Posted in

How to secure a wordpress site

What do sites like Interview Mantra, Bilforsikring, Prepared Marketing, and 1.5 million other WordPress sites have on common? They have all been hacked at one time or someone has tried to hack them. Find out how to secure your wordpress site.

WordPress was developed by Matt Mullenweg in 2003.WordPress is a popular CMS for building a new website for both newbie’s as well as tech nerds, hackers all around the world keep on trying to find new loopholes and vulnerabilities within WordPress to hack it. In fact, now-a-days this is one of the major concerns among new businesses and some of them try to avoid using WordPress for this hack phobia.

WordPress security is often referred to as “hardening”. It is just like the process of adding reinforcements to your castle. It’s all about bolstering the gates and putting lookouts on every tower. But that term doesn’t always allow you to realize the details that go into improving site security.

“8 out of 10 sites included base64 encoding in their themes.”

Siobhan McKeown

Here are some of the ways to secure and make almost impossible for a hacker to hack WordPress.

  1. Use fast and secure hosting 

People always look for the unlimited plan accounts with unlimited space, unlimited bandwidth and unlimited domains for their hosting because they think that it will be cheaper that way. But what they never understand is that what a trap they are falling into. In short, there is nothing unlimited or free in this universe. Not even sun light, it is also going to run out one day one way or another. Big brand companies use the “UNLIMITED” tag to lure newbie users to get them online and after that provide such a pathetic service that they will almost feel forced to upgrade to a more costly VPS server.

  1. Always Change the Default “admin” username

WordPress installation on any server has become so easy nowadays that most of the people just ignore these minor things. No matter whether you use the default WordPress installer or any one click installer that comes with your server control panel, make sure you change the primary admin username to anything else from the default “admin”. This is very important. The reason it is most important is that most hackers use Brute Force Attack tools to randomly guess your username and password for successful login.

  1. Always use a super strong complex password and keep on changing it

 According to report by Global consultancy Deloitte that over 90 percent of user-generated passwords, even those considered strong by IT departments will be vulnerable to hacking. I know everyone knows this and it is a very basic thing, but trust me every hacker use it when it’s needed. Make sure your WordPress admin password contains a combination of Uppercase, Lowercase, Alphanumeric, special characters (e.g. @, #,?), and are at least 12 characters long. In this way, you can give the hacker a real pain to actually decrypt your password. Make your habit to change your passwords at least once in three months.

  1. Disable Directory Indexing and Browsing

On most web servers directory listing has been enabled by default for the much good reason, but after your website development has been completed, just open the .htaccess file present in the root directory or under the public_html directory of your server and add this following code at the top of your existing htaccess code.

Options -Indexes

This will disable the directory listing feature of your server and anyone who tries to access a server directory that doesn’t have a index.html or index.php file will return a 403 Forbidden error. The above code will work for Apache as well as Lightspeed servers but if you have an nGinx server, contact your server admin to enable this on your website.

If you do not disable this feature in your website hackers can easily follow along with your directory structure and find out what exact files you have on your server and how they are arranged. This gives them an advantage of knowing your site perfectly. So, you must enable it. Folders like wp-content or wp-includes in WordPress sites contain sensitive data that isn’t required for everyone to see it. As you know, the wp-content folder contains your themes, plug-in, and media uploads. Hackers can find potential exploits by going through these files. So yes, in a way, you’re making the hacker’s job easy by not disabling directory browsing.

  1. Always keep your WordPress core, themes & plugins updated

Although it is true that updating WordPress core, theme or plugins may break your site sometimes but it only occurs for 0.001% of the website who uses badly coded themes and plugins. The reason things get broken after the update is that sometimes the developer of the theme you are using or some plugin in your site has stopped supporting and updating its code. So, when WordPress deprecate any function, those theme/plugins still tries to access it and end up having lots of PHP error.

I suggest using a backup system like UpdraftPlus Premium or BackupBuddy and creating a backup of your entire site before updating. In this way, if something bad can happen you can still restore back to your previous working version of you site. No matter what the case is, always keep your site updated with the latest version of WordPress, installed themes and plugins. Developer releases patch every other day to fix the vulnerabilities in their software as soon as they get spotted or notified.

  1. Limit Login Attempts

Hackers try to exploit weak password vulnerability by using scripts that enter different combinations until your website cracks. To prevent this, you can limit the number of failed login attempts per user.

For example, you can say after 5 failed attempts, lock the user out temporarily. If someone has more than 5 failed attempts, then your site block their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer.

  1. Disable XML-RPC in WordPress

Hackers are using the XML-RPC function in WordPress for DDoS botnet attacks as well as Brute Force attacks. The XML-RPC function was originally designed to be used an intranet notification system for WordPress users. But few use it anymore due to spam. In March 2014, Sucuri reported 162,000 sites being used in DDoS attacks without the site owner’s knowledge via security holes in XML-RPC.

