftPlus, BackupBuddy, WP Time Capsule, etc. These give you the option to store backups locally on the server or in cloud storage (Amazon S3, Google Drive, Dropbox, etc.); choose the cloud option so a compromise of the server does not take the backups with it. All of these plugins have premium versions, but the free version should be enough for normal cases.

DDOS Protection

A DDoS (Distributed Denial of Service) attack floods your server with traffic from many systems in many geographic locations, overloading it and disrupting service for hours or days. The traffic usually comes from botnets of infected computers and IoT devices.

A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.

Wikipedia

While we only hear about big companies being hit by DDoS attacks, any website on the internet can be targeted. Third-party services like Sucuri and Cloudflare offer DDoS protection as part of their security and performance offerings: they sit in front of your site, absorb the flood and pass only legitimate traffic to your server. To make that work, the server's real IP address must not be reachable directly, so restrict it to the provider's address ranges. Definitely something to look into when you have time.

File and directory permissions

File and directory permissions are vital for WordPress security. If they are too loose, another account on the same server, or a web application that has been compromised, can read your database credentials or write a malicious script into your site and execute it. Below are the recommended permissions:

  • All directories should be 755 or 750.
  • All files should be 644 or 640, except wp-config.php, which should be 440 or 400 to prevent other users on the server from reading it.
  • No directory should ever be 777, not even the uploads directory. On hosts where the PHP process runs as the owner of the files (suPHP, or a per-site PHP-FPM pool) it already has the owner's permissions and can write to a 755 directory; 777 only adds write access for every other account on the server. If your host runs PHP as a different user (commonly www-data), uploads need group write access for that user rather than world-writable permissions, and a 440 wp-config.php will not be readable by PHP at all, so test any change on staging first.

More details of permissions here.
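Here is a small command-line script that checks a WordPress tree against the modes listed above and optionally fixes them. It is an added example, not code from this article or from WordPress; it only flags entries that are looser than the recommendation, so stricter choices such as 750/640 are left alone, and it skips symlinks so a chmod can never reach outside the tree. The paths in the usage comment are assumptions.

```php
<?php
/**
 * Audit, and optionally fix, WordPress file permissions from the command line.
 * Added example, not code from the article or from WordPress. Usage (assumed paths):
 *     php wp-perms.php /home/yoursitename/public          # report only
 *     php wp-perms.php /home/yoursitename/public --fix    # report and chmod
 * Run it as the user that owns the files; chmod on files you do not own fails.
 */

const WP_DIR_MODE    = 0755;
const WP_FILE_MODE   = 0644;
const WP_CONFIG_MODE = 0440;

// The mode the article recommends for this entry.
function wp_wanted_mode( SplFileInfo $entry ) {
	if ( $entry->isDir() ) {
		return WP_DIR_MODE;
	}
	return $entry->getFilename() === 'wp-config.php' ? WP_CONFIG_MODE : WP_FILE_MODE;
}

/**
 * Returns one "current -> wanted path" line for every entry that has permission
 * bits the recommended mode does not have (e.g. 0777 -> 0755, 0644 -> 0440).
 * With $fix = true the entry is also chmod'ed to the recommended mode.
 */
function wp_perms_audit( $root, $fix = false ) {
	$findings = array();
	$walker   = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
		RecursiveIteratorIterator::SELF_FIRST
	);
	// The iterator does not yield the root directory itself, so add it explicitly.
	$entries = array_merge( array( new SplFileInfo( $root ) ), iterator_to_array( $walker, false ) );

	foreach ( $entries as $entry ) {
		if ( $entry->isLink() ) {
			continue; // chmod follows symlinks; never touch targets outside the tree
		}
		$current = $entry->getPerms() & 0777;
		$wanted  = wp_wanted_mode( $entry );
		if ( ( $current & ~$wanted ) === 0 ) {
			continue; // equal to or stricter than the recommendation
		}
		$findings[] = sprintf( '%04o -> %04o %s', $current, $wanted, $entry->getPathname() );
		if ( $fix && ! @chmod( $entry->getPathname(), $wanted ) ) {
			$findings[] = 'chmod failed (not the owner?): ' . $entry->getPathname();
		}
	}
	return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
	foreach ( wp_perms_audit( $argv[1], in_array( '--fix', $argv, true ) ) as $line ) {
		echo $line, PHP_EOL;
	}
}
```

Run it without --fix first and read the report: a long list of 0777 directories usually means a plugin or an FTP client set them, and a wp-config.php that is not 0440 is the first thing to fix. As noted above, if PHP runs as a different user than the file owner, apply the wp-config.php change on staging before production, because a 0440 file is unreadable for that user and WordPress will stop working.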

Prevent hotlinking

Hotlinking means someone embeds your static files (images, JS, CSS, etc.) directly from your server into their website, so your server pays for their bandwidth. Depending on the hotlinking site's traffic the impact ranges from negligible to harmful, with maxed-out server resources and a high hosting bill.

Plugins like All In One WP Security & Firewall include built-in hotlink protection. Depending on your web server, you can also block hotlinking manually with the rules below. All of them work by checking the Referer header, which the client controls, so treat this as bandwidth protection rather than a security control: anyone can still download the files with an empty or forged Referer. The empty-Referer case is deliberately allowed so that direct visits and privacy-minded browsers that strip the header keep working.

  • Block hotlinking in Apache
    Add this to your .htaccess file. The original snippet was missing the RewriteRule that actually blocks the request; without it the conditions do nothing. To whitelist another website, copy the last RewriteCond line and replace the domain. Adjust the file extensions in the RewriteRule to match what you want to protect.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?whitelistanyotherwebsitehere\.com [NC]
RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,F,L]
  • Block hotlinking in Nginx
    Add this inside your server block. “none” allows an empty Referer and “blocked” allows Referers that a proxy or firewall has stripped; the ~ entries are regular expressions (the dots have to be escaped, otherwise they match any character) and let you whitelist Google, Yahoo, etc.
location ~* \.(gif|png|jpe?g|css|js)$ {
    valid_referers none blocked yourdomain.com *.yourdomain.com ~\.google\. ~\.yahoo\.;
    if ($invalid_referer) {
        return 403;
    }
}
  • Block hotlinking on a CDN
    A CDN is no exception: people can copy your CDN image links into their website and run up your bill. The steps differ per CDN; for Cloudflare, follow the hotlink protection setting described in this link.

Disable file editing

WordPress ships with a built-in code editor that lets you edit theme and plugin files directly from the admin area. While this is handy for an urgent change, we do not recommend making changes there. Recent WordPress versions do check for fatal errors before saving, but mistakes still happen, so make changes on a staging environment first, test, and only then deploy to production.

The other reason to disable file editing is that it is the first place an attacker who gets into the admin area (through a stolen password or a vulnerable plugin, say) goes to drop malicious PHP into your site. With the editor off, a compromised admin account cannot turn into code execution that easily, which is a big difference: a hijacked account can be reset, a backdoor in a theme file survives the password change.

You can disable file editing by adding the snippet below to wp-config.php (above the “That's all, stop editing!” line), or by using one of the security plugins. If you also want to block plugin and theme installs and updates from the admin area, the related DISALLOW_FILE_MODS constant does that, but then updates have to be applied by other means, so do not set it unless you have that process in place.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Secure your wp-config.php and .htaccess file

wp-config.php is the main configuration file of your WordPress website. Securing it goes a long way, because everything vital is in there: database credentials, the security keys and salts, and other important settings. Anyone who can read it can log into your database and forge login cookies.

One method, mentioned above under file and directory permissions, is to set its permissions to 440 or 400 so other users on the server cannot read it. Different hosting providers have different requirements (the PHP user must still be able to read the file), so contact your host if you run into problems. You can additionally block direct web access to wp-config.php and .htaccess with the same kind of <Files> deny block shown for xmlrpc.php above; normally PHP never serves wp-config.php as text, but this protects you if PHP handling ever breaks on the server.

Another method is to move wp-config.php out of the public directory. Say your wp-config.php is at /home/yoursitename/public/wp-config.php: move it one level up to /home/yoursitename/wp-config.php, where it cannot be fetched over the web. WordPress automatically looks for wp-config.php one directory above its own folder (as long as that directory does not also contain a wp-settings.php), so in this exact case you can simply delete the copy in the public directory. If you move the file anywhere else, keep a stub wp-config.php in the public directory that contains nothing but an include of the real file, so WordPress keeps working:

<?php
// Stub left in the web root: load the real configuration from outside it.
require_once '/home/yoursitename/wp-config.php';

Conclusion

WordPress security has been a concern for many users from the very beginning. Given the number of websites hacked every day, it should not be taken lightly. The steps above help you harden your WordPress security and minimize the chances of your website being attacked.

As they say, “prevention is better than cure”: it is far better to secure your WordPress website now than to spend lots of time and money cleaning up after it has been hacked, and only then implement these steps. Act now, secure your website using the tips above, and let us know how it goes in the comments below.
