Imagine for a moment that you are a website owner whose site has just been hacked. Countless hours of hard work go down the drain and the site that was your main source of income is suddenly gone. It is a harsh reality, but the facts do not lie: an average of 30,000 websites get hacked every day and yours could be next.
Keeping your WordPress site safe from hackers is a priority today. New WordPress vulnerabilities are disclosed all the time, and WordPress security is not only your web host's responsibility. It is yours, and this tutorial walks you through hardening WordPress with an approachable security checklist.
The WordPress core itself is well maintained and hackers typically do not attack it directly. Instead, they look for the small mistakes website owners make themselves (weak passwords, outdated plugins, unnecessary features left switched on) and exploit those.
Since hackers go after the low-hanging fruit, it is not complicated to harden WordPress and keep it secure. You can keep your site at the far upper end of the security bell curve by working through the checklist below.
Every once in a while a WordPress update is released with an ominous disclaimer: "This is a critical security release." That flag makes the priority clear, but releases that do not announce their importance often fix security bugs too, so install every WordPress update as quickly as possible.
Checking for theme and plugin updates should be on your daily, or at least weekly, security checklist. The latest versions give you better performance and, more importantly, the security patches.
Many updates to themes, plugins and the WordPress core exist specifically to fix significant security vulnerabilities. So the number one thing you must do to keep WordPress secure is keep everything updated.
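One way to make this automatic instead of relying on someone logging in to click "Update", as an added example that is not code from the article or from any plugin it mentions. The constant belongs in wp-config.php; the filters can live in a must-use plugin (wp-content/mu-plugins/), which WordPress loads unconditionally. The plugin slug in the exception list is a hypothetical placeholder.

```php
<?php
/**
 * Added example: enforce automatic core, plugin and theme updates.
 * Part 1 goes in wp-config.php, part 2 in wp-content/mu-plugins/auto-update.php.
 */

// --- Part 1 (wp-config.php) ---
// true  = apply every core release automatically (major and minor)
// 'minor' = only minor/security/maintenance releases (WordPress's default)
// Make sure AUTOMATIC_UPDATER_DISABLED is not defined as true anywhere,
// otherwise the background updater never runs at all.
define( 'WP_AUTO_UPDATE_CORE', true );

// --- Part 2 (mu-plugin) ---
// WordPress asks these filters once per plugin/theme that has an update
// available; $item->slug names the package being considered.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Hypothetical slug: a plugin you prefer to test on staging first stays manual.
    $manual_only = array( 'my-custom-checkout' );
    return ! in_array( $item->slug, $manual_only, true );
}, 10, 2 );

add_filter( 'auto_update_theme', '__return_true' );

// Get an email when a core update was applied or could not be applied.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Two caveats a practitioner should know: background updates run from WP-Cron, so a site with no traffic (or with cron disabled) will not update until cron fires, and WordPress deliberately skips automatic updates on installations it detects as version-control checkouts (a .git or .svn directory in the tree).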
Forget about easy usernames and passwords. Using either is literally leaving the front door open for hackers.
Here's an example.
What’s worse than using “admin” as your admin username? How about pairing it with a boneheaded password like “password.”
The WordPress login page is a common target for automated, brute-force, login-attempting bots. They’ll just hang out at /wp-login.php trying combination after combination of common usernames and passwords hoping you’ve been lazy enough to leave the front door unlocked.
The solution is a unique username and a strong password. I personally go for nonsense usernames like "s3r7as", and any unique username is an improvement over "admin", but do not count on it staying secret: for any user who has published a post, WordPress exposes the username through the author archive URL and the REST API, so the password is what really has to hold. Your password should be long, random nonsense.
Considering that WordPress has a built-in secure random password generator, there is really no excuse for an easy-to-guess password. So if your password is not strong, go to Users » Your Profile now and close this loophole.
Trackbacks and pingbacks may be a good signal for SEO but both of these are significant WordPress security threats.
If you don’t use trackbacks and pingbacks on your WordPress site, disable them. You can do this with a plugin, as we’ll see in a moment, or you can go to Settings » Discussion and uncheck the boxes next to Attempt to notify any blogs linked to from the article and Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
Changing these settings will still allow trackbacks and pingbacks to be turned on for individual posts and pages. So a better option is to use a plugin that will completely lock down pingbacks and trackbacks once and for all. I’ll show you how in just a moment.
There are at least two good reasons to disable trackbacks and pingbacks: they are a steady source of comment spam, and the pingback.ping method in xmlrpc.php can be abused to make your site fire requests at a third party (a reflected DDoS), while the same XML-RPC endpoint also accepts logins, so bots use it to guess passwords away from the normal login form.
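The plugin route is fine, but the same lockdown is only a few lines of code. The following is an added example, not code from the article or from the plugins it names: a must-use plugin that closes pings for every post regardless of the per-post checkbox, stops outgoing pings, removes the pingback methods from XML-RPC and drops the X-Pingback header. The file name is a suggestion.

```php
<?php
/**
 * Added example: disable pingbacks and trackbacks site-wide.
 * Save as wp-content/mu-plugins/disable-pingbacks.php.
 */

// 1. Report every post as closed to pings. This filter is consulted after the
//    per-post "Allow pingbacks & trackbacks" setting, so no post can re-enable
//    them, and wp-trackback.php refuses incoming trackbacks when pings are closed.
add_filter( 'pings_open', '__return_false', PHP_INT_MAX );

// 2. Empty the list of URLs WordPress would ping when a post is published
//    (the "Attempt to notify any blogs linked to from the article" setting).
add_action( 'pre_ping', function ( &$links ) {
    $links = array();
} );

// 3. Remove the XML-RPC pingback methods abused for reflected DDoS, leaving the
//    rest of XML-RPC intact for things that need it (Jetpack, mobile apps).
//    If you need none of those, add_filter( 'xmlrpc_enabled', '__return_false' )
//    switches the endpoint off entirely.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 4. Stop advertising the pingback endpoint in the response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To check it worked, send a pingback.ping call to /xmlrpc.php and confirm the response is a "method not supported" fault rather than a request to the URL you supplied.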
A lockout for failed login attempts solves the problem of continuous brute-force guessing. Whenever someone keeps submitting wrong passwords, their IP address gets locked out and you are notified of the unauthorized activity.
I found the iThemes Security plugin to be one of the best in this category, and I have been using it for quite some time. Along with more than 30 other WordPress security measures, it lets you set the number of failed login attempts allowed before the attacker's IP address is banned.
All In One WP Security & Firewall is another good WordPress security plugin; it has an easy interface and decent support with no premium plan. It is a very visual plugin, with graphs and meters that explain metrics like security strength to beginners and show what still needs to be done to make the site stronger.
Its features are broken down into three categories, Basic, Intermediate and Advanced, so you can still get value from it as a more advanced developer. It mainly works by protecting user accounts, blocking forceful attempts on your login and hardening user registration. Database and file security are also packaged into the plugin.
Changing the login URL is easy to do. By default, the WordPress login page can be reached by adding wp-login.php or wp-admin to the site's main URL.
When hackers know the direct URL of your login page, they can try to brute-force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords, such as username admin and password p@ssword, with millions of such combinations).
At this point we have already limited login attempts. Replacing the login URL on top of that gets rid of most of the untargeted brute-force traffic, because the bots hammering /wp-login.php never find the new page.
Keep in mind that this is obscurity, not authentication: anyone who learns the new URL is back at the normal login form, and xmlrpc.php still accepts logins unless you disable it, so keep the lockout in place. The iThemes Security plugin can change the login URLs for you, like so:
wp-login.php to something unique, e.g. my_new_login
/wp-admin/ to something unique, e.g. my_new_admin
/wp-login.php?action=register to something unique, e.g. my_new_registration
Users leaving wp-admin panel of your site open on their screens can pose a serious WordPress security threat. Any passerby can change information on your website, alter a person’s user account, or even break your site altogether. You can avoid this by ensuring that your site logs people out after they have been idle for a certain period of time.
You can set this up by using a plugin like BulletProof Security. This plugin allows you to set a customized time limit for idle users, after which they will automatically be logged out.
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
You can easily do this by adding the following code in your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Two-factor authentication makes users log in in two steps. The first is the username and password; the second is a code from a separate device or app, so a stolen or guessed password on its own is not enough to get in.
Most major online services, such as Google, Facebook and Twitter, let you enable it for your accounts. You can add the same functionality to your WordPress site.
First, install and activate the Two Factor Authentication plugin. Upon activation, click the 'Two Factor Auth' link in the WordPress admin sidebar.
Next, install and open an authenticator app on your phone; several are available for free (and paid).
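It helps to know what the app and the plugin are actually agreeing on. Authenticator apps implement TOTP (RFC 6238), a counter-based HMAC code (HOTP, RFC 4226) where the counter is the current 30-second time slot. The following is an added example, not code from the article or from the plugin it names: a stand-alone implementation with no WordPress dependency, checked against the published RFC test vectors. The base32 secret at the end is a hypothetical value of the kind shown in an enrolment QR code.

```php
<?php
/**
 * Added example: TOTP/HOTP as used by authenticator apps (RFC 6238 / RFC 4226).
 * Run with: php totp-demo.php
 */

function totp_base32_decode( string $encoded ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $encoded, '=' ) ) ) as $char ) {
        $value = strpos( $alphabet, $char );
        if ( false === $value ) {
            throw new InvalidArgumentException( 'Invalid base32 character' );
        }
        $bits .= str_pad( decbin( $value ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $octet ) {
        if ( 8 === strlen( $octet ) ) {          // drop trailing padding bits
            $bytes .= chr( bindec( $octet ) );
        }
    }
    return $bytes;
}

function hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true ); // 8-byte big-endian counter
    $offset = ord( $hash[19] ) & 0x0f;                                   // dynamic truncation (RFC 4226 §5.3)
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

function totp( string $secret, int $timestamp, int $step = 30, int $digits = 6 ): string {
    return hotp( $secret, intdiv( $timestamp, $step ), $digits );
}

/**
 * Verify a user-supplied code, tolerating one 30-second step of clock drift
 * either way. hash_equals() keeps the comparison constant-time.
 */
function totp_verify( string $secret, string $code, int $timestamp, int $window = 1 ): bool {
    $counter = intdiv( $timestamp, 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( hotp( $secret, $counter + $i ), $code ) ) {
            return true;
        }
    }
    return false;
}

// Reference vectors from the RFCs (ASCII secret "12345678901234567890").
$rfc_secret = '12345678901234567890';
assert( hotp( $rfc_secret, 0 ) === '755224' );              // RFC 4226, counter 0
assert( totp( $rfc_secret, 59, 30, 8 ) === '94287082' );    // RFC 6238, T=59, 8 digits
assert( totp_verify( $rfc_secret, hotp( $rfc_secret, 1 ), 59 ) );    // exact step
assert( totp_verify( $rfc_secret, hotp( $rfc_secret, 0 ), 59 ) );    // one step behind: accepted
assert( ! totp_verify( $rfc_secret, hotp( $rfc_secret, 5 ), 59 ) );  // far off: rejected

// Hypothetical base32 secret as it would appear in an enrolment QR code.
$app_secret = totp_base32_decode( 'JBSWY3DPEHPK3PXP' );
echo 'Current code: ', totp( $app_secret, time() ), PHP_EOL;
```

Two things a real implementation adds on top of this: it records the last counter value that was accepted for each user and refuses to accept it again (a code is otherwise valid for the whole window and could be replayed), and it rate-limits verification attempts, since a six-digit code gives an attacker a one-in-a-million chance per guess.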
Logged-in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords or make changes to their account.
This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.
You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.
Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.
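The idle logout described here and in the earlier section on the open wp-admin panel is also straightforward to implement yourself. The following is an added example, not code from the article or from the BulletProof Security or Inactive Logout plugins: a must-use plugin that records each user's last request, ends the session once the gap exceeds an idle limit, and separately caps how long an auth cookie stays valid at all. The timeouts, file name and meta key are assumptions for illustration.

```php
<?php
/**
 * Added example: idle logout plus a cap on auth cookie lifetime.
 * Save as wp-content/mu-plugins/idle-logout.php.
 */

define( 'IDLE_TIMEOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // hypothetical idle limit
define( 'SESSION_MAX_SECONDS', 8 * HOUR_IN_SECONDS );     // hypothetical absolute session cap
define( 'IDLE_META_KEY', '_idle_logout_last_seen' );      // hypothetical user meta key

// Cap the absolute cookie lifetime, including "Remember Me" logins, which
// WordPress otherwise keeps alive for 14 days.
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    return min( $expiration, SESSION_MAX_SECONDS );
}, 10, 3 );

add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta( $user_id, IDLE_META_KEY, true );

    if ( $last && ( $now - $last ) > IDLE_TIMEOUT_SECONDS ) {
        delete_user_meta( $user_id, IDLE_META_KEY );
        wp_logout();                                   // clears the auth cookies and session token
        if ( wp_doing_ajax() ) {
            wp_send_json_error( 'Session ended after inactivity.', 401 );
        }
        wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
        exit;
    }

    // The dashboard's Heartbeat request fires every minute or so while a tab is
    // merely open; do not count it as activity or nobody would ever be idle.
    // Also avoid a database write on every single request.
    $is_heartbeat = wp_doing_ajax() && 'heartbeat' === ( $_POST['action'] ?? '' );
    if ( ! $is_heartbeat && ( $now - $last ) > 60 ) {
        update_user_meta( $user_id, IDLE_META_KEY, $now );
    }
} );

// Tell the returning user why they were signed out.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['idle'] ) ) {
        $message .= '<p class="message">You were signed out after a period of inactivity.</p>';
    }
    return $message;
} );
```

The cookie cap matters on its own: an idle logout only helps when the browser sends another request, whereas a cookie copied off a machine stays usable until it expires, and shortening that window limits what a stolen cookie is worth.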
No matter how strong you believe your password is, hackers work around the clock to find ways to crack even the hardest ones.
Our malware researcher Luke Leal shows how quickly a hacker can crack a password in a short video:
We offer some quick tips for you:
Having said that, the best practice is to change all of your passwords right now with the help of a password manager. That way you only need to remember one password (the master LastPass password, for example) and can still follow every password best practice, including a different random password for each site so that one breach does not unlock the rest.
The web hosting you use plays an important role in keeping WordPress safe. The host is your first line of defence, and there are many hardening steps it can take on its end, at the server level.
Some hosts take matters into their own hands, such as SiteGround and Kinsta, which perform server-level WordPress hardening to ensure nothing slips through the cracks.
For example, we have seen both of these hosting companies apply server-level patches when anomalies or vulnerabilities are detected in the WordPress core. And when vulnerabilities are found in plugins or themes, they send an urgent email notifying customers (yes, that's us) about the vulnerabilities and the steps to resolve them.
To judge whether a theme or plugin can be trusted, first read its ratings and reviews. There you can find clues to past security problems or buggy updates.
You will also want to check when the plugin or theme was last updated. If it has not received an update in a long time (say years), that inactivity is a sign you should look elsewhere.
In addition, a plugin or theme's popularity is another signal that you are not installing malicious code into your WordPress site.
A widely used plugin or theme is not necessarily less likely to be targeted by hackers, but it is more likely to receive security patches promptly because so many sites depend on it.
Over time, your WordPress site will require some housekeeping.
As you accumulate themes and plugins, go through them and dispose of the ones you no longer use. Getting rid of the clutter is likely to make your site run faster and removes the vulnerabilities that stagnant or outdated add-ons carry. Delete rather than merely deactivate: a deactivated plugin's files are still on the server and can still be requested directly.
If using WordPress multisite, try using a plugin like Plugin Activation Status to perform a plugin audit and detect unused plugins across all sites in the multisite network.
See the codex on WordPress housekeeping for more information on how to remove unused plugins and themes.
Even if you take all the precautions above (and the ones listed after), you should always back up your WordPress site.
Backing up WordPress is fairly easy, either by following the instructions WordPress itself provides or with a plugin like BackupBuddy. Keep the copies somewhere other than the web server, since an attacker who has taken over the server can delete or alter anything stored on it.
If you would rather not worry about it, WP Engine runs automatic daily backups for you, so you can roll back to a clean copy should you ever lose your site to a compromise.
If someone had unlimited time and could try an unlimited number of password combinations against your site, they would eventually get in, right? This kind of attack, known as a brute-force attack, is something WordPress is susceptible to by default, because the system does not care how many times a user tries to log in.
WordPress brute-force protection that limits logins bans the source IP address from trying again once the failed-login threshold has been reached.
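This is the mechanism the login lockdown section and this section both describe, and it maps directly onto WordPress hooks. The following is an added example, not code from the article or from the iThemes, All In One or Jetpack plugins: a must-use plugin that counts failures per IP address in transients, bans the address once the threshold is reached, emails the site owner, and refuses to check credentials from a banned address. The thresholds, file name and transient prefixes are assumptions for illustration.

```php
<?php
/**
 * Added example: failed-login lockout by IP address.
 * Save as wp-content/mu-plugins/login-lockout.php.
 */

define( 'LOCKOUT_MAX_ATTEMPTS', 5 );                       // hypothetical: failures allowed per window
define( 'LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );        // hypothetical: window in which they are counted
define( 'LOCKOUT_DURATION', HOUR_IN_SECONDS );             // hypothetical: ban length once the threshold is hit

// REMOTE_ADDR is the one address the client cannot forge. Read X-Forwarded-For
// only if a proxy or CDN you control sits in front of PHP and sets it.
function lockout_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lockout_key( string $prefix ): string {
    return $prefix . md5( lockout_client_ip() );           // short, option-name-safe key
}

function lockout_is_banned(): bool {
    return false !== get_transient( lockout_key( 'lockout_ban_' ) );
}

// 1. Count failures. wp_login_failed fires for the login form and for XML-RPC,
//    so password guessing through xmlrpc.php is covered as well.
add_action( 'wp_login_failed', function ( $username ) {
    if ( lockout_is_banned() ) {
        return;                                           // do not extend an existing ban
    }
    $key      = lockout_key( 'lockout_fail_' );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, LOCKOUT_WINDOW );

    if ( $failures >= LOCKOUT_MAX_ATTEMPTS ) {
        set_transient( lockout_key( 'lockout_ban_' ), time(), LOCKOUT_DURATION );
        delete_transient( $key );
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf( "IP %s was locked out after %d failed logins (last username tried: %s).",
                lockout_client_ip(), $failures, sanitize_user( $username ) )
        );
    }
} );

// 2. While banned, reject the login before the password is even checked.
//    Priority 30 runs after WordPress's own username/password handlers (20).
add_filter( 'authenticate', function ( $user ) {
    if ( lockout_is_banned() ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 30 );

// 3. A successful login clears the failure counter.
add_action( 'wp_login', function () {
    delete_transient( lockout_key( 'lockout_fail_' ) );
} );
```

One operational caveat: behind a CDN or reverse proxy every visitor shares the proxy's REMOTE_ADDR, so an IP-based ban would lock everyone out at once. In that setup take the address from the header your proxy sets, and only from that header, or enforce the limit at the proxy itself.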
Keeping an eye on what’s happening with your website can provide important clues that something might not be right. There are a few different places you should check on a regular basis.
The point here is that you should be vigilant when it comes to hardening your WordPress site. You can potentially avert untold damage by catching a security breach as early as possible.
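The web server's access log is the first place to look, and one pattern is worth knowing: a failed login POST to wp-login.php is answered with a 200 (WordPress re-renders the form), while a successful one is answered with a 302 redirect to the dashboard. A burst of 200s from one address followed by a 302 is the signature of a guessing attack that may have worked. The following is an added example, not code from the article: a parser for the common "combined" log format and the check above, run over constructed sample lines (not real traffic). The threshold is a hypothetical value.

```php
<?php
/**
 * Added example: spot brute-force login activity in an access log.
 * Run with: php login-log-check.php
 */

define( 'LOGIN_FAIL_THRESHOLD', 5 ); // hypothetical: failed POSTs from one IP worth reporting

/** Parse one Apache/Nginx "combined" log line into the fields we need. */
function parse_access_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

/**
 * Per IP: number of failed login POSTs, whether a success (302) followed a run
 * of failures, and POSTs to xmlrpc.php, which bots use to guess passwords
 * outside the login form. Only IPs worth a look are returned.
 */
function find_login_abuse( array $lines ): array {
    $stats = array();
    foreach ( $lines as $line ) {
        $r = parse_access_line( $line );
        if ( null === $r || 'POST' !== $r['method'] ) {
            continue;
        }
        $path = strtok( $r['path'], '?' );   // drop the query string
        $ip   = $r['ip'];
        $stats[ $ip ] = $stats[ $ip ] ?? array( 'failed' => 0, 'success_after_failures' => false, 'xmlrpc_posts' => 0 );

        if ( '/wp-login.php' === $path ) {
            if ( 200 === $r['status'] ) {
                $stats[ $ip ]['failed']++;
            } elseif ( 302 === $r['status'] && $stats[ $ip ]['failed'] >= LOGIN_FAIL_THRESHOLD ) {
                $stats[ $ip ]['success_after_failures'] = true;
            }
        } elseif ( '/xmlrpc.php' === $path ) {
            $stats[ $ip ]['xmlrpc_posts']++;
        }
    }
    return array_filter( $stats, function ( $s ) {
        return $s['failed'] >= LOGIN_FAIL_THRESHOLD || $s['xmlrpc_posts'] > 0;
    } );
}

// Constructed sample log (not real traffic; documentation IP ranges).
$log = array(
    '203.0.113.7 - - [10/Mar/2019:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2019:03:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "python-requests/2.21"',
    '192.0.2.10 - - [10/Mar/2019:08:00:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
);

foreach ( find_login_abuse( $log ) as $ip => $s ) {
    printf( "%-15s failed=%d success_after_failures=%s xmlrpc_posts=%d\n",
        $ip, $s['failed'], $s['success_after_failures'] ? 'yes' : 'no', $s['xmlrpc_posts'] );
}
```

On the sample above the script reports 203.0.113.7 with five failures followed by a success, and 198.51.100.23 for its xmlrpc.php POST; 192.0.2.10, a normal login, is not reported. The first case is the one that deserves an immediate password reset and a look at the Users list for accounts you did not create.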
You need to make it more difficult for a hacker to access specific pieces of the WordPress installation. Though this can be accomplished with a security plugin, you can also take the few manual actions below:
Avoiding "admin" or "administrator" as your username is a simple way to harden your WordPress site. The names may sound authoritative, but they are the first ones every bot tries, and keeping them makes your site an easy target.
Changing or deleting the username is easy in WordPress. You could use the Username Changer plugin; you can't go wrong with it (like, seriously).
If you run a WordPress blog, chances are you will encounter malicious code injection attempts. Installing a free plugin such as Block Bad Queries helps deter malicious requests aimed at your server and blog.
The plugin works in the background, checking for excessively long request strings (greater than 255 characters) and for the presence of either "eval(" or "base64" in the request URI.
Jetpack does many things, including some security features: Monitor, which tells you whether your site is up or down; Single Sign-On, powered by WordPress.com, which lets users sign in with their WordPress.com account; and brute-force protection.
If you want to go lean and save some money, installing Jetpack could help improve your site's overall security. Note that Jetpack communicates with WordPress.com through xmlrpc.php, so do not disable XML-RPC entirely if you rely on it.
The cybersecurity threat to WordPress websites is higher than ever. There is no better time to improve WordPress security and you need to take action to ensure that your site is always protected.
Instead of cracking your head with the latest security tips and tricks, subscribe to WordPress care packages or services to ensure that your WordPress site is always secured.