WordPress Security tips
Although generally considered as a CMS only for managing blogs, WordPress, in fact is a very powerful platform that can be used to create your entire site without the need of any additional applications. Its ease of use, large community always ready to help, and an impressing variety of plugins has made WP a preferable choice for many webmasters. At the moment WP holds around 15-20% of the ‘market’. However, regardless of its ease of use – it is also one of the weakest platforms when it comes down to security.
Last year and a half taught us that WordPress security should not be taken lightly by any means. Between 15% and 20% of the world’s high traffic sites are powered by WordPress. The fact that it is an Open Source platform and everybody has access to its Source Code makes it a tempting prey for hackers.
Most attacks are coming from Russia, Germany, Poland and India including, but not limited to:
- SQL Injections
- Blackhole Exploit Kit attacks
- Password and Login brake efforts
Truth is, if a capable master of the script targets your site, there is really no way to prevent an intrusion. What you are about to read below are some precautionary actions you can take to quickly minimize the risk to an acceptable level. If your WordPress site is well protected chances are a hacker would prefer picking another, easier victim.
Starting with the more obvious ones:
1. Update your WP regularly
There is absolutely no reason to stay on the older versions when there is a new one available. WordPress updates contain bug fixes, vulnerability fixes and cover security flaws discovered by the vast WordPress community. Same goes for updating themes. It is easy and efficient. Actually, it is the best and easiest way to prevent your page from malicious activities, which are most likely as result of a compromised and not fully updated application, site, exploitable php scripts, etc. All the old versions of your applications can be considered as a potential security holes. They can simply be used by the attacker, who is (most of the time) an automated spider.
You must have heard a lot about updating regularly your WP, including all installed plugins. Updating your version and installed plugins is of vital importance to the overall WP security. When a new version of WordPress is available, users are informed via an automatic message; there will be also a warning in your WP admin area. When a new WP press version or new version of any installed plugins is available – you should proceed with any recommended updates IMMEDIATELY. You can do this with a few click from the top note in your admincode panel informing you that there is a newer version available -> Please Update Now -> Update Now. All of our customers, using cPanel control panel, will also receive an additional reminder from our application installer tool Softaculous if there is an outdated version of WordPress installed under your hosting account.
2. Select your plugins very carefully and remove un-needed ones:
The advantages of an open community are endless but what you need to know is that adding random plugins can be a security threat to your site. The problem comes not 0necessarily due to malicious intentions of the plugin creator, but mostly due developer’s lack of experience or secure web site development knowledge. We find this point so important that we will dedicate our next article on how to choose your WordPress plugins.
Now, another step is to make sure that you remove all the plugins that you do not need anymore and you have disabled. Disabling the plugins does not mean that they are removed from the server, thus if you simply disable them, you leave a door open for potential attacks. Depending on your WP version you can either remove the plugin from using the DELETE link next to the plugin (you first need to disable it) ; or for older versions you can remove the WP SECURITYplugins by logging to your site via FTP, going to the directory where the plugin is installed and then delete the folder with all the files from the server. This applies to the themes as well, in case you don’t need a certain theme, delete it from your admin panel (Appearance -> Themes). It is recommended to perform this on a regular basis because it is almost automatic to install and later disable a plugin, and you could easily forget about this which could cost you your site being compromised.
3. Chose a strong password? Choose username wisely:
Many of the attacks target the default WordPress username with bruteforce, password cracking robots. First step is to change your “admin” or “administrator” username from the WordPress Administration Panel.
– Go to mysql tool (phpmyadmin)
– Find your database
– Go to wp_users and browse for “admin”
– Under user_login column, change it to something else.
This naturally leads to the following…
Choose a password that includes multiple upper and lowercase letters, as well as symbols such as ”!@#$%^&*()” Go to Users–>Your Profile and change it through the “New password” field at the bottom. This will make it way harder to crack it down. Make sure you do the same for your ftp Cpanel hosting account password and don’t use the same one you used in WordPress.
Login Limiter – it is very common to break a user account via brute force password attack. It means that in a very short period your login page will be bombarded with different combinations of usernames and passwords. You can prevent this from happening by setting a login limiter. There are certain plugins that you can use for this such as Limit Login Attempts.
4. Disable user registration
If you do not need users to register on your site, make sure that you disable this option. You can do so from your admin panel and then from the Settings menu disable the ‘Anyone can register‘
5. Limit the IPs that can log into your admin account – this is another measure you can take in order to secure your site. The easiest way to do this is by using a plugin that will limit the IPs allowed to access your admin account.
6. Remove the WP version info from your site
When you install WordPress it automatically adds the version to the header of all your blog pages. Removing it is important, because if you leave it freely published on your site, you make the life of a potential hacker much easier. You should remove it from the page header meta, and since it is also contained in the readme.html file, renaming (removing) this file as well could do the trick.Wp-resized If the version is still shown add this line in your theme’s functions.php file<?php remove_action(‘wp_head’, ‘wp_generator’); ?>
7. WP security keys
If you do not have such keys, make sure you add them. These WordPress security keys, also known as Secret keys, will further protect your password by adding ‘salt’ to it thus making it very difficult to be broken. You can create your own, but it is recommended to use the WordPress random generator. Once you have these keys, you should go to your wp_config file and place them accordingly
8. Frequently backup your database
You heard this one before. Do regular backups or you will eventually regret it. You may lose all of your work if being hacked. Also, remember to backup every time you make changes. You can do that through the use of a plugin or manually.
9. Protect your WP-CONFIG.PHP file:
Move your wp-config.php file one directory up from the WordPress root. WordPress will look for it there if it cannot be found in the root directory. Also, nobody else will be able to read the file unless they have SSH or FTP access to your server.
There are a number of important plugins you should consider installing:
10. Login LockDown
This is very useful plugin, protecting you against brute-force password-crack attacks. It keeps track of the IP address of every failed login attempt. You can configure the plugin to disable login attempts for a range of IP addresses when a certain number of failed attempts is reached.
11. Secure WordPress
Secure WordPress is an easy to install comprehensive plugin taking care of number of things, including:
– Hides your WP version.
– Removes error information on login page.
– Removes core update, plugin update and theme update information for non-admins.
– Blocks queries potentially harmful to your WordPress website
– Adds a virtual index.php plugin directory.
– Many others…
12. Bullet Proof WordPress Security
Crash resistant, comprehensive plugin, covering many aspects of an attack – XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. According to the official description – “The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website.” This pretty much sums it. A must have!
13. Exploit Scanner
Exploit Scanner goes through the files on your website database, comment and post tables in search of anything suspicious. It also notifies you for unusual plugin names. It does not remove anything, it simply warns you for potential threats.
14. WordPress Firewall
This is another must-have security plugin.
– Investigates WordPress web requests in attempt to block obvious attacks.
– Black and whitelists pathological-looking phrases based on which field they appear within, in a page request. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
15. Protect your WordPress Login against Brute-Force Attack
Please study how to Protect your WordPress Login against Brute-Force Attack.
Implementing all of the above will probably take less than an hour to complete, while making your WordPress site much more resistant to intrusions. Over 1 million WordPress sites were cracked last year, mainly due to easily preventable security gaps. Have yourself prepared and you are likely to be on the safe side.
Hope we helped. Please, share your thoughts on tour blog’s WordPress security in the comments section.