The XML-RPC vulnerability escalated into active hacking via Brute Force attacks. I recommend to Input Code to your Theme to block XML-RPC to disable.

  1. Delete the unused or unnecessary themes & plugins

It’s easy for a hacker to target unused themes/plugins or things that are installed but disabled to get pass the security of your website by targeting the vulnerabilities in those themes and plugins. As these things are already disabled in your site, so you are not going to notice any prominent change in the code of those themes/plugins and hackers use this to their advantage. Also, many times when you install a plugin on your site and then disabled it over time the actual developer of that plugin stop updating that plugin and hackers use vulnerabilities within those old theme/plugins to hack your site. So, always keep the things that you actually use on your site, if there is a list of plugin and themes which are installed in your WordPress installation but you don’t use it, just DELETE them. Whether it is a theme or plugin that comes with the default installation of WordPress or something you have separately installed earlier. This same rule applies to them all. Only keep the things you need and get rid of the rest.

It’s the fact the biggest security hole in a WordPress site comes not from WordPress itself but from plugins and themes. For example, the TimThumb hack, which is the largest successful hack against WordPress sites to date, came from plugins and themes that packaged the TimThumb library in their code and not from WordPress itself.

 “Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection”

  1. Secure your computers

 Keep your computer secure by acting on some of these rules:

  • Keep your OS and all programs updated
  • Install Anti-Virus software
  • Use personal firewalls
  • Open sites via HTTPS whenever possible
  • Use SSH or SFTP instead of FTP
  1. Use of plugins like Jetpack Protect filter

Some people think that Jetpack plugin is a very resource consuming plugin but let me tell you that all of you are wrong about this plugin. Jetpack is actually an amazing plugin that has been made for WordPress. The problem is that people use it in the wrong way and end up with a slow website and they point the finger to this plugin.

After installing Jetpack plugin most people just enable all the filters available within the plugin, which is not a good thing to do. Instead what you should do is go to Jetpack Settings in your WordPress dashboard and enable specifically those filters you truly need for your site and disable the rest.

But don’t forget to enable the “Protect” filter of Jetpack as it will help your site from getting attacked by Brute Force attackers and also safeguard your site from fake login attempt. This is a really useful filter which will not only protect your site from hackers but also safeguard your site from server slow down due to multiple random requests by hackers.

  1. Use AdvancednoCaptechreCaptcha plugin

The Google noCaptchareCaptcha is the predecessor of the original Google reCaptcha (v1) which used to show up annoying illegible captchas to do a simple task. But noCaptchareCapcha doesn’t show any annoying captcha instead it just asks you to click a checkbox and if Google thinks that your IP is suspicious then it asks you to select some specific picture from a list of the picture. This is really great and makes solving captcha a painless process.

WordPress has an awesome plugin named Advanced noCaptchareCaptcha which will allow you to enable noCaptchareCaptcha in your WordPress login page, signup page and even in comment form which is great as now hacker bots cannot just keep trying to guess the proper login credential of your site because they can’t get pass the captcha.

Also as noCaptchareCaptcha is a Google project so you can trust that its fraud detection algorithm is up to date with latest hacking trends. I will suggest you enable this plugin for your comment form to which will not just reduce the number of your spam comment, but also save your site from hacker bots who try to do SQL injection via comment forms.

  1. Only use trusted themes and plugins

Always use or install themes or plugins from trusted websites because in most of the cases though provide completely built a free website, there is a high chance that those themes and plugin has malicious code which can compromise your website security. If you are installing free themes or plugins, only install them through your WordPress plugin installer or download them from WordPress plugin repository.

  1. Set the proper permission for files and folders

Always set proper and right permissions for example If you have cPanel access log in to your file manager and make sure all the files of your site has permission set to 644 and all the directories have permission set to 755 unless some plugin especially asks you to set some special permission to some special folders. Like some cache plugin asks users to set the permission to /wp-contents/cache/ folder to 777. These are an exceptional case, but for rest of the file follow the above permission structure.

  • Folders: 755
  • Files: 644
  • wp-config.php: 444

SSH COMMAND TO CORRECT PERMISSIONS

  • find /wordpress -type d -exec chmod 755 {} \;
  • find /wordpress -type f -exec chmod 644 {} \;

Conclusion

You can remain safe if you follow my tips that I’ve described above besides installing a bunch of plugins and slow down your site for no good reason ever. Think again before you choose cheap hosting services like GoDaddy, Bluehost, Hostgatore, JustHost, Hostdime etc. These companies sell hosting at an extremely cheap price. But you may end up having a slow and unsecured hosting experience.

Securing a WordPress site is not as easy task it’s much more than installing a security plugin and walking away. It needs to fill out a complete strategy. Some you might’ve known about before but it is my hope that some were new discoveries. Sometimes, it’s the simple things you haven’t thought of yet that spell the difference between a mediocre security strategy and a great one